WireGuard Road Warrior: peers don't see each other

[horyzon]

Hello everyone,
I am new to OPNSense, coming from dd-wrt and openwrt experiences in various flavours
I tried to configure a Wireguard road warrior service, where the wg gateway is opnsense itself
I followed the offical guide here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
with the standard procedure, but I tried even creating a dedicated interface, the issue is the same:
the peers don't see each other nor see their open ports

note that:
- every peer can connect to the opnsense wg gateway correctly
- wg gateway can ping the peers and the peers can ping the gateway
- a dedicated firewall rule in the wg interface (or in wireguard group) allows in/out transition from and to the /24 subnet of wg set by an alias
- when a peer tries to access a port on another peer, the firewall logs succesfully the passing packets, but still the peers can't establish a connection
- the routes for every peer are correctly appearing on System->Routes

opnsense packet capture shows a peer transmitting and retransmitting the same packet and having no response, this happens for every peer trying to communicate with a peer
the dst peer shows no trace of the packet sent

I really can't figure out what is the problem, can you help me?

[bartjsmit]

Not a direct answer to your question but I have had very good results with tailscale which is free for up to 20 endpoints. There is a FOSS self hosted version (headscale) for purists and misers with loads of pals.

https://tailscale.com/
https://github.com/juanfont/headscale

Bart...

[Greelan]

On each client, what are the Allowed IPs?

[RamSense]

I used this guide when setting it up in the past. follow the steps and see where yours differs:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

[horyzon]

guys thanks for your answers, you made me think a lot about what I was doing wrong
at the end I understood why it didn't work, it was trivial afterall, but someone could stumble on it, especially if coming from wireguard setup on different routers or a dedicated vm:

before opnsense, I usually set allowed ip of 'wg_server/32' on all peers, and it always worked because I always masqueraded all the traffic with dedicated iptables rule, while openwrt does it automagically with an option

with opnsense, even if I created a dedicated interface for wg, I would in any case need to masquerade all the traffic with a dedicated outbound rule, setting source/destination on 'wireguard net' and translation in the 'wg address'

the simpler alternative is just allowing the entire /24 network on all wg peers, so the traffic can pass through them even if the gateway is not using masquerade on the wg interface

for the same reason, you would anyway need an outbound rule to masquerade the source ip if accessing a wg peer from another network (es. lan) without have to modify the allowed ips of all your peers

[Patrick M. Hausen]

Yep. In most cases in a hub and spoke topology you want allowed IP /32 on the central hub for all individual peers and allowed IP /24 (or whatever the size) on the peers themselves. This is for the tunnel network proper. If you have site to site connections, then of course add all necessary remote networks to the lists.