WireGuard Site-to-Site connectivity issue

Started by SylvainB53, April 29, 2025, 12:36:58 PM

Hello everyone,

I'm setting up a site-to-site VPN between two sites using WireGuard on OPNsense.

Here is a diagram of my setup:

                  VPN Site-to-Site (WireGuard)
                  ============================

                            Internet
                                |
                   -------------+-------------
                   |                         |
               [WAN IP]                  [WAN IP]
             198.51.100.1               203.0.113.1
               (Site A)                  (Site B)
                   |                         |
         ---------------------     ---------------------
         |     OPNsense A    |     |     OPNsense B    |
         |-------------------|     |-------------------|
         | LAN IP:           |     | LAN IP:           |
         |   192.168.10.253  |     |   192.168.20.253  |
         | WG IP:            |     | WG IP:            |
         |   10.2.2.1        |     |   10.2.2.2        |
         ---------------------     ---------------------
                   |                         |
         ---------------------     ---------------------
         |    LAN Site A     |     |    LAN Site B     |
         |  192.168.10.0/24  |     |  192.168.20.0/24  |
         ---------------------     ---------------------

Problem:

From OPNsense A, I can successfully ping LAN devices on Site B.

From OPNsense B, I can successfully ping LAN devices on Site A.

But from LAN Site A, I cannot reach devices on LAN Site B, and vice-versa.

Notes:

The WireGuard interfaces are properly assigned and enabled on both sides.

The firewalls have "allow all" rules on LAN and WireGuard interfaces for testing.

Each LAN device uses the local OPNsense router as its gateway (192.168.10.253 and 192.168.20.253).

The OPNsense VMs are hosted on XCP-ng servers at both sites.

Question:

What could be preventing direct LAN-to-LAN communication if the OPNsense boxes themselves can already talk across the tunnel?

Thanks in advance for your help!

What are the "AllowedIPs" for the respective peer on each side?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on April 29, 2025, 12:53:26 PM
> What are the "AllowedIPs" for the respective peer on each side?

On site A: 10.2.2.2/32 and 192.168.20.0/24
On site B: 10.2.2.1/32 and 192.168.10.0/24
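The AllowedIPs question matters because WireGuard uses them for cryptokey routing on both directions at once: an inbound packet from a peer is accepted only if its source address falls inside that peer's AllowedIPs, and an outbound packet is sent into the tunnel only if its destination does. A site-to-site setup therefore needs each side's AllowedIPs to cover the remote tunnel address and the remote LAN, and must not cover the local LAN (that would pull local traffic into the tunnel). The following checker is an added example, not something posted in the thread; the `Site` dataclass, the function names and the "broken" sample configuration are constructed for illustration, while the addresses in the good configuration are the ones given above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Site:
    """One OPNsense end of the tunnel (hypothetical helper type)."""
    name: str
    wg_ip: str                  # this site's own WireGuard tunnel address
    lan: str                    # this site's own LAN prefix
    peer_allowed_ips: List[str]  # AllowedIPs configured here for the *remote* peer


def check_site_to_site(a: Site, b: Site) -> List[str]:
    """Return a list of human-readable problems; an empty list means both sides are consistent."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        local_lan = ipaddress.ip_network(local.lan)
        allowed = [ipaddress.ip_network(x) for x in local.peer_allowed_ips]
        # ip_network() on a bare host address yields a /32 (or /128), which is what
        # a peer's tunnel address normally appears as in AllowedIPs
        remote_host = ipaddress.ip_network(remote.wg_ip)
        remote_lan = ipaddress.ip_network(remote.lan)

        # Ingress: replies and pings sourced from the peer's tunnel address are only
        # accepted if that address is covered.
        if not any(remote_host.subnet_of(n) for n in allowed):
            problems.append(f"{local.name}: AllowedIPs for peer {remote.name} lacks {remote_host}")

        # Egress + ingress for LAN-to-LAN: the remote LAN must be covered so that
        # traffic is routed into the tunnel and packets from it are accepted.
        if not any(remote_lan.subnet_of(n) for n in allowed):
            problems.append(f"{local.name}: AllowedIPs for peer {remote.name} lacks {remote_lan}")

        # A prefix that overlaps the local LAN would route local traffic into the tunnel.
        for n in allowed:
            if n.overlaps(local_lan):
                problems.append(
                    f"{local.name}: AllowedIPs entry {n} overlaps local LAN {local_lan}; "
                    "local traffic would be pulled into the tunnel"
                )
    return problems


# Configuration as described in the thread
SITE_A = Site("Site A", "10.2.2.1", "192.168.10.0/24", ["10.2.2.2/32", "192.168.20.0/24"])
SITE_B = Site("Site B", "10.2.2.2", "192.168.20.0/24", ["10.2.2.1/32", "192.168.10.0/24"])

# Constructed counter-example: Site B forgot the remote LAN prefix
SITE_B_BROKEN = Site("Site B", "10.2.2.2", "192.168.20.0/24", ["10.2.2.1/32"])

if __name__ == "__main__":
    for label, sites in (("thread config", (SITE_A, SITE_B)), ("broken config", (SITE_A, SITE_B_BROKEN))):
        found = check_site_to_site(*sites)
        print(f"{label}: {'OK' if not found else found}")
```

With the broken configuration, OPNsense B still pings Site A's LAN (its own tunnel address is covered on the A side), but Site A's LAN clients cannot reach Site B's LAN because B never routes 192.168.10.0/24 into the tunnel and rejects packets from it; the checker reports exactly that missing prefix.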

Looks good. "Disable routes" is not checked?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on April 29, 2025, 01:13:44 PM
> Looks good. "Disable routes" is not checked?

Thanks, I just checked, it's unchecked on both sides.

Then - no idea why it does not work. Try a packet capture on both ends of the tunnel and the LAN interfaces.

Wild guess: does your allow rule on LAN explicitly set a gateway? It should not.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks,

No explicit gateway on allow rule. I'll try to debug with a packet capture. I'll be back ;)

Update after further testing:

I ran a packet capture on Site A (OPNsense), LAN interface, while pinging 192.168.20.250 from a client (192.168.10.80) on the LAN.
Here's a sample from the capture:

192.168.10.80 > 192.168.20.250: ICMP echo request 
192.168.20.250 > 192.168.10.80: ICMP echo reply

This confirms that:

✅ The ICMP request is leaving the client and reaching the remote site
✅ The ICMP reply is coming back through the WireGuard tunnel and reaching OPNsense Site A

Then, I ran a tcpdump directly on the Linux client at 192.168.10.80, and here's the interesting part:

✅ I can see the ICMP echo requests going out

❌ But I do not see the ICMP echo replies arriving

➤ Conclusion:
The echo reply reaches OPNsense but never makes it to the LAN client.

🔍 My other checks:
  • I verified that the LAN rule on Site A does not define a gateway (it's set to default — unchecked)
  • I reviewed the LAN firewall rules on Site A to ensure they allow traffic from 192.168.20.0/24 to LAN net
  • I also double-checked Outbound NAT to make sure no NAT is interfering with inter-site LAN traffic
  • And I'll make sure the client firewall (iptables or ufw) isn't dropping the reply silently

Let me know if there's anything else you recommend I check at this point — I feel like I'm close! 😅

Thanks again to everyone helping out
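The method used in the update above, capturing at two vantage points along the reply's path and seeing at which one the echo replies disappear, can be mechanised so that the comparison is not done by eye. The script below is an added example, not something from the thread: it parses tcpdump-style ICMP echo lines, pairs each request with its reply per vantage point, and reports the first vantage point at which requests go unanswered. The two captures are constructed to mirror what was described (replies visible on the OPNsense A LAN interface, absent on the client); the `id`/`seq` fields and the function names are assumptions added for the example.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Matches both the bare "src > dst: ICMP echo request" form quoted in the thread and the
# fuller "HH:MM:SS.ffffff IP src > dst: ICMP echo request, id N, seq M, length L" tcpdump form.
ICMP_RE = re.compile(
    r"(?:^|\s)(?:IP\s+)?(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply)(?:, id (?P<id>\d+))?(?:, seq (?P<seq>\d+))?"
)

Echo = Tuple[str, str, int]  # (client, target, seq) in request orientation


def parse_icmp(lines: Iterable[str]):
    """Yield (src, dst, kind, seq) for ICMP echo lines; non-matching lines are ignored."""
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["seq"] or 0)


def match_echoes(lines: Iterable[str]) -> Tuple[Set[Echo], Set[Echo]]:
    """Pair requests with replies seen at one vantage point. Returns (answered, unanswered)."""
    requests: Set[Echo] = set()
    replies: Set[Echo] = set()
    for src, dst, kind, seq in parse_icmp(lines):
        if kind == "request":
            requests.add((src, dst, seq))
        else:
            # A reply flows target -> client; normalise it to the request's orientation.
            replies.add((dst, src, seq))
    return requests & replies, requests - replies


def locate_loss(captures: List[Tuple[str, List[str]]]) -> Optional[str]:
    """captures are ordered along the reply's path back to the client (first hop first).
    Returns the name of the first vantage point where requests go unanswered, or None."""
    for name, lines in captures:
        _, unanswered = match_echoes(lines)
        if unanswered:
            return name
    return None


# Constructed sample captures (not the poster's real output) reflecting the thread's finding
OPNSENSE_A_LAN = """\
12:00:01.000100 IP 192.168.10.80 > 192.168.20.250: ICMP echo request, id 17, seq 1, length 64
12:00:01.012300 IP 192.168.20.250 > 192.168.10.80: ICMP echo reply, id 17, seq 1, length 64
12:00:02.000100 IP 192.168.10.80 > 192.168.20.250: ICMP echo request, id 17, seq 2, length 64
12:00:02.012100 IP 192.168.20.250 > 192.168.10.80: ICMP echo reply, id 17, seq 2, length 64
""".splitlines()

CLIENT_ETH0 = """\
12:00:01.000000 IP 192.168.10.80 > 192.168.20.250: ICMP echo request, id 17, seq 1, length 64
12:00:02.000000 IP 192.168.10.80 > 192.168.20.250: ICMP echo request, id 17, seq 2, length 64
""".splitlines()

CAPTURES = [("OPNsense A, LAN interface", OPNSENSE_A_LAN), ("client 192.168.10.80, eth0", CLIENT_ETH0)]

if __name__ == "__main__":
    for name, lines in CAPTURES:
        answered, unanswered = match_echoes(lines)
        print(f"{name}: {len(answered)} answered, {len(unanswered)} unanswered")
    lost_at = locate_loss(CAPTURES)
    print("replies first missing at:", lost_at or "nowhere (all answered)")
```

Because the vantage points are ordered along the return path, the first one that reports unanswered requests bounds the loss: here the replies exist on the OPNsense LAN interface but not on the client, so whatever drops them sits between those two points (the last-hop delivery towards the client, the hypervisor's virtual switch, or the client's own filter), which is the list of checks the update above enumerates.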