Not reaching clients on remote site (wireguard vpn on linux server)

Started by enmi, November 02, 2023, 11:00:11 AM

Hi,

I'm having some difficulties with getting a wireguard setup to work fully. My current setup is a wireguard server on the LAN, with an opnsense port forwarding to it. On a remote site I have a 3g-modem with a wireguard client. I have the wireguard connection up and running, but I can only ping from the client on the remote site to the server and other PCs on the 172.16.10.0/24 network. If I try to ping the 10.0.22.0/24 network I get no answer. I have tried setting up the wireguard server as a gateway and making a static route, but that does not seem to work...

any ideas?

Best regards
Michael

Could you post the wireguard configuration files of both sides? (With omitted keys)
Hardware:
DEC740

Hi,

Hopefully this is the right information:


Settings on server running wg-easy (https://github.com/wg-easy/wg-easy)

# Server
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXX
Address = 10.8.0.1/24
ListenPort = 51820
PreUp =
PostUp =  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
PreDown =
PostDown =

# Client: WorkLaptop ()
[Peer]
PublicKey = XX
PresharedKey = XX
AllowedIPs = 10.8.0.6/32


Settings in teltonika modem:

AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1

Static routes to public ip address



On your wireguard server you have to add 10.0.22.0/24 to the allowed IPs, or the traffic is not allowed to that net. But this is not an OPNsense problem. It's entirely wireguard that's not configured right.

EDIT: Also it might be just better to use the inbuilt wireguard server in the OPNsense so you don't have routing problems.
Right now if the traffic is sent to 10.0.22.0/24 it gets sent to the OPNsense (as it's the default gateway), and there it would need a route to the wireguard server's IP address 172.16.10.10. But then there can be asymmetric traffic because all clients in that net would then try to go directly to the wireguard server after having communicated with their default gateway first.
Hardware:
DEC740

I will test that, the installation guide for wg-easy says the default is:

Allowed ips = 0.0.0.0/0, ::/0

But I can restart the docker container, and add some allowed ips.

This is just for testing purposes and the plan is to run this from a vps/cloud solution. So I don't want to lock myself into opnsense from the start...

You should put the wireguard server in a separate VLAN then where it is the only host. And when clients send traffic to the remote wireguard net to their default gateway, the OPNsense needs a static route and firewall rules to allow the traffic to your wireguard VPN server.

That way you have no asymmetric routing.
Hardware:
DEC740

Ok, so it's not enough with defining a single gateway, and defining a route? (see attached images)

The problem is if you now initiate traffic from a host, e.g. 172.16.10.20, which is in the same layer 2 broadcast domain as the wireguard server 172.16.10.10 and the OPNsense 172.16.0.1, traffic would flow like this:

Forward Traffic: 172.16.10.20 -> 172.16.10.1 -> 172.16.10.10 -> 10.0.22.10
Return Traffic: 10.0.22.10 -> 172.16.10.10 -> 172.16.10.20

As you can see, the return traffic skips the OPNsense, but the client expects an answer from its default gateway 172.16.10.1 and not from 172.16.10.10. TCP Traffic has to be symmetric, Forward and Return Path have to be exactly the same. There will also be state violations in the OPNsense probably.

I always put VPN Gateways in separate VLANs to avoid this.
Hardware:
DEC740
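As an added example (not from the thread or from wg-easy/OPNsense), a small Python model of the two layouts discussed above: it forwards a packet hop by hop using longest-prefix routing tables and reports whether both directions cross the stateful firewall. The addresses follow the thread (172.16.10.1 for the OPNsense, 172.16.10.10 for the wireguard server, 10.8.0.6 for the modem peer, 10.0.22.10 for the remote host); the separate VLAN 172.16.20.0/24 and the modem's LAN address 10.0.22.1 are constructed assumptions.

```python
import ipaddress
IP, NET = ipaddress.ip_address, ipaddress.ip_network

def node(addrs, routes):
    """Constructed node: owned addresses plus (prefix, next hop) routes; None = on-link."""
    return {"addrs": {IP(a) for a in addrs},
            "routes": [(NET(p), None if nh is None else IP(nh)) for p, nh in routes]}

def trace(nodes, src, dst):
    """Hop-by-hop longest-prefix forwarding; returns the node names a packet crosses."""
    owner = {a: name for name, n in nodes.items() for a in n["addrs"]}
    cur, dst, path = owner[IP(src)], IP(dst), []
    while len(path) < 16:
        path.append(cur)
        if dst in nodes[cur]["addrs"]:
            return path
        best = max((r for r in nodes[cur]["routes"] if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        nxt = dst if best is None or best[1] is None else best[1]
        if best is None or nxt not in owner:
            return path + ["DROP"]          # no route, or next hop nobody owns
        cur = owner[nxt]
    return path + ["LOOP"]

def symmetric_through(nodes, fw, a, b):
    """A stateful firewall only keeps state if both directions cross it (the thread's point)."""
    fwd, ret = trace(nodes, a, b), trace(nodes, b, a)
    return fw in fwd and fw in ret, fwd, ret

# Shared pieces: LAN host, remote modem peer (wg address 10.8.0.6) and a host behind it.
host = node(["172.16.10.20"], [("172.16.10.0/24", None), ("0.0.0.0/0", "172.16.10.1")])
modem = node(["10.8.0.6", "10.0.22.1"], [("10.0.22.0/24", None), ("0.0.0.0/0", "10.8.0.1")])
remote = node(["10.0.22.10"], [("10.0.22.0/24", None), ("0.0.0.0/0", "10.0.22.1")])
# The server's route to 10.0.22.0/24 via the peer only exists if that prefix is in the
# peer's AllowedIPs (cryptokey routing): the first fix suggested in the thread.
TUNNEL = [("10.8.0.0/24", None), ("10.0.22.0/24", "10.8.0.6")]

# Layout 1: wireguard server on the same LAN as the clients (the original poster's setup).
SAME_LAN = {"host": host, "modem": modem, "remote": remote,
    "opnsense": node(["172.16.10.1"], [("172.16.10.0/24", None), ("10.0.22.0/24", "172.16.10.10")]),
    "wg": node(["172.16.10.10", "10.8.0.1"], [("172.16.10.0/24", None)] + TUNNEL)}
# Layout 2: wireguard server alone in its own VLAN (172.16.20.0/24 is a constructed number).
OWN_VLAN = {"host": host, "modem": modem, "remote": remote,
    "opnsense": node(["172.16.10.1", "172.16.20.1"], [("172.16.10.0/24", None),
                 ("172.16.20.0/24", None), ("10.0.22.0/24", "172.16.20.10")]),
    "wg": node(["172.16.20.10", "10.8.0.1"], [("172.16.20.0/24", None),
               ("0.0.0.0/0", "172.16.20.1")] + TUNNEL)}

if __name__ == "__main__":
    for name, topo in (("same LAN", SAME_LAN), ("own VLAN", OWN_VLAN)):
        ok, fwd, ret = symmetric_through(topo, "opnsense", "172.16.10.20", "10.0.22.10")
        print(f"{name}: symmetric={ok}\n  fwd {' -> '.join(fwd)}\n  ret {' -> '.join(ret)}")
```

In the same-LAN layout the return path comes back from the wireguard server directly to the host and never touches the OPNsense, which is the state violation described above; moving the server to its own VLAN makes the OPNsense the only way in and out.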

Thank you for describing the issue, I will look into this.

I recently switched from pfsense to opnsense, and I must say if this is the kind of support I could expect I definitely made the right choice.

No problem, you could avoid all these routing issues though by just letting the OPNsense wireguard Server take over.

Here's a doc I wrote on how to do a proper Wireguard Site2Site tunnel (just imagine one side as your other router and not an opnsense)

There are also some rules that fix MTU and MSS problems:

https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Hardware:
DEC740