Topic: WireGuard Road Warrior: peers don't see each other (Read 2390 times)
horyzon
Newbie
Posts: 2
Karma: 0
WireGuard Road Warrior: peers don't see each other
« on: October 09, 2022, 09:16:45 pm »
Hello everyone,
I am new to OPNsense, coming from dd-wrt and openwrt experiences in various flavours.
I tried to configure a WireGuard road warrior service, where the wg gateway is OPNsense itself.
I followed the official guide here:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
with the standard procedure, but I tried even creating a dedicated interface; the issue is the same:
the peers don't see each other, nor see their open ports.
Note that:
- every peer can connect to the OPNsense wg gateway correctly
- the wg gateway can ping the peers and the peers can ping the gateway
- a dedicated firewall rule on the wg interface (or in the WireGuard group) allows in/out transit from and to the /24 subnet of wg, set by an alias
- when a peer tries to access a port on another peer, the firewall successfully logs the passing packets, but still the peers can't establish a connection
- the routes for every peer are correctly appearing in System->Routes
The OPNsense packet capture shows a peer transmitting and retransmitting the same packet and getting no response; this happens for every peer trying to communicate with another peer.
The dst peer shows no trace of the packet sent.
I really can't figure out what is the problem, can you help me?
« Last Edit: October 09, 2022, 10:41:35 pm by horyzon »
bartjsmit
Hero Member
Posts: 2008
Karma: 194
Re: WireGuard Road Warrior: peers don't see each other
« Reply #1 on: October 10, 2022, 09:12:57 am »
Not a direct answer to your question, but I have had very good results with Tailscale, which is free for up to 20 endpoints. There is a FOSS self-hosted version (headscale) for purists and misers with loads of pals.
https://tailscale.com/
https://github.com/juanfont/headscale
Bart...
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: WireGuard Road Warrior: peers don't see each other
« Reply #2 on: October 10, 2022, 12:16:44 pm »
On each client, what are the Allowed IPs?
RamSense
Hero Member
Posts: 594
Karma: 10
Re: WireGuard Road Warrior: peers don't see each other
« Reply #3 on: October 10, 2022, 01:10:55 pm »
I used this guide when setting it up in the past. Follow the steps and see where yours differs:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
horyzon
Newbie
Posts: 2
Karma: 0
Re: WireGuard Road Warrior: peers don't see each other
« Reply #4 on: October 11, 2022, 02:58:52 am »
Guys, thanks for your answers, you made me think a lot about what I was doing wrong.
In the end I understood why it didn't work; it was trivial after all, but someone could stumble on it, especially if coming from a WireGuard setup on different routers or a dedicated VM:
Before OPNsense, I usually set allowed IPs of 'wg_server/32' on all peers, and it always worked because I always masqueraded all the traffic with a dedicated iptables rule, while OpenWrt does it automagically with an option.
With OPNsense, even if I created a dedicated interface for wg, I would in any case need to masquerade all the traffic with a dedicated outbound rule, setting source/destination to 'wireguard net' and translation to the 'wg address'.
The simpler alternative is just allowing the entire /24 network on all wg peers, so the traffic can pass through them even if the gateway is not using masquerade on the wg interface.
For the same reason, you would anyway need an outbound rule to masquerade the source IP if accessing a wg peer from another network (e.g. LAN) without having to modify the allowed IPs of all your peers.
« Last Edit: October 11, 2022, 03:06:32 am by horyzon »
Patrick M. Hausen
Hero Member
Posts: 6721
Karma: 566
Re: WireGuard Road Warrior: peers don't see each other
« Reply #5 on: October 11, 2022, 09:11:08 am »
Yep. In most cases in a hub and spoke topology you want allowed IP /32 on the central hub for all individual peers and allowed IP /24 (or whatever the size) on the peers themselves. This is for the tunnel network proper. If you have site to site connections, then of course add all necessary remote networks to the lists.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
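The mechanism behind Reply #4 and Reply #5 is WireGuard's cryptokey routing: an outbound packet is sent to the peer whose AllowedIPs cover the destination (no match means it never enters the tunnel), and an inbound packet is kept only if its source lies in the sending peer's AllowedIPs. The following Python model is an added example, not code from the thread, OPNsense or WireGuard; the hub address 10.8.0.1, the spoke addresses and the peer names are constructed. It traces one packet from spoke A to spoke B through the hub under the /32 and /24 spoke configurations, with and without the hub's outbound NAT.

```python
import ipaddress

# Constructed hub-and-spoke layout (not from the thread): OPNsense hub 10.8.0.1,
# road-warrior spokes 10.8.0.2 and 10.8.0.3, tunnel network 10.8.0.0/24.
HUB_ADDR = "10.8.0.1"

def peer_table(peers):
    """Cryptokey routing table of one WireGuard interface: {peer: [AllowedIPs]}."""
    return {p: [ipaddress.ip_network(n) for n in nets] for p, nets in peers.items()}

def select_peer(table, dst):
    """Outbound: peer whose AllowedIPs contain dst (longest prefix); None = not sent."""
    dst, best = ipaddress.ip_address(dst), None
    for peer, nets in table.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None

def accepts_inbound(table, peer, src):
    """Inbound: a decrypted packet from `peer` is kept only if src is in its AllowedIPs."""
    return any(ipaddress.ip_address(src) in net for net in table[peer])

def spoke_to_spoke(spoke_a, spoke_b, hub, src, dst, masquerade=False):
    """Trace one packet spoke A -> hub -> spoke B and report where it is lost."""
    if select_peer(spoke_a, dst) is None:
        return "dropped at A: dst not in AllowedIPs of any peer"
    if not accepts_inbound(hub, "spoke_a", src):
        return "dropped at hub: src outside spoke A's AllowedIPs"
    if select_peer(hub, dst) != "spoke_b":
        return "dropped at hub: no peer owns dst"
    # Outbound NAT on the hub (Reply #4) rewrites the source to the hub's address.
    fwd_src = HUB_ADDR if masquerade else src
    if not accepts_inbound(spoke_b, "hub", fwd_src):
        return f"dropped at B: src {fwd_src} outside hub peer's AllowedIPs"
    return "delivered"

# Hub holds a /32 per spoke (Reply #5); a spoke lists the hub peer with /32 or /24.
HUB = peer_table({"spoke_a": ["10.8.0.2/32"], "spoke_b": ["10.8.0.3/32"]})
NARROW = peer_table({"hub": ["10.8.0.1/32"]})
WIDE = peer_table({"hub": ["10.8.0.0/24"]})

def scenarios(src="10.8.0.2", dst="10.8.0.3"):
    """Outcome of one packet A -> B under the four spoke configurations."""
    return {
        "both /32": spoke_to_spoke(NARROW, NARROW, HUB, src, dst),
        "both /24": spoke_to_spoke(WIDE, WIDE, HUB, src, dst),
        "A /24, B /32": spoke_to_spoke(WIDE, NARROW, HUB, src, dst),
        "A /24, B /32, hub NAT": spoke_to_spoke(WIDE, NARROW, HUB, src, dst, True),
    }
```

The "A /24, B /32" case reproduces the symptom from the first post: the hub forwards the packet, but the destination spoke discards it silently because the source address is outside its AllowedIPs for the hub peer.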