Routing traffic through central Wireguard node

Started by dannyyy, December 10, 2023, 05:02:19 PM

Hi,

I have the following - simplified - network topology:
┌────────────────┐                       ┌───────────────┐                       ┌─────────────────┐
│                │                       │               │                       │                 │
│ Servers        │.2 192.168.252.0/24  .1│ OPNsense      │.1 192.168.251.0/24  .2│ MikroTik (IoT)  │
│ 172.16.32.0/24 ├───────────────────────┤ 172.16.8.0/24 ├───────────────────────┤ 172.16.64.0/24  │
│                │wg0    Wireguard    wg0│               │wg1    Wireguard    wg0│                 │
└───────┬────────┘                       └───────┬───────┘                       └────────┬────────┘
        │                                        │                                        │
        │                                        │                                        │
        │                                        │                                        │
        │                                        │                                        │
xxxxxxxxxxxxxxxx                           xxxxxxxxxxxx                            xxxxxxxxxxxxxx
x              x                           x          x                            x            x
x Internet     x                           x Internet x                            x Internet   x
x (Datacenter) x                           x (Fibre)  x                            x (Cellular) x
x              x                           x          x                            x            x
xxxxxxxxxxxxxxxx                           xxxxxxxxxxxx                            xxxxxxxxxxxxxx



Currently, the two tunnels can reach the allowed subnets of their endpoints, e.g. "OPNsense" can reach 172.16.64.0/24 and 172.16.32.0/24.

What I'd like to achieve is that "MikroTik" can reach the subnet 172.16.32.0/24.
Therefore, I configured on "MikroTik" AllowedIPs: 192.168.251.1/32,172.16.8.0/24,172.16.32.0/24.

But I'm unable to ping or reach anything on "Servers". On the "OPNsense" I don't see any blocked traffic. But I see that the traffic was forwarded or at least passed (screenshot).
Could the route back be the issue? Where and what has to be added (routing table on "Servers" or additional AllowedIPs on "Servers")?

Thank you and have a nice Sunday
Cheers Danny

You have to do the same on "Servers": Add 172.16.64.0/24 to the allowed IPs there.
Also, make sure your firewall rules allow these connections.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Why don't you just create one Wireguard network, with two Peers:
On Servers, the peers will be OPNSense and Mikrotik,
On OPNSense, the peers will be Servers and Mikrotik,
On Mikrotik, the peers will be OPNSense and Servers

That way everyone can talk to each other over the same WG network.
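Added example (my own code, not from the thread, OPNsense or MikroTik): a small model of WireGuard's cryptokey routing applied to the topology in the first post. It checks the packet flow MikroTik -> Servers and back for three configurations: Danny's starting point, Maurice's hub-and-spoke fix (add 172.16.64.0/24 to the OPNsense peer on "Servers"), and the full-mesh layout suggested above. The LANs and the 192.168.25x.0/24 tunnel addresses are taken from the diagram; the 10.99.0.0/24 mesh tunnel addresses and the .10 host addresses are constructed for the example. Firewall rules are deliberately not modelled.

```python
# Model of WireGuard "cryptokey routing" for the three-node topology above.
# AllowedIPs does two jobs: on egress it is the routing table that picks the
# peer for a destination; on ingress it is a source filter that drops any
# decrypted packet whose source address is not listed for that peer. Both
# directions of a flow must pass both checks at every hop.
import ipaddress
from typing import Dict, List, Optional, Tuple

Config = Dict[str, List[Tuple[str, List[str]]]]  # node -> [(peer, AllowedIPs)]

# LAN behind each node, taken from the diagram in the first post.
LANS = {
    "Servers": "172.16.32.0/24",
    "OPNsense": "172.16.8.0/24",
    "MikroTik": "172.16.64.0/24",
}

# Danny's starting point: hub-and-spoke via OPNsense; MikroTik already lists
# 172.16.32.0/24 for its OPNsense peer, but "Servers" knows nothing about the IoT LAN.
BEFORE: Config = {
    "Servers": [("OPNsense", ["192.168.252.1/32", "172.16.8.0/24"])],
    "OPNsense": [
        ("Servers", ["192.168.252.2/32", "172.16.32.0/24"]),
        ("MikroTik", ["192.168.251.2/32", "172.16.64.0/24"]),
    ],
    "MikroTik": [("OPNsense", ["192.168.251.1/32", "172.16.8.0/24", "172.16.32.0/24"])],
}

# Maurice's fix: "Servers" also lists the IoT LAN for its OPNsense peer.
AFTER: Config = {
    **BEFORE,
    "Servers": [("OPNsense", ["192.168.252.1/32", "172.16.8.0/24", "172.16.64.0/24"])],
}

# The second reply's alternative: one WireGuard network, every node peers with
# both others. Tunnel addresses 10.99.0.x are constructed for this example.
MESH: Config = {
    "Servers": [("OPNsense", ["10.99.0.2/32", "172.16.8.0/24"]),
                ("MikroTik", ["10.99.0.3/32", "172.16.64.0/24"])],
    "OPNsense": [("Servers", ["10.99.0.1/32", "172.16.32.0/24"]),
                 ("MikroTik", ["10.99.0.3/32", "172.16.64.0/24"])],
    "MikroTik": [("OPNsense", ["10.99.0.2/32", "172.16.8.0/24"]),
                 ("Servers", ["10.99.0.1/32", "172.16.32.0/24"])],
}


def owner_of(addr: str) -> str:
    """Node whose LAN contains addr (the example only uses LAN addresses)."""
    ip = ipaddress.ip_address(addr)
    for node, lan in LANS.items():
        if ip in ipaddress.ip_network(lan):
            return node
    raise ValueError(f"{addr} is not in any known LAN")


def select_peer(config: Config, node: str, dst: str) -> Optional[str]:
    """Egress: longest-prefix match of dst over all peers' AllowedIPs on node."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer, nets in config.get(node, []):
        for net in map(ipaddress.ip_network, nets):
            if ip in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts(config: Config, node: str, peer: str, src: str) -> bool:
    """Ingress: node keeps a packet from peer only if src is in that peer's AllowedIPs."""
    ip = ipaddress.ip_address(src)
    for p, nets in config.get(node, []):
        if p == peer:
            return any(ip in ipaddress.ip_network(n) for n in nets)
    return False


def trace(config: Config, start: str, src: str, dst: str, max_hops: int = 4):
    """Walk a packet hop by hop; returns (delivered, path, reason)."""
    node, path = start, [start]
    for _ in range(max_hops):
        if owner_of(dst) == node:
            return True, path, "delivered"
        nxt = select_peer(config, node, dst)
        if nxt is None:
            return False, path, f"{node}: no peer lists {dst} in AllowedIPs"
        if not accepts(config, nxt, node, src):
            return False, path, f"{nxt}: dropped, {src} not in AllowedIPs of peer {node}"
        node = nxt
        path.append(node)
    return False, path, "hop limit reached"


def round_trip(config: Config, a_addr: str, b_addr: str) -> bool:
    """True only if the packet reaches b and the reply makes it back to a."""
    fwd = trace(config, owner_of(a_addr), a_addr, b_addr)
    back = trace(config, owner_of(b_addr), b_addr, a_addr)
    return fwd[0] and back[0]


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("mesh", MESH)):
        print(name, trace(cfg, "MikroTik", "172.16.64.10", "172.16.32.10"))
        print(name, "round trip ok:", round_trip(cfg, "172.16.64.10", "172.16.32.10"))
```

Running it shows why Danny saw the packets leave OPNsense but got no reply: in the starting configuration the packet is dropped on arrival at "Servers" (its source is not in the AllowedIPs of the OPNsense peer there), and "Servers" has no peer to route the reply to anyway. Adding 172.16.64.0/24 on that peer fixes both directions; the mesh variant reaches "Servers" in a single hop.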