Messages - Porfavor

#1
Unfortunately, after a reboot a few days ago, it does not work anymore. I hadn't changed anything. I have checked almost every setting several times and have no idea what is wrong.

A road warrior can access the remote LAN but site to site does not work. Traffic obviously does not reach the remote OPNsense. When I tracert, it goes from the Fritzbox router to the local OPNsense, back to the router and back to the OPNsense and so forth. On Fritzbox I have set the route 192.168.133.0 255.255.255.0 192.168.132.33 (where 192.168.133.0 is my remote LAN and 102.168.132.33 is my local OPNsense). Can we confirm that this route on Fritzbox is correct and the only one needed there?
#2
I am the most stupid anything on earth. It was indeed a misconfiguration of the WireGuard peer. That comes when you don't fully understand things.

I had 0.0.0.0/0 in the allowed IPs of the peer. I wasn't aware of the fact that this would send traffic which does not come from the other end of the tunnel to the wg interface, anyway, or so.

Packet capturing gave me the hint as a ping gave me wg interface entries.

After I removed this, it works, at least.

Thank you for your help.
#3
That's what I just mentioned. The third last rule is unnecessary, yes.
Thank you for your considerations about the second WAN rule. I will disable it.

I cannot ping 8.8.8.8. It's not (only) a DNS issue.

As you can rule out the other two options, I would conclude that it must have something to do with the VPN configuration. I'm just wondering why. Do LAN clients use the tunnel when trying to access 8.8.8. for example? That's not a defined allowed IP in the WireGuard configuration. Could it be that I have to limit the WireGuard firewall rules explicitly in some way?

I will have a look at your linked thread otherwise, as soon as I find the time (maybe at the weekend). But there are just so many potential issues that I have got a bit lost.
#4
192.168.133.0/24 is my LAN subnet, yes. In my (probably wrong) understanding, traffic from e.g. 192.168.133.2, which tries to connect to the internet, goes to the LAN interface of its gateway (OPNsense). As it wants to reach an external address, OPNsense should pass it to its own WAN interface and then to the internet. So the firewall has to allow it to do so. 

The LAN firewall rules (if I am not wrong) allow this. What I might have forgotten at this point is to allow source LAN network to destination any in the WAN firewall rules. Or isn't that necessary? That's one direction.

Is that correct so far?
#5
Thanks again.

OPT1 is the wireguard interface which shouldn't matter in this situation?
The outbound rules have been created automatically.

Which distinction are you referring to?

Do I need to create a rule Allow IPv4 * * 192.168.133.0/24 on the WAN interface or really create an entry under port forwarding? What would that look like? I don't really get it at the moment. Maybe you could provide an example.
I am pretty sure I didn't do port forwarding on the other machine (at least not manually).
#6
So, the NAT outbound settings are the ones in NAT.png. WAN interface firewall settings are in WAN.png and LAN firewall settings in LAN.png.
192.168.133.0/24 is the LAN I am talking about. Probably this rule is unnecessary as I have the default allow all rule.

It's all in German. If I need to translate it, let me know.

I currently don't have the time to get into this any further. I'll do it sometime in the next few days. However, maybe one can get something out of the rules.

#7
Actually not via this machine. I have another machine running OpenVPN and as long as this was the gateway, they could access it. I just wanted to set up a new machine as I couldn't really get WireGuard to work in parallel with OpenVPN on this other machine and I might have messed things up there.

This machine I am talking about is just newly setup and I didn't test if the LAN had access to the internet.
I will post the settings for the firewalls and the outbound NAT later in the day.
#8
Quote from: meyergru on September 22, 2025, 01:20:04 PM
Only the initial LAN interfaces gets an "allow any" rule assigned. The rest you have to define yourself - in this case, a rule to allow the WIREGUARD group internet ("any") access.

Thank you.
I am talking about clients at the same site, in the same LAN where the respective OPNsense gateway is, which do not use the VPN. Why would I need to allow the WireGuard group something there? I only mentioned the VPN thing to show that an internet connection is possible in general. If I misunderstand something, I'd be happy if you could explain it.

In my understanding traffic comes to the LAN interface of the firewall and has to get to the WAN interface and then out of the firewall - and the other way around. That's where I am stuck.
#9
Hello,

I just set up a WireGuard site-to-site connection which in general now seems to work fine. So OPNsense at site A has internet access and LAN devices can also reach the other site B through the tunnel.

Unfortunately, the LAN devices at site A, which shall access the internet through OPNsense at site A, seem to have no internet access besides that. I cannot reach the web and cannot ping external IPs like 8.8.8.8. So it's obviously not only a DNS issue. Computers at site A have OPNsense site A as default gateway.

Maybe I have mistaken or forgotten something about an interface or firewall rules (although I followed the guide). The LAN interface has the default allow any rule.
Or could it be something about (outbound) NAT? I'm not familiar with this and how traffic is being passed between interfaces (I thought, the LAN firewall rule was enough).

Any help on where to start troubleshooting is appreciated.
#10
Forget about it. It works now. I played around a bit. The last change was removing the 0.0.0.0/0 from the peer on the server while leaving the other addresses. But I don't know if that was what fixed it.
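Posts #2 and #10 both trace the problem to a site-to-site peer whose AllowedIPs contained 0.0.0.0/0. The following is an added example, not code from the original posts or from OPNsense or WireGuard: it models WireGuard's cryptokey routing table in plain Python (longest-prefix match over each peer's AllowedIPs for outbound packets, and a source-address check for inbound packets) so the effect of the catch-all prefix can be seen directly. The remote LAN 192.168.133.0/24, the client 192.168.133.2 and the ping target 8.8.8.8 are taken from the thread; the peer label "site-b" and the foreign source 10.9.8.7 are constructed for the example.

```python
import ipaddress


class Peer:
    """A WireGuard peer as seen by the cryptokey routing table.

    The name is only a label for this example; WireGuard keys peers by public key.
    """

    def __init__(self, name, allowed_ips):
        self.name = name
        self.allowed_ips = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]


def select_peer(peers, dst):
    """Outbound: choose the peer owning the longest AllowedIPs prefix that contains dst.

    Returns (peer_name, matched_prefix), or (None, None) when no peer claims dst,
    in which case the packet never enters the tunnel and follows the normal routing table.
    """
    addr = ipaddress.ip_address(dst)
    best_name, best_net = None, None
    for peer in peers:
        for net in peer.allowed_ips:
            # `in` is False across address families, so v4 never matches a v6 prefix.
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_name, best_net = peer.name, net
    return best_name, (str(best_net) if best_net is not None else None)


def inbound_accepted(peer, src):
    """Inbound: a packet decrypted from this peer is kept only if its source address
    lies inside the peer's AllowedIPs; WireGuard silently drops it otherwise."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peer.allowed_ips)


def catch_all_peers(peers):
    """Audit helper: list peers whose AllowedIPs contain a /0 prefix.

    A /0 makes the peer claim every destination and accept every source. That is the
    intended setting for a road-warrior client that sends all its traffic through the
    tunnel, but on a site-to-site peer it pulls internet-bound LAN traffic into the tunnel.
    """
    return [(p.name, str(n)) for p in peers for n in p.allowed_ips if n.prefixlen == 0]


# Constructed peer configurations mirroring the thread: the same peer before and after
# the 0.0.0.0/0 entry was removed. 192.168.133.0/24 is the LAN named in the posts.
MISCONFIGURED = [Peer("site-b", ["192.168.133.0/24", "0.0.0.0/0"])]
FIXED = [Peer("site-b", ["192.168.133.0/24"])]

if __name__ == "__main__":
    for label, peers in (("with 0.0.0.0/0", MISCONFIGURED), ("without 0.0.0.0/0", FIXED)):
        print(label)
        for dst in ("192.168.133.2", "8.8.8.8"):
            name, net = select_peer(peers, dst)
            verdict = f"tunnel via {net}" if name else "not tunnelled (normal default gateway)"
            print(f"  {dst:>15} -> {verdict}")
        print("  catch-all peers:", catch_all_peers(peers))
```

With the catch-all entry present, 8.8.8.8 is attributed to the tunnel peer (the /0 prefix matches when nothing more specific does) and any source address is accepted from that peer; with only the /24, traffic to the remote LAN still goes through the tunnel by longest-prefix match, while internet-bound traffic is left to the firewall's ordinary default gateway. The audit helper is the check worth running on every site-to-site peer before debugging firewall rules.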
#11
Hello,

I am trying to set up a site to site VPN connection via Wireguard.

Site A is a remote VLAN, where OPNsense has been installed to a VM.
Site B is my home network. There is a router (Fritzbox) and behind the router there is a server where OPNsense is installed.

I followed the config and searched many forums but couldn't solve my issues so far.
I can establish a connection and a handshake is made. But I cannot access the LANs on the other site.

I have set the allowed IPs as described and all the firewall rules on both sites. I have also set up a route on the home router pointing to the remote LAN, of course. The firewall shows me that traffic comes to the other end of the tunnel to the other OPNsense, but it seems as if OPNsense would not know what to do with it, in both directions.

I am clueless.

By the way: OpenVPN between those two sites works fine. So this should really be something WireGuard specific or something I missed at the home router.

#13
Thank you for your reply.

The situation is as follows:

- Mobile Device (let's call this network C) connects to OPNsense on network B. Network B is connected to network A via different OpenVPN Server / Peer to Peer. I want to reach network A from network C.
- Network A has a router in between network B and network A's OPNsense.
- I have set a route on the router of network A regarding VPN-network of the access server as I did with the VPN-Network from network B of the site to site server.
- I haven't set any custom routes on network B's OPNsense.
- There does exist a route (on OPNsense network B) to networks A's LAN via the OPNsense on network A.

How can I achieve this? Set a route at System -> Routes -> Configuration? If so, I am not sure how to do this.
#14
Hello,

I have set up two VPN servers on my OPNsense (at a remote location). One is a peer-to-peer VPN where the remote network is my home LAN. This works well.

Moreover, I setup a second server for remote access. It is possible to connect to this server and reach the actual local LAN. Though, I cannot reach the home LAN through it. I entered this network into Local IPv4 network within the server settings.

What else do I have to do? Or isn't this possible?
#15
German - Deutsch / Re: Performance problems with OPNsense
November 23, 2022, 11:15:16 PM
I have just set up OpenVPN site-to-site. Everything seems to work great. It would be great if that were confirmed. The download speed is 2-3 times as fast, the upload about 2 times as fast (which is understandable given my upload bandwidth).