Topics - nsteinmetz

Virtual private networks / [Solved] Wireguard Site to Site - Allow traffic between sites ?
« on: July 28, 2021, 09:56:46 am »
Hello,

I could set up a RoadWarrior connection and it works well. Trying now to set up a site-to-site connection. Connection works between endpoints but traffic is not allowed.

I followed these tutorials:
* https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
* https://www.procustodibus.com/blog/2020/12/wireguard-site-to-site-config/

In both cases, the network is:

Internet <-> Modem <-> OpnSense <-> LAN/WLAN

Site A:
- Modem: 192.168.1.10
- OpnSense: 10.250.0.1
- LAN: 10.250.0.1/24
- WLAN: 10.251.0.1/24
- WG0: 10.252.0.1/24 (RoadWarrior)
- WG1: 10.253.0.1/24 (site to site)

Site B:
- Modem: 192.168.1.1
- OpnSense: 192.168.7.1
- LAN: 192.168.7.1/24
- WLAN: 192.168.9.1/24
- WG0: 192.168.11.1/24 (RoadWarrior)
- WG1: 10.253.0.2/24 (site to site)

For the WG configuration more precisely:

On Site A

Local:
- Name AtoB
- Port 51821
- Tunnel: 10.253.0.1/24
- Peers: SiteB

Endpoint:
- Name: SiteB
- AllowedIP: 10.253.0.2/32  192.168.7.1/24 192.168.9.1/24
- endpoint: IP.OF.SITE.B
- port: 51821


On Site B

Local:
- Name BtoA
- Port 51821
- Tunnel: 10.253.0.2/24
- Peers: SiteA

Endpoint:
- Name: SiteA
- AllowedIP: 10.253.0.2/32 10.250.0.1/24 10.251.0.1/24 
- endpoint: IP.OF.SITE.1
- port: 51821

On both opnsense:
- I set WG1 as an interface so I have the automatic rules for Firewall > NAT > Outbound
- Firewall > WAN > set rule to accept connection on port 51821/UDP => this works as I see they are connected in VPN > Wireguard > List Configurations
- Firewall > WG1 > Accept all traffic on WG1 interface from WG1 net to LAN net (IN rule)
- Firewall > LAN > Accept all traffic on LAN interface from WG1 net to LAN net (IN rule)
- Firewall > LAN > Accept all traffic on LAN interface from LAN net to WG1 net (IN rule)

On firewall log, on site B, when from site A I ping or nmap a host on site B:
- it passes on Site A to site B (firewall log from opnsense on site A)
- it's denied on WG1 in site B (firewall log from opnsense on site A) - with label "Default deny rule"

So what's the next rule to add? It must be a LAN to WG1 kind of rule, but I don't know how to implement it :(

Hope I provided enough details, and if I can improve the docs once this is solved, I'll be happy to contribute.
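As an added example (not part of the post or of OPNsense's own code), a small Python model of WireGuard's cryptokey routing over the AllowedIPs the post gives, plus a model of the post's WG1 IN rule under the assumption that the "WG1 net" alias expands to the WG1 interface's own subnet (10.253.0.0/24). It shows which packets WireGuard discards silently and which ones reach pf on WG1, where the post's log entry appears.

```python
from ipaddress import ip_address, ip_network

# Values constructed from the post; host-style entries such as 192.168.7.1/24
# are normalised to their network (strict=False), as WireGuard does on input.
def nets(spec):
    return [ip_network(s, strict=False) for s in spec.split()]

SITES = {
    "A": {"peer": "B", "wg1_net": ip_network("10.253.0.0/24"),
          "lan_net": ip_network("10.250.0.0/24"),
          "allowed": nets("10.253.0.2/32 192.168.7.1/24 192.168.9.1/24")},
    "B": {"peer": "A", "wg1_net": ip_network("10.253.0.0/24"),
          "lan_net": ip_network("192.168.7.0/24"),
          "allowed": nets("10.253.0.2/32 10.250.0.1/24 10.251.0.1/24")},
}

def in_allowed(site, addr):
    """True if addr lies inside any AllowedIPs entry of this site's peer."""
    return any(ip_address(addr) in n for n in SITES[site]["allowed"])

def wg1_rule_matches(site, src, dst):
    """Model of the post's WG1 IN rule 'WG1 net -> LAN net'. Assumption: the
    '<interface> net' alias expands to that interface's own subnet only."""
    s = SITES[site]
    return ip_address(src) in s["wg1_net"] and ip_address(dst) in s["lan_net"]

def trace(src_site, src, dst):
    """Follow one packet from src_site through the tunnel to the far firewall."""
    dst_site = SITES[src_site]["peer"]
    # Sending side of cryptokey routing: only a dst inside the peer's
    # AllowedIPs is encrypted and sent to that peer at all.
    if not in_allowed(src_site, dst):
        return "not routed into tunnel at site " + src_site
    # Receiving side: a decrypted packet whose src is outside the sender's
    # AllowedIPs is discarded by WireGuard, before any pf rule can log it.
    if not in_allowed(dst_site, src):
        return "dropped by WireGuard at site " + dst_site
    if wg1_rule_matches(dst_site, src, dst):
        return "passed by WG1 rule at site " + dst_site
    return "default deny on WG1 at site " + dst_site

if __name__ == "__main__":
    for s, src, dst in [("A", "10.250.0.50", "192.168.7.20"),
                        ("A", "10.253.0.1", "192.168.7.20"),
                        ("B", "10.253.0.2", "10.250.0.50")]:
        print(s, src, "->", dst, ":", trace(s, src, dst))
```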

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved