Wireguard site-to-site from OPNSense to other wireguard server

[Bytechanger]

Hi,

I want to connect my OPNSense-Wireguard as "vpn-client" to an other wireguard-server.
I´ve aleready read wireguard docu site to site, but it doesn´t work.

This ist my config file, on windows-wireguard-connector it runs perfectly
Now I want to connect with OPNSense to the server

Code: [Select]

[Interface]
ListenPort = 55522
PrivateKey = pv123
Address = 10.100.100.37/31

[Peer]
PublicKey = pub123
EndPoint = XX.XX.XX.XX:55522
AllowedIPs = 10.1.3.0/24
PersistentKeepalive = 10

I created at Local->Server:

Code: [Select]

Public Key    pub123 (Key from Config file)
Private Key   pv123   (Key from Config file)
ListenPort     55522
TunnelAddress 10.100.100.37/31
Peers              MyPeer

I created at Endpoints:

Code: [Select]

Name       MyPeer
PublicKey  pub123 (Key from Config file)
Allowed IPs 10.1.3.0/24
Endpoint Address  XX.XX.XX.XX:55522
Enpoint Port          55522
Keepalive 10

But it doesn´t work...

On Firewall I set Rule Wireguard pass all

Pls help.


Greets

Byte

[Gauss23]

Do you see any traffic on that connection?
Are there any handshakes in VPN: WireGuard in the tab Handshakes?

[Bytechanger]

Nope,

Handshakes:

Code: [Select]

wg1 pub123 0

List Configuration

Code: [Select]

interface: wg1
  public key: anohter pubkey!
  private key: (hidden)
  listening port: 55522

peer: pub123
  endpoint: XX.XX.XX.XX:55522
  allowed ips: 10.1.3.0/24
  transfer: 0 B received, 3.76 KiB sent
  persistent keepalive: every 10 seconds

All Howtos I saw was to set site2site to OPNSense and nothing got config to set on ONE OPNSense.
An Wireguard-Server I can´t set anything.

Greets

Byte

[Gauss23]

Did you enable the WireGuard service in the general tab?
Do you allow traffic on the WAN interface to the WireGuard port?

[Bytechanger]

Wireguard is enabled, I have a second wireguard server running on OPNSense as roadwarrior, this works fine.

And NO I don´t want allow Traffic over WAN to THIS wireguard, because it´s should be a wireguard client!

Traffic should go OUT over WAN to Wireguard-server and backwards it´s allowed by default (stateless firewall).
So when I start wireguard on my desktop-pc, I don´t have to open a WAN port to get a connection, it´s an outgoing connection.

OPNSense should connect AS CLIENT to the wireguard server on the other side!


Greets

Byte

[Bytechanger]

OK,
looking at the intern config of wireguard in OPNSense looks good:

Code: [Select]

sudo cat ls /usr/local/etc/wireguard/wg1.conf

[Interface]
Address = 10.100.100.37/31
ListenPort = 55522
PrivateKey = pv123

[Peer]
PublicKey = pub123
AllowedIPs = 0.1.3.0/24
Endpoint = XX.XX.XX.XX:55522
PersistentKeepalive = 10


[Gauss23]

You should see traffic leaving your OPNsense box then. Have a look in the Firewall: Log Files: Live View

There should be traffic towards the endpoint you defined. It should be covered by the "Let out anything from firewall host itself".

[chemlud]

Mildyl OT, but is "PersistentKeepalive = 10" the standard used by opnsense?

[dmmincrjr]

Make sure you don't have any other site to site VPN's enabled while trying to get this to work between the sites. I had an OpenVPN vpn between the two sites up while trying to get this to work and no traffic would pass through the Wireguard VPN. Once I disabled the OpenVPN vpn everything worked.