Messages

1

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: March 22, 2020, 06:01:54 pm »

Any ideas relating to firewall rules?

Not sure why it's only this service that has a problem.

2

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: March 12, 2020, 10:48:50 pm »

I'm using Radarr (https://radarr.video/).

Unfortunately still having issues. Any ideas as to how to add an exception to the firewall?

FYI I've had this exact same setup with PFSense and OpenVPN before I switched over to OPNSense & WireGuard, and every service worked previously.

3

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: March 05, 2020, 02:33:54 pm »

Thanks for your response. I have tried using netcat as you suggested - please see below:

Server

Code: [Select]

netcat -l -p 7879 -vvv
Listening on [0.0.0.0] (family 0, port 7879)
Connection from 192.168.4.10 54822 received!
Test. This Works
Client

Code: [Select]

netcat 192.168.1.220 7879 -v
192.168.1.220: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.1.220] 7879 (?) open
Test. This Works

4

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: February 29, 2020, 10:12:58 pm »

Thanks for your response.

To be honest, I'm not sure if I can answer those questions since I just followed some various tutorials. As for the outbound NAT rule, I believe I initially had to create it so that my remote devices could access the internet.

I have removed both the port forwarding rules & the outbound NAT rule (I disabled them).

The good news is that the VPN still works (can ping and access various IPs), however the same issue persists (accessing service on port 9000 works, but 7879 doesn't). Firewall on Site B gives the same "Default Deny Rule" when accessing the service at 7879.

5

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: February 29, 2020, 05:29:39 pm »

Gentle bump

6

German - Deutsch / Re: Wireguard wg0 deny

« on: February 26, 2020, 12:52:55 am »

Hi, I'm experiencing the same problems. Can someone please assist? How did you solve this?

I started a thread here: https://forum.opnsense.org/index.php?topic=15889.0

By translating German to English, it seems as though you deleted an interface? If so, which one?

7

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: February 23, 2020, 08:37:14 pm »

Just wanted to know if you had any more ideas? I can't seem to get this working.

8

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: February 18, 2020, 10:08:48 pm »

Not sure I entirely understand the question.

When accessing the service directly from Site B - by going from a computer at 192.168.4.167, in the web browser, and entering 192.168.1.220:7879, it doesn't work (receive those "deny" messages in the firewall). Accessing the same IP (192.168.1.220) using the same computer at Site B using a different port (9000) works.

9

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: February 18, 2020, 03:37:21 pm »

I have added a new rule on Site B to allow all for "out" (as well as "in"). See screenshot here: https://imgur.com/a/UjNlEZ3.

Unfortunately, still receiving the Default deny rule in the Live View.

10

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: February 17, 2020, 07:34:38 pm »

I'm not entirely sure to be honest. Without the interface, the firewall logs show denied when using port 7879, but allowed when using port 9000 - see screenshots below (taken from Site B's firewall logs):

https://imgur.com/a/Kzyq78I

With the interface, I don't see any denied entries in the log.

11

20.1 Legacy Series / Re: Strange WireGuard Site-to-Site Behaviour

« on: February 17, 2020, 05:28:43 pm »

Site A

https://imgur.com/a/hbwAi0A

Site B

https://imgur.com/a/1m41RmW

12

20.1 Legacy Series / Strange WireGuard Site-to-Site Behaviour

« on: February 16, 2020, 07:37:18 pm »

Hi,

I recently setup a Site-to-Site VPN using WireGuard with the following configuration:

Site A --> Main Site
Site B --> Remote Site

Site A
Main Network: 192.168.1.0/24
Tunnel Address: 10.0.10.1/24

Site B
Main Network: 192.168.4.0/24
Tunnel Address: 10.0.10.4/24

Site A Endpoint
Name: Site B
Allowed IPs: 10.0.10.4/32, 192.168.4.0/24 --> these are Site B's IPs

Site B Endpoint
Name: Site A
Allowed IPs: 10.0.10.1/32, 192.168.1.0/24 --> these are Site A's IPs
Endpoint Address + Port: [Site A's External IP Address] + [Port]

I also have created a WireGuard Interface at each site that is bound to the wg0 device.

Firewall

At each site, I have an allow all on the WireGuard interface, to provide WG Net with access to the whole network.

I also have a firewall rule on WAN to allow the WireGuard port (51820) at both sites.

Current Status

The VPN is connected, and both sites can ping each other + access various services that are hosted on servers on the other site. For example, Site A, can connect to servers at Site B + Site B can connect to servers at Site A.

Here's where the strange behaviour starts. For one particular IP address that I tested (located at Site A): 192.168.1.220, Site B can access a service at port 9000, but not different services using other ports. There's a different service at port 7878 and 7879... but it is not able to reach those via web browser (or curl). I have tried running those same services (7878 and 7879) on different ports, but it still doesn't work.

To do this testing at Site B, I am using a regular computer on the LAN (it's IP is 192.168.4.157). For clarity, when navigating from this computer:

192.168.1.220:9000 --> works
192.168.1.220:7878 --> doesn't work
192.168.1.220:7879 --> doesn't work

The thing is, when accessing those services via curl on the actual router itself (Opnsense CLI using curl) at Site B, all services load (even the 7878 and 7879 services).

One last thing to note, is that prior to creating a WireGuard interface at Site B, the firewall was blocking the 7878 and 7879 services (for some reason - "Default deny rule"), but the 9000 service always worked. After creating the WireGuard interface at Site B, the firewall allows the traffic (in all cases), but nothing gets through for 7879 and 7979 (on the test PC, but still works on the router itself). I don't see any blocked messages in Live View.

Any assistance would be greatly appreciated.