Wireguard is connected, but no traffic

Started by KorschanX, December 25, 2020, 12:29:10 AM

Hi there,

I would like to connect my local opnsense to my remote opnsense using wireguard.
Successfully configured the remote site - all remote clients are reachable by using wireguard-client for windows.

Now I want to set up my local opnsense to use the same configuration - did so, wireguard seems to be connected and handshaking. I can even ping the remote clients from opnsense (Interfaces / Diagnostics / Ping ... using the wg0 interface). Just working fine.

By using a client in my local network, the remote clients are still unreachable.
WireGuard/wg0-interface firewall settings set on any/any

Don't know what to do. Using the Wireguard Windows Client is just working fine.

Check you added a route on both sides for the clients.

E.g. if the topology is:

LanA 192.168.1.x —— opnsenseA —— opnsenseB —— LanB 192.168.2.x

Then for a client on LAN A either the default route must be opnsenseA or route print shows 192.168.2.x on the client.
OpnsenseA must allow, on the LAN, a rule for wireguard traffic to the remote site, and the opposite direction also on the wireguard side.
Same for opnsenseB.
Client on LAN B same story - default route to opnsenseB or route print shows 1.x on the client.

If any step is missing then that is likely the issue.

When satisfied all is correct you must be able to traceroute from a client on either side and hit the expected path all the way along.

P

December 25, 2020, 05:11:37 AM #2 Last Edit: December 25, 2020, 05:13:22 AM by allebone
Also under the Endpoints tab - Allowed IPs - ensure you have both networks listed appropriately on each side. This is what is allowed to route over the tunnel.

A single client would work with only 1 entry listed. This is not appropriate for clients behind the opnsense.
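To show why a single-client entry breaks site-to-site traffic, here is an added example (not from this thread or from OPNsense) that models WireGuard's cryptokey routing: a peer's AllowedIPs is both the route table for outbound packets and the source filter for packets decrypted from that peer. The tunnel addresses 10.10.10.1/2 and the peer names siteA/siteB are assumed; the LANs are the ones from the topology above.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample topology from the thread: LanA 192.168.1.0/24 behind
# opnsenseA, LanB 192.168.2.0/24 behind opnsenseB. Tunnel addresses are assumed.
LAN_A, LAN_B = "192.168.1.0/24", "192.168.2.0/24"
WG_A, WG_B = "10.10.10.1", "10.10.10.2"

def select_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Outbound: longest-prefix match of dst over every peer's AllowedIPs.
    No match means there is no peer to encrypt to, so the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def inbound_allowed(peers: Dict[str, List[str]], peer: str, src: str) -> bool:
    """Inbound: a decrypted packet is kept only if its source address lies in
    the sending peer's AllowedIPs; otherwise WireGuard silently drops it."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in peers[peer])

def round_trip_ok(peers_a: Dict[str, List[str]], peers_b: Dict[str, List[str]],
                  src: str, dst: str) -> str:
    """Walk a packet from src (behind A) to dst (behind B) and its reply.
    Returns the first failing step, or 'ok' when both directions pass."""
    if select_peer(peers_a, dst) != "siteB":
        return "A has no AllowedIPs route to dst"
    if not inbound_allowed(peers_b, "siteA", src):
        return "B drops packet: src not in siteA AllowedIPs"
    if select_peer(peers_b, src) != "siteA":
        return "B has no AllowedIPs route for the reply"
    if not inbound_allowed(peers_a, "siteB", dst):
        return "A drops reply: src not in siteB AllowedIPs"
    return "ok"

# Before the fix from the thread: the remote side (B) lists only the local
# opnsense's tunnel address (a single-client entry), not the LAN behind it.
A_BEFORE = {"siteB": [f"{WG_B}/32", LAN_B]}
B_BEFORE = {"siteA": [f"{WG_A}/32"]}
# After the fix: the remote side also lists the local LAN.
A_AFTER = {"siteB": [f"{WG_B}/32", LAN_B]}
B_AFTER = {"siteA": [f"{WG_A}/32", LAN_A]}
if __name__ == "__main__":
    print(round_trip_ok(A_BEFORE, B_BEFORE, WG_A, "192.168.2.10"))  # ok: ping from opnsenseA itself
    print(round_trip_ok(A_BEFORE, B_BEFORE, "192.168.1.50", "192.168.2.10"))  # dropped at B
    print(round_trip_ok(A_AFTER, B_AFTER, "192.168.1.50", "192.168.2.10"))  # ok
```

The first call reproduces the symptom in the thread: a ping sourced from the firewall's own tunnel address succeeds, while a LAN client's packet is accepted by A's route but discarded by B because its source is outside the only AllowedIPs entry.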

Quote from: allebone on December 25, 2020, 05:11:37 AM
Also under the Endpoints tab - Allowed IPs - ensure you have both networks listed appropriately on each side. This is what is allowed to route over the tunnel.

A single client would work with only 1 entry listed. This is not appropriate for clients behind the opnsense.

Thank you! This was my mistake.

I just had to add my local net to the remote site's Allowed IPs.