WireGuard: Routing site-to-site

Started by euant, January 19, 2023, 04:05:58 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
January 19, 2023, 04:05:58 PM
I've just set up a brand new install of OpnSense 22.7.11 and followed the WireGuard Site-to-Site Setup guide. However, clients on my LAN cannot ping remote IPs nor can I ping them from OpnSense unless I specifically set the Source Address.

I have an existing pfSense setup which I'm conencting to.

My existing network has several networks accessible via WireGuard (provable using WireGuard on a laptop or mobile - I can access the required networks) such as "192.168.3.0/24".

I've configured an Endpoint in the WireGuard config with this network in the "Allowed IPs", and can see that in "System > Routes > Status" there is a route for "192.168.3.0/24" going down the WireGuard interface.

If I go to "Interfaces > Diagnostics > Ping" and ping a host on this network with the "Source Address" set to the WireGuard interface, I get a response. If I leave the "Source Address" set to "Default" or set it to "LAN", I don't get a response.

Any ideas?
January 19, 2023, 08:37:46 PM #1
Screenshots please :)
January 19, 2023, 09:09:58 PM #2
Quote from: euant on January 19, 2023, 04:05:58 PM

I have an existing pfSense setup which I'm conencting to.

I've configured an Endpoint in the WireGuard config with this network in the "Allowed IPs", and can see that in "System > Routes > Status" there is a route for "192.168.3.0/24" going down the WireGuard interface.


So then you know the wireguard plugin is vastly better in pfSense. Being so the setup is a lot different.
One thing is Wireguard doesn't add routes automatically, are you sure the route exists?
Did you add interfaces for the tunnel? Gateway?
I would try to follow the pfSense guide and try to get through it that way.
January 20, 2023, 09:20:06 AM #3
Yep, I added an interface for the tunnel, but no manual routing config or gateway config.

Screenshots incoming:

January 20, 2023, 12:07:35 PM #4
Firewall Rules on the interface and WG group interface?
January 20, 2023, 12:23:13 PM #5
Firewall rules are to pass everything with a wildcard source and destination for both the specific and WG group interface.
January 20, 2023, 12:53:13 PM #6
Is that subnet involved in any other rules that would effect this?
Floating maybe?
January 20, 2023, 06:34:10 PM #7
Via CLI

/usr/local/etc/rc.d/wireguard restart
Print
Go Up Pages1
User actions