Messages - nathanfr

#1
Quote from: chemlud on March 28, 2024, 09:49:35 PM
Once the tunnel is established (with keep-alive) it's up and running. No further initiation is necessary.

Do a packet capture on the data center side to see if UDP is arriving at your wireguard client (OPNsense?)

You can see the UDP packets arriving at the data center opnsense (1.jpg attachment in the first message).
#2
Yes, that's true, but you have to keep sending packets through the tunnel otherwise it closes, and you have to restart a handshake:
wg1: Zeroing out keys for peer 21, since we haven't received a new one in 540 seconds

Here is the output of the sockstat command to show that the port is open:

USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS     
? ? ? udp4 *:51820 *:*
#3
I want to initiate the tunnel from both sides because the tunnel is not open all the time, and sometimes the LAN behind my home opnsense needs to open the tunnel to access the LAN behind the data center opnsense, and vice versa.

Yes, port 51820 in UDP is open on both sides.
#4
Hello,

I have set up a site-to-site tunnel following this procedure:
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

It's impossible to open the connection from my first opnsense (which is at home) to the second (which is in a datacenter rack), but if the second opnsense initializes the handshake, then the tunnel is established.

Both opnsenses use port 51820 in UDP and there is no NAT between the two.

To clarify, in the first photo you can see the result when my opnsense initializes the connection.

In the second photo, when the opnsense in the datacenter initializes the connection.
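The two conditions the thread circles around are that a side can only initiate a handshake toward a peer for which it has an Endpoint, and that an idle session's keys are zeroed after 540 seconds (the log line quoted in post #2) unless traffic such as a keep-alive keeps it alive. The following added check, written for this page and not taken from the thread or from OPNsense, parses a wg-quick style config and flags peers that this side cannot bring up on demand; the key values and the 203.0.113.20 address are constructed placeholders.

```python
import re

# WireGuard zeroes a peer's session keys after 3 * REJECT_AFTER_TIME (3 * 180 s)
# without a fresh handshake; that is the "Zeroing out keys ... 540 seconds" log line.
KEY_ZEROING_SECONDS = 540

def parse_wg_config(text):
    """Minimal parser for a wg-quick style file: returns (interface, [peers])."""
    iface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if re.fullmatch(r"\[\w+\]", line):
            current = {}
            if line.lower() == "[peer]":
                peers.append(current)                # each [Peer] gets its own dict
            else:
                iface = current
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return iface, peers

def peer_problems(peer):
    """Reasons this side could fail to bring the tunnel up on demand for one peer."""
    problems = []
    if not peer.get("endpoint"):
        problems.append("no Endpoint: this side can only answer, never initiate")
    if int(peer.get("persistentkeepalive", "0")) <= 0:
        problems.append("no PersistentKeepalive: an idle session expires after "
                        f"{KEY_ZEROING_SECONDS} s and needs a new handshake")
    return problems

def can_initiate_on_demand(text):
    """True only if every peer in the config has an Endpoint and a keepalive."""
    return all(not peer_problems(p) for p in parse_wg_config(text)[1])

# Constructed one-sided case: no Endpoint and no keepalive for the peer, so this
# site waits for the other site to start every session.
ONE_WAY = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.10.10.1/24
ListenPort = 51820

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY
AllowedIPs = 10.10.10.2/32, 192.168.2.0/24
"""

# Same site corrected: Endpoint lets this side initiate, keepalive keeps the
# session from idling out; the other site's file mirrors this for its own peer.
TWO_WAY = ONE_WAY + "Endpoint = 203.0.113.20:51820   # constructed address\n" \
                    "PersistentKeepalive = 25\n"

if __name__ == "__main__":
    for name, cfg in (("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        print(name, [peer_problems(p) for p in parse_wg_config(cfg)[1]])
```

On OPNsense the same two settings are the per-peer "Endpoint address"/"Endpoint port" and "Keepalive interval" fields; both sites need them filled in for either side to open the tunnel.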