Wireguard Site to Site, Peer sees Lan but Lan can't see Peer

Started by RSpin, February 12, 2023, 03:04:54 AM

Trying to set up a Wireguard Site to Site setup between my Proxmox Server running an OPNsense VM and a Raspberry Pi at another location.  Followed all the tutorials (I think) and I am close.  I get a handshake and I can ping the Wireguard interfaces in both directions.  From the Raspberry Pi I can also ping all the addresses on my OPNsense LAN.  I cannot ping any IP addresses on the Raspberry Pi except the Wireguard interface.  UFW is not running on the Pi.  The Pi is connected to a Verizon Fios Router with a port forward on 58020 to the Pi.  I have set up a Wireguard connection to this Pi in the past and was able to access other devices on the network, so I don't think there is anything going on at that end, but willing to entertain ideas.

Opnsense set up

LAN network 10.10.0.1

Wireguard Local
Listen Port: 58020
Tunnel Address: 10.20.20.1

Endpoints
AllowedIps: 10.20.20.2/32, 192.168.1.0/24
Endpoint address and Port set to WAN address of Pi and port 58020

Raspberry Pi setup

Lan:  192.168.0.1

wg0.conf
[Interface]
PrivateKey = ???????????????
ListenPort = 58020
Address = 10.20.20.2/32

[Peer]
PublicKey = ??????????????????????????????
AllowedIPs = 10.20.20.1/32,10.10.0.0/24,10.10.20.0/24
Endpoint = #############:58020
PersistentKeepAlive = 21

I have a wide open firewall rule set on the OPNsense WG interface.

The only thing that I have noticed that might be off is when I set up the Wireguard Interface it was set up as wg1 instead of wg0.  I do not have a wg0, so that seemed weird to me.

I am one of those follow the tutorial/YouTube video guys who can follow directions but have only a passing knowledge of why anything works.  I am new to OPNsense and am just at a loss as to how to troubleshoot this.  Makes no sense to me that I can ping the Wireguard interface but not any devices on the Pi's network given I am pretty sure I have the allowed IP setting correct.  As I said, I have accomplished this with my old Ubuntu server so I feel like it should work.

Thanks for any ideas.

You say the Pi LAN is x.x.0.1 but allowed IPs on the endpoint on OPNsense says x.x.1.0. Typo or misconfiguration?

Thanks for reply

The LAN is 192.168.1.0, the router is 192.168.1.1

Address = 10.20.20.2/32

[Peer]
PublicKey = ??????????????????????????????
AllowedIPs = 10.20.20.1/32,10.10.0.0/24,10.10.20.0/24

The 10.10.20.0 is a VLAN on the OPNSense machine, which I can connect to from the Pi over the Wireguard connection. 

The 10.20.20.1 & 2 are the Wireguard interface IPs at either end.

Is the PI the default gateway on it's end?

I would do some packet captures to see where the replies are going.

The LAN gateway is on a Verizon Fios Router.  The Pi's only reason to exist is this Wireguard Tunnel.  The Pi is plugged directly into the Fios Router, so no wifi etc.  I have a HDHR Prime that is also plugged into the same Router. That is actually what I want to pass through the tunnel.

Had this working perfectly for a long time but I got greedy I guess and am upgrading my setup at home to make use of OPNsense.  Had just an Ubuntu server with a Wireguard connection to the Pi.  Now I'm trying to graduate to Proxmox and OPNsense.  Thought this would be the easy part. :-\

Have you done a packet capture on the Pi to see what is happening to the incoming packets? Do you have static routes on your router on the Pi end so that network knows to send packets destined for the network on the other side via the Pi?

Quote from: RSpin on February 14, 2023, 03:58:44 AM
The LAN gateway is on a Verizon Fios Router.  The Pi's only reason to exist is this Wireguard Tunnel.  The Pi is plugged directly into the Fios Router, so no wifi etc.  I have a HDHR Prime that is also plugged into the same Router. That is actually what I want to pass through the tunnel.

Had this working perfectly for a long time but I got greedy I guess and am upgrading my setup at home to make use of OPNsense.  Had just an Ubuntu server with a Wireguard connection to the Pi.  Now I'm trying to graduate to Proxmox and OPNsense.  Thought this would be the easy part. :-\

What is the gateway set to on the Pi?

Forgive me, I'm not exactly sure what you mean.  I am pretty sure the LAN gateway is on the router and is 192.168.1.1.  The IP of the Pi is 192.168.1.117.

Thank you by the way for trying to assist.

I will have to do some research on how to do a packet search.  Never had to do that before.  I'll see what I can figure out.

With regard to the static routes: is there a way to check to see if I already have some static routes?  I set up that Ubuntu server like 3 years ago so I honestly don't remember if I set something up on the Pi then or not.  I most definitely have not set up any static routes in the course of trying to get this setup running.  None of the how-to's or YouTube videos I read mentioned the need to do that.

How did you set up the VPN server on the Pi? PiVPN maybe?
You need to check what the gateway is set to in it. Depending on what you used for the VPN and what OS you're running on the Pi, the commands will be different. So once you determine what was used, figure out what the IP settings on the Pi are. You say the Pi is 192.168.1.117 and the router is .1, so the Pi's gateway should be set to .1.
Verify it is.

pi@raspberrypi:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian


I double checked in the add/remove software and I have Wireguard installed, not PiVPN. Not familiar with what that is.

pi@raspberrypi:~ $ netstat -r -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.10.0.0       0.0.0.0         255.255.255.0   U         0 0          0 wg0
10.10.20.0      0.0.0.0         255.255.255.0   U         0 0          0 wg0
10.20.20.1      0.0.0.0         255.255.255.255 UH        0 0          0 wg0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 vethec925a4
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-a2ee912178f5
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 eth0

I hope this is what you are looking for?  Looks like the wireguard tunnel wg0 is using gateway 0.0.0.0.  Should it be 192.168.1.1?  Not sure how I fix that though.

I don't think this is relevant but I am not trying to use this WG connection to allow either Site to use the others internet.  That should be done locally only.  Hope I said that right.
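The two checks the replies in this thread ask for, written out as a small model so the reasoning can be followed without touching the Pi. This is an added example, not something posted in the thread or shipped by OPNsense or WireGuard. Part one checks whether each end's AllowedIPs actually contains the other end's LAN (the 192.168.0.x vs 192.168.1.0 question). Part two runs longest-prefix matching over a route table to show where a *reply* goes: the Pi's own table (transcribed from the netstat output) sends 10.10.0.0/24 into wg0, but a device on the Pi's LAN such as the HDHR Prime has only its default route to the Fios router (that host's table is a constructed assumption), so its replies to 10.10.0.x never reach the Pi. Adding the static route the earlier reply mentioned, pointing 10.10.0.0/24 at the Pi's LAN address, is what changes that.

```python
import ipaddress

# Addresses quoted in the thread
OPNSENSE_LAN = "10.10.0.0/24"
OPNSENSE_VLAN = "10.10.20.0/24"
PI_LAN = "192.168.1.0/24"
PI_ETH0 = "192.168.1.117"      # the Pi's LAN address (from the thread)
FIOS_ROUTER = "192.168.1.1"    # default gateway on the Pi side (from the thread)

# AllowedIPs as posted for each end
OPNSENSE_PEER_ALLOWED = ["10.20.20.2/32", "192.168.1.0/24"]
PI_PEER_ALLOWED = ["10.20.20.1/32", "10.10.0.0/24", "10.10.20.0/24"]

# Routes as (destination network, gateway or None if on-link, interface).
# The Pi's table is transcribed from the netstat output in the thread; the
# LAN host's table is a constructed assumption: a device with only a
# default route, which is what a typical LAN device looks like.
PI_ROUTES = [
    ("0.0.0.0/0", FIOS_ROUTER, "eth0"),
    ("10.10.0.0/24", None, "wg0"),
    ("10.10.20.0/24", None, "wg0"),
    ("10.20.20.1/32", None, "wg0"),
    ("192.168.1.0/24", None, "eth0"),
]
LAN_HOST_ROUTES = [
    ("0.0.0.0/0", FIOS_ROUTER, "eth0"),
    ("192.168.1.0/24", None, "eth0"),
]


def allowed_covers(allowed_ips, remote_lan):
    """True if some AllowedIPs entry contains the whole remote LAN.

    WireGuard uses AllowedIPs as its cryptokey routing table: packets for a
    destination not listed for a peer are never sent into that peer's tunnel,
    and packets arriving from the peer with a source outside it are dropped.
    """
    remote = ipaddress.ip_network(remote_lan)
    return any(remote.subnet_of(ipaddress.ip_network(a)) for a in allowed_ips)


def next_hop(routes, dst):
    """Longest-prefix match; returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        net = ipaddress.ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else None


def reply_reaches_tunnel(routes, remote_src):
    """Does a reply to remote_src leave via wg0, or via the Pi as gateway?"""
    gw, iface = next_hop(routes, remote_src)
    return iface == "wg0" or gw == PI_ETH0


def with_static_route(routes, remote_lan):
    """Route table after adding 'remote_lan via the Pi' (the fix a reply suggested)."""
    return routes + [(remote_lan, PI_ETH0, "eth0")]


if __name__ == "__main__":
    print("OPNsense peer covers Pi LAN:", allowed_covers(OPNSENSE_PEER_ALLOWED, PI_LAN))
    print("OPNsense peer covers 192.168.0.0/24:",
          allowed_covers(OPNSENSE_PEER_ALLOWED, "192.168.0.0/24"))
    print("Pi peer covers OPNsense LAN:", allowed_covers(PI_PEER_ALLOWED, OPNSENSE_LAN))
    print("Pi reply to 10.10.0.5 goes via:", next_hop(PI_ROUTES, "10.10.0.5"))
    print("LAN host reply to 10.10.0.5 goes via:", next_hop(LAN_HOST_ROUTES, "10.10.0.5"))
    fixed = with_static_route(LAN_HOST_ROUTES, OPNSENSE_LAN)
    print("After static route:", next_hop(fixed, "10.10.0.5"))
```

The model makes the asymmetry visible: the Pi can answer because wg0 is in its own table, while every other device on 192.168.1.0/24 hands its reply to 192.168.1.1, which has no idea where 10.10.0.0/24 lives. The static route can go on the Fios router (one entry for all devices) or on each device; the alternative that is not discussed in the thread is to masquerade tunnel traffic on the Pi's eth0 so replies are addressed to the Pi itself, at the cost of losing the real source address in the Pi-side logs. In either case the Pi also has to have IP forwarding enabled, or it will drop forwarded packets regardless of routing.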