[SOLVED] Doc unclear for Wireguard Site-2-Site

Started by knebb, August 19, 2023, 07:14:06 AM

August 19, 2023, 07:14:06 AM Last Edit: August 27, 2023, 09:21:23 PM by knebb
Hi,

I am trying to set up a S2S VPN with Wireguard. Unfortunately the documentation is a little bit unclear for me.

It states I have to create a "local" entry on site 1. Then is written:
Quote: "When this VPN is set up on OPNsense only do the same on the second machine and exchange the public keys."
So I have to create a "local" entry on the second side. Makes sense so far but what is meant with "exchange the public keys"? When I create a local it will generate a different public key but where do I have to put the exchanged public keys? On the endpoint-entry?
Later I have to select the created endpoint in the local entry, but isn't this the endpoint from the other site (with a different key?)?

I am confused here...  :o

Thanks!

/KNEBB


opn1 - create local instance (name eg. wg1-opn1)
opn2 - create local instance (name eg. wg1-opn2)

opn1 - create Endpoint (name eg. wg1-opn2), insert the public key from the local instance opn2
opn2 - create Endpoint (name eg. wg1-opn1), insert the public key from the local instance opn1

Don't forget to select the peers in the local instance config and activate wireguard.

Hardware:
DEC740

Hi,

looks like it got some way better, indeed.

This is what I am getting on the console:
root@opnsense1:~ # wg show all
interface: wg1
  public key: FotG72RR5IJ86plz0VuT8X39tfqSmanyrmGSxgX/5i4=
  private key: (hidden)
  listening port: 1199

peer: gUs58TDRJYY24esbSfLULUH0SFWASvF6cUWjrdqH7go=
  endpoint: 192.168.22.156:1198
  allowed ips: 192.168.0.0/16
  latest handshake: 4 minutes, 23 seconds ago
  transfer: 66.57 KiB received, 88.05 KiB sent


And on the second:
root@opnsense2:~ # wg show all
interface: wg2
  public key: gUs58TDRJYY24esbSfLULUH0SFWASvF6cUWjrdqH7go=
  private key: (hidden)
  listening port: 1198

peer: FotG72RR5IJ86plz0VuT8X39tfqSmanyrmGSxgX/5i4=
  endpoint: 192.168.22.157:1199
  allowed ips: 192.168.0.0/16
  latest handshake: 5 minutes, 40 seconds ago
  transfer: 68.39 KiB received, 70.67 KiB sent


So I tend to say the tunnel is up, isn't it?

But I can not even ping the "other side":
root@opnsense2:~ # ping 10.200.0.1
PING 10.200.0.1 (10.200.0.1): 56 data bytes
ping: sendto: Capabilities insufficient
92 bytes from 127.0.0.1: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 ccf7   0 0000  40  01 981f 10.200.0.2  10.200.0.1


So I guess there might be some firewall rules waiting to be implemented, right?
I added two "Allow ALL" rules to the Firewall - Wireguard (Group) on both sides but still no luck.

Any ideas what is wrong here?

Thanks!
/KNEBB


Never mind. I edited the field "Allowed IPs" and it appears to be working somehow.

I have to elaborate what IP ranges I have to set there (remote? local?) but at least it appears to be working.

Your Allowed IP range 192.168.0.0/16 includes the Endpoint IPs 192.168.22.156 - 157.

If you do that there can be handshake and traffic problems because the packets for the handshakes will be pushed through the wireguard tunnel by the route "192.168.0.0/16 next hop wg".

Make sure the endpoint IPs aren't in the same subnet as the allowed IPs.
Hardware:
DEC740
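A quick check for the overlap described in the reply above, added here as an example (it is neither the thread's nor OPNsense's own code): it parses `wg show` output and flags any peer whose endpoint address falls inside that peer's allowed IPs, which is exactly the condition that sends handshake packets into the tunnel. The sample output is constructed from the keys and addresses posted earlier in this thread.

```python
import ipaddress
import re

# Constructed sample in `wg show` format, modelled on the output posted above:
# the peer's endpoint 192.168.22.156 lies inside allowed ips 192.168.0.0/16.
SAMPLE_WG_SHOW = """\
interface: wg1
  public key: FotG72RR5IJ86plz0VuT8X39tfqSmanyrmGSxgX/5i4=
  private key: (hidden)
  listening port: 1199

peer: gUs58TDRJYY24esbSfLULUH0SFWASvF6cUWjrdqH7go=
  endpoint: 192.168.22.156:1198
  allowed ips: 192.168.0.0/16
"""


def parse_peers(text):
    """Return one dict per peer: public key, endpoint address (or None), allowed networks."""
    peers, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("peer:"):
            current = {"peer": s.split(":", 1)[1].strip(), "endpoint": None, "allowed_ips": []}
            peers.append(current)
        elif current is not None and s.startswith("endpoint:"):
            host = s.split(":", 1)[1].strip()
            if host != "(none)":
                # drop the port; wg prints "[v6addr]:port" for IPv6 and "v4addr:port" for IPv4
                m = re.match(r"^\[(.+)\]:\d+$|^(.+):\d+$", host)
                current["endpoint"] = ipaddress.ip_address(m.group(1) or m.group(2))
        elif current is not None and s.startswith("allowed ips:"):
            nets = [n.strip() for n in s.split(":", 1)[1].split(",")]
            current["allowed_ips"] = [ipaddress.ip_network(n, strict=False)
                                      for n in nets if n and n != "(none)"]
    return peers


def find_endpoint_overlaps(text):
    """Return (peer_key, endpoint, allowed_net) for every peer whose endpoint is routed into the tunnel."""
    findings = []
    for p in parse_peers(text):
        if p["endpoint"] is None:
            continue
        for net in p["allowed_ips"]:
            if p["endpoint"] in net:
                findings.append((p["peer"], str(p["endpoint"]), str(net)))
    return findings


if __name__ == "__main__":
    for key, ep, net in find_endpoint_overlaps(SAMPLE_WG_SHOW):
        print(f"peer {key}: endpoint {ep} is inside allowed ips {net}; handshakes will be routed into wg")
```

On a live box the same function can be fed the output of `wg show all`; an empty result means no peer's endpoint is covered by its own allowed IPs.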

Hi,

thanks for the advice. I haven't had time to check again. So am I right I put here the remote network ranges in?

Thanks!

/KNEBB