Topic: Wireguard Site-to-Site + Selective routing is buggy! (Read 1127 times)
bbx8
Newbie
Posts: 3
Karma: 0
Wireguard Site-to-Site + Selective routing is buggy!
on: April 12, 2023, 12:05:10 am
I have a working Site-to-Site wireguard setup and I want to be able to selectively route certain hosts from site A to reach the internet through the WAN from site B.
Site A: Network 192.168.1.0/24, Wireguard Tunnel IP 10.10.10.1
Site B: Network 192.168.2.0/24, Wireguard Tunnel IP 10.10.10.2
I used the wiki's Selective Routing Wireguard guide as a base and changed the following from the site-to-site setup.
On Site A router, VPN->Wireguard. Changed the Allowed-IPs on the endpoint to 0.0.0.0/0
On Site A router, VPN->Wireguard -> Local. Disable routes and add IP 10.10.10.11 as gateway
On Site A router, System->Gateway->Single. Add Wireguard Gateway, Far Gateway, IP 10.10.10.11, Monitor 10.10.10.2
On Site A router, System->Routes->Config. Add route to 192.168.2.0/24 through new Wireguard Gateway
On Site A router, Firewall->Alias. Add alias of hosts I want to route
On Site A router, Firewall->Rules->Lan. Any alias source to a non-RFC1918 address uses Wireguard Gateway (rule placed at top of rule list)
On Site B router, Firewall->NAT->Outbound. Add Manual Rule, source 192.168.1.0/24, any destination, NAT to WAN address. Also set hybrid rules for outbound.
After I do that, all hosts on Site A can reach Site B hosts, and the aliased Site A hosts have their public IP show as Site B's WAN address on the check-my-IP websites.
THE PROBLEM
Not every website works well. Some sites run smoothly; some sites like Reddit occasionally time out. The site paramountplus always gives an Err_Timed_out error. The Hulu login button after inputting username and password always gives a network error. So this setup kinda works, but many sites don't really work well.
My first thought was this was an MTU issue, but I dropped the MTU all the way to 900 and it still acts exactly the same (WAN on site A uses PPPoE fiber, so MTU shouldn't need to be smaller than 1412). So it doesn't seem to be an MTU problem.
If I connect my laptop as a road warrior setup directly to Site B with allowed-ips 0.0.0.0/0 then all the problems go away. So Wireguard can work, but for some reason there is something in my Site-to-Site + Selective routing setup that is causing buggy behavior with certain sites. I was wondering if anything seems wrong with my setup.
zan
Full Member
Posts: 175
Karma: 31
Re: Wireguard Site-to-Site + Selective routing is buggy!
Reply #1 on: April 12, 2023, 03:19:49 am
Setting MTU alone is not enough; you need to set the MSS too to work with TLS traffic.
Try setting the MSS to match your WG iface MTU, e.g. 1412 or lower for both MTU and MSS.
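Added example (not from the thread or from OPNsense): a small Python helper that derives the WireGuard tunnel MTU and the MSS clamp zan describes from the WAN MTU, and then checks whether a TCP SYN seen on the tunnel still advertises an MSS larger than that clamp, which is what you would see when clamping is not in effect. The sample SYN is constructed inline, and the header sizes (IPv4 20, IPv6 40, UDP 8, WireGuard 32, TCP 20) are assumptions about the encapsulation, not values from the thread.

```python
import struct
from typing import Optional

# Assumed per-packet overhead: outer IP + UDP + WireGuard data header.
WG_OVERHEAD = {4: 20 + 8 + 32, 6: 40 + 8 + 32}
# Assumed inner IP + TCP header (no options) that the MSS must leave room for.
TCP_IP_HEADERS = {4: 20 + 20, 6: 40 + 20}


def tunnel_mtu(wan_mtu: int, outer_family: int = 4) -> int:
    """MTU usable on the WireGuard interface for a given WAN MTU and outer IP family.
    A PPPoE WAN of 1492 gives 1432 over IPv4 and 1412 over IPv6."""
    return wan_mtu - WG_OVERHEAD[outer_family]


def mss_clamp(wg_mtu: int, inner_family: int = 4) -> int:
    """Largest TCP payload that fits in one tunnel packet for the inner IP family."""
    return wg_mtu - TCP_IP_HEADERS[inner_family]


def syn_mss(tcp_header: bytes) -> Optional[int]:
    """Extract the MSS option (kind 2) from a raw TCP header; None if absent."""
    data_offset = (tcp_header[12] >> 4) * 4      # header length incl. options
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # end of option list
            break
        if kind == 1:                            # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def exceeds_clamp(tcp_header: bytes, clamp: int) -> bool:
    """True when the SYN advertises an MSS above the clamp, i.e. clamping is not applied."""
    mss = syn_mss(tcp_header)
    return mss is not None and mss > clamp


def build_syn(mss: int) -> bytes:
    """Constructed sample: a TCP SYN (data offset 6 = 24 bytes) carrying one MSS option."""
    base = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return base + struct.pack("!BBH", 2, 4, mss)


if __name__ == "__main__":
    clamp = mss_clamp(tunnel_mtu(1492))          # PPPoE WAN, IPv4 outer: 1392
    print("tunnel MTU", tunnel_mtu(1492), "MSS clamp", clamp)
    print("unclamped LAN SYN too large:", exceeds_clamp(build_syn(1460), clamp))
```

Run the check against a SYN captured on the WireGuard interface with tcpdump; an MSS above the clamp means the firewall's MSS setting is not taking effect on that path.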
bbx8
Newbie
Posts: 3
Karma: 0
Re: Wireguard Site-to-Site + Selective routing is buggy!
Reply #2 on: April 12, 2023, 05:43:47 pm
Correct. MSS clamping fixed the problem. Thanks.
metacyx
Newbie
Posts: 3
Karma: 0
Re: Wireguard Site-to-Site + Selective routing is buggy!
Reply #3 on: April 13, 2023, 05:30:42 pm
Quote from: bbx8 on April 12, 2023, 05:43:47 pm
Correct. MSS clamping fixed the problem. Thanks.
Thank you so much for sharing; it solved a problem that has been bothering me for months.