Messages - DrZoidberg

#1
Quote from: Maurice on August 05, 2023, 03:31:09 PM
In case my previous post wasn't clear:

At site A (OPNsense), set the tunnel address in the local wg instance to 192.168.2.x/24 (where x must be unused at site B). Set the allowed IPs in the endpoint config to 192.168.2.0/24.

At site B (AVM), do the opposite (192.168.178.x/24 / 192.168.178.0/24).

Good luck.

[edit] The AVM how-to seems to suggest setting the wg interface's tunnel address to the same address and subnet as the local LAN interface. Really weird. So if the above doesn't work, try this. [/edit]

This setup, considering the comment you made about keeping the same interface address, did it. Thank you!
#2
Thank you so much! AVM is sometimes really handy, but also pretty weird. I will let you know once I have access to the router. The problem is also that every change needs to be confirmed with physical feedback from the user.

One side question if I may ask: Why isn't it possible to overrule the firewall and let traffic from 10.0.0.5 in? It may not be secure or advisable, etc., but why is there no way to force-allow it?
#3
Now I understand what they mean. Thanks a lot!

I don't have access to the Fritzbox right now, but will try asap.
#4
Quote from: Bob.Dig on August 05, 2023, 02:59:50 PM
Quote from: DrZoidberg on August 05, 2023, 02:52:17 PM
(192.168.178.x is what I called for simplicity 192.168.1.x):
Bad idea to begin with...

What exactly do you mean?
#5
Quote from: Maurice on August 05, 2023, 02:56:17 PM
Did you follow AVM's guide for WireGuard S2S?
https://avm.de/service/vpn/wireguard-vpn-zwischen-fritzbox-und-anderem-router-einrichten/

It seems unlikely that they perform NAT for S2S, if correctly set up.

Unfortunately, it seems to do it and AVM thinks that this is right:

https://www.fritzbox-info.com/forum/viewthread.php?thread_id=405
#6
With Outbound NAT it looks like this (192.168.178.x is what I called for simplicity 192.168.1.x):

Why is traffic from 10.0.0.5 to 10.0.0.1 blocked? I really don't get it; with the rules I have shown, all traffic on the wg interface is allowed in...
#7
You are right, I just checked it, the router at Site B has NAT always activated and it is not possible to change this.

Now my question: what are the options?

1.) If I use outbound NAT at the OPNsense, they should communicate only in the 10.0.0.0/24 space? E.g. 10.0.0.1 as OPNsense to 10.0.0.5 as Fritzbox. What I see there is: 192.168.1.111 wants to reach 192.168.2.222, then NAT hits and translates it to 10.0.0.1 to 10.0.0.5, but 10.0.0.5 still calls back to 192.168.1.111. But why? Is there a way to change it?

2.) Any other reasonable option?
#8
The snapshot with two rules shows floating rules. I actually tried it just because I have no idea how to proceed. Usually, the one rule on the wg device allowing all traffic should be sufficient according to all tutorials. And yes, there is a dedicated wg device assigned.

The firewall log is from the OPNSense side which also runs the WG server. The client side is a router (Fritzbox) with a wg client.

On the router side (Site B) there are no specific options for NAT, but I would assume that, as it is a router, it does it as it should.

On the OPNsense side I tried with and without outbound NAT, but it doesn't really change anything. Still the incoming traffic on 10.0.0.0/24 is blocked.
#9
Here you find the rules for the wg interface and the floating rules. I tried one or the other and both at the same time. No luck.

The strange part is that traffic from Site B is coming in, but only if it is originated there or if it is ICMP.
#10
Hi there,

I want to connect two home networks via Wireguard with the setup like so:

Site A: 192.168.1.0/24
Site B: 192.168.2.0/24
WG-Tunnel: 10.0.0.0/24

The Wireguard connection itself is working. I can reach the full network of Site A from Site B, I can ping/traceroute from Site A to Site B.

However, I cannot reach any service within Site B from Site A.

If I observe the live firewall log I see the following:

192.168.1.111 goes through the firewall and hits 192.168.2.222
However, the answer comes from 10.0.0.5 and wants to call back to 192.168.1.111 but hits the default deny rule.

The strange part is that I tried almost every rule to open traffic from 10.0.0.0/24 to 192.168.1.0/24. And in general it needs to work, as Site B can reach any device within the network of Site A.

Do you have any clues where I can start looking for a solution?

Thank you so much!
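The two log lines the post describes (the request from 192.168.1.111 passing, the answer from 10.0.0.5 hitting default deny) can be reproduced with a small model of the packet path. This is an added illustration, not code from OPNsense, pf, AVM or anyone in the thread: a pf-style stateful firewall at Site A, a router at Site B that source-NATs replies into the tunnel as 10.0.0.5 (the behaviour the thread attributes to the Fritzbox), and the thread's three subnets. The hosts .111 and .222, the TCP ports, the "LAN to any" rule, and the assumption that a TCP pass rule only creates state on a plain SYN (pf's default flags S/SA, which OPNsense's "Any flags" rule option lifts) are mine.

```python
"""Why a source-NATed reply over a site-to-site tunnel hits the default deny rule.

Added model of the packet path described in this thread; not OPNsense, pf or AVM code.
Site A LAN 192.168.1.0/24 sits behind a stateful firewall, Site B LAN 192.168.2.0/24
behind a router that source-NATs into the tunnel as 10.0.0.5. Hosts .111/.222 and the
TCP ports are constructed sample values.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

SITE_A_LAN, SITE_B_LAN, TUNNEL = "192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/24"
SITE_B_TUNNEL_ADDR = "10.0.0.5"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags present: "S" (SYN) or "SA" (SYN-ACK)


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    # Assumption: pf's default for a TCP pass rule is "flags S/SA", so only a packet
    # with SYN set and ACK clear creates state. OPNsense's "Any flags" option lifts it.
    any_flags: bool = False

    def matches(self, p: Packet) -> bool:
        in_nets = (ip_address(p.src) in ip_network(self.src_net)
                   and ip_address(p.dst) in ip_network(self.dst_net))
        return in_nets and (self.any_flags or p.flags == "S")


class StatefulFirewall:
    """pf-style filtering: existing state first, then first-match rules, then default deny."""

    def __init__(self, rules):
        self.rules = rules
        self.states: set[tuple] = set()
        self.log: list[str] = []

    def filter(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.states or reverse in self.states:
            return True  # reply or continuation of a known flow, no rule lookup
        for rule in self.rules:
            if rule.matches(p):
                self.states.add(key)
                self.log.append(f"pass  {p.src} -> {p.dst} flags={p.flags}")
                return True
        self.log.append(f"block {p.src} -> {p.dst} flags={p.flags} (default deny)")
        return False


def site_b_router(p: Packet, nat: bool) -> Packet:
    """Site B router forwarding a packet into the tunnel; with nat=True it rewrites
    the source to its own tunnel address, which is what the thread observed."""
    return replace(p, src=SITE_B_TUNNEL_ADDR) if nat else p


def connect_a_to_b(nat: bool, any_flags: bool = False) -> dict:
    """Host 192.168.1.111 opens TCP/80 to 192.168.2.222 (the failing direction)."""
    fw = StatefulFirewall([
        Rule(SITE_A_LAN, "0.0.0.0/0"),                  # default "LAN to any" rule
        Rule(TUNNEL, SITE_A_LAN, any_flags=any_flags),  # the poster's wg-interface rule
    ])
    syn = Packet("192.168.1.111", "192.168.2.222", 40000, 80, "S")
    assert fw.filter(syn)  # LAN rule creates state; the SYN leaves through the tunnel
    # Site B's host answers; its router may source-NAT the reply into the tunnel.
    syn_ack = site_b_router(Packet("192.168.2.222", "192.168.1.111", 80, 40000, "SA"), nat)
    passed = fw.filter(syn_ack)
    # The socket on 192.168.1.111 only accepts a SYN-ACK from the peer it dialed.
    host_accepts = passed and (syn_ack.src, syn_ack.sport) == (syn.dst, syn.dport)
    return {"firewall_passed": passed, "connected": host_accepts, "log": fw.log}


def connect_b_to_a(nat: bool) -> dict:
    """The direction the thread says works: 192.168.2.222 dials 192.168.1.111:22."""
    fw = StatefulFirewall([Rule(SITE_A_LAN, "0.0.0.0/0"), Rule(TUNNEL, SITE_A_LAN)])
    syn = site_b_router(Packet("192.168.2.222", "192.168.1.111", 50000, 22, "S"), nat)
    passed_syn = fw.filter(syn)        # SYN from 10.0.0.5 matches the wg rule, state created
    syn_ack = Packet("192.168.1.111", syn.src, 22, 50000, "SA")
    passed_reply = fw.filter(syn_ack)  # matches the reversed state; the router un-NATs it
    return {"connected": passed_syn and passed_reply, "log": fw.log}


if __name__ == "__main__":
    scenarios = [
        ("A->B, Site B NATs replies", connect_a_to_b(nat=True)),
        ("A->B, Site B NATs, wg rule with any flags", connect_a_to_b(nat=True, any_flags=True)),
        ("A->B, no NAT at Site B", connect_a_to_b(nat=False)),
        ("B->A, Site B NATs", connect_b_to_a(nat=True)),
    ]
    for label, result in scenarios:
        print(f"{label}: connected={result['connected']}")
        for line in result["log"]:
            print("   ", line)
```

The first scenario prints exactly the two entries quoted above: the SYN-ACK from 10.0.0.5 matches neither the state that 192.168.1.111's SYN created (keyed on 192.168.2.222) nor a pass rule that only accepts SYNs, so it falls through to default deny. A rule that passes any flags gets the packet through the firewall but still yields no connection, because the socket on 192.168.1.111 is waiting for 192.168.2.222, not 10.0.0.5; that is why no Site A rule can fix this direction and the translation at Site B has to go. Flows that originate at Site B pass through the same rules, since their SYN arrives as 10.0.0.5 and the reverse state lookup handles the reply.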