OPNsense Wireguard S2S

Started by spetrillo, July 19, 2023, 12:16:13 AM

Hello all,

I have an OPNsense firewall on either side of what I want to be a S2S connection using Wireguard. On site A I am showing the following:

interface: wg2
  public key:
  private key: (hidden)
  listening port: 51822

peer:
  endpoint: :51824
  allowed ips: 10.0.2.0/24, 10.0.1.0/24
  transfer: 0 B received, 2.89 KiB sent

I am not seeing anything passed over wg2. Am I correct in that the interface wg2 is the router's interface and the peer is the other side? I never see wg2 listed in the handshake on the other side. What could I be doing wrong?

Thanks,
Steve

Both sides on the same port, and on both sides the public key from the other side, and it will work.

Do the IPs on each side need to be on the same subnet? Second on one side my OPNsense firewall is behind another firewall. Do I need to port forward from the firewall?

The IP addresses of the tunnel interfaces or the IP addresses of the networks you want to connect?

1. You do not need IP addresses on the tunnel interfaces unless the firewalls themselves need to send traffic through the tunnel.
2. The networks you want to connect on both sides must be different and must not overlap.
3. If you use a network for the tunnel interfaces it also must be different and must not overlap.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

OK so here is what I got:

Site A (My Home)
Listen Port: 51821
Tunnel Address: 10.0.0.3/24
Endpoint Allowed IPs: 10.0.1.0/24
Endpoint Port: 51821
This side comes up fine!

Site B (My Club)
Listen Port: 51821
Tunnel Address: 10.0.0.2/24
Endpoint Allowed IPs: 192.168.1.0/24, 192.168.2.0/24
Endpoint Port: 51821
This side does not come up and is behind another router!

I have a port forward on the first router at the club for UDP 51821. Do I need a port forward from the OPNsense router up to the first router's IP address?

Thanks,
Steve
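As an added example (not from the thread and not OPNsense's own code), the two sites Steve posted, written out in wg-quick syntax and checked against the rules from the earlier reply: each side carries the other side's public key, each side's Endpoint port is the other side's ListenPort, the networks routed through the tunnel do not overlap each other or the tunnel network, and each side's AllowedIPs contains the peer's tunnel address (otherwise WireGuard's cryptokey routing drops packets from that address, so pings between 10.0.0.2 and 10.0.0.3 fail). The endpoint hostnames and public keys are placeholders; the second club config is constructed to show what the check reports when the endpoint port is wrong and a /24 in AllowedIPs swallows the tunnel network. It does not and cannot check the UDP port forward on the router in front of the club firewall.

```python
"""Consistency check for a WireGuard site-to-site pair.

Added example, not from the thread or from OPNsense. Hostnames and public
keys are constructed placeholders; LANs, tunnel addresses and ports are the
values posted in the thread.
"""
import configparser
import ipaddress

# Placeholders standing in for the public keys `wg show` prints on each box.
SITE_A_PUBKEY = "HOME_PUBLIC_KEY_PLACEHOLDER="
SITE_B_PUBKEY = "CLUB_PUBLIC_KEY_PLACEHOLDER="

# Site A (home): tunnel 10.0.0.3, routes the club LAN 10.0.1.0/24 into the tunnel.
SITE_A_CONF = """\
[Interface]
PrivateKey = (hidden)
Address = 10.0.0.3/24
ListenPort = 51821

[Peer]
PublicKey = CLUB_PUBLIC_KEY_PLACEHOLDER=
Endpoint = club.example.net:51821
AllowedIPs = 10.0.1.0/24, 10.0.0.2/32
"""

# Site B (club): tunnel 10.0.0.2, routes the home LANs 192.168.1.0/24 and 192.168.2.0/24.
SITE_B_CONF = """\
[Interface]
PrivateKey = (hidden)
Address = 10.0.0.2/24
ListenPort = 51821

[Peer]
PublicKey = HOME_PUBLIC_KEY_PLACEHOLDER=
Endpoint = home.example.net:51821
AllowedIPs = 192.168.1.0/24, 192.168.2.0/24, 10.0.0.3/32
"""

# Constructed broken club side: Endpoint port does not match A's ListenPort,
# and 10.0.0.0/24 in AllowedIPs overlaps the tunnel network itself.
SITE_B_BAD_CONF = """\
[Interface]
PrivateKey = (hidden)
Address = 10.0.0.2/24
ListenPort = 51821

[Peer]
PublicKey = HOME_PUBLIC_KEY_PLACEHOLDER=
Endpoint = home.example.net:51824
AllowedIPs = 192.168.1.0/24, 192.168.2.0/24, 10.0.0.0/24
"""


def parse_wg(text):
    """Parse one wg-quick style config that has a single [Peer] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep WireGuard's CamelCase key names
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    return {
        "address": ipaddress.ip_interface(iface["Address"]),
        "listen_port": int(iface["ListenPort"]),
        "peer_key": peer["PublicKey"].strip(),
        "endpoint_port": int(peer["Endpoint"].rsplit(":", 1)[1]),
        "allowed": [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")],
    }


def _lans(side, other):
    """AllowedIPs entries that are remote LANs, i.e. everything but the peer's /32 tunnel address."""
    peer_host = ipaddress.ip_network(f"{other['address'].ip}/32")
    return [n for n in side["allowed"] if n != peer_host]


def check_pair(a, a_pub, b, b_pub):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    # Each side must carry the OTHER side's public key.
    if a["peer_key"] != b_pub:
        problems.append("site A [Peer] PublicKey is not site B's public key")
    if b["peer_key"] != a_pub:
        problems.append("site B [Peer] PublicKey is not site A's public key")
    tunnel = a["address"].network
    # Both tunnel addresses must live in one tunnel network.
    if b["address"].network != tunnel:
        problems.append(f"tunnel addresses are in different networks: {tunnel} vs {b['address'].network}")
    # Rule 2: the LANs routed from the two sides must not overlap each other.
    for na in _lans(a, b):
        for nb in _lans(b, a):
            if na.overlaps(nb):
                problems.append(f"routed networks overlap: {na} (site A) and {nb} (site B)")
    for name, side, other in (("A", a, b), ("B", b, a)):
        # Each side's Endpoint port must be the port the other side listens on.
        if side["endpoint_port"] != other["listen_port"]:
            problems.append(f"site {name} Endpoint port {side['endpoint_port']} != peer ListenPort {other['listen_port']}")
        # Rule 3: the tunnel network must not overlap any routed LAN.
        for n in _lans(side, other):
            if n.overlaps(tunnel):
                problems.append(f"site {name} AllowedIPs {n} overlaps the tunnel network {tunnel}")
        # Cryptokey routing: traffic from the peer's tunnel address is dropped
        # unless that address is covered by AllowedIPs.
        if not any(other["address"].ip in n for n in side["allowed"]):
            problems.append(f"site {name} AllowedIPs does not include peer tunnel address {other['address'].ip}")
    return problems


if __name__ == "__main__":
    a = parse_wg(SITE_A_CONF)
    for label, conf in (("good club config", SITE_B_CONF), ("broken club config", SITE_B_BAD_CONF)):
        print(label, "->", check_pair(a, SITE_A_PUBKEY, parse_wg(conf), SITE_B_PUBKEY) or "OK")
```

The check runs offline against the config text only. Everything it can catch is on the two firewalls; a handshake that still never appears after it reports OK points at the path in between, which for the club side is the UDP 51821 forward on the router in front of the OPNsense box.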