OPNsense Forum
»
English Forums
»
Virtual private networks
»
WG S2S Between Two OPNsense Firewalls
Topic: WG S2S Between Two OPNsense Firewalls (Read 926 times)
spetrillo
Hero Member
Posts: 721
Karma: 8
WG S2S Between Two OPNsense Firewalls
on: August 09, 2023, 07:21:19 pm
Hello all,
Have a curious one and hoping someone can point out to me what I am doing wrong. The S2S connection is up and somewhat working.
Site A (Where I am located)
Local Networks: 192.168.1.0/24, 192.168.2.0/24 (carved up into 5 /27 subnets)
WG IP: 10.0.0.2/24
Endpoint: 10.0.0.1/24
Endpoint AllowedIPs: 10.0.1.1/24, 10.0.10.1/24
Port: 51821
Site B
Local Networks: 10.0.1.0/24, 10.0.10.0/24 (carved up into 3 /26 subnets)
WG IP: 10.0.0.1/24
Endpoint: 10.0.0.2/24
Endpoint AllowedIPs: 192.168.1.0/24, 192.168.2.0/24
Port: 51821
From site B I can ping Site A 192.168.2.99 from the source of Site B 10.0.1.1. This is the OPNsense interface IP. If I try to ping Site A 192.168.2.99 from the source of Site B 10.0.1.7 it fails. This is a PC on the subnet. I checked my routes at Site B and it shows that it knows how to get to the Site A 192.168.1.0/24 and 192.168.2.0/24 networks.
Not sure what I am doing wrong. If I can ping from the OPNsense interface I should be able to ping from a device on the same network.
Help,
Steve
Last Edit: August 09, 2023, 08:47:55 pm by spetrillo
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: WG S2S Between Two OPNsense Firewalls
Reply #1 on: August 09, 2023, 08:28:22 pm
First screenshot: You can only set the source address to an address that is assigned to an OPNsense interface. That's what the error message says.
Also, you might be mixing up addresses inside and outside the tunnel. "Tunnel Address" and "Allowed IPs" are inside, "Endpoint Address" is outside. Your terminology doesn't really match, but if "WG IP" is "Tunnel Address" and "Endpoint" is "Endpoint Address", that won't work (same subnet inside and outside the tunnel).
Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: WG S2S Between Two OPNsense Firewalls
Reply #2 on: August 09, 2023, 08:47:10 pm
That's really disappointing. I thought the diagnostic Ping would allow me to do this from a device on a particular interface subnet.
Attached is the local and endpoint setup from site A and then site B. I do not believe I am mixing things up but what do I know. Site A has a tunnel address of 10.0.0.2 and site B has a tunnel address of 10.0.0.1. From site B I want to be able to get to site A networks of 192.168.1.0/24 and 192.168.2.0/24. From site A I want to be able to get to site B networks of 10.0.1.0/24 and 10.0.10.0/24.
If I have not done it correctly what is wrong?
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: WG S2S Between Two OPNsense Firewalls
Reply #3 on: August 09, 2023, 09:25:31 pm
Looks good, except for the tunnel addresses not being included in the allowed IPs of the endpoint config on the other side. I'd recommend that, shouldn't be the root cause of your issue though.
Did you actually try to ping from 10.0.1.7 itself? There is no way OPNsense could make that device perform the ping test.
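The two points Maurice raises (Reply #1: the peer's Endpoint Address is reached outside the tunnel and cannot sit in the tunnel subnet; Reply #3: each side's Allowed IPs should also list the other side's tunnel address) can be checked mechanically against the layout posted at the top of the thread. The script below is an added example and not from the thread or from OPNsense; it models each firewall's WireGuard fields with a small dataclass and reports every inconsistency it finds. The "as posted" pair reads the OP's "Endpoint" as the peer's tunnel address, which is the mix-up Reply #1 suspects; the corrected pair uses placeholder public endpoints from documentation address ranges and adds the peer tunnel address as a /32, exactly as Reply #4 says was done.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    local_nets: list   # LANs behind this firewall (inside the tunnel)
    tunnel_addr: str   # this firewall's "Tunnel Address" (inside)
    endpoint: str      # the peer's "Endpoint Address" as entered on this side (outside)
    allowed_ips: list  # "Allowed IPs" of the peer entry on this side (inside)


def _nets(prefixes):
    # strict=False so a host-form entry such as "10.0.1.1/24" normalises to 10.0.1.0/24
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def _covered(net, allowed):
    # True when some Allowed IPs prefix contains the whole network
    return any(net.subnet_of(a) for a in allowed if a.version == net.version)


def check_pair(a, b):
    """Return a list of findings for one site-to-site pair.

    An empty list means the addressing is consistent with how the OPNsense
    WireGuard fields are meant to be used (tunnel/allowed = inside, endpoint = outside).
    """
    findings = []
    for local, remote in ((a, b), (b, a)):
        tunnel_net = ipaddress.ip_interface(local.tunnel_addr).network
        # a host route (/32 or /128) for the peer's tunnel address
        peer_tunnel = ipaddress.ip_network(str(ipaddress.ip_interface(remote.tunnel_addr).ip))
        allowed = _nets(local.allowed_ips)
        endpoint = ipaddress.ip_address(local.endpoint)

        # Reply #1: the endpoint is the peer's outside address; it cannot live in the tunnel subnet
        if endpoint in tunnel_net:
            findings.append(f"{local.name}: endpoint {endpoint} lies inside tunnel subnet {tunnel_net}")

        # Reply #3: without the peer's tunnel address in Allowed IPs, tunnel-to-tunnel pings are dropped
        if not _covered(peer_tunnel, allowed):
            findings.append(f"{local.name}: peer tunnel address {peer_tunnel} missing from Allowed IPs")

        # every remote LAN must be covered, or WireGuard silently discards traffic to/from it
        for lan in _nets(remote.local_nets):
            if not _covered(lan, allowed):
                findings.append(f"{local.name}: remote LAN {lan} missing from Allowed IPs")

        # the tunnel subnet must not overlap a local LAN, or routing becomes ambiguous
        for lan in _nets(local.local_nets):
            if tunnel_net.overlaps(lan):
                findings.append(f"{local.name}: tunnel subnet {tunnel_net} overlaps LAN {lan}")

    # LANs on the two sides must be distinct for the tunnel to route between them at all
    for la in _nets(a.local_nets):
        for lb in _nets(b.local_nets):
            if la.overlaps(lb):
                findings.append(f"LAN overlap between sites: {la} and {lb}")
    return findings


# Constructed from the layout posted in the thread, reading "Endpoint" as the peer's
# tunnel address (the mix-up Reply #1 suspects). Not taken from any live configuration.
POSTED_A = Site("Site A", ["192.168.1.0/24", "192.168.2.0/24"], "10.0.0.2/24", "10.0.0.1",
                ["10.0.1.1/24", "10.0.10.1/24"])
POSTED_B = Site("Site B", ["10.0.1.0/24", "10.0.10.0/24"], "10.0.0.1/24", "10.0.0.2",
                ["192.168.1.0/24", "192.168.2.0/24"])

# Corrected layout. The public endpoints are placeholders from documentation ranges
# (assumption), and each side's Allowed IPs also lists the peer's tunnel address as a /32.
FIXED_A = Site("Site A", ["192.168.1.0/24", "192.168.2.0/24"], "10.0.0.2/24", "198.51.100.20",
               ["10.0.0.1/32", "10.0.1.0/24", "10.0.10.0/24"])
FIXED_B = Site("Site B", ["10.0.1.0/24", "10.0.10.0/24"], "10.0.0.1/24", "203.0.113.10",
               ["10.0.0.2/32", "192.168.1.0/24", "192.168.2.0/24"])


if __name__ == "__main__":
    for label, pair in (("as posted", (POSTED_A, POSTED_B)), ("corrected", (FIXED_A, FIXED_B))):
        result = check_pair(*pair)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run as-is, the "as posted" pair yields four findings (both endpoints inside the 10.0.0.0/24 tunnel subnet, and both peer tunnel addresses absent from Allowed IPs) while the corrected pair yields none. Note that the LAN coverage checks pass even for the posted layout, which matches the thread: the allowed-IP lists were never the reason a LAN host could not be reached, and Reply #3 is right that the missing /32s are a hygiene fix rather than the root cause.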
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: WG S2S Between Two OPNsense Firewalls
Reply #4 on: August 09, 2023, 09:40:55 pm
I did it from another device...but with all the changes I made I am not sure where I am at this point.
I have added the tunnel IPs to the AllowedIPs list, as a /32 address. I am going to fire up a vm at site B and see what I can figure out.