WG Site-to-site - only RDP and VNC work

Started by kss, June 12, 2022, 07:07:22 AM

I have setup a site-to-site WG VPN that somewhat works --

Names resolve correctly on both LANs across the VPN. RDP and VNC work flawlessly on machines on either LAN to access remote hosts by name.

However, ping times out and I am unable to browse shares on the computers across the VPN either by name or IP address.

I only have a PASS rule to allow IPv4 UDP between the firewalls; I suspect that I need another PASS rule on both sides to allow other IPv4 traffic into the LAN across the VPN.

Any pointers on what these rule(s) are would be helpful. Should this rule be between the two LANs or the firewalls? Which protocols? Which interface? Do I need to manually setup an outbound-NAT rule? I am somewhat new to this and I don't want to accidentally open up the two networks to the world! Thanks.

Maybe you need a rule to allow TCP and UDP on the wireguard interface (or the wireguard group), and another one for ICMP if you want ping.
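To make the rule discussion above concrete, here is an added example (not code from the thread or from OPNsense) that models the two rules a WireGuard site-to-site setup needs as a small first-match evaluator: one WAN rule that admits only the WireGuard UDP transport, and one rule on the WireGuard interface that passes traffic from the remote LAN to the local LAN with no protocol restriction, so TCP (RDP, SMB), UDP and ICMP are all covered without exposing either LAN to the internet. The interface names, subnets and listen port are assumptions chosen for the example.

```python
"""Minimal first-match firewall rule evaluator for a WireGuard site-to-site tunnel.

Added illustration, not OPNsense's own rule engine. It mirrors how GUI rules
behave: first matching rule wins ("quick"), and anything no rule passes is
dropped by the implicit default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumptions for this example only).
LOCAL_LAN = ip_network("192.168.10.0/24")   # LAN behind this firewall
REMOTE_LAN = ip_network("192.168.20.0/24")  # LAN behind the peer firewall
WG_PORT = 51820                              # assumed WireGuard listen port


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrives on: "wan", "wg0", "lan"
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source IPv4 address
    dst: str                    # destination IPv4 address
    dport: Optional[int] = None # destination port, None for ICMP


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                     # "pass" or "block"
    proto: Optional[str] = None     # None means any protocol
    src: Optional[str] = None       # CIDR, or None for any source
    dst: Optional[str] = None       # CIDR, or None for any destination
    dport: Optional[int] = None     # None means any port
    label: str = ""

    def matches(self, p: Packet) -> bool:
        """Every field that is set on the rule must match the packet."""
        if self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# The two rules a site-to-site tunnel needs. Note the WireGuard-interface rule
# is scoped to the two LAN subnets rather than "any -> any".
RULES = [
    # 1. WAN: only the WireGuard transport itself may come in from the internet.
    Rule("wan", "pass", proto="udp", dport=WG_PORT, label="wg-transport-in"),
    # 2. WireGuard interface: remote LAN -> local LAN, any protocol.
    #    This single rule covers RDP/VNC/SMB over TCP, UDP, and ICMP echo for ping.
    Rule("wg0", "pass", src=str(REMOTE_LAN), dst=str(LOCAL_LAN), label="wg-site-to-site"),
]


def evaluate(p: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule, or 'block' (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


def tunnel_reachability() -> dict:
    """Constructed sample packets that exercise the rule set."""
    samples = {
        # ping from a remote-LAN host to a local-LAN host, inside the tunnel
        "icmp_remote_to_local": Packet("wg0", "icmp", "192.168.20.15", "192.168.10.20"),
        # SMB share browsing across the tunnel
        "smb_remote_to_local": Packet("wg0", "tcp", "192.168.20.15", "192.168.10.20", 445),
        # the peer firewall's WireGuard transport arriving on WAN
        "wg_transport_on_wan": Packet("wan", "udp", "198.51.100.7", "203.0.113.1", WG_PORT),
        # an internet host trying to reach SMB on the LAN directly: must be blocked
        "smb_from_internet": Packet("wan", "tcp", "203.0.113.5", "192.168.10.20", 445),
        # a non-LAN source appearing inside the tunnel: scoped rule blocks it
        "icmp_unknown_src_in_tunnel": Packet("wg0", "icmp", "10.9.9.9", "192.168.10.20"),
    }
    return {name: evaluate(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in tunnel_reachability().items():
        print(f"{name:30s} {verdict}")
```

When the firewall rule on the WireGuard interface already passes any protocol and ICMP still times out while RDP works, the remaining check is on the target host rather than the firewall: the Windows built-in "File and Printer Sharing" inbound rules (SMB and ICMP echo) are scoped to the local subnet in the Private profile by default, while the Remote Desktop rule is not, which produces exactly the pattern of RDP working and ping and shares failing from a different subnet.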

I will give it a try, but wouldn't the general rule that allows *any* traffic already cover this? I have this on the Wireguard (group) interface --

Adding an explicit "Allow ICMP" rule to the wireguard interface made no difference.

June 14, 2022, 07:26:18 AM #4 Last Edit: June 14, 2022, 07:27:50 AM by defaultuserfoo
Quote from: kss on June 12, 2022, 02:31:36 PM
I will give it a try, but wouldn't the general rule that allows *any* traffic already cover this? I have this on the Wireguard (group) interface --

Yes, that should work.

Are you sure that the devices you're trying to ping do answer pings at all?

June 14, 2022, 08:33:49 PM #5 Last Edit: June 14, 2022, 08:44:12 PM by kss
Yes, the devices on the two LANs respond to pings within their own subnets; pings across the VPN time out but the names resolve to the correct IP addresses.

It is still weird that I can connect to any machine on the "other" side by name via RDP or VNC -- but cannot directly browse their shared folders.

Wonder if I need some kind of outbound NAT -- I shouldn't need it according to the documentation because the WG interface is assigned and enabled. And I am not yet knowledgeable enough to know what/how to go about it!

You could take a look at the firewall log and/or make a packet capture to figure out what happens to these ICMP packages. You don't need to set up any NAT for that.