[Solved] Wireguard Site to Site - Allow traffic between sites ?

Started by nsteinmetz, July 28, 2021, 09:56:46 AM

Hello,

I could set up a RoadWarrior connection and it works well. Now I'm trying to set up a site-to-site connection. The connection works between the endpoints, but traffic is not allowed.

I followed these tutorials:
* https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
* https://www.procustodibus.com/blog/2020/12/wireguard-site-to-site-config/

In both cases, the network is:

Internet <-> Modem <-> OpnSense <-> LAN/WLAN

Site A
- Modem : 192.168.1.10
- OpnSense : 10.250.0.1
- LAN : 10.250.0.1/24
- WLAN: 10.251.0.1/24
- WG0: 10.252.0.1/24 (RoadWarrior)
- WG1: 10.253.0.1/24 (site to site)

Site B:
- Modem : 192.168.1.1
- OpnSense : 192.168.7.1
- LAN : 192.168.7.1/24
- WLAN : 192.168.9.1/24
- WG0: 192.168.11.1/24 (RoadWarrior)
- WG1: 10.253.0.2/24 (site to site)

For the WG configuration, more precisely:

On Site A

Local:
- Name AtoB
- Port 51821
- Tunnel: 10.253.0.1/24
- Peers: SiteB

Endpoint:
- Name: SiteB
- AllowedIP: 10.253.0.2/32 192.168.7.1/24 192.168.9.1/24
- endpoint: IP.OF.SITE.B
- port: 51821


On Site B

Local:
- Name BtoA
- Port 51821
- Tunnel: 10.253.0.2/24
- Peers: SiteA

Endpoint:
- Name: SiteA
- AllowedIP: 10.253.0.2/32 10.250.0.1/24 10.251.0.1/24 
- endpoint: IP.OF.SITE.1
- port: 51821

On both OPNsense boxes:
- I set WG1 as an interface, so I have the automatic rules for Firewall > NAT > Outbound
- Firewall > WAN > set a rule to accept connections on port 51821/UDP => this works, as I see they are connected in VPN > WireGuard > List Configurations
- Firewall > WG1 > Accept all traffic on the WG1 interface from WG1 net to LAN net (IN rule)
- Firewall > LAN > Accept all traffic on the LAN interface from WG1 net to LAN net (IN rule)
- Firewall > LAN > Accept all traffic on the LAN interface from LAN net to WG1 net (IN rule)

In the firewall log on site B, when I ping or nmap a host on site B from site A:
- it passes from site A to site B (firewall log from OPNsense on site A)
- it's denied on WG1 on site B (firewall log from OPNsense on site A), with the label "Default deny rule"

So what's the next rule to add? It must be a LAN-to-WG1 kind of rule, but I don't know how to implement it :(

Hope I provided enough details, and if I can improve the docs once this is solved, I'll be happy to contribute to it.

This may help: https://www.thomas-krenn.com/en/wiki/OPNsense_WireGuard_VPN_Site-to-Site_configuration

I believe essentially you need a rule on the WG interface that allows source traffic from the remote LAN subnet.

Awesome Greelan, exactly what I needed!

It works like a charm 8)

I removed the useless rules:
- Firewall > LAN > Accept all traffic on the LAN interface from WG1 net to LAN net (IN rule)
- Firewall > LAN > Accept all traffic on the LAN interface from LAN net to WG1 net (IN rule)

Thanks a lot!!
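To make the accepted answer concrete, here is an added example (not code from the thread, from OPNsense or from WireGuard) that models the two things a packet has to pass in this setup: WireGuard's cryptokey routing (AllowedIPs decide both which peer a destination is sent to and which source addresses are accepted from a peer after decryption) and the pass rule on the WG1 interface. The addresses follow the site A / site B plan above; the hosts 10.250.0.50 and 192.168.7.20 are constructed, the peer tables are written as network addresses, and site B's peer entry is assumed to carry site A's tunnel address 10.253.0.1/32. The point it shows is why "from WG1 net to LAN net" never matches a ping from a site A LAN host: the source address is 10.250.0.x, not a 10.253.0.x tunnel address, so only a rule whose source is the remote LAN subnet passes it.

```python
# Added example, not from the thread: a small model of WireGuard cryptokey
# routing plus the per-interface pass rule on OPNsense. Addresses follow the
# site A / site B plan in the thread; hosts and peer tables are constructed.
from ipaddress import ip_address, ip_network

# AllowedIPs per peer, as WireGuard sees them. Assumption: site B's peer
# entry carries site A's tunnel address 10.253.0.1/32; the /24 entries are
# written as network addresses.
SITE_A_PEERS = {"SiteB": ["10.253.0.2/32", "192.168.7.0/24", "192.168.9.0/24"]}
SITE_B_PEERS = {"SiteA": ["10.253.0.1/32", "10.250.0.0/24", "10.251.0.0/24"]}

SITE_B_WG1_NET = ip_network("10.253.0.0/24")   # "WG1 net" alias on site B
SITE_B_LAN_NET = ip_network("192.168.7.0/24")  # "LAN net" alias on site B
SITE_A_LAN_NET = ip_network("10.250.0.0/24")   # the remote LAN, seen from site B


def _nets(spec):
    return [ip_network(n, strict=False) for n in spec]


def route_outbound(peers, dst):
    """Pick the peer whose AllowedIPs contain dst (longest prefix wins).
    None means WireGuard has no peer for it and drops the packet."""
    dst = ip_address(dst)
    best = None
    for name, spec in peers.items():
        for net in _nets(spec):
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers, peer, src):
    """A decrypted packet from `peer` is accepted only if its source address
    lies in that peer's AllowedIPs; otherwise WireGuard silently discards it."""
    src = ip_address(src)
    return any(src in net for net in _nets(peers[peer]))


def pass_rule(source_net, dest_net):
    """A minimal 'pass in' rule on the WG1 interface matching source and destination."""
    return lambda src, dst: ip_address(src) in source_net and ip_address(dst) in dest_net


# The rule from the original post: "from WG1 net to LAN net".
ORIGINAL_WG1_RULE = pass_rule(SITE_B_WG1_NET, SITE_B_LAN_NET)
# The rule from the accepted answer: source is the remote LAN subnet.
FIXED_WG1_RULE = pass_rule(SITE_A_LAN_NET, SITE_B_LAN_NET)


def trace_ping(src, dst, wg1_rule):
    """Follow one packet from a site A address to a site B host through the
    three checks the thread touches. Returns where it stops, or 'delivered'."""
    if route_outbound(SITE_A_PEERS, dst) != "SiteB":
        return "site A: no peer for destination"
    if not accept_inbound(SITE_B_PEERS, "SiteA", src):
        return "site B: source not in AllowedIPs"
    if not wg1_rule(src, dst):
        return "site B: WG1 default deny"
    return "delivered"


if __name__ == "__main__":
    for rule_name, rule in (("original", ORIGINAL_WG1_RULE), ("fixed", FIXED_WG1_RULE)):
        # A ping from a site A LAN host (constructed) to a site B LAN host (constructed).
        print(rule_name, trace_ping("10.250.0.50", "192.168.7.20", rule))
    # A ping sourced from site A's own tunnel address matches "WG1 net" and passes
    # even with the original rule, which is why tests from the firewall itself can
    # succeed while LAN hosts are still denied.
    print("from tunnel address:", trace_ping("10.253.0.1", "192.168.7.20", ORIGINAL_WG1_RULE))
```

Note that `accept_inbound` is the check that makes the AllowedIPs on the receiving side matter as much as the firewall rule: if the remote LAN subnet were missing from the peer's AllowedIPs, WireGuard would discard the packet before pf ever saw it, and nothing would show in the firewall log at all. Seeing a "Default deny rule" entry on WG1, as in the first post, therefore already tells you that cryptokey routing is fine and only the pass rule is wrong.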

Hi, OPNsense is new for me. I'm trying to do the same: first RoadWarrior, and the next step must be s2s.
I got RoadWarrior (Android) working; it seems the internet traffic comes to the smartphone through WireGuard.
1: But I can't get traffic to the LAN. What did I do wrong?
2: I didn't understand what the solution for your s2s was?

3: On Android, how do I have only LAN traffic through WG and no internet traffic (I mean internet outside WireGuard)?

Sorry for my bad English.

Best regards