Messages

Update after further testing:

I ran a packet capture on Site A (OPNsense), LAN interface, while pinging 192.168.20.250 from a client (192.168.10.80) on the LAN.
Here's a sample from the capture:

Code Select Expand

192.168.10.80 > 192.168.20.250: ICMP echo request 
192.168.20.250 > 192.168.10.80: ICMP echo reply
This confirms that:

✅ The ICMP request is leaving the client and reaching the remote site
✅ The ICMP reply is coming back through the WireGuard tunnel and reaching OPNsense Site A

Then, I ran a tcpdump directly on the Linux client at 192.168.10.80, and here's the interesting part:

✅ I can see the ICMP echo requests going out

❌But I do not see the ICMP echo replies arriving

➤ Conclusion:
The echo reply reaches OPNsense but never makes it to the LAN client.

🔍 My other checks:

• I verified that the LAN rule on Site A does not define a gateway (it's set to default — unchecked)
• I reviewed the LAN firewall rules on Site A to ensure they allow traffic from 192.168.20.0/24 to LAN net
• I also double-checked Outbound NAT to make sure no NAT is interfering with inter-site LAN traffic
• And I'll make sure the client firewall (iptables or ufw) isn't dropping the reply silently

Let me know if there's anything else you recommend I check at this point — I feel like I'm close! 😅

Thanks again to everyone helping out

Thanks,

No explicit gateway on allow rule. I'll try to debug with a packet capture. I'll be back ;)

Looks good. "Disable routes" is not checked?

Thanks, I just checked, it's unchecked on both sides.

What are the "AllowedIPs" for the respective peer on each side?

On site A : 10.2.2.2/32 and 192.168.20.0/24
On site B : 10.2.2.1/32 and 192.168.10.0/24

[Problem:]

Hello everyone,

I'm setting up a site-to-site VPN between two sites using WireGuard on OPNsense.

Here is a diagram of my setup:

Code Select Expand

                   VPN Site-to-Site (WireGuard)
                   ============================

                        Internet
                            |
                            |
                    ------------------
                    |                |
              [WAN IP]         [WAN IP]
          198.51.100.1       203.0.113.1
            (Site A)            (Site B)
                    |                |
            -----------------  -----------------
            |  OPNsense A   |  | OPNsense B       |
            |---------------|  |------------------|
            | LAN IP:       |  | LAN IP:          |
            | 192.168.10.253|  | 192.168.20.253   |
            | WG IP:        |  | WG IP:           |
            | 10.2.2.1      |  | 10.2.2.2         |
            -----------------  ------------------
                    |                |
        ------------------  ------------------
        | LAN Site A       |  | LAN Site B        |
        | 192.168.10.0/24  |  | 192.168.20.0/24   |
        ------------------  ------------------

Problem:

From OPNsense A, I can successfully ping LAN devices on Site B.

From OPNsense B, I can successfully ping LAN devices on Site A.

But from LAN Site A, I cannot reach devices on LAN Site B, and vice-versa.

Notes:

The WireGuard interfaces are properly assigned and enabled on both sides.

The firewalls have "allow all" rules on LAN and WireGuard interfaces for testing.

Each LAN device uses the local OPNsense router as its gateway (192.168.10.253 and 192.168.20.253).

The OPNsense VMs are hosted on XCP-ng servers at both sites.

Question:

What could be preventing direct LAN-to-LAN communication if the OPNsense boxes themselves can already talk across the tunnel?

Thanks in advance for your help!