WireGuard site-to-site from OPNsense to another WireGuard server

Started by Bytechanger, January 20, 2021, 09:36:44 AM

Hi,

I want to connect my OPNsense WireGuard as a "VPN client" to another WireGuard server.
I've already read the WireGuard site-to-site docs, but it doesn't work.

This is my config file; with the Windows WireGuard connector it runs perfectly.
Now I want to connect from OPNsense to the server.

[Interface]
ListenPort = 55522
PrivateKey = pv123
Address = 10.100.100.37/31

[Peer]
PublicKey = pub123
EndPoint = XX.XX.XX.XX:55522
AllowedIPs = 10.1.3.0/24
PersistentKeepalive = 10


I created at Local->Server:

Public Key    pub123 (Key from Config file)
Private Key   pv123   (Key from Config file)
ListenPort     55522
TunnelAddress 10.100.100.37/31
Peers              MyPeer


I created at Endpoints:

Name       MyPeer
PublicKey  pub123 (Key from Config file)
Allowed IPs 10.1.3.0/24
Endpoint Address  XX.XX.XX.XX:55522
Endpoint Port          55522
Keepalive 10


But it doesn't work...

On the firewall I set a WireGuard rule: pass all.

Please help.


Greets

Byte
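Before transcribing a wg-quick config into the OPNsense Local and Endpoint forms, a small sanity check catches two of the things this thread trips over: AllowedIPs that never cover the far end's tunnel address (so a ping to the server's tunnel IP never enters the tunnel even after a handshake), and the same public key entered for both the local interface and the peer. This is an added Python example, not code from the thread or from OPNsense; the `PublicKey` line under `[Interface]` stands in for the Local form's Public Key field (it is not a wg-quick key) and the sample config is constructed from the post.

```python
import ipaddress

# Constructed sample: the thread's config, plus the OPNsense "Local" form's
# Public Key copied into [Interface] the way the poster filled it in.
SAMPLE = """[Interface]
PrivateKey = pv123
PublicKey = pub123
Address = 10.100.100.37/31

[Peer]
PublicKey = pub123
EndPoint = XX.XX.XX.XX:55522
AllowedIPs = 10.1.3.0/24
"""

def parse_wg(text):
    """Parse wg-quick style text; keys lower-cased, every non-[Interface] section is a peer."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = iface if line[1:-1].strip().lower() == "interface" else {}
            if cur is not iface:
                peers.append(cur)
            continue
        key, sep, val = line.partition("=")
        if cur is None or not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        cur[key.strip().lower()] = val.strip()
    return iface, peers

def check_config(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    iface, peers = parse_wg(text)
    tunnel_net = ipaddress.ip_interface(iface["address"]).network
    findings = []
    for i, peer in enumerate(peers, 1):
        allowed = [ipaddress.ip_network(c.strip())
                   for c in peer.get("allowedips", "").split(",") if c.strip()]
        if not allowed:
            findings.append(f"peer {i}: no AllowedIPs, nothing is routed into the tunnel")
        # Unless AllowedIPs overlaps the tunnel net, a ping to the far end's tunnel
        # address never enters the tunnel even when the handshake succeeds.
        elif not any(n.overlaps(tunnel_net) for n in allowed):
            findings.append(f"peer {i}: AllowedIPs do not cover the tunnel network {tunnel_net}")
        if "publickey" in iface and peer.get("publickey") == iface["publickey"]:
            findings.append(f"peer {i}: PublicKey equals the local PublicKey; enter the other side's key")
    return findings
```

Run `check_config(SAMPLE)` to see both findings; adding `10.100.100.36/32` to AllowedIPs and using the server's own public key for the peer clears them.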

Do you see any traffic on that connection?
Are there any handshakes in VPN: WireGuard in the tab Handshakes?
"The S in IoT stands for Security!" :)

Nope,

Handshakes:

wg1 pub123 0


List Configuration

interface: wg1
  public key: another pubkey!
  private key: (hidden)
  listening port: 55522

peer: pub123
  endpoint: XX.XX.XX.XX:55522
  allowed ips: 10.1.3.0/24
  transfer: 0 B received, 3.76 KiB sent
  persistent keepalive: every 10 seconds


All howtos I saw set up site-to-site between OPNsense boxes; none had a config to set on ONE OPNsense.
On the WireGuard server I can't set anything.

Greets

Byte

Did you enable the WireGuard service in the general tab?
Do you allow traffic on the WAN interface to the WireGuard port?
"The S in IoT stands for Security!" :)

WireGuard is enabled; I have a second WireGuard server running on OPNsense as road warrior, and this works fine.

And NO, I don't want to allow traffic over WAN to THIS WireGuard, because it should be a WireGuard client!

Traffic should go OUT over WAN to the WireGuard server, and the return traffic is allowed by default (stateless firewall).
So when I start WireGuard on my desktop PC, I don't have to open a WAN port to get a connection; it's an outgoing connection.

OPNsense should connect AS CLIENT to the WireGuard server on the other side!


Greets

Byte

OK,
looking at the internal config of WireGuard in OPNsense, it looks good:


sudo cat /usr/local/etc/wireguard/wg1.conf

[Interface]
Address = 10.100.100.37/31
ListenPort = 55522
PrivateKey = pv123

[Peer]
PublicKey = pub123
AllowedIPs = 0.1.3.0/24
Endpoint = XX.XX.XX.XX:55522
PersistentKeepalive = 10


You should see traffic leaving your OPNsense box then. Have a look in Firewall: Log Files: Live View.

There should be traffic towards the endpoint you defined. It should be covered by the "Let out anything from firewall host itself" rule.
"The S in IoT stands for Security!" :)

Mildly OT, but is "PersistentKeepalive = 10" the standard used by OPNsense?

kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Make sure you don't have any other site-to-site VPNs enabled while trying to get this to work between the sites. I had an OpenVPN tunnel between the two sites up while trying to get this to work, and no traffic would pass through the WireGuard VPN. Once I disabled the OpenVPN tunnel, everything worked.