[SOLVED] Wireguard Site2Site not working

Started by DrZoidberg, August 04, 2023, 11:33:00 PM

August 05, 2023, 03:31:09 PM #15 Last Edit: August 05, 2023, 03:51:34 PM by Maurice
In case my previous post wasn't clear:

At site A (OPNsense), set the tunnel address in the local wg instance to 192.168.2.x/24 (where x must be unused at site B). Set the allowed IPs in the endpoint config to 192.168.2.0/24.

At site B (AVM), do the opposite (192.168.178.x/24 / 192.168.178.0/24).

Good luck.

[edit] The AVM how-to seems to suggest setting the wg interface's tunnel address to the same address and subnet as the local LAN interface. Really weird. So if the above doesn't work, try this. [/edit]
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
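To make the address plan in the post concrete, here is an added example (my own script, not code from this thread, from OPNsense or from AVM). It models Maurice's rule for each side: the local wg tunnel address is an unused host address inside the remote LAN, and the single peer's AllowedIPs is the remote LAN. It then traces a LAN-to-LAN packet through WireGuard's cryptokey routing in both directions (outbound peer selection by destination, inbound acceptance by source). The site names, the "used" host lists and the host octets are constructed sample values; only the two /24s come from the thread.

```python
"""Address plan and cryptokey-routing check for a WireGuard site-to-site link."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# The two /24s discussed in the thread.
SITE_A_LAN = IPv4Network("192.168.178.0/24")   # OPNsense side
SITE_B_LAN = IPv4Network("192.168.2.0/24")     # AVM side
# Constructed: addresses already taken at each site (hypothetical hosts).
SITE_A_USED = {IPv4Address("192.168.178.1"), IPv4Address("192.168.178.20")}
SITE_B_USED = {IPv4Address("192.168.2.1"), IPv4Address("192.168.2.250")}


def plan_side(remote_lan, remote_used, host_octet):
    """Return (tunnel_interface, allowed_ips) for one side.

    The tunnel address is taken from the remote LAN and keeps its prefix length,
    so the remote subnet is on-link via the wg interface. It must be a usable
    host address that no device at the remote site already owns.
    """
    addr = remote_lan.network_address + host_octet
    if addr not in remote_lan or addr in (remote_lan.network_address,
                                          remote_lan.broadcast_address):
        raise ValueError(f"{addr} is not a usable host address in {remote_lan}")
    if addr in remote_used:
        raise ValueError(f"{addr} is already in use at the remote site")
    return IPv4Interface(f"{addr}/{remote_lan.prefixlen}"), [remote_lan]


def build_site_to_site(octet_a=200, octet_b=200):
    """Plan both ends; each side has one peer whose AllowedIPs is the remote LAN."""
    a_tunnel, a_allowed = plan_side(SITE_B_LAN, SITE_B_USED, octet_a)
    b_tunnel, b_allowed = plan_side(SITE_A_LAN, SITE_A_USED, octet_b)
    return {
        "A": {"tunnel": a_tunnel, "peers": {"B": a_allowed}},
        "B": {"tunnel": b_tunnel, "peers": {"A": b_allowed}},
    }


def select_peer(dst, peers):
    """Outbound cryptokey routing: the peer with the longest matching AllowedIPs
    prefix wins; None means no peer claims the destination."""
    ip = IPv4Address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(src, from_peer, peers):
    """Inbound cryptokey routing: a decrypted packet is accepted only if its
    source address lies within the sending peer's AllowedIPs."""
    return any(IPv4Address(src) in net for net in peers[from_peer])


def lan_to_lan_ok(plan, src, dst):
    """Trace one packet from a site-A host to a site-B host and its reply:
    each direction must select the right peer and pass the source check."""
    fwd = (select_peer(dst, plan["A"]["peers"]) == "B"
           and accept_inbound(src, "A", plan["B"]["peers"]))
    rev = (select_peer(src, plan["B"]["peers"]) == "A"
           and accept_inbound(dst, "B", plan["A"]["peers"]))
    return fwd and rev


if __name__ == "__main__":
    plan = build_site_to_site()
    for site, cfg in plan.items():
        allowed = {p: [str(n) for n in nets] for p, nets in cfg["peers"].items()}
        print(f"site {site}: tunnel address {cfg['tunnel']}, peer AllowedIPs {allowed}")
    print("192.168.178.20 -> 192.168.2.10 passes both ways:",
          lan_to_lan_ok(plan, "192.168.178.20", "192.168.2.10"))
    print("peer selected for 8.8.8.8:", select_peer("8.8.8.8", plan["A"]["peers"]))
```

Running it prints a tunnel address of 192.168.2.200/24 for site A and 192.168.178.200/24 for site B; asking for octet 250 on the B side raises an error because the constructed host list marks 192.168.2.250 as taken, which is the "x must be unused at site B" check from the post. Note that forwarded LAN-to-LAN traffic never carries the tunnel address as its source, so only the two LANs need to appear in AllowedIPs.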

Thank you so much! AVM is sometimes really handy, but also pretty weird. I will let you know once I have access to the router. Problem is also that every change needs to be confirmed with a physical feedback from the user.

One side question if I may ask: Why isn't it possible to overrule the firewall and let traffic from 10.0.0.5 in? It may be not secure or advisable etc. but why is there no way to force allow it?

You could allow it by creating stateless firewall rules. A "normal" stateful rule will fail because the address mismatch causes a state violation.

Whether your hosts accept replies from an address other than the address they sent the request to is a different question. In most cases probably not.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
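The two points in the reply above (a stateful rule drops a reply that arrives from a different address, a stateless rule lets it through, and the host may still ignore it) can be shown with a toy model. This is an added example, not OPNsense's or pf's code: a minimal state table keyed on the 5-tuple, a stateless "pass in" match with no memory of the request, and a client socket that only accepts datagrams from the address and port it sent to. The request address, ports and hosts are constructed; 10.0.0.5 is the address the question mentions.

```python
"""Toy model of a stateful vs. stateless firewall pass rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class Firewall:
    """A stateful pass rule records the flow on the first packet and accepts a
    reply only if it matches the reversed 5-tuple. A stateless rule is a plain
    address/port match that never consults the state table."""

    def __init__(self, stateless_in=()):
        self.states = set()
        # Constructed stateless "pass in" rules: (source address, destination port).
        self.stateless_in = set(stateless_in)

    def pass_out(self, p: Packet) -> str:
        self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "pass"

    def pass_in(self, p: Packet) -> str:
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_of in self.states:
            return "pass (state match)"
        if (p.src, p.dport) in self.stateless_in:
            return "pass (stateless rule)"
        return "block (no matching state)"


def host_accepts(request: Packet, reply: Packet) -> bool:
    """A client socket tied to the request's 4-tuple only delivers a datagram
    whose source is exactly the address and port the request went to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def simulate(reply_src: str, stateless_in=()):
    """Send one request and evaluate a reply that comes back from reply_src."""
    fw = Firewall(stateless_in)
    request = Packet("192.168.178.20", 40000, "192.168.2.10", 53)   # constructed
    fw.pass_out(request)
    reply = Packet(reply_src, 53, "192.168.178.20", 40000)
    return {"firewall": fw.pass_in(reply),
            "host_accepts": host_accepts(request, reply)}


if __name__ == "__main__":
    print("reply from the address asked  :", simulate("192.168.2.10"))
    print("reply from 10.0.0.5, stateful :", simulate("10.0.0.5"))
    print("reply from 10.0.0.5, stateless:",
          simulate("10.0.0.5", stateless_in={("10.0.0.5", 40000)}))
```

The first case passes on the state match and the host takes the reply. The second is the state violation: the firewall has a state for 192.168.2.10, not 10.0.0.5, so the packet is blocked. The third passes only because of the stateless rule, and the host still discards it because the source does not match what it sent to. A stateless rule also gives up the automatic reply handling, so on a real firewall both directions need explicit rules.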

Quote from: Maurice on August 05, 2023, 03:31:09 PM
In case my previous post wasn't clear:

At site A (OPNsense), set the tunnel address in the local wg instance to 192.168.2.x/24 (where x must be unused at site B). Set the allowed IPs in the endpoint config to 192.168.2.0/24.

At site B (AVM), do the opposite (192.168.178.x/24 / 192.168.178.0/24).

Good luck.

[edit] The AVM how-to seems to suggest setting the wg interface's tunnel address to the same address and subnet as the local LAN interface. Really weird. So if the above doesn't work, try this. [/edit]

This setup, combined with the comment you made about keeping the same interface address, did it. Thank you!