WireGuard Site to Site

Started by BrownCow, December 13, 2020, 10:22:39 PM

First off, I understand that I might be doing this all wrong but I've tried to get myself as far as I can before asking for help.

I want to implement WireGuard in a site to site configuration and, since I'm learning, I've decided to put it into OPNsense first. Later I might install it bare metal.

Both setups are ISP Modem -> Asus Router. I still want to use both Asus routers for everything they currently do. As such I only want OPNsense to run WireGuard and nothing more.

I followed this guide up until Step 3. https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

Both instances of WireGuard initiate and stay that way, so it appears I have done something right. Neither has a WAN interface, but both can ping the internet through the existing LAN. I can't ping from one network to the other. I do have an existing OpenVPN server running on one site and can log into it from the other. (Should I stop the OpenVPN server?) Both networks are using the same DHCP range, but their servers assign to different subsets.

Running WireGuard from terminal produces:

  • rm -f /var/run/wireguard/wg0.sock
  • resolvconf -d wg0
  • wireguard-go wg0
    INFO: (wg0) 2020/12/14 06:53:51 Starting wireguard-go version 0.0.20201118
  • wg setconf wg0 /tmp/tmp.vHeA3nWe/sh-np.Idyy4J
  • ifconfig wg0 inet 192.168.5.1/24 192.168.5.1 alias
  • ifconfig wg0 mtu 1420
  • ifconfig wg0 up
  • resolvconf -a wg0 -x
  • route -q -n add -inet 192.168.5.2/32 -interface wg0
  • route -q -n add -inet 192.168.1.0/32 -interface wg0
  • Backgrounding route monitor

and

  • rm -f /var/run/wireguard/wg0.sock
  • resolvconf -d wg0
  • wireguard-go wg0
    INFO: (wg0) 2020/12/14 06:57:15 Starting wireguard-go version 0.0.20201118
  • wg setconf wg0 /tmp/tmp.fKJLL0pk/sh-np.2X3j2S
  • ifconfig wg0 inet 192.168.5.2/24 192.168.5.2 alias
  • ifconfig wg0 mtu 1420
  • ifconfig wg0 up
  • resolvconf -a wg0 -x
  • route -q -n add -inet 192.168.5.1/32 -interface wg0
  • route -q -n add -inet 192.168.1.0/32 -interface wg0
  • Backgrounding route monitor

The config files are:

    [Interface]
    Address = 192.168.5.1/24
    DNS = 192.168.1.250
    ListenPort = 51820
    PrivateKey = {randomstring}=
    [Peer]
    PublicKey = {randomstring}=
    AllowedIPs = 192.168.1.0,192.168.5.2
    Endpoint = {correctWANip}:51820

and

    [Interface]
    Address = 192.168.5.2/24
    DNS = 192.168.1.240
    ListenPort = 51820
    PrivateKey = {randomstring}=
    [Peer]
    PublicKey = {randomstring}=
    AllowedIPs = 192.168.5.1,192.168.1.0
    Endpoint = {correctWANip}:51820

All keys end in an equals sign. (Is that correct?)

Both state in VPN -> WireGuard -> Handshakes = 0.

I haven't added any routes or anything to the firewall as WireGuard isn't using a WAN interface (I understand this could be the problem).

Like I said, I'm new to this, so understand I might have a fundamental problem that I can't see.

December 13, 2020, 10:47:16 PM #1 Last Edit: December 13, 2020, 11:06:26 PM by Greelan
Try changing the AllowedIPs to CIDR notation, e.g. 192.168.5.1/32

Thanks. I just tried that, but I'm still not getting a handshake and still can't ping from one VM to the other.

Quite possibly a routing issue, as you have guessed. I haven't implemented WG on a host behind my firewall, only on the OPNsense firewall itself, so I haven't got any immediate ideas for your scenario.

Thanks. I'll keep plugging away and hopefully someone might have an idea.

Have you thought about port forwarding on your router? Incoming requests on the WG port need to be directed to the WG host.

On both routers I have forwarded port 51820 from all addresses to the relevant VM.

I also turned off the firewalls on both routers (temporarily) but that didn't help either.