WireGuard VPN Site-to-Site question

[spider]

Dear all,

I have a problem setting up a site to site connection using WireGuard. After following the instructions in the documentation https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html the following configuration has been generated:

# site1 /usr/local/etc/wireguard/wg0.conf ip subnet 10.1.1.1/24

Code: [Select]

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey1>
[Peer]
PublicKey = <PublicKey2>
AllowedIPs = 10.10.0.2/32
[Peer]
PublicKey = <PublicKey3>
AllowedIPs = 10.10.0.3/32

# site2 /usr/local/etc/wireguard/wg0.conf ip subnet 10.2.1.1/24

Code: [Select]

[Interface]
Address = 10.10.0.2/24
ListenPort = 51820
PrivateKey = <PrivateKey2>
[Peer]
PublicKey = <PublicKey1>
AllowedIPs = 10.10.0.2/32,10.1.1.0/24
Endpoint = <VPN Address of Site1>:51820
PersistentKeepalive = 60

The firewall rule for port 51820 has been added.

From the opnsense box at site2 (10.2.1.1) it is possible to ping the following addresses 10.10.0.2, 10.10.0.1, 10.1.1.1 (LAN address of opnsense on site1 and 10.1.1.2 (a host on the LAN).

From a workstation 10.2.1.2 it is possible to ping 10.10.0.2, 10.10.0.1 but not possible to ping 10.1.1.1 or 10.1.1.2

I'm sure that I'm making basic mistake but cannot figure out how to fix it, can someone help so that it is possible to reach the hosts behind the opnsense box at site1?

Thank you

[spider]

The cause is that packets from workstation at 10.2.1.2 to 10.1.1.1 are going out via the WAN interface instead of through the WireGuard tunnel.

On the OPNsense firewall the packet go correctly through the WireGuard tunnel.

Do you know how to configure the routing so that LAN hosts go through the WireGuard interface? What I tried hasn't worked.

Thanks.

[mimugmail]

Do you use multiwan or loadbalancing or any kind of gateway rules?

[spider]

Do you use multiwan or loadbalancing or any kind of gateway rules?

Both sides have a single gateway on the WAN interface. The Office side has gateways on OpenVPN client interfaces.

Installing a gateway on the WireGuard interfaces does not work and adding a route through that interface breaks the WireGuard VPN tunnel.

[mimugmail]

Why does the gateway not work?

[spider]

Why does the gateway not work?

Why do I think it is not working, because it says the gateway is offline and 100% packet loss.

The gateway is configure is:
interface=WG
IP address=10.10.0.2
Disable Gateway Monitoring=false
Monitor IP =10.10.0.1

The 10.10.0.2 opnsense host can ping 10.10.0.2 and 10.10.0.1

I would say this means it is not working.

Thanks for your help.

[mimugmail]

What happens when you disable Monitoring, does it work?

[spider]

What happens when you disable Monitoring, does it work?

With monitoring enabled the routing table says:

Code: [Select]

Destination        Gateway            Flags     Netif Expire
10.10.0.1          10.10.0.2          UGHS        wg0
10.10.0.2          link#9             UH          wg0
10.10.0.2/32       wg0                US          wg0
<snip>
10.1.1.0/24       wg0                US          wg0
With monitoring disabled or the gateway removed the routing table says

Code: [Select]

10.10.0.2          link#9             UH          wg0
10.10.0.2/32       wg0                US          wg0
<snip>
10.1.1.0/24       wg0                US          wg0

When the gateway exists with or without monitoring then the host 10.10.0.2 cannot ping hosts on the 10.1.1.0/24 network.
When the gateway is removed the hosts can be pinged again. The odd thing is that the routing table is the same with and without the gateway.

Is there another way to test if this is working?

Thanks again.

[spider]

The following is very similar to what I would like to achieve:
https://hbh7.com/2018/09/30/setting-up-a-wireguard-site-to-site-vpn-between-2-edgerouters/

This also looks the same for FreeBSD
https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/

[mimugmail]

Can you post wgX.conf without gateway of both please ...

[spider]

They were in the first post. I've removed the keys and external IPs. Is that what you wanted?

BTW RoadWarrior connection work like a dream.

Thanks

[mimugmail]

On Site1 I'm missing network of Site2 in any of the two peers?

[spider]

I had updated the configuration from the host1 the following but it didn't make any difference.

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey>
[Peer]
PublicKey = <PublicKey2>
AllowedIPs = 10.10.0.2/32,10.2.1.1/24
[Peer]
PublicKey = <PublicKey3>
AllowedIPs = 10.10.0.3/32

If it is possible to ping any of the hosts behind the opnsense box at site1 from the opnsense box at site2 (10.2.1.1) then the tunnel is working and the routing is also working.

What is strange is that from a host behind site2 it can ping both sides of the tunnel but cannot ping the hosts behind the opnsense box site 1.

Doesn't this mean that the routing is not working from the LAN to hosts at the other side of the tunnel. Shouldn't the route have a gateway bit set, similar to openvpn?

When I tcpdumped the network traffic it was going out through the WAN interface and not the WG interface. From the opnsense box the traffic was going though the WG interface.

Thanks again.

[mimugmail]

Can you Join IRC next week and we fix via Teamviewer?

[spider]

Yes that's no problem. What time and timezone? I'm CEST.