Messages - nsteinmetz

#1
After further investigation, my case seems more focused on one device than with wireguard - I tested on another device and it works well. So no relation with your case - sorry for the noise
#2
Do you have something in your wireguard logs on the opnsense side?

Since upgrading to 24.1.10, I can no longer connect to wireguard - fortunately, I have a zerotier vpn as an alternative.

2024-07-11T21:37:52 Notice wireguard wireguard instance CabinetRoadWg (wg0) started
2024-07-11T21:37:52 Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt2'
2024-07-11T21:37:51 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '192.168.7.0/24' -interface 'wg0'' returned exit code '1', the output was ''
2024-07-11T21:37:51 Notice wireguard wireguard instance CabinetRoadWg (wg0) can not reconfigure without stopping it first.

Do you also have it?
#3
Could get rid of it by:

pkg update -f
pkg upgrade
# will list some php8 packages which were not yet upgraded
# and opnsense-base package was also upgraded at this time
reboot
# done

#4
Same here but it seems it prevents my opnsense from starting after the reboot - seems I'm half 22.7 with still some 22.1 files :(
#5
Thanks dmmincrjr !

The related post and a more detailed answer about what to do exactly:

https://forum.opnsense.org/index.php?topic=27092.msg131768#msg131768
#6
Same here, my site to site interface (wg1) disappeared on my wife's office router post 21.7 to 22.1 upgrade :-/

Fortunately, I still have the RoadWarrior configuration so I don't lose access but it's less convenient.

On my office side, wg1 interface is up and running. So I don't get why it worked on 1 router and not the other one as it should be also exactly the same hardware.
#7
Awesome Greelan, exactly what I needed!

It works like a charm  8)

I removed the useless rules:
- Firewall > LAN > Accept all traffic on LAN interface from WG1 net to LAN net (IN rule)
- Firewall > LAN > Accept all traffic on LAN interface from LAN net to WG1 net (IN rule)

Thanks a lot!!
#8
Hello,

I could set up a RoadWarrior connection and it works well. Trying now to set up a site to site connection. Connection works between endpoints but traffic is not allowed.

I followed these tutorials:
* https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
* https://www.procustodibus.com/blog/2020/12/wireguard-site-to-site-config/

In both cases, the network is:

Internet <-> Modem <-> OpnSense <-> LAN/WLAN

Site A:
- Modem: 192.168.1.10
- OpnSense: 10.250.0.1
- LAN: 10.250.0.1/24
- WLAN: 10.251.0.1/24
- WG0: 10.252.0.1/24 (RoadWarrior)
- WG1: 10.253.0.1/24 (site to site)

Site B:
- Modem: 192.168.1.1
- OpnSense: 192.168.7.1
- LAN: 192.168.7.1/24
- WLAN: 192.168.9.1/24
- WG0: 192.168.11.1/24 (RoadWarrior)
- WG1: 10.253.0.2/24 (site to site)

For the WG configuration more precisely:

On Site A

Local:
- Name AtoB
- Port 51821
- Tunnel: 10.253.0.1/24
- Peers: SiteB

Endpoint:
- Name: SiteB
- AllowedIP: 10.253.0.2/32 192.168.7.1/24 192.168.9.1/24
- endpoint: IP.OF.SITE.B
- port: 51821


On Site B

Local:
- Name BtoA
- Port 51821
- Tunnel: 10.253.0.2/24
- Peers: SiteA

Endpoint:
- Name: SiteA
- AllowedIP: 10.253.0.2/32 10.250.0.1/24 10.251.0.1/24
- endpoint: IP.OF.SITE.1
- port: 51821

On both opnsense:
- I set WG1 as an interface so I have the automatic rules for Firewall > NAT > Outbound
- Firewall > WAN > set rule to accept connection on port 51821/UDP => this works as I see they are connected in VPN > Wireguard > List Configurations
- Firewall > WG1 > Accept all traffic on WG1 interface from WG1 net to LAN net (IN rule)
- Firewall > LAN > Accept all traffic on LAN interface from WG1 net to LAN net (IN rule)
- Firewall > LAN > Accept all traffic on LAN interface from LAN net to WG1 net (IN rule)

In the firewall log on site B, when from site A I ping or nmap a host on site B:
- it passes on Site A to site B (firewall log from opnsense on site A)
- it's denied on WG1 in site B (firewall log from opnsense on site A) - with label "Default deny rule"

So what's the next rule to add? It must be a LAN to WG1 kind of rule but I don't know how to implement it :(

Hope I provided enough details, and if I can improve the docs once solved, I'll be happy to contribute to it.
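An added sanity check for the cryptokey-routing side of the site-to-site setup described in #8 (my own example, not code from the thread, from OPNsense or from the linked tutorials): each side's AllowedIPs for its peer should cover the other site's tunnel address and LAN subnets, and should not overlap the local site's own networks, since AllowedIPs is also the route table WireGuard installs. The addresses are the ones listed in the post; the Site dataclass and function names are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Site:
    name: str
    tunnel: str                  # this site's own WG1 address, e.g. "10.253.0.1/24"
    lans: List[str]              # subnets behind this site the other site must reach
    peer_allowed_ips: List[str]  # AllowedIPs on this site's peer entry for the other site

def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False: "192.168.7.1/24" parses to 192.168.7.0/24, as WireGuard masks it
    return ipaddress.ip_network(cidr, strict=False)

def _host32(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(ipaddress.ip_interface(cidr).ip)  # -> a.b.c.d/32

def check_peer_allowed_ips(local: Site, remote: Site) -> List[Tuple[str, str]]:
    """Check local's AllowedIPs for remote; returns (code, detail) findings."""
    findings = []
    allowed = [_net(c) for c in local.peer_allowed_ips]

    def covered(net: ipaddress.IPv4Network) -> bool:
        return any(net.subnet_of(a) for a in allowed)

    for c in local.peer_allowed_ips:   # host bits in a prefix usually mean a typo
        iface = ipaddress.ip_interface(c)
        if iface.network.prefixlen < iface.max_prefixlen and iface.ip != iface.network.network_address:
            findings.append(("host_bits", c))
    if not covered(_host32(remote.tunnel)):   # remote tunnel IP must be routable
        findings.append(("missing_remote_tunnel", str(_host32(remote.tunnel))))
    for lan in remote.lans:                   # and so must every remote subnet
        if not covered(_net(lan)):
            findings.append(("missing_remote_lan", lan))
    own = [_host32(local.tunnel)] + [_net(l) for l in local.lans]
    for a in allowed:                         # local nets must never be steered into the tunnel
        for o in own:
            if a.overlaps(o):
                findings.append(("overlaps_local", f"{a} vs {o}"))
    return findings

# Constructed from the values in the post (LAN/WLAN given as subnets, not interface IPs)
SITE_A = Site("SiteA", "10.253.0.1/24", ["10.250.0.0/24", "10.251.0.0/24"],
              ["10.253.0.2/32", "192.168.7.1/24", "192.168.9.1/24"])
SITE_B = Site("SiteB", "10.253.0.2/24", ["192.168.7.0/24", "192.168.9.0/24"],
              ["10.253.0.2/32", "10.250.0.1/24", "10.251.0.1/24"])

if __name__ == "__main__":
    for local, remote in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        print(f"{local.name} -> peer {remote.name}:")
        for code, detail in check_peer_allowed_ips(local, remote) or [("ok", "")]:
            print(f"  {code:22} {detail}")
```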