OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of DrZoidberg »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - DrZoidberg

Pages: [1]
1
Virtual private networks / Re: Wireguard Site2Site not working
« on: August 27, 2023, 09:20:10 pm »
Quote from: Maurice on August 05, 2023, 03:31:09 pm
In case my previous post wasn't clear:

At site A (OPNsense), set the tunnel address in the local wg instance to 192.168.2.x/24 (where x must be unused at site B). Set the allowed IPs in the endpoint config to 192.168.2.0/24.

At site B (AVM), do the opposite (192.168.178.x/24 / 192.168.178.0/24).

Good luck.

[edit] The AVM how-to seems to suggest setting the wg interface's tunnel address to the same address and subnet as the local LAN interface. Really weird. So if the above doesn't work, try this. [/edit]

This setup considering the comment you made keeping the same interface address did it. Thank you!

2
Virtual private networks / Re: Wireguard Site2Site not working
« on: August 05, 2023, 07:34:41 pm »
Thank you so much! AVM is sometimes really handy, but also pretty weird. I will let you know once I have access to the router. Problem is also that every change needs to be confirmed with a physical feedback from the user.

One side question if I may ask: Why isnt it possible to overrule the firewall an let traffic from 10.0.0.5 in? It may be not secure or advisable etc. but why is there no way to force allow it?

3
Virtual private networks / Re: Wireguard Site2Site not working
« on: August 05, 2023, 03:20:16 pm »
Now I understand what they mean. Thanks a lot!

I dont have access to the Fritzbox right now, but will try asap.

4
Virtual private networks / Re: Wireguard Site2Site not working
« on: August 05, 2023, 03:03:37 pm »
Quote from: Bob.Dig on August 05, 2023, 02:59:50 pm
Quote from: DrZoidberg on August 05, 2023, 02:52:17 pm
(192.168.178.x is what I called for simplicity 192.168.1.x):
Bad idea to begin with...

What exactly do you mean?

5
Virtual private networks / Re: Wireguard Site2Site not working
« on: August 05, 2023, 03:02:53 pm »
Quote from: Maurice on August 05, 2023, 02:56:17 pm
Did you follow AVM's guide for WireGuard S2S?
https://avm.de/service/vpn/wireguard-vpn-zwischen-fritzbox-und-anderem-router-einrichten/

It seems unlikely that they perform NAT for S2S, if correctly set up.

Unfortunately, it seems to do it and AVM thinks that this is right:

https://www.fritzbox-info.com/forum/viewthread.php?thread_id=405

6
Virtual private networks / Re: Wireguard Site2Site not working
« on: August 05, 2023, 02:52:17 pm »
With Outbound NAT it looks like this (192.168.178.x is what I called for simplicity 192.168.1.x):

Why is traffic 10.0.0.5 to 10.0.0.1 blocked? I really don't get it with the rules I have shown that all traffic on the wg interface is allowed in...

7
Virtual private networks / Re: Wireguard Site2Site not working
« on: August 05, 2023, 02:34:52 pm »
You are right, I just checked it, the router at Site B has NAT always activated and it is not possible to change this.

Now my question: what are the options?

1.) If I use outbound NAT at the OPNSense they should communicate only in the 10.0.0.0/24 space? e.g. 10.0.0.1 as OPNSense to 10.0.0.5 as Fritzbox. What I see there is: 192.168.1.111 wants to reach 192.168.2.222, then NAT hits and translates it to 10.0.0.1 to 10.0.0.5, but 10.0.0.5 calls back still to 192.168.1.111 - But why? Is there a way to change it?

2.) Any other reasonable option?

8
Virtual private networks / Re: Wireguard Site2Site not working
« on: August 05, 2023, 01:23:05 pm »
The snapshot with two rules is floating rules. I actually tried it just because I have no idea how to proceed. Usually, the one rule from the wg device letting all traffic should be sufficient according to all tutorials. And yes, there is a dedicated wg device assigned.

The firewall log is from the OPNSense side which also runs the WG server. The client side is a router (Fritzbox) with a wg client.

On the router side (Site B) there is no specific options for nat, but I would as it is a router it would do it like it should.

On the OPNSense side I tried with and without outbound nat, but it doesnt really change anything. Still the incoming traffic on 10.0.0.0/24 is blocked.

9
Virtual private networks / Re: Wireguard Site2Site not working
« on: August 05, 2023, 11:15:53 am »
Here you find the rules for the wg interface and floating rules. I tried one or the other are both at the same time. No luck.

The strange part is that traffic from Site B is coming in, but only if is originated there or if it is ICMP.

10
Virtual private networks / [SOLVED] Wireguard Site2Site not working
« on: August 04, 2023, 11:33:00 pm »
Hi there,

I want to connect two home networks via Wireguard with the setup like so:

Site A: 192.168.1.0/24
Site B: 192.168.2.0/24
WG-Tunnel: 10.0.0.0/24

The Wireguard connection itself is working. I can reach the full network of Site A from Site B, I can ping/traceroute from Site A to Site B.

However, I cannot reach any service within Site B from Site A.

If I observe the live firewall log I see the following:

192.168.1.111 goes through the firewall and hits 192.168.2.222
However, the answer comes from 10.0.0.5 and wants to call back to 192.168.1.111 but hits the default deny rule.

The strange part is that I tried almost any rule to open for traffic from 10.0.0.0/24 to 192.168.1.0/24. And in general it needs to work as Site B can reach any device within the network of Site A.

Do you have any clues where I can start looking for a solution?

Thank you so much!


Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2