[SOLVED] Wireguard Site2Site not working

[DrZoidberg]

Hi there,

I want to connect two home networks via Wireguard with the setup like so:

Site A: 192.168.1.0/24
Site B: 192.168.2.0/24
WG-Tunnel: 10.0.0.0/24

The Wireguard connection itself is working. I can reach the full network of Site A from Site B, I can ping/traceroute from Site A to Site B.

However, I cannot reach any service within Site B from Site A.

If I observe the live firewall log I see the following:

192.168.1.111 goes through the firewall and hits 192.168.2.222
However, the answer comes from 10.0.0.5 and wants to call back to 192.168.1.111 but hits the default deny rule.

The strange part is that I tried almost any rule to open for traffic from 10.0.0.0/24 to 192.168.1.0/24. And in general it needs to work as Site B can reach any device within the network of Site A.

Do you have any clues where I can start looking for a solution?

Thank you so much!

[Bob.Dig]

The strange part is that I tried almost any rule to open for traffic from 10.0.0.0/24 to 192.168.1.0/24. And in general it needs to work as Site B can reach any device within the network of Site A.

Do you have any clues where I can start looking for a solution?

Show your rules here?

[DrZoidberg]

Here you find the rules for the wg interface and floating rules. I tried one or the other are both at the same time. No luck.

The strange part is that traffic from Site B is coming in, but only if is originated there or if it is ICMP.

[Bob.Dig]

Your not showing the floating rues, why do you have those anyway? Also it is unclear where we are on those caps. Has your tunnel its own interface?

[Maurice]

If I observe the live firewall log I see the following:

192.168.1.111 goes through the firewall and hits 192.168.2.222
However, the answer comes from 10.0.0.5 and wants to call back to 192.168.1.111 but hits the default deny rule.

Firewall log of which site? Which interface is 10.0.0.5? Do you NAT traffic going through the tunnel on either site?
-v

[DrZoidberg]

The snapshot with two rules is floating rules. I actually tried it just because I have no idea how to proceed. Usually, the one rule from the wg device letting all traffic should be sufficient according to all tutorials. And yes, there is a dedicated wg device assigned.

The firewall log is from the OPNSense side which also runs the WG server. The client side is a router (Fritzbox) with a wg client.

On the router side (Site B) there is no specific options for nat, but I would as it is a router it would do it like it should.

On the OPNSense side I tried with and without outbound nat, but it doesnt really change anything. Still the incoming traffic on 10.0.0.0/24 is blocked.

[Maurice]

You shouldn't use NAT for this use case at all. If site B performs outbound NAT, firewall states at site A will break. (Site A sends a packet to destination address 192.168.2.222, but the reply has source address 10.0.0.5.)

So make sure NAT is disabled at site B.

[DrZoidberg]

You are right, I just checked it, the router at Site B has NAT always activated and it is not possible to change this.

Now my question: what are the options?

1.) If I use outbound NAT at the OPNSense they should communicate only in the 10.0.0.0/24 space? e.g. 10.0.0.1 as OPNSense to 10.0.0.5 as Fritzbox. What I see there is: 192.168.1.111 wants to reach 192.168.2.222, then NAT hits and translates it to 10.0.0.1 to 10.0.0.5, but 10.0.0.5 calls back still to 192.168.1.111 - But why? Is there a way to change it?

2.) Any other reasonable option?

[DrZoidberg]

With Outbound NAT it looks like this (192.168.178.x is what I called for simplicity 192.168.1.x):

Why is traffic 10.0.0.5 to 10.0.0.1 blocked? I really don't get it with the rules I have shown that all traffic on the wg interface is allowed in...

[Maurice]

Did you follow AVM's guide for WireGuard S2S?
https://avm.de/service/vpn/wireguard-vpn-zwischen-fritzbox-und-anderem-router-einrichten/

It seems unlikely that they perform NAT for S2S, if correctly set up.

[Bob.Dig]

(192.168.178.x is what I called for simplicity 192.168.1.x):

Bad idea to begin with...

[DrZoidberg]

Did you follow AVM's guide for WireGuard S2S?
https://avm.de/service/vpn/wireguard-vpn-zwischen-fritzbox-und-anderem-router-einrichten/

It seems unlikely that they perform NAT for S2S, if correctly set up.

Unfortunately, it seems to do it and AVM thinks that this is right:

https://www.fritzbox-info.com/forum/viewthread.php?thread_id=405

[DrZoidberg]

(192.168.178.x is what I called for simplicity 192.168.1.x):

Bad idea to begin with...

What exactly do you mean?

[Maurice]

AVM explicitly says not to use a dedicated transfer network for S2S, but you did (10.0.0.0/24). I'm not sure why they have this restriction, but would suggest doing it their way first and see if that works.

Outbound NAT for bi-directional S2S makes no sense at all.

[DrZoidberg]

Now I understand what they mean. Thanks a lot!

I dont have access to the Fritzbox right now, but will try asap.