Messages - bootpanic

#1
I have to apologize to anyone who read this and/or spent time on it!

The problem was an IPsec tunnel that was still running.

A quick explanation. Site 1 has been running OPNsense for over 8 months. The firewall on site 2 was replaced with OPNsense a few days ago. The site to site VPN on the old firewall was IPsec. I forgot to turn off IPsec on the OPNsense firewall on site 1. Now everything works perfectly.

Again, my apologies for this post.
#2
I have on both locations:
- A firewall rule (direction in) on the LAN interface that allows traffic from the local LAN net to the remote LAN net.
- A firewall rule (direction in) on the wireguard group interface that allows traffic from the remote LAN net to the local LAN net.

As advised in this tutorial: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
#3
Thanks for your reply!

Allowed IPs on Site 1: 192.168.2.0/23 10.0.6.2/32
Allowed IPs on Site 2: 192.168.12.0/22 10.0.6.1/32

Ping from Site 1 while monitoring wireguard interface on Site 2
First ping: from LAN addr on site 1 to LAN addr on site 2 (nothing coming through)
Second ping: from LAN addr on site 1 to tunnel endpoint on site 2
Site 1 LAN: 192.168.12.0/22
Site 1 Tunnel endpoint: 10.0.6.1/24

12:39:53.206777 IP 192.168.15.51 > 10.0.6.2: ICMP echo request, id 42540, seq 1, length 64
12:39:54.186279 IP 192.168.15.51 > 10.0.6.2: ICMP echo request, id 42540, seq 2, length 64
12:39:55.207374 IP 192.168.15.51 > 10.0.6.2: ICMP echo request, id 42540, seq 3, length 64
12:39:56.232088 IP 192.168.15.51 > 10.0.6.2: ICMP echo request, id 42540, seq 4, length 64


Ping from Site 2 while monitoring wireguard interface on Site 1
First ping: from LAN addr on site 2 to LAN addr on site 1
Second ping: from LAN addr on site 2 to tunnel endpoint on site 1
Site 2 LAN: 192.168.2.0/23
Site 2 Tunnel endpoint: 10.0.6.2/24

root@OPNsense:~ # tcpdump -i wg0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type NULL (BSD loopback), snapshot length 262144 bytes
12:05:34.021200 IP 192.168.3.79 > 192.168.15.51: ICMP echo request, id 1, seq 5097, length 40
12:05:38.845414 IP 192.168.3.79 > 192.168.15.51: ICMP echo request, id 1, seq 5098, length 40
12:05:43.838024 IP 192.168.3.79 > 192.168.15.51: ICMP echo request, id 1, seq 5100, length 40
12:05:48.840141 IP 192.168.3.79 > 192.168.15.51: ICMP echo request, id 1, seq 5101, length 40
12:06:13.801336 IP 192.168.3.79 > 10.0.6.1: ICMP echo request, id 1, seq 5103, length 40
12:06:18.337397 IP 192.168.3.79 > 10.0.6.1: ICMP echo request, id 1, seq 5105, length 40
12:06:23.330453 IP 192.168.3.79 > 10.0.6.1: ICMP echo request, id 1, seq 5106, length 40
12:06:28.337835 IP 192.168.3.79 > 10.0.6.1: ICMP echo request, id 1, seq 5107, length 40
#4
Some more info.

Site 1
LAN: 192.168.12.0/22
Tunnel endpoint: 10.0.6.1/24
output of netstat -rn (related part):
Internet:
Destination        Gateway            Flags         Netif Expire
10.0.6.0/24        link#10            U               wg0
10.0.6.1           link#5             UHS             lo0
10.0.6.2           link#10            UHS             wg0
192.168.2.0/23     link#10            US              wg0
192.168.12.0/22    link#2             U              igc1

Site 2
LAN: 192.168.2.0/23
Tunnel endpoint: 10.0.6.2/24
output of netstat -rn (related part):
Internet:
Destination        Gateway            Flags         Netif Expire
default            94.110.192.1       UGS            igb1
10.0.6.0/24        link#7             U               wg0
10.0.6.1           link#7             UHS             wg0
10.0.6.2           link#3             UHS             lo0
192.168.2.0/23     link#1             U              igb0
192.168.12.0/22    link#7             US              wg0
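To tie together the AllowedIPs in post #3, the routing tables in post #4 and the resolution in post #1, here is an added example (not from the thread, not OPNsense or WireGuard code) that models the three decisions an outbound packet goes through on a box running WireGuard next to a leftover policy-based IPsec tunnel: the IPsec SPD selector match (which captures matching traffic before the normal routing interface is used), the longest-prefix route lookup, and WireGuard's cryptokey routing (destination must sit inside some peer's AllowedIPs on send; source must sit inside the peer's AllowedIPs on receive, otherwise the packet is silently dropped). The addresses and routes are the ones posted in the thread. The stale selector 192.168.12.0/22 -> 192.168.2.0/23 on site 1 is an assumption for illustration; the thread only says the old IPsec tunnel on site 1 was still running.

```python
"""Simplified model of packet handling on an OPNsense box with WireGuard (wg0)
and a leftover policy-based IPsec tunnel.

  1. IPsec SPD selector match   -> packet is handed to IPsec, wg0 never sees it
  2. routing table, longest prefix match -> egress interface
  3. WireGuard cryptokey routing -> dst must be in a peer's AllowedIPs (send),
     src must be in the peer's AllowedIPs (receive)

Addresses are those from the thread; the stale IPsec selector is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Peer:
    name: str
    allowed_ips: list   # list of IPv4Network: the peer's AllowedIPs


@dataclass
class Site:
    name: str
    routes: dict        # IPv4Network prefix -> interface name, as in netstat -rn
    peers: list         # WireGuard peers bound to wg0
    ipsec_spd: list     # (src_net, dst_net) selectors still installed in the SPD


def lookup_route(site, dst):
    """Longest-prefix match over the site's routing table; None if no route."""
    dst = ip_address(dst)
    matches = [(prefix, ifn) for prefix, ifn in site.routes.items() if dst in prefix]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def egress(site, src, dst):
    """Where does an outbound packet src -> dst end up on this site?"""
    src, dst = ip_address(src), ip_address(dst)
    for s_net, d_net in site.ipsec_spd:          # 1. SPD selector wins over the route
        if src in s_net and dst in d_net:
            return "ipsec"
    ifn = lookup_route(site, dst)                # 2. routing table
    if ifn != "wg0":
        return ifn or "no-route"
    for peer in site.peers:                      # 3. cryptokey routing, send side
        if any(dst in net for net in peer.allowed_ips):
            return f"wg0:{peer.name}"
    return "wg0:dropped"                         # no peer owns this destination


def ingress_ok(site, peer_name, src):
    """Receive side of cryptokey routing: a decrypted packet whose source is not
    inside the sending peer's AllowedIPs is dropped without any log entry."""
    src = ip_address(src)
    peer = next(p for p in site.peers if p.name == peer_name)
    return any(src in net for net in peer.allowed_ips)


def nets(*cidrs):
    return [ip_network(c) for c in cidrs]


def build_sites(stale_ipsec_on_site1):
    """Both sites as posted; optionally with the assumed stale IPsec policy on site 1."""
    site1 = Site("site1",
                 routes={ip_network("10.0.6.0/24"): "wg0",
                         ip_network("192.168.2.0/23"): "wg0",
                         ip_network("192.168.12.0/22"): "igc1"},
                 peers=[Peer("site2", nets("192.168.2.0/23", "10.0.6.2/32"))],
                 ipsec_spd=[(ip_network("192.168.12.0/22"), ip_network("192.168.2.0/23"))]
                 if stale_ipsec_on_site1 else [])
    site2 = Site("site2",
                 routes={ip_network("0.0.0.0/0"): "igb1",
                         ip_network("10.0.6.0/24"): "wg0",
                         ip_network("192.168.2.0/23"): "igb0",
                         ip_network("192.168.12.0/22"): "wg0"},
                 peers=[Peer("site1", nets("192.168.12.0/22", "10.0.6.1/32"))],
                 ipsec_spd=[])
    return site1, site2


if __name__ == "__main__":
    broken1, site2 = build_sites(stale_ipsec_on_site1=True)
    fixed1, _ = build_sites(stale_ipsec_on_site1=False)
    # LAN-to-LAN from site 1 is swallowed by the stale IPsec policy ...
    print(egress(broken1, "192.168.15.51", "192.168.3.79"))
    # ... and so is the reply to a ping that arrived over wg0 from site 2's LAN
    print(egress(broken1, "192.168.15.51", "192.168.3.79"))
    # ... while a ping to the peer's tunnel address bypasses the selector
    print(egress(broken1, "192.168.15.51", "10.0.6.2"))
    # with the policy gone, LAN-to-LAN goes to the WireGuard peer
    print(egress(fixed1, "192.168.15.51", "192.168.3.79"))
    # and site 2 accepts the source because 192.168.12.0/22 is in AllowedIPs
    print(ingress_ok(site2, "site1", "192.168.15.51"))
```

The model reproduces the capture pattern in post #3: a ping from the site 1 LAN to the site 2 tunnel address shows up on the remote wg0, while LAN-to-LAN traffic and the replies to LAN-to-LAN pings never reach wg0 because the stale selector takes them. The `ingress_ok` check is the one to run when a tunnel is up and packets arrive but vanish: an AllowedIPs prefix narrower than the real LAN (say /24 instead of /22) drops them silently on the receiving side.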
#5
I am trying to set up a site-to-site VPN between 2 locations. The idea is that the LAN of site 1 can be reached via the LAN of site 2 and vice versa. The OPNsense on site 1 is version 25.1 and 25.1.1 on site 2. Both firewalls have direct internet access without NAT. I followed this guide exactly: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

I get absolutely nothing routed through the tunnel. I can't ping from one firewall to the other. When I ping from Site 1 to Site 2, I see the traffic coming from the tunnel with tcpdump in the shell on the firewall of site 2, so the VPN tunnel is working.

root@OPNsense:~ # tcpdump -n -i wg0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type NULL (BSD loopback), snapshot length 262144 bytes
01:21:48.611192 IP 10.0.6.2 > 192.168.15.1: ICMP echo request, id 2664, seq 0, length 64
01:21:49.616304 IP 10.0.6.2 > 192.168.15.1: ICMP echo request, id 2664, seq 1, length 64
01:21:50.616633 IP 10.0.6.2 > 192.168.15.1: ICMP echo request, id 2664, seq 2, length 64

I have no idea what is going on. I use Linux but have little BSD experience.

Thanks in advance for reading this. Any help is greatly appreciated.

Regards,
Patrick