[SOLVED] Doc unclear for Wireguard Site-2-Site

[knebb]

Hi,

I am trying to set up a S2S VPN with Wireguard. Unfortunately the documentation is a little bit unclear for me.

It states I have to create a "local" entry on site 1. Then is written:

When this VPN is set up on OPNsense only do the same on the second machine and exchange the public keys.

So I have to create a "local" entry on the second side. Makes sense so far but what is meant with "exchange the public keys"? When I create a local it will generate a different public key but where do I have to put the exchanged public keys? On the endpoint-entry?
Later I have to select the created endpoint in the local entry- but isn't this the endpoint from the other site (With different key?)?

I am confused here... 

Thanks!

/KNEBB

[Monviech (Cedrik)]

opn1 - create local instance (name eg. wg1-opn1)
opn2 - create local instance (name eg. wg1-opn2)

opn1 - create Endpoint (name eg. wg1-opn2), insert the public key from the local instance opn2
opn2 - create Endpoint (name eg. wg1-opn1, insert the public key from the local instance opn1

Dont forget to select the peers in the local instance config and activate wireguard.

[knebb]

Hi,

looks like it got some way better, indeed.

This is what I am getting on the console:

Code: [Select]

root@opnsense1:~ # wg show all
interface: wg1
  public key: FotG72RR5IJ86plz0VuT8X39tfqSmanyrmGSxgX/5i4=
  private key: (hidden)
  listening port: 1199

peer: gUs58TDRJYY24esbSfLULUH0SFWASvF6cUWjrdqH7go=
  endpoint: 192.168.22.156:1198
  allowed ips: 192.168.0.0/16
  latest handshake: 4 minutes, 23 seconds ago
  transfer: 66.57 KiB received, 88.05 KiB sent

And on the second:

Code: [Select]

root@opnsense2:~ # wg show all
interface: wg2
  public key: gUs58TDRJYY24esbSfLULUH0SFWASvF6cUWjrdqH7go=
  private key: (hidden)
  listening port: 1198

peer: FotG72RR5IJ86plz0VuT8X39tfqSmanyrmGSxgX/5i4=
  endpoint: 192.168.22.157:1199
  allowed ips: 192.168.0.0/16
  latest handshake: 5 minutes, 40 seconds ago
  transfer: 68.39 KiB received, 70.67 KiB sent

So I tend to say the tunnel is up, isn't it?

But I can not even ping the "other side":

Code: [Select]

root@opnsense2:~ # ping 10.200.0.1
PING 10.200.0.1 (10.200.0.1): 56 data bytes
ping: sendto: Capabilities insufficient
92 bytes from 127.0.0.1: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 ccf7   0 0000  40  01 981f 10.200.0.2  10.200.0.1
So I guess there might be some firewall rules waiting to be implemented, right?
I addedd two "Allow ALL" rules to the Firewall - Wireguard (Group) on both sides but still no luck.

Any ideas what is wrong here?

Thanks!
/KNEBB

[knebb]

Nevermind. I edited the field "Allowed IPs" and it apears to be working somehow.

I have to elaborate what IP ranges I have to set there (remote? local?) but at least it apears to be working.

[Monviech (Cedrik)]

Your Allowed IP range 192.168.0.0/16 includes the Endpoint IPs 192.168.22.156 - 157.

If you do that there can be handshake and traffic problems because the packets for the handshakes will be pushed through the wireguard tunnel by the route "192.168.0.0/16 next hop wg".

Make sure the endpoint IPs aren't in the same subnet as the allowed IPs.

[knebb]

Hi,

thansk for the advice. I haven't had time to check again. So am I right I put here the remote network ranges in?

Thanks!

/KNEBB