FYI, I updated the diagram to reflect the ISP router in front of each opnsense instance.
Quote from: nicqq on September 18, 2025, 11:42:25 PM
> whats your wireguard keepalive timer for both (VPS and warriors)?

the static ip doesn't have a keep-alive set for the clients (per docs IIRC)
the dynamic ip peers have a 25s keepalive back to the static server
Quote from: nicqq on September 18, 2025, 11:42:25 PM
> what if VPS goes down?

it's not work/critical so I'm taking a weekly snapshot of the VPS and using zfs snapshots in opnsense to help speed up disaster recovery. If needed, I can manually send any pdfs while the VPS is down
> - I'm not able to ping the remote wg ip nor the remote fw "inside" ip
Quote from: nicqq on September 18, 2025, 11:42:25 PM
> ups.. regarding your issue.. what's the routing table of peers?

for completeness sharing all (with some data dropped re physical interfaces)
static ip opnsense
Code:
Destination Gateway Flags Nhop# Mtu Netif Expire
10.0.100.0/24 link#7 U 9 1420 wg0
10.0.100.1 link#3 UHS 10 16384 lo0
10.0.100.10 link#7 UHS 11 1420 wg0
10.0.100.50 link#7 UHS 11 1420 wg0
192.168.100.0/24 link#2 U 1 1500 vnet0
192.168.100.3 link#3 UHS 3 16384 lo0
192.168.10.0/24 link#7 US 12 1420 wg0
192.168.50.0/24 link#7 US 12 1420 wg0
opnsense .10.1
Code:
Destination Gateway Flags Nhop# Mtu Netif Expire
default 192.168.20.1 UGS 7 1500 vtnet0
10.0.100.0/24 link#7 U 8 1420 wg0
10.0.100.100 link#7 UHS 10 1420 wg0
10.0.100.10 link#3 UHS 9 16384 lo0
127.0.0.1 link#3 UH 2 16384 lo0
192.168.10.0/24 link#2 U 4 1500 vtnet1
192.168.10.1 link#3 UHS 5 16384 lo0
opnsense .50.1
Code:
default 192.168.1.1 UGS 6 1500 igc1
10.0.100.0/24 link#7 U 7 1420 wg0
10.0.100.50 link#3 UHS 8 16384 lo0
127.0.0.1 link#3 UH 2 16384 lo0
192.168.50.0/24 link#1 U 1 1500 igc0
192.168.50.1 link#3 UHS 3 16384 lo0
It's strange that the static ip opnsense has the wireguard routes, but the dynamic ip opnsense doesn't have them automatically added. I thought I missed an "apply" so I restarted and did see this in the dynamic ip wireguard logs.
Code:
.50.1 - "/usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '10.0.100.50/32' -interface 'wg0'' returned exit code '1', the output was ''"
.10.1 - "/usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '10.0.100.10/32' -interface 'wg0'' returned exit code '1', the output was ''"
The error is not in the static ip opnsense wireguard logs.

So looks like the routes back to the VPS are missing. Should they be added similar to the policy based routing approach? Or as static routes?
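A small check for the situation described in this post, written as an added example (it is not code from the post or from OPNsense): it parses the three `netstat -rn` style tables posted above, reports which tunnel destinations each box would send out the ISP default route instead of wg0, and looks up whether the destination a failed `route add` tried to insert already exists in the table. The expected-destination lists are assumptions (in particular that the VPS LAN 192.168.100.0/24 is meant to be reachable through the tunnel). A wg0 route is necessary but not sufficient: WireGuard also drops packets whose destination is outside the peer's Allowed IPs, so those must cover the remote networks as well.

```python
"""Find missing WireGuard tunnel routes in FreeBSD/OPNsense routing tables.
Added example for this thread; not OPNsense's own code."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_netstat(text: str) -> List[Route]:
    """Parse 'Destination Gateway Flags Nhop# Mtu Netif [Expire]' rows.
    'default' becomes 0.0.0.0/0; bare host addresses become /32."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not an IP destination row
        if net.version == 4:
            routes.append(Route(net, parts[1], parts[2], parts[5]))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, the way the kernel picks a route."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def missing_tunnel_routes(table: str, expected: List[str], wg_if: str = "wg0") -> List[str]:
    """Return expected destinations whose best route does NOT leave via wg_if.
    Such traffic follows 'default' out to the ISP router instead of the tunnel."""
    routes = parse_netstat(table)
    missing = []
    for dst in expected:
        net = ipaddress.ip_network(dst, strict=False)
        # probe the first usable address of a network, or the host itself
        probe = net.network_address + (1 if net.prefixlen < 32 else 0)
        hit = lookup(routes, str(probe))
        if hit is None or hit.netif != wg_if:
            missing.append(dst)
    return missing


def existing_entry(table: str, dest: str) -> Optional[Route]:
    """Entry already present for exactly `dest`. '/sbin/route add' of an existing
    destination fails with EEXIST (exit code 1); '-q' hides the message, which
    matches the empty output in the posted log lines."""
    want = ipaddress.ip_network(dest, strict=False)
    return next((r for r in parse_netstat(table) if r.dest == want), None)


# Copies of the three tables posted in this thread (constructed test input).
STATIC = """Destination Gateway Flags Nhop# Mtu Netif Expire
10.0.100.0/24 link#7 U 9 1420 wg0
10.0.100.1 link#3 UHS 10 16384 lo0
10.0.100.10 link#7 UHS 11 1420 wg0
10.0.100.50 link#7 UHS 11 1420 wg0
192.168.100.0/24 link#2 U 1 1500 vnet0
192.168.100.3 link#3 UHS 3 16384 lo0
192.168.10.0/24 link#7 US 12 1420 wg0
192.168.50.0/24 link#7 US 12 1420 wg0
"""
DYN_10 = """default 192.168.20.1 UGS 7 1500 vtnet0
10.0.100.0/24 link#7 U 8 1420 wg0
10.0.100.100 link#7 UHS 10 1420 wg0
10.0.100.10 link#3 UHS 9 16384 lo0
127.0.0.1 link#3 UH 2 16384 lo0
192.168.10.0/24 link#2 U 4 1500 vtnet1
192.168.10.1 link#3 UHS 5 16384 lo0
"""
DYN_50 = """default 192.168.1.1 UGS 6 1500 igc1
10.0.100.0/24 link#7 U 7 1420 wg0
10.0.100.50 link#3 UHS 8 16384 lo0
127.0.0.1 link#3 UH 2 16384 lo0
192.168.50.0/24 link#1 U 1 1500 igc0
192.168.50.1 link#3 UHS 3 16384 lo0
"""

# Assumed expectations: each box should reach the other wg addresses and LANs via wg0.
EXPECT_STATIC = ["10.0.100.10", "10.0.100.50", "192.168.10.0/24", "192.168.50.0/24"]
EXPECT_10 = ["10.0.100.1", "10.0.100.50", "192.168.50.0/24", "192.168.100.0/24"]
EXPECT_50 = ["10.0.100.1", "10.0.100.10", "192.168.10.0/24", "192.168.100.0/24"]

if __name__ == "__main__":
    for name, table, exp in (("static", STATIC, EXPECT_STATIC),
                             (".10.1", DYN_10, EXPECT_10), (".50.1", DYN_50, EXPECT_50)):
        print(name, "missing via wg0:", missing_tunnel_routes(table, exp))
    print(".50.1 already has:", existing_entry(DYN_50, "10.0.100.50/32"))
```

Run against the posted tables, the static box is complete, while each dynamic box lacks the remote LAN routes, and the /32 each failed `route add` tried to insert is the box's own wg address already sitting on lo0.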