Messages

So after all that, I have it figured out, it was nothing to do with wireguard on OPNsense. I set it up on my phone and connected without issue and was aboe to pull up the OPNsense UI, TrueNAS UI on 192.168.3.0/24 network. This lead me to the 2 servers in Hetzner. I recalled an issue I had with LetsEncrypt a while back, where their firewall doesn't tag outbound traffic so if a response comes back it knows what to do with it. Long story short, I opened the peer ports on their web ui firewall and the handshake completed and everything works.

Thanks everyone for the verification of my config and tips etc. I still want to look at the xml for that legacy config next tough just to get things tidied up.

BTW, I notice that your interface on OPNsense is wg1. Does that mean you have another WG interface for something else (wg0)? Could that be causing routing conflicts?

So I had a wg0 and deleted everything to start fresh and it starts at wg1 now everytime even tough wg0 is not listed anywhere within OPNsense.

I guess the next logical step so for me is to setup a 3rd peer (iPhone) and connect and see if the tests work if so at least then I know its some routing/iptables issue on the ubuntu peers. Will update in about 90 minutes once home and can test it.

Change the interface address on both peers to the actual subnet. ie /24.
A /32 will not let you browse anything.

This is also wrong. A /24 is only strictly needed on the peers if they are also routing traffic to other peers on the VPN network, ie acting as a hub like OPNsense is meant to in this case. They are not. Though changing it to /24 won't break anything in this case.

Change the interface address on both peers to the actual subnet. ie /24.
A /32 will not let you browse anything.

This is also wrong. A /24 is only strictly needed on the peers if they are also routing traffic to other peers on the VPN network, ie acting as a hub like OPNsense is meant to in this case. They are not. Though changing it to /24 won't break anything in this case.

This is what I thought. Am I correct that I should use the /32 in the interfaces on the peer and just have the same /32 address listed in the allowed IPs on the OPNsense endpoints tab while having the networks behind OPNsense listed as the AllowedIPs in the peers config?

Client port, that is the default (random) that wireguard uses unless one is explicitly set. Just to test I now have ListeningAddress in the interface section of the peers config - no change.

I changed the interface address to be in the /24 subnet (10.10.42.2/24 and 10.10.42.3/24), no change. I thought the idea with the interface address being /32 is because it would be a single IP while the peer section contains the AllowedIPs which are essentially the routes available after connection.

Anyway both changes made, still the same, no ping from OPNsense across the tunnel to the peers and vice versa, No ping to other networks from peers, no ping from peer to peer.

Yes, tried adding it, following you're comment, I have now added 10.10.42.0/24 to the AllowedIps in each peers config file. I have changed peer1 from 10.10.42.1 to 10.10.42.2 and changed peer2 from 10.10.42.2 to 10.10.42.3. I have changed the local tunnel address to 10.10.42.1/24.

Still the same results.

[can't]

Hey all hope one of you has some pointers for me or might spot a very obvious mistake I have made. I have setup both OpenVPN and IPSec tunnels etc before using pfSense and OPNsense and have never come across issues like this before. Well I have but nothing a firewall rule didn't fix.

I followed the road warrior guide including step 5 (creating the interface etc). My setup is an OPNsense box at home and 2 remote servers I wish to connect as peers to it. I setup everything according to the guide, the OPNsense box has the following networks on it:

Code Select Expand

192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24

OPNsense is available on each CIDR above at .254. I want to be able to access the 2 peers from 192.168.1.0/24 and 192.168.3.0/24 and vice versa. I have setup the tunnel to use 10.10.42.254/24 as its CIDR. In OPNsense endpoints I have added both peers with the folllowing Allowed IPs:

Code Select Expand

Peer1: 10.10.42.1/32
Peer2: 10.10.42.2/32

In the Status tab I can see:

Code Select Expand

interface: wg1
  public key: [REMOVED]
  private key: (hidden)
  listening port: 51820

peer: [REMOVED]
  endpoint: X.X.X.X:58853
  allowed ips: 10.10.42.1/32
  transfer: 21.68 KiB received, 15.50 KiB sent
  persistent keepalive: every 30 seconds

peer: [REMOVED]
  endpoint: 46.4.23.90:39594
  allowed ips: 10.10.42.2/32
  transfer: 21.68 KiB received, 15.21 KiB sent
  persistent keepalive: every 30 seconds

I can also see the handshakes on the Handshakes tab in OPNsense. As for firewall rules, as per the guide I created one on the WG interface with source set to WG net and everything else as wildcard. My 192.168.1.0/24 and 192.168.3.0/24 also have a wildcard rule with their respective net addresses as the source. I have also tested with a fully wildcard rules in all interfaces. I have the wireguard port forwarded to my WAN as per the guide also.

Now for the peers (Both Ubuntu 22.04), they have the following config:

Peer1:

Code Select Expand

[Interface]
PrivateKey = [REMOVED]
Address = 10.10.42.1/32

[Peer]
PublicKey = [REMOVED]
AllowedIPs = 192.168.1.0/24, 192.168.3.0/24
Endpoint = [REMOVED]:51820
PersistentKeepalive = 30

Peer2:

Code Select Expand

[Interface]
PrivateKey = [REMOVED]
Address = 10.10.42.2/32

[Peer]
PublicKey = [REMOVED]
AllowedIPs = 192.168.1.0/24, 192.168.3.0/24
Endpoint = [REMOVED]:51820
PersistentKeepalive = 30

The result of route on both peers is:

Code Select Expand

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         static.193.63.6 0.0.0.0         UG    0      0        0 enp35s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0

What I can and can't do:
From the OPNsense box itself I can't ping either peer using their tunnel IP.
From machines on 192.168.1.0/24 and 192.168.3.0/24 I can ping the OPNsense tunnel IP (10.10.42.254).
From machines on 192.168.1.0/24 and 192.168.3.0/24 I can't ping either peer using their tunnel IP.
From the peers I can't ping the OPNsense box tunnel IP.
From the peers I can't ping the other peer.
From the peers I can't ping anything on 192.168.1.0/24 or 192.168.3.0/24.

Any tips or pointers, sorry about the long message but wanted to give as much information as possible.