Wireguard site-to-site setup only works on default WAN IP not VIP

Started by akron, February 11, 2021, 04:46:01 PM

Hi guys,

I've been trying to set up a WireGuard site-to-site VPN for a week or so without success. I keep getting handshake errors as below; the tunnel comes up and the peer can be seen, but it is not pingable and no routing is possible.

Handshake did not complete after 5 seconds, retrying (try 2)
Sending handshake initiation
Handshake did not complete after 5 seconds, retrying (try 2)

This is between 2 OPNsense boxes; the second box, the client, has no public access from the outside, however it has full outbound internet traffic allowed.

Site A (Main Server) - Has public IP with WAN rule allowing port 51820

[Interface]
Address = 192.168.1.1/24
MTU = 1500
ListenPort = 51820
PrivateKey = XXXXXXXX/7pPnNLvm8I1evXgCoU2z733tzgxL+qve9GM=

[Peer]
PublicKey = XXXXXXXXaJmnOotn3NW1LIYOe60aqqKByp7oEfhltFc=
AllowedIPs = 192.168.1.2/32,10.0.40.0/24
PersistentKeepalive = 20


Site B (full open outbound internet only, no NAT or FW access)

[Interface]
Address = 192.168.1.2/24
MTU = 1500
ListenPort = 27836
PrivateKey = XXXXXXXX1UMOhNzm7cUQamH7MwHBNLs4Ot41mIQ1wlI=

[Peer]
PublicKey = XXXXXXXXuXrQftcGxJzd6DYLW+ovR2HoRnhg1ojykSo=
AllowedIPs = 192.168.1.1/32,172.16.69.0/24
Endpoint = 76.XX.XX.257:51820  # Site A IP and port
PersistentKeepalive = 20


List config

interface: wg0
  public key: XXXXXXXXuXrQftcGxJzd6DYLW+ovR2HoRnhg1ojykSo=
  private key: (hidden)
  listening port: 51820

peer: XXXXXXXXaJmnOotn3NW1LIYOe60aqqKByp7oEfhltFc=
  preshared key: (hidden)
  endpoint: 81.3.249.54:27836
  allowed ips: 10.0.40.0/24,192.168.1.2/32
  transfer: 46.68 KiB received, 42.32 KiB sent
  persistent keepalive: every 20 seconds

wg0   XXXXXaJmnOotn3NW1LIYOe60aqqKByp7oEfhltFc=   0

All I am trying to do is to route 172.16.69.0/24 to 10.0.40.0/24 and vice versa; this should be fairly simple.

OpenVPN works perfectly with those networks, however I wanted to take advantage of WireGuard's so-called "speed".

I have tried to regenerate the keys at both sides 100 times.

Any thoughts about what is wrong?
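The symptom in this post (transfer counters moving, peer listed, nothing pingable) is usually decided by WireGuard's cryptokey routing: a packet only enters the tunnel if some peer's AllowedIPs covers its destination, and a reply only comes back if the far side's AllowedIPs covers the source. The script below is an added example, not part of this thread or of OPNsense; it reproduces that longest-prefix peer selection over two constructed configs modelled on the Site A / Site B posts (keys, the Site A public address 203.0.113.10 and the `wg show` public keys are placeholders) and checks both directions for the mistakes that leave a tunnel "up" but unroutable: a [Peer] PublicKey that does not match what the other box reports, a missing remote tunnel address or remote LAN in AllowedIPs, the local LAN accidentally routed into the tunnel, a copied PrivateKey, and no Endpoint on either side.

```python
import ipaddress

# Constructed sample configs modelled on the Site A / Site B posts above.
# Keys and Site A's public address are placeholders, not values from the thread.
SITE_A_CONF = """\
[Interface]
Address = 192.168.1.1/24
ListenPort = 51820
PrivateKey = SITE_A_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SITE_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.1.2/32, 10.0.40.0/24
PersistentKeepalive = 20
"""

SITE_B_CONF = """\
[Interface]
Address = 192.168.1.2/24
ListenPort = 27836
PrivateKey = SITE_B_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SITE_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.1.1/32, 172.16.69.0/24
Endpoint = 203.0.113.10:51820  # placeholder for Site A's public WAN address
PersistentKeepalive = 20
"""

# The "public key" line that `wg show` prints on each box (placeholders again).
SITE_A_PUBKEY = "SITE_A_PUBLIC_KEY_PLACEHOLDER"
SITE_B_PUBKEY = "SITE_B_PUBLIC_KEY_PLACEHOLDER"
SITE_A_LAN = ipaddress.ip_network("172.16.69.0/24")
SITE_B_LAN = ipaddress.ip_network("10.0.40.0/24")


def parse_wg_conf(text):
    """Parse a wg(8)-style config into {"Interface": {...}, "Peers": [{...}, ...]}.
    '#' comments are stripped; any other non 'Key = Value' line is rejected."""
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section == "Interface":
                current = conf["Interface"]
            elif section == "Peer":
                current = {}
                conf["Peers"].append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"unexpected line: {raw!r}")
        current[key.strip()] = value.strip()
    return conf


def allowed_networks(peer):
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in peer.get("AllowedIPs", "").split(",") if c.strip()]


def tunnel_ip(conf):
    return ipaddress.ip_interface(conf["Interface"]["Address"]).ip


def select_peer(conf, dst):
    """Cryptokey routing as WireGuard applies it: the packet goes to the peer whose
    AllowedIPs entry is the longest prefix covering dst; None means it is dropped."""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for peer in conf["Peers"]:
        for net in allowed_networks(peer):
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None


def check_site(local, remote, local_lan, remote_lan, remote_pubkey):
    """Problems in `local`'s config that leave the tunnel 'up' but unroutable."""
    peer = next((p for p in local["Peers"] if p.get("PublicKey") == remote_pubkey), None)
    if peer is None:
        return ["no [Peer] whose PublicKey matches the remote box's `wg show` public key"]
    problems = []
    if select_peer(local, tunnel_ip(remote)) is not peer:
        problems.append(f"remote tunnel address {tunnel_ip(remote)} not in this peer's AllowedIPs")
    if not any(net.supernet_of(remote_lan) for net in allowed_networks(peer)):
        problems.append(f"remote LAN {remote_lan} not covered by AllowedIPs, so no route to it")
    if select_peer(local, local_lan.network_address) is not None:
        problems.append(f"local LAN {local_lan} is in AllowedIPs and would be pushed into the tunnel")
    if local["Interface"]["PrivateKey"] == remote["Interface"]["PrivateKey"]:
        problems.append("both sides share one PrivateKey: the config was copied, not generated per site")
    return problems


def check_pair(a, b, a_lan, b_lan, a_pubkey, b_pubkey):
    """check_site in both directions plus the one pairwise rule: at least one side
    must carry an Endpoint, or neither can ever initiate a handshake."""
    report = {"site_a": check_site(a, b, a_lan, b_lan, b_pubkey),
              "site_b": check_site(b, a, b_lan, a_lan, a_pubkey),
              "pair": []}
    if not any("Endpoint" in p for p in a["Peers"] + b["Peers"]):
        report["pair"].append("neither side sets an Endpoint; one side must be reachable")
    return report


if __name__ == "__main__":
    a, b = parse_wg_conf(SITE_A_CONF), parse_wg_conf(SITE_B_CONF)
    for name, found in check_pair(a, b, SITE_A_LAN, SITE_B_LAN, SITE_A_PUBKEY, SITE_B_PUBKEY).items():
        print(name, "OK" if not found else found)
```

Run it against the real files (`wg showconf wg0` on each box gives the effective config, and `wg show wg0 public-key` the value to pass as the remote public key) and the configs posted above come back clean in both directions, which narrows the search to the firewall rules on the WireGuard and LAN interfaces and to which WAN address the listener is actually bound, rather than to AllowedIPs or the keys. Remove the Endpoint or the remote LAN from one side and the report names the exact direction that breaks.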

February 11, 2021, 04:58:54 PM #1 Last Edit: February 11, 2021, 06:18:50 PM by chemlud
I cannot check your IPs (srly 192.168.1.0/24 as the tunnel network?) and certificates, but I would remove the MTU.

Persistent keepalive is not needed, as it is added automagically by OPNsense when configured via GUI. The preshared key I would remove at this stage.

I have WireGuard up and running here between 2x OPNsense. One site needs a firewall rule on WAN (51820 or 27836, choose one) for UDP. Then it should work IMHO.

PS: if you have the appropriate firewall rules on both WireGuard interfaces.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Yes, the MTU setting is just out of desperation; this should by all means be the easiest VPN to set up, hence it makes no sense that it is not working or pinging either the VPN peer or any subnet behind the tunnel.

As you can see, the tunnel comes up and there is traffic listed, but I cannot ping anything.

The server side already has a rule on WAN to allow UDP on the server port 51820; client outbound is open, hence the client connects to the server and establishes the tunnel. This seems like an allow list problem or a routing problem, or even keys.

I don't know enough about wireguard to know where to go next.

Do your LAN rules on both sides allow traffic to the respective remote LANs?
kind regards
chemlud

February 11, 2021, 06:36:35 PM #4 Last Edit: February 12, 2021, 05:34:46 PM by akron
Quote from: chemlud on February 11, 2021, 06:19:52 PM
Do your LAN rules on both sides allow traffic to the respective remote LANs?

Uploaded my complete config in screenshots

Server: (screenshot)
Quote from: chemlud on February 11, 2021, 06:19:52 PM
Do your LAN rules on both sides allow traffic to the respective remote LANs?

I haven't touched the LAN interface rules. I have several OpenVPN tunnels working with no rules on LAN; whenever I try to reach remote OpenVPN subnets from LAN it just works. I understand WireGuard works differently than OpenVPN, so I might need those rules specifically allowing it?

I have a rule that says from LAN goes everywhere, so it should work by default.

Do you see Routes in System: Routes: Status with the networks mentioned?
"The S in IoT stands for Security!" :)

Quote from: Gauss23 on February 11, 2021, 06:45:53 PM
Do you see Routes in System: Routes: Status with the networks mentioned?

Yes, on the client I see the remote subnet and on the server I see the client subnet.

Also I have an any-to-any rule on the WireGuard interface in both locations.

After turning off OpenVPN I would do a reboot of the OPNsense before trying WireGuard...
kind regards
chemlud

Quote from: Gauss23 on February 11, 2021, 06:45:53 PM
Do you see Routes in System: Routes: Status with the networks mentioned?

I have tried the Windows client just to troubleshoot, and when I try to connect it says handshake failed, waiting for retry, so I am not sure if this is a bug with keys or something else. The tunnel seems up and traffic is listed as passing, but there is no routing; unless I failed miserably in one of the steps, I should be able to ping remote subnets or at least the remote peer IP itself.

You should see handshakes.

Maybe try a tcpdump and see where the packets are going. Enable logging on the firewall rules that allow WireGuard traffic and have a look at the live view.

Quote from: chemlud on February 11, 2021, 06:49:07 PM
After turning off OpenVPN I would do a reboot of the OPNsense before trying WireGuard...

I have rebooted both peers 20 times today...

This is my Windows output:

Handshake errors are not good. You should be able to connect with that client.
Does WAN have a rule to allow that traffic? Do you see anything in the live view? Enable logging on the rules that have something to do with your traffic.