**Solved** WireGuard is selectively routing traffic

Started by swingline, January 06, 2022, 09:59:46 PM

January 06, 2022, 09:59:46 PM Last Edit: January 08, 2022, 02:29:40 AM by swingline
I have WireGuard set up and I thought it was working correctly, but I am having some routing issues with one of the subnets in AllowedIPs. The 172.28.0.0/24 subnet is causing me issues, as WireGuard seems to be routing only some of the IPs, but not all of the IPs, in that VLAN. All of the IPs can be pinged from inside the local net.

Here is what peer configs look like

[Interface]
Address = 10.30.0.2/32
PrivateKey = blank

[Peer]
PublicKey = tyQSYEh1ik4CarV9GjCqdCIdscwVkiSghXNoRa+sRFo=
AllowedIPs = 10.30.0.0/24,172.28.0.0/24
Endpoint = {IP}:28363


I just have allow-all rules on both the WireGuard and the VLAN interfaces. No floating rules or anything like that.

Anyone know what might be causing the selective routing?

I think you are confusing what AllowedIPs means. In your setup it means the IPs that can be accessed at the peer endpoint (and that are allowed to come from the peer endpoint). It doesn't mean which local IPs should use the tunnel.

January 06, 2022, 11:18:51 PM #2 Last Edit: January 06, 2022, 11:20:31 PM by swingline
The peer configuration provided is for a road-warrior split-tunnel configuration. My understanding of AllowedIPs is that I put in the subnets that I want routed over the tunnel, so that when the interface is brought up the route is added on the peer's machine, allowing that user to interact with the subnets on the server side of the tunnel (OPNsense).

The tunnel is working and routing the two specified subnets, but only partially on the 172.28.0.0/24 network, so

ssh root@172.28.0.42 works
while
ssh root@172.28.0.14 times out

Not sure what is causing this issue. I should add that I have tried just sending everything with 0.0.0.0/0, with the same results on the same VLAN.
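The reply above and this post disagree about what AllowedIPs does, so here is the rule WireGuard actually applies ("cryptokey routing"), modelled on the configs in this thread. This is an added illustration, not WireGuard's code and not anything the posters ran: the AllowedIPs values are taken from the posts (client: 10.30.0.0/24,172.28.0.0/24; OPNsense side: one /32 per road-warrior peer), while the peer names, the second peer 10.30.0.4 and the packet addresses are constructed.

```python
"""Cryptokey routing as WireGuard applies it, modelled on this thread's configs.
Added illustration, not WireGuard's own code. Peer names and the packets used
below are constructed; the AllowedIPs values are the ones posted in the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Peer:
    name: str
    allowed_ips: List[IPv4Network]


def parse_allowed_ips(spec: str) -> List[IPv4Network]:
    """Parse the comma-separated AllowedIPs value of a [Peer] section."""
    return [ip_network(s.strip(), strict=False) for s in spec.split(",") if s.strip()]


class CryptokeyTable:
    """The per-interface table WireGuard consults in both directions."""

    def __init__(self, peers: List[Peer]):
        self.peers = peers

    def peer_for_destination(self, dst: str) -> Optional[Peer]:
        """Outbound: longest-prefix match of the destination over every peer's
        AllowedIPs. None means no peer claims the address; with wg-quick there is
        then no route pointing at the tunnel, so the packet follows the host's
        ordinary routing table (usually the default route) instead."""
        addr = ip_address(dst)
        best: Optional[Tuple[Peer, IPv4Network]] = None
        for peer in self.peers:
            for net in peer.allowed_ips:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accept_inbound(self, peer: Peer, inner_src: str) -> bool:
        """Inbound: after decryption the inner source address must lie inside the
        sending peer's AllowedIPs, otherwise WireGuard silently drops the packet."""
        addr = ip_address(inner_src)
        return any(addr in net for net in peer.allowed_ips)


# Road-warrior client view: a single peer, the OPNsense endpoint.
def client_egress(dst: str, allowed_ips: str = "10.30.0.0/24,172.28.0.0/24") -> str:
    """Does the client send a packet for dst into the tunnel or down its normal default route?"""
    table = CryptokeyTable([Peer("opnsense", parse_allowed_ips(allowed_ips))])
    return "wg0" if table.peer_for_destination(dst) else "default route"


# OPNsense view: every road-warrior peer is one /32 (10.30.0.2 is the poster's
# client address; "user4" at 10.30.0.4 is the example endpoint from the thread).
SERVER = CryptokeyTable([
    Peer("swingline", parse_allowed_ips("10.30.0.2/32")),
    Peer("user4", parse_allowed_ips("10.30.0.4/32")),
])


def server_reply_peer(dst: str) -> Optional[str]:
    """When a LAB host answers, OPNsense picks the peer whose AllowedIPs cover the reply's destination."""
    peer = SERVER.peer_for_destination(dst)
    return peer.name if peer else None


def server_accepts(peer_name: str, inner_src: str) -> bool:
    """Would OPNsense pass a decrypted packet from peer_name that carries inner_src?"""
    peer = next(p for p in SERVER.peers if p.name == peer_name)
    return SERVER.accept_inbound(peer, inner_src)


if __name__ == "__main__":
    for dst in ("172.28.0.42", "172.28.0.14", "172.27.0.13"):
        print(dst, "->", client_egress(dst))
    print("with 0.0.0.0/0, 172.27.0.13 ->", client_egress("172.27.0.13", "0.0.0.0/0"))
    print("reply to 10.30.0.2 is encrypted for peer", server_reply_peer("10.30.0.2"))
    print("spoofed inner source 10.30.0.9 from swingline accepted?", server_accepts("swingline", "10.30.0.9"))
```

Two things this makes visible. First, on the client AllowedIPs is both the route list and an inbound source filter, which is the point the reply above makes; on OPNsense the per-peer /32 is what selects the peer for a reply, and a packet whose inner source is outside that /32 is dropped without a log line. Second, cryptokey routing cannot distinguish 172.28.0.14 from 172.28.0.42: both match the same /24, so a failure that depends on the target host has to come from somewhere else on the path or from the host itself.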

OK, I thought you were showing the OPNsense config rather than the config on your device.

Have you by any chance restricted the SSH config on the problem machine to only some source IPs?

Also post your firewall rules please

No worries

No restrictive SSH configs; ping gives the same results as SSH, it just hangs. Everything is reachable via the local network.

VLAN
      Protocol   Source    Port   Destination   Port   Gateway   Schedule
IN    IPv4 *     LAB net   *      *             *      *         *

WG
      Protocol   Source    Port   Destination   Port   Gateway   Schedule
IN    IPv4 *     WG net    *      *             *      *         *

I have watched the firewall log when I initiate a ping. I see the ICMP happen and it appears to allow the traffic, but it just hangs when attempting from multiple machines, Linux and Windows both.

What are the Allowed IPs on the endpoint on OPNsense?

Perhaps show those configs too

I take it that you have assigned an interface to the WG device?

Yes, I have assigned WG to an interface.

Each endpoint looks like this.

Name: Username
Public Key: pub key
shared secret: blank
Allowed IPs: 10.30.0.4/32 (user assigned IP)
Endpoint Address: Blank
Endpoint Port: Blank
Keepalive: 30

Each peer has been added to the local configuration which looks like this

Enabled: Checked
Name: WG
Public Key:  key
Private key: key
Port: 28363
Tunnel Address: 10.30.0.1/24
Peers: selected as required
Disable Routes: unchecked
Gateway: Blank

Hmmm. My only suggestion is to remove 10.30.0.0/24 from the AllowedIPs on the client device

Thanks for the suggestion, but the results were the same when I removed it.

January 07, 2022, 05:49:13 PM #9 Last Edit: January 07, 2022, 05:52:56 PM by swingline
So, watching the firewall logs as I ping an IP while connected to WireGuard: the first one fails, but it's on the WAN interface? The second one passes and is on the correct interface. Any insight as to why some of the subnet is getting sent through WAN? Thanks. Also, it is changing the subnet from the original request of 172.28.0.13 to 172.27.0.13.


You've got some odd stuff happening in your network lol. If you are logging on the WG interface rules, you should see the ping come in on that interface and then go out the LAB interface. The WAN stuff must be related to some other misconfiguration in your network.

Tagged and untagged traffic on the same interface?
Kind regards,
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Well, after burning it all down three times, I figured out the issue was with the endpoints. Everything has been sorted out. Thanks for all the help; this was a really frustrating issue to have to deal with.

Perhaps you can share what the issue was, if it could be of use to others?

Basically, I am in the middle of splitting two physical networks, the new one being managed by OPNsense. Both machines causing problems have two NICs, one for the old network and one for the new network. One NIC is Intel and the other Realtek; everything routes properly when on the local networks. Once I threw WireGuard into the mix, I started to see strange routing issues with those machines.

While moving cables around on the machines, I found that if the old network was plugged into the Intel NIC and the new network plugged into the Realtek NIC, I would see the problem. Reverse the cables, and I don't see the routing problem anymore. Whether I reboot the machines or bring the interfaces up in different orders, it just goes away.
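The thread ends with the symptom following which NIC carried which cable on the two dual-homed machines, and does not say why. The check below is a constructed example, not the poster's diagnosis and not code from the thread: it models the most common way a host with one NIC on an old network and one on the OPNsense network produces exactly "the ping arrives, the answer never comes back". The WireGuard client's address is on neither link, so the host's reply leaves via whichever NIC holds the default route. 172.28.0.0/24, 172.28.0.14 and 10.30.0.0/24 are from the thread; the old network 192.0.2.0/24, the gateways 192.0.2.1 and 172.28.0.1 (OPNsense on the LAB VLAN) and the interface names are assumptions.

```python
"""Reply-path check for a dual-homed host. Constructed example, not the
thread's own diagnosis. Addresses from the thread: 172.28.0.0/24, 172.28.0.14,
10.30.0.0/24 (the WireGuard tunnel network). Assumed: 192.0.2.0/24 as the old
network, 192.0.2.1 as its router, 172.28.0.1 as OPNsense, the NIC names."""
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional, Tuple


class HostRoutes:
    """A minimal IPv4 routing table: (network, device, next hop or None when on-link)."""

    def __init__(self):
        self.routes: List[Tuple] = []

    def add_link(self, dev: str, addr_with_prefix: str) -> "HostRoutes":
        """Connected route that configuring an address on dev creates."""
        self.routes.append((ip_interface(addr_with_prefix).network, dev, None))
        return self

    def add_route(self, net: str, dev: str, via: str) -> "HostRoutes":
        """Static route for net through next hop via on dev."""
        self.routes.append((ip_network(net), dev, ip_address(via)))
        return self

    def lookup(self, dst: str) -> Optional[Tuple]:
        """Longest-prefix match, as the kernel does for a reply the host originates."""
        addr = ip_address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None

    def egress(self, dst: str) -> Optional[str]:
        """Name of the NIC a packet for dst leaves on, or None if unroutable."""
        route = self.lookup(dst)
        return route[1] if route else None


def reply_is_symmetric(host: HostRoutes, ingress_dev: str, peer_addr: str) -> bool:
    """A request from peer_addr came in on ingress_dev. Does the reply leave the same NIC?"""
    return host.egress(peer_addr) == ingress_dev


def migrating_host() -> HostRoutes:
    """Host mid-migration: new network on eth_new, old network (holding the default route) on eth_old."""
    return (HostRoutes()
            .add_link("eth_new", "172.28.0.14/24")
            .add_link("eth_old", "192.0.2.14/24")
            .add_route("0.0.0.0/0", "eth_old", "192.0.2.1"))


def host_with_tunnel_route() -> HostRoutes:
    """Same host after adding a route for the WireGuard tunnel network via OPNsense (172.28.0.1 assumed)."""
    return migrating_host().add_route("10.30.0.0/24", "eth_new", "172.28.0.1")


if __name__ == "__main__":
    broken, fixed = migrating_host(), host_with_tunnel_route()
    # On-link LAB traffic works either way, matching "everything reachable via the local network".
    print("reply to 172.28.0.42 leaves", broken.egress("172.28.0.42"))
    # The VPN client's address is on neither link, so the reply takes the default route on the old NIC.
    print("reply to 10.30.0.2 leaves", broken.egress("10.30.0.2"))
    print("symmetric after adding the tunnel route:", reply_is_symmetric(fixed, "eth_new", "10.30.0.2"))
```

On a real Linux host the equivalent check is `ip route get 10.30.0.2`, which prints the interface and next hop the kernel would use; if it is not the NIC facing OPNsense, the host needs a route for the tunnel network through OPNsense (or its default route moved there) before any amount of cable swapping is worth trying. The thread does not say whether that was the mechanism on the poster's machines; it is simply the first thing to rule out when the firewall log shows the request arriving and nothing coming back.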