WireGuard Site to Site

[BrownCow]

First off, I understand that I might be doing this all wrong but I've tried to get myself as far as I can before asking for help.

I want to implement WireGuard in a site to site configuration and since I'm learning, I've decided to put it into OpnSense first. Later I might install it bare metal.

Both setups are ISP Modem -> Asus Router. I still want to use both Asus routers for everything they currently do. As such I only want OpnSense to run WireGuard and nothing more.

I followed this guide up until Step 3. https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
 
Both instances of WireGuard initiate and stay that way so it appears I have done something right. Neither have WAN interfaces but both can ping the internet through the existing LAN. I can't ping from one network to the other. I do have an existing OpenVPN server running on one site and can log into it from the other. (Should I stop the OpenVPN server?) Both networks are using the same DHCP range but their servers assign to different subsets.

Running WireGuard from terminal produces:

• rm -f /var/run/wireguard/wg0.sock
• resolvconf -d wg0
• wireguard-go wg0

INFO: (wg0) 2020/12/14 06:53:51 Starting wireguard-go version 0.0.20201118

• wg setconf wg0 /tmp/tmp.vHeA3nWe/sh-np.Idyy4J
• ifconfig wg0 inet 192.168.5.1/24 192.168.5.1 alias
• ifconfig wg0 mtu 1420
• ifconfig wg0 up
• resolvconf -a wg0 -x
• route -q -n add -inet 192.168.5.2/32 -interface wg0
• route -q -n add -inet 192.168.1.0/32 -interface wg0
• Backgrounding route monitor

and

• rm -f /var/run/wireguard/wg0.sock
• resolvconf -d wg0
• wireguard-go wg0

INFO: (wg0) 2020/12/14 06:57:15 Starting wireguard-go version 0.0.20201118

• wg setconf wg0 /tmp/tmp.fKJLL0pk/sh-np.2X3j2S
• ifconfig wg0 inet 192.168.5.2/24 192.168.5.2 alias
• ifconfig wg0 mtu 1420
• ifconfig wg0 up
• resolvconf -a wg0 -x
• route -q -n add -inet 192.168.5.1/32 -interface wg0
• route -q -n add -inet 192.168.1.0/32 -interface wg0
• Backgrounding route monitor

The config files are:

[Interface]
Address = 192.168.5.1/24
DNS = 192.168.1.250
ListenPort = 51820
PrivateKey = {randomstring}=
[Peer]
PublicKey = {randomstring}=
AllowedIPs = 192.168.1.0,192.168.5.2
Endpoint = {correctWANip}:51820

and

[Interface]
Address = 192.168.5.2/24
DNS = 192.168.1.240
ListenPort = 51820
PrivateKey = {randomstring}=
[Peer]
PublicKey = {randomstring}=
AllowedIPs = 192.168.5.1,192.168.1.0
Endpoint = {correctWANip}:51820

All keys end in an equals sign. (is that correct?)

Both state in VPN -> WireGuard -> Handshakes = 0.

I haven't added any routes or anything to the firewall as WireGuard isn't using a Wan interface (I understand this could be the problem).

Like I said, I'm new to this so understand I might have a fundamental problem that I can't see.

[Greelan]

Try changing the AllowedIPs to CIDR notation, eg 192.168.5.1/32

[BrownCow]

Thanks. I just tried that but I'm still not getting a handshake and still can't ping from one vm to the other.

[Greelan]

Quite possibly a routing issue as you have guessed. I haven't implemented WG on a host behind my firewall, only on the OPNsense firewall itself, so haven't got any immediate ideas for your scenario

[BrownCow]

Thanks. I'll keep plugging away and hopefully someone might have an idea.

[Greelan]

Have you thought about port forwarding on your router? Incoming requests on the WG port need to be directed to the WG host

[BrownCow]

On both routers I have forwarded port 51820 from all addresses to the relevant VM.

I also turned off the firewalls on both routers (temporarily) but that didn't help either.