Wireguard with multiple Endpoints not working

[Demusman]

That's why I said "appears". We haven't been given the info on the subnets that have been otherwise configured on OPNsense. If 10.0.0.0/8 is just being used as a shorthand to pick up a bunch of otherwise unique subnets, then fine.

The real issue then is the allowed IPs that have configured in the OPNsense endpoint configs, as per my original comment.

Then you shouldn't have said "That won't work". 

[cds]

So,
if I understand right:

peer: 1
  endpoint: 10.98.0.12:51820
  allowed ips: 10.98.0.12/32
   persistent keepalive: every 25 seconds

peer: 2
  endpoint: 10.98.0.11:51820
  allowed ips: 10.98.0.11/32
  persistent keepalive: every 25 seconds


should work (10.98.0.0/24 is only used for WG peers).

So far so good. Now I have a new effect:

10.98.0.11 can ping 10.11.1.1 (Endpoint of VPN), but not access it's Webpage.
If peer 2 is the only peer, and allowed ips: 10.0.0.0/8 is used this works.
Any hints?

[Greelan]

Have you added firewall rules for WG on OPNsense?

[Greelan]

Then you shouldn't have said "That won't work". 

This is really how you want to spend your time?

[cds]

Yes, in and out everything allowed.

BTW, access to 10.1.1.0/24 works fine ...

[Greelan]

What's the config on that peer itself?

[Demusman]

So,
if I understand right:

peer: 1
  endpoint: 10.98.0.12:51820
  allowed ips: 10.98.0.12/32
   persistent keepalive: every 25 seconds

peer: 2
  endpoint: 10.98.0.11:51820
  allowed ips: 10.98.0.11/32
  persistent keepalive: every 25 seconds


should work (10.98.0.0/24 is only used for WG peers).

So far so good. Now I have a new effect:

10.98.0.11 can ping 10.11.1.1 (Endpoint of VPN), but not access it's Webpage.
If peer 2 is the only peer, and allowed ips: 10.0.0.0/8 is used this works.
Any hints?

You're still not allowing any of your subnets through the tunnel. You won't be able to access anything outside the tunnel.

[Demusman]

Then you shouldn't have said "That won't work". 

This is really how you want to spend your time?

Just pointing out that you gave some misinformation and instead of you just admitting that, you make an excuse.
Am I wrong?

[Greelan]

Am I wrong?

Yes.

If you want to talk about misinformation, your most recent post will cause confusion. The OP doesn't need to add the local networks to the allowed IPs in the endpoint configs on OPNsense. The OP does however need to add them to the peer allowed IPs on the peers themselves - so that the peers know that they access 10.0.0.0/8 at the OPNsense end via the tunnel. See my earlier comments. This is why I asked to see the WG configs on the peers themselves.

[Demusman]

Ok. Have it your way.


peer: 1
  endpoint: 10.98.0.12:51820
  allowed ips: 10.98.0.12/32
   persistent keepalive: every 25 seconds

peer: 2
  endpoint: 10.98.0.11:51820
  allowed ips: 10.98.0.11/32
  persistent keepalive: every 25 seconds

[Greelan]

BTW, OP, you don't need to specify an endpoint IP and port in the endpoint configs on OPNsense, if the peers are the ones initiating connections to OPNsense rather than the other way around.

If OPNsense is initiating connections to the peers, then you need to specify a public IP and port that they are accessible on, rather than the tunnel IP.

[Demusman]

Good cleanup.