Wireguard with multiple Endpoints not working

Started by cds, January 15, 2023, 09:47:37 AM

Quote from: Greelan on January 15, 2023, 11:24:57 PM
That's why I said "appears". We haven't been given the info on the subnets that have been otherwise configured on OPNsense. If 10.0.0.0/8 is just being used as a shorthand to pick up a bunch of otherwise unique subnets, then fine.

The real issue then is the allowed IPs that have been configured in the OPNsense endpoint configs, as per my original comment.

Then you shouldn't have said "That won't work".  :)

So,
if I understand right:

peer: 1
  endpoint: 10.98.0.12:51820
  allowed ips: 10.98.0.12/32
  persistent keepalive: every 25 seconds

peer: 2
  endpoint: 10.98.0.11:51820
  allowed ips: 10.98.0.11/32
  persistent keepalive: every 25 seconds


should work (10.98.0.0/24 is only used for WG peers).

So far so good. Now I have a new effect:

10.98.0.11 can ping 10.11.1.1 (endpoint of the VPN), but cannot access its web page.
If peer 2 is the only peer, and allowed ips: 10.0.0.0/8 is used, this works.
Any hints?


Have you added firewall rules for WG on OPNsense?

Quote from: Demusman on January 15, 2023, 11:30:16 PM

Then you shouldn't have said "That won't work".  :)
This is really how you want to spend your time?

Yes, in and out, everything is allowed.

BTW, access to 10.1.1.0/24 works fine ...


Quote from: cds on January 15, 2023, 11:31:20 PM
So,
if I understand right:

peer: 1
  endpoint: 10.98.0.12:51820
  allowed ips: 10.98.0.12/32
  persistent keepalive: every 25 seconds

peer: 2
  endpoint: 10.98.0.11:51820
  allowed ips: 10.98.0.11/32
  persistent keepalive: every 25 seconds


should work (10.98.0.0/24 is only used for WG peers).

So far so good. Now I have a new effect:

10.98.0.11 can ping 10.11.1.1 (endpoint of the VPN), but cannot access its web page.
If peer 2 is the only peer, and allowed ips: 10.0.0.0/8 is used, this works.
Any hints?

You're still not allowing any of your subnets through the tunnel. You won't be able to access anything outside the tunnel.

Quote from: Greelan on January 15, 2023, 11:37:27 PM
Quote from: Demusman on January 15, 2023, 11:30:16 PM

Then you shouldn't have said "That won't work".  :)
This is really how you want to spend your time?

Just pointing out that you gave some misinformation and instead of you just admitting that, you make an excuse.
Am I wrong?

Quote from: Demusman on January 16, 2023, 12:02:50 AM
Am I wrong?
Yes.

If you want to talk about misinformation, your most recent post will cause confusion. The OP doesn't need to add the local networks to the allowed IPs in the endpoint configs on OPNsense. The OP does however need to add them to the peer allowed IPs on the peers themselves - so that the peers know that they access 10.0.0.0/8 at the OPNsense end via the tunnel. See my earlier comments. This is why I asked to see the WG configs on the peers themselves.
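The cryptokey-routing rule behind the advice above (each side only sends a destination into the tunnel if some peer's AllowedIPs covers it, and only delivers a decrypted packet if its source address routes back to the peer it came from), as an added Python model. This is not code from the thread, from WireGuard or from OPNsense; it only models AllowedIPs, not endpoints or keepalives. The OPNsense tunnel address 10.98.0.1 and the peer entry name "opnsense" are assumptions made for the illustration.

```python
import ipaddress

# Added illustration of WireGuard's cryptokey routing rules, written for this
# thread; it is not WireGuard's or OPNsense's own code.
# Assumption: the OPNsense end of the 10.98.0.0/24 tunnel network is 10.98.0.1.
OPNSENSE_TUNNEL_ADDR = "10.98.0.1"


class CryptokeyRouter:
    """One WireGuard interface: maps AllowedIPs prefixes to the peer that owns them."""

    def __init__(self):
        # prefix -> peer name. A prefix has exactly one owner; configuring the same
        # prefix on a second peer moves it away from the first (wg(8) behaviour).
        self.table = {}

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self.table[net] = name

    def peer_for(self, dst):
        """Outbound: the peer whose most specific AllowedIPs prefix covers dst, or None."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, peer) for net, peer in self.table.items()
                   if addr.version == net.version and addr in net]
        if not matches:
            return None  # nothing routes this destination into the tunnel
        net, peer = max(matches, key=lambda m: m[0].prefixlen)
        return peer

    def accepts_from(self, peer, src):
        """Inbound: a packet decrypted from `peer` is delivered only if its source
        address routes back to that same peer; otherwise WireGuard drops it."""
        return self.peer_for(src) == peer


def opnsense_interface():
    """The OPNsense side from the thread: one /32 per peer tunnel address."""
    r = CryptokeyRouter()
    r.add_peer("peer1", ["10.98.0.12/32"])
    r.add_peer("peer2", ["10.98.0.11/32"])
    return r


def peer_interface(allowed_ips):
    """A road-warrior peer with a single [Peer] section pointing at OPNsense."""
    r = CryptokeyRouter()
    r.add_peer("opnsense", allowed_ips)
    return r


def can_reach_via_tunnel(allowed_ips_on_peer, dst):
    """Does a packet to dst leave the peer through the tunnel at all?"""
    return peer_interface(allowed_ips_on_peer).peer_for(dst) == "opnsense"


def overlapping_opnsense_interface():
    """The layout the thread warns against: both endpoints claim 10.0.0.0/8."""
    r = CryptokeyRouter()
    r.add_peer("peer1", ["10.0.0.0/8"])
    r.add_peer("peer2", ["10.0.0.0/8"])
    return r


if __name__ == "__main__":
    opn = opnsense_interface()
    print("OPNsense routes 10.98.0.11 to", opn.peer_for("10.98.0.11"))
    print("OPNsense accepts 10.98.0.12 from peer2?", opn.accepts_from("peer2", "10.98.0.12"))
    only_tunnel = [OPNSENSE_TUNNEL_ADDR + "/32"]
    with_lan = [OPNSENSE_TUNNEL_ADDR + "/32", "10.0.0.0/8"]
    print("peer reaches 10.11.1.1 with /32 only?", can_reach_via_tunnel(only_tunnel, "10.11.1.1"))
    print("peer reaches 10.11.1.1 with 10.0.0.0/8?", can_reach_via_tunnel(with_lan, "10.11.1.1"))
    bad = overlapping_opnsense_interface()
    print("overlap: 10.98.0.12 now belongs to", bad.peer_for("10.98.0.12"))
```

The last case is why two OPNsense endpoint entries must not both carry 10.0.0.0/8: the prefix ends up owned by whichever peer was configured last, and packets from the other peer fail the inbound source check. The /32-per-peer layout on OPNsense plus the OPNsense-side subnets in each peer's own AllowedIPs satisfies both directions.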

Ok. Have it your way.


peer: 1
  endpoint: 10.98.0.12:51820
  allowed ips: 10.98.0.12/32
  persistent keepalive: every 25 seconds

peer: 2
  endpoint: 10.98.0.11:51820
  allowed ips: 10.98.0.11/32
  persistent keepalive: every 25 seconds

BTW, OP, you don't need to specify an endpoint IP and port in the endpoint configs on OPNsense, if the peers are the ones initiating connections to OPNsense rather than the other way around.

If OPNsense is initiating connections to the peers, then you need to specify a public IP and port that they are accessible on, rather than the tunnel IP.