WireGuard VPN Site-to-Site question

Started by spider, June 26, 2020, 11:17:47 AM

Dear all,

I have a problem setting up a site to site connection using WireGuard. After following the instructions in the documentation https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html the following configuration has been generated:

# site1 /usr/local/etc/wireguard/wg0.conf ip subnet 10.1.1.1/24

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey1>
[Peer]
PublicKey = <PublicKey2>
AllowedIPs = 10.10.0.2/32
[Peer]
PublicKey = <PublicKey3>
AllowedIPs = 10.10.0.3/32


# site2 /usr/local/etc/wireguard/wg0.conf ip subnet 10.2.1.1/24

[Interface]
Address = 10.10.0.2/24
ListenPort = 51820
PrivateKey = <PrivateKey2>
[Peer]
PublicKey = <PublicKey1>
AllowedIPs = 10.10.0.2/32,10.1.1.0/24
Endpoint = <VPN Address of Site1>:51820
PersistentKeepalive = 60


The firewall rule for port 51820 has been added.

From the opnsense box at site2 (10.2.1.1) it is possible to ping the following addresses: 10.10.0.2, 10.10.0.1, 10.1.1.1 (LAN address of opnsense on site1) and 10.1.1.2 (a host on the LAN).

From a workstation 10.2.1.2 it is possible to ping 10.10.0.2, 10.10.0.1 but not possible to ping 10.1.1.1 or 10.1.1.2.

I'm sure that I'm making a basic mistake but cannot figure out how to fix it. Can someone help so that it is possible to reach the hosts behind the opnsense box at site1?

Thank you

The cause is that packets from the workstation at 10.2.1.2 to 10.1.1.1 are going out via the WAN interface instead of through the WireGuard tunnel.

On the OPNsense firewall the packets go correctly through the WireGuard tunnel.

Do you know how to configure the routing so that LAN hosts go through the WireGuard interface? What I tried hasn't worked.

Thanks.

Do you use multiwan or loadbalancing or any kind of gateway rules?

Quote: Do you use multiwan or loadbalancing or any kind of gateway rules?

Both sides have a single gateway on the WAN interface. The Office side has gateways on OpenVPN client interfaces.

Installing a gateway on the WireGuard interfaces does not work and adding a route through that interface breaks the WireGuard VPN tunnel.


Quote: Why does the gateway not work?

Why do I think it is not working? Because it says the gateway is offline with 100% packet loss.

The gateway is configured as:
interface=WG
IP address=10.10.0.2
Disable Gateway Monitoring=false
Monitor IP =10.10.0.1

The 10.10.0.2 opnsense host can ping 10.10.0.2 and 10.10.0.1

I would say this means it is not working.

Thanks for your help.

What happens when you disable Monitoring, does it work?

Quote: What happens when you disable Monitoring, does it work?

With monitoring enabled the routing table says:

Destination        Gateway            Flags     Netif Expire
10.10.0.1          10.10.0.2          UGHS        wg0
10.10.0.2          link#9             UH          wg0
10.10.0.2/32       wg0                US          wg0
<snip>
10.1.1.0/24        wg0                US          wg0

With monitoring disabled or the gateway removed the routing table says:

10.10.0.2          link#9             UH          wg0
10.10.0.2/32       wg0                US          wg0
<snip>
10.1.1.0/24        wg0                US          wg0


When the gateway exists, with or without monitoring, the host 10.10.0.2 cannot ping hosts on the 10.1.1.0/24 network.
When the gateway is removed the hosts can be pinged again. The odd thing is that the routing table is the same with and without the gateway.

Is there another way to test if this is working?

Thanks again.


Can you post wgX.conf without gateway of both please ...

They were in the first post. I've removed the keys and external IPs. Is that what you wanted?

BTW RoadWarrior connections work like a dream.

Thanks

On Site1 I'm missing the network of Site2 in either of the two peers?

I had updated the configuration on host1 to the following, but it didn't make any difference.

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey>
[Peer]
PublicKey = <PublicKey2>
AllowedIPs = 10.10.0.2/32,10.2.1.1/24
[Peer]
PublicKey = <PublicKey3>
AllowedIPs = 10.10.0.3/32

If it is possible to ping any of the hosts behind the opnsense box at site1 from the opnsense box at site2 (10.2.1.1) then the tunnel is working and the routing is also working.

What is strange is that from a host behind site2 it can ping both sides of the tunnel but cannot ping the hosts behind the opnsense box site 1.

Doesn't this mean that the routing is not working from the LAN to hosts at the other side of the tunnel? Shouldn't the route have a gateway bit set, similar to openvpn?

When I tcpdumped the network traffic it was going out through the WAN interface and not the WG interface. From the opnsense box the traffic was going through the WG interface.

Thanks again.
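An added check, not part of the thread or of OPNsense, that audits a wg0.conf for the cryptokey-routing mismatches discussed above: a peer's AllowedIPs missing the remote LAN (the point raised about Site1), an AllowedIPs entry that contains this side's own tunnel address (Site2's peer block lists 10.10.0.2/32), and an entry written with host bits set (10.2.1.1/24 instead of 10.2.1.0/24). The sample configs are reconstructed from the thread with keys as placeholders; Site2's LAN is assumed to be 10.2.1.0/24.

```python
from ipaddress import ip_interface, ip_network

# Constructed sample copied from the two configs in the thread (keys are placeholders).
SITE1_CONF = """[Interface]
Address = 10.10.0.1/24
PrivateKey = <PrivateKey1>
[Peer]
PublicKey = <PublicKey2>
AllowedIPs = 10.10.0.2/32
"""
SITE2_CONF = """[Interface]
Address = 10.10.0.2/24
PrivateKey = <PrivateKey2>
[Peer]
PublicKey = <PublicKey1>
AllowedIPs = 10.10.0.2/32,10.1.1.0/24
"""

def parse_wg(text):
    """Minimal wg0.conf reader: (interface dict, list of peer dicts); repeated [Peer] blocks are kept."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            cur[key.strip().lower()] = val.strip()
    return iface, peers

def check_peer(conf_text, peer_pubkey, remote_lan):
    """Audit this side's cryptokey routing for one peer; returns a list of findings (empty = OK)."""
    iface, peers = parse_wg(conf_text)
    own = ip_interface(iface["address"]).ip
    peer = next(p for p in peers if p.get("publickey") == peer_pubkey)  # StopIteration if absent
    findings, allowed = [], []
    for entry in filter(None, (e.strip() for e in peer.get("allowedips", "").split(","))):
        net = ip_network(entry, strict=False)
        if str(net) != entry:
            findings.append(f"{entry} has host bits set; write it as {net}")
        allowed.append(net)
    if any(own in n for n in allowed):  # our own tunnel address never belongs to a peer
        findings.append(f"AllowedIPs contains our own tunnel address {own}")
    if not any(ip_network(remote_lan).subnet_of(n) for n in allowed):  # else WireGuard drops that LAN
        findings.append(f"remote LAN {remote_lan} missing from AllowedIPs")
    return findings
```

Run it against each side with the other side's public key and LAN; WireGuard silently discards any packet whose source (on receive) or destination (on send) is not covered by the matching peer's AllowedIPs, so both directions must list the far LAN.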

Can you join IRC next week so we can fix it via TeamViewer?

Yes that's no problem. What time and timezone? I'm CEST.