[SOLVED] Wireguard Site2Site not working

[Maurice]

In case my previous post wasn't clear:

At site A (OPNsense), set the tunnel address in the local wg instance to 192.168.2.x/24 (where x must be unused at site B). Set the allowed IPs in the endpoint config to 192.168.2.0/24.

At site B (AVM), do the opposite (192.168.178.x/24 / 192.168.178.0/24).

Good luck.

[edit] The AVM how-to seems to suggest setting the wg interface's tunnel address to the same address and subnet as the local LAN interface. Really weird. So if the above doesn't work, try this. [/edit]

[DrZoidberg]

Thank you so much! AVM is sometimes really handy, but also pretty weird. I will let you know once I have access to the router. Problem is also that every change needs to be confirmed with a physical feedback from the user.

One side question if I may ask: Why isnt it possible to overrule the firewall an let traffic from 10.0.0.5 in? It may be not secure or advisable etc. but why is there no way to force allow it?

[Maurice]

You could allow it by creating stateless firewall rules. A "normal" stateful rule will fail because the address mismatch causes a state violation.

Whether your hosts accept replies from an address other than the address they sent the request to is a different question. In most cases probably not.

[DrZoidberg]

In case my previous post wasn't clear:

At site A (OPNsense), set the tunnel address in the local wg instance to 192.168.2.x/24 (where x must be unused at site B). Set the allowed IPs in the endpoint config to 192.168.2.0/24.

At site B (AVM), do the opposite (192.168.178.x/24 / 192.168.178.0/24).

Good luck.

[edit] The AVM how-to seems to suggest setting the wg interface's tunnel address to the same address and subnet as the local LAN interface. Really weird. So if the above doesn't work, try this. [/edit]

This setup considering the comment you made keeping the same interface address did it. Thank you!