WireGuard Road Warrior: peers don't see each other

Started by horyzon, October 09, 2022, 09:16:45 PM

October 09, 2022, 09:16:45 PM Last Edit: October 09, 2022, 10:41:35 PM by horyzon
Hello everyone,
I am new to OPNsense, coming from dd-wrt and openwrt experiences in various flavours.
I tried to configure a WireGuard road warrior service, where the wg gateway is OPNsense itself.
I followed the official guide here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
with the standard procedure, but I tried even creating a dedicated interface; the issue is the same:
the peers don't see each other nor see their open ports

note that:
- every peer can connect to the opnsense wg gateway correctly
- wg gateway can ping the peers and the peers can ping the gateway
- a dedicated firewall rule in the wg interface (or in wireguard group) allows in/out transition from and to the /24 subnet of wg set by an alias
- when a peer tries to access a port on another peer, the firewall successfully logs the passing packets, but still the peers can't establish a connection
- the routes for every peer are correctly appearing on System->Routes

opnsense packet capture shows a peer transmitting and retransmitting the same packet and having no response, this happens for every peer trying to communicate with a peer
the dst peer shows no trace of the packet sent

I really can't figure out what is the problem, can you help me?

Not a direct answer to your question but I have had very good results with tailscale which is free for up to 20 endpoints. There is a FOSS self hosted version (headscale) for purists and misers with loads of pals.

https://tailscale.com/
https://github.com/juanfont/headscale

Bart...


I used this guide when setting it up in the past. Follow the steps and see where yours differs:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
Deciso DEC850v2

October 11, 2022, 02:58:52 AM #4 Last Edit: October 11, 2022, 03:06:32 AM by horyzon
guys thanks for your answers, you made me think a lot about what I was doing wrong
at the end I understood why it didn't work, it was trivial after all, but someone could stumble on it, especially if coming from a WireGuard setup on different routers or a dedicated VM:

before OPNsense, I usually set allowed ip of 'wg_server/32' on all peers, and it always worked because I always masqueraded all the traffic with a dedicated iptables rule, while openwrt does it automagically with an option

with opnsense, even if I created a dedicated interface for wg, I would in any case need to masquerade all the traffic with a dedicated outbound rule, setting source/destination on 'wireguard net' and translation in the 'wg address'

the simpler alternative is just allowing the entire /24 network on all wg peers, so the traffic can pass through them even if the gateway is not using masquerade on the wg interface

for the same reason, you would anyway need an outbound rule to masquerade the source ip if accessing a wg peer from another network (e.g. LAN) without having to modify the allowed ips of all your peers

Yep. In most cases in a hub-and-spoke topology you want allowed IP /32 on the central hub for all individual peers and allowed IP /24 (or whatever the size) on the peers themselves. This is for the tunnel network proper. If you have site-to-site connections, then of course add all necessary remote networks to the lists.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
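An added model of what the replies above describe, not code from the thread, OPNsense or WireGuard: it simulates both halves of WireGuard's AllowedIPs handling (cryptokey routing) on a constructed 10.10.10.0/24 hub-and-spoke tunnel, so you can see why spokes that only allow the hub's /32 cannot reach each other, why /24 on the spokes fixes it, and why traffic from another network (a LAN host) into a spoke still needs the hub's outbound NAT rule. Node names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
IP, Net = ipaddress.IPv4Address, ipaddress.IPv4Network

@dataclass
class WgNode:
    """One WireGuard endpoint: its tunnel address, AllowedIPs per peer, and whether it
    masquerades forwarded traffic behind its own tunnel address (the hub's outbound NAT rule)."""
    address: IP
    peers: dict = field(default_factory=dict)   # peer name -> list of AllowedIPs networks
    masquerade: bool = False

def select_peer(node, dst):
    """Egress side of cryptokey routing: the peer whose AllowedIPs has the longest prefix covering dst."""
    best = None
    for peer, nets in node.peers.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None

def accepts(node, from_peer, src):
    """Ingress side: a packet decrypted from from_peer is kept only if src lies in that peer's AllowedIPs."""
    return any(src in net for net in node.peers.get(from_peer, []))

def trace(nodes, start, src, dst):
    """Walk one packet hop by hop. Returns (delivered, path); a drop is recorded as the last path entry."""
    here, path = start, [start]
    while nodes[here].address != dst:
        if nodes[here].masquerade:          # outbound NAT: forwarded packets leave with the hub's address
            src = nodes[here].address
        nxt = select_peer(nodes[here], dst)
        if nxt is None:
            return False, path + [f"dropped at {here}: no peer AllowedIPs covers {dst}"]
        if not accepts(nodes[nxt], here, src):
            return False, path + [f"dropped at {nxt}: src {src} not in AllowedIPs for peer {here}"]
        here, path = nxt, path + [nxt]
    return True, path

def build(spoke_allowed, masquerade=False):
    """Constructed hub-and-spoke tunnel 10.10.10.0/24: hub .1 with a /32 per spoke, spokes A (.2) and B (.3)."""
    hub = WgNode(IP("10.10.10.1"), {"A": [Net("10.10.10.2/32")], "B": [Net("10.10.10.3/32")]}, masquerade)
    return {"hub": hub,
            "A": WgNode(IP("10.10.10.2"), {"hub": [Net(spoke_allowed)]}),
            "B": WgNode(IP("10.10.10.3"), {"hub": [Net(spoke_allowed)]})}

if __name__ == "__main__":
    print(trace(build("10.10.10.1/32"), "A", IP("10.10.10.2"), IP("10.10.10.3")))  # spoke-to-spoke fails
    print(trace(build("10.10.10.0/24"), "A", IP("10.10.10.2"), IP("10.10.10.3")))  # delivered via hub
    print(trace(build("10.10.10.0/24", True), "hub", IP("192.168.1.50"), IP("10.10.10.3")))  # LAN host, hub NATs
```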