"
Hi Jokerface, your post does not specify which kind of setup you are trying to achive, but it kinda sounds we're stuck at the same point? Please have a look at my post - maybe we're two: https://forum.opnsense.org/index.php?topic=38697.0
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
Virtual private networks / Re: Wireguard - No Handshake, No Incomming Traffic, No Client Errors
February 08, 2024, 09:18:42 PM #2
Virtual private networks / Wireguard S2S between two opns24.1.1 not getting up - out of ideas
February 08, 2024, 05:50:13 PM
Hi! I'm new here and to opnsense, but an experienced net-admin. Can't get S2S Wireguard between two opnsense 24.1.1 getting UP for two days now..
Connecting against the instances of both opnsenses even works if I "recreate" each of the peer configs on an independent client machine. It just seems that none of the opnsenses is trying to initiate a connection to the other:
Using tcpdump I can see no traffic to the respective tunnel endpoints on both opnsenses. Not even the local opnsense trying to connect to the remote one. As if they both just do nothing.
If I connect using an independent client, I can see the UDP traffic to the public-ip:endpoint-port as expected.
Both opnsense can reach each other fine using their WAN addresses. I can e.g. login via SSH from one opnsense to the other. For troubleshooting purposes, I just allowed all IPv4 traffic between the two bidirectional. I verified the interface configs with ifconfig.
My setup corresponds to the guides setup 1:1 - no NAT or anything. The WAN interfaces of both opnsenses are even in the same /24 public network. WAN connectivity between both is verified as described above.
Debug logs on both opnsenses (after clearing log & re-enabling Wireguard) only show these 3 entries:
Has anybody seen this behaviour (no WG traffic between two opnsense endpoints)? Any thoughts on this?
I'm happy to post configuration or command outputs, but currently the configuration just copies the guide with different but analogous network- and node-addresses.. Six eyes checked the addresses & as mentioned above, the configurations work as expected If I copy'n'paste them into e.g. the Windows Wireguard client.
I don't want to setup routed IPSEC here, it's 2024 for God's sake! ;)
Thanks in advance for your help!
Connecting against the instances of both opnsenses even works if I "recreate" each of the peer configs on an independent client machine. It just seems that none of the opnsenses is trying to initiate a connection to the other:
Using tcpdump I can see no traffic to the respective tunnel endpoints on both opnsenses. Not even the local opnsense trying to connect to the remote one. As if they both just do nothing.
If I connect using an independent client, I can see the UDP traffic to the public-ip:endpoint-port as expected.
Both opnsense can reach each other fine using their WAN addresses. I can e.g. login via SSH from one opnsense to the other. For troubleshooting purposes, I just allowed all IPv4 traffic between the two bidirectional. I verified the interface configs with ifconfig.
My setup corresponds to the guides setup 1:1 - no NAT or anything. The WAN interfaces of both opnsenses are even in the same /24 public network. WAN connectivity between both is verified as described above.
Debug logs on both opnsenses (after clearing log & re-enabling Wireguard) only show these 3 entries:
Code Select
2024-02-08T16:59:28 Notice wireguard wireguard instance ivslej (wg1) started
2024-02-08T16:59:28 Notice wireguard wireguard instance ivslej (wg1) stopped
2024-02-08T16:59:28 Notice wireguard wireguard instance ivslej (wg1) can not reconfigure without stopping it first.- followed the official guide for WireGuard Site-to-Site Setup carefully, peer reviewed
- tried with and without including the LAN nets into "allowed IPs"
- always included the transfer net IPs as /32 into "allowed IPs"
- tried with and without assigning and enabling the wg interfaces, altough it's not required as per the guide
- desperately rebooted after setting up the intstance- and peer-configs
Has anybody seen this behaviour (no WG traffic between two opnsense endpoints)? Any thoughts on this?
I'm happy to post configuration or command outputs, but currently the configuration just copies the guide with different but analogous network- and node-addresses.. Six eyes checked the addresses & as mentioned above, the configurations work as expected If I copy'n'paste them into e.g. the Windows Wireguard client.
I don't want to setup routed IPSEC here, it's 2024 for God's sake! ;)
Thanks in advance for your help!
Pages1
