Wireguard site to site not working

[zer0k]

I have a very basic configuration and I'm just not seeing the remote OPNsense fw trying to initiate the connection
Remote wireguard clients on windows/macos can all connect just fine, so I know the central fw is listening and functional.

All FW's are running on ESXi 6.7 and are on OPNsense version 19.7.7-amd64 with os-wireguard 1.1 plugin

When I run tcpdump on my central fw I don't even see remote OPNsense/WG client trying to reach it, but I can test manually and can confirm there is end to end connectivity

Are there any known issues at this time?

[mimugmail]

No known issues ... need screenshots

[zer0k]

No known issues ... need screenshots

Hmm, something weird is going on then, and I'm not sure what I'm missing?

I am expecting the remote FW to at least try and make the connection, and that I would be able to see that running tcpdump on the central FW.
I have tried different ports, and different remote networks, etc. with no luck.
Firing up a client on windows or macos works instantly.

Screenshots aren't very exciting really...

Central FW:






Remote FW:

[mimugmail]

Why disable routes at endpoint?
Also bump port above 1024

[zer0k]

Why disable routes at endpoint?
Also bump port above 1024

Just been playing around with all sorts of settings and port numbers.
No matter what I do I never see a connection attempt at all with tcpdump

Perhaps this is an issue with opnsense/wireguard running on esxi 6.7u2?

I've tried opnsense firewalls at 2 different remote locations to rule out a location based issue.
Also, wireguard clients on macos/windows can connect perfectly from those locations

netstat shows the wg service listening on the ports I've assigned
tcpdump shows udp connections on that port if I scan it using nmap
tcpdump shows wireguard connections if I use a wireguard client
tcpdump never sees a connection attempt from the remote fw

wireguard command looks good to me from the cli

Code: [Select]

root@remoteFW:~ # /usr/local/etc/rc.d/wireguard restart
[#] rm -f /var/run/wireguard/wg0.sock
[#] wireguard-go wg0
INFO: (wg0) 2019/12/04 11:52:03 Starting wireguard-go version 0.0.20191012
[#] wg setconf wg0 /tmp/tmp.PhMa1gs5/sh-np.L1XuNv
[#] ifconfig wg0 inet 10.11.0.2/24 10.11.0.2 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.11.0.1/32 -interface wg0
[#] route -q -n add -inet 10.7.7.0/24 -interface wg0
[+] Backgrounding route monitor


[mimugmail]

So you should be able to ping 10.7.7.0/24 network via remoteFW ... can you check with tcpdump on wg0 if packets are going through the tunnel?

[zer0k]

So you should be able to ping 10.7.7.0/24 network via remoteFW ... can you check with tcpdump on wg0 if packets are going through the tunnel?

I'd love to ping something on the 10.7.x network, but the tunnel never comes up, so there is no way to ping through it.

I'm not actually seeing the remote fw ever make an attemp to connect to the central fw.
Once I get the tunnel up, I'm very familiar with opnsense rules/nat/gateways/pbr's etc.

[zer0k]

OK...finally worked it out

It seems if you want to get a site to site VPN working you need to enable keepalives.
If one side doesn't have that enabled they both just sit there and never try and make the connection.

It would be lovely if that was documented somewhere. haha

[mimugmail]

You only need them if one side is behind nat

[zer0k]

You only need them if one side is behind nat

It would be awesome if the OPNsense documentation mentioned that

[konus]

I had the very same issue after updating from 19.7.6 to 19.7.7. Befor it worked pretty well without keepalive set. After it did'nt work at all. Looking for a solution brought me to this thread. Enabling keepalive with 25 as show above does the job. This is maybe the reason why it's not documented, because it was not needed until now. So for existing installations this works for me. But I have another issue that on a newly installed 19.7.7 enabling the VPN is no longer leading to a section firewall:rules:wireguard wher the rules within the tunnel can be defined.