[Solved] Router not listening on second WireGuard-interface

Started by Riktastic, October 26, 2023, 10:44:55 AM

Hi there everyone,

I've followed the "WireGuard Road Warrior Setup" (https://docs.opnsense.org/manual/how-tos/wireguard-client.html) twice. Once for a peer (WG1) from which clients are only able to connect to a "virtual network" and once for a peer (WG2) from which clients are able to access the LAN-network.

Clients connected to the "virtual network" are able to ping the router just fine and make use of its DNS server, even routing works if I allow clients to access other networks.
Clients connected to WG2 are able to ping each other but can't ping the router, nor can they use its routing and DNS server (which I have allowed on that particular interface).

I'm pretty sure that the firewall rules and NAT rules are almost exactly the same. Both include access to the network and the address on which the router should listen. The only difference is of course the allowance of accessing its own network, and WG2 can also access the LAN-network.

- Is my setup even possible?
- What could be a configuration option that blocks clients from WG2 to access the router?

PS: Clients are successfully connected. The clients from WG1 are the same as the ones from WG2.


Kind regards,

Riktastic

October 26, 2023, 11:45:53 AM #1 Last Edit: October 26, 2023, 11:50:42 AM by Monviech
Did you put the LAN network into the allowed IPs in each client, in addition to the wireguard network?

So for example if your wireguard network is 10.4.4.0/24, and your LAN is 192.168.1.0/24, the allowed IPs on the clients should be 10.4.4.0/24 192.168.1.0/24

Also make sure to use a unique port per instance. If instance wg1 is 51820, instance wg2 should be 51821 etc...

- Yes your setup is possible, you can have multiple wg instances with different settings attached to them. I'm not sure about sharing peer configurations between them though, I have always created unique peers because things like "allowed IPs" change when you have multiple instances, and the routing in the firewall depends on this uniqueness.
Hardware:
DEC740
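As an added illustration (not code from the thread or from OPNsense), a small Python check for the two things Monviech's reply points at: whether each client's AllowedIPs covers both the tunnel network and the LAN, and whether the two instances are dialled on distinct ports. The config text, key placeholders and the endpoint host are constructed assumptions; the networks are the ones from the reply.

```python
import ipaddress
import re

# Constructed client configs, not from the thread; networks follow Monviech's example, keys are placeholders.
CLIENT_WG1 = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.4.4.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.4.4.0/24
"""
# WG2 client: different instance port and the LAN added to AllowedIPs.
CLIENT_WG2 = CLIENT_WG1.replace(":51820", ":51821").replace(
    "AllowedIPs = 10.4.4.0/24", "AllowedIPs = 10.4.4.0/24, 192.168.1.0/24")

def parse_sections(text):
    """INI-style WireGuard text -> [(section, {key: value}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def peer_values(cfg, key):
    """Values of `key` from every [Peer] section of one config."""
    return [kv[key] for name, kv in parse_sections(cfg) if name == "Peer" and key in kv]

def missing_routes(cfg, required):
    """Prefixes in `required` that no AllowedIPs entry covers, so they never enter the tunnel."""
    allowed = [ipaddress.ip_network(p.strip(), strict=False)
               for v in peer_values(cfg, "AllowedIPs") for p in v.split(",")]
    missing = []
    for r in required:
        net = ipaddress.ip_network(r)
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            missing.append(r)
    return missing

def endpoint_ports(cfgs):
    """Port each client dials; every server instance needs its own ListenPort."""
    return [int(v.rsplit(":", 1)[1]) for cfg in cfgs for v in peer_values(cfg, "Endpoint")]
```

A client whose AllowedIPs is 0.0.0.0/0 (full tunnel) also passes the route check, since the LAN prefix is a subnet of it.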

Quote from: Monviech on October 26, 2023, 11:45:53 AM
Did you put the LAN network into the allowed IPs in each client, in addition to the wireguard network?

So for example if your wireguard network is 10.4.4.0/24, and your LAN is 192.168.1.0/24, the allowed IPs on the clients should be 10.4.4.0/24 192.168.1.0/24

Also make sure to use a unique port per instance. If instance wg1 is 51820, instance wg2 should be 51821 etc...

- Yes your setup is possible, you can have multiple wg instances with different settings attached to them. I'm not sure about sharing peer configurations between them though, I have always created unique peers because things like "allowed IPs" change when you have multiple instances, and the routing in the firewall depends on this uniqueness.


Wow, it was that simple. I've copied all client configurations, coupled the copies to my second peer (WG2), adjusted the "allowed IP addresses" (can't remember the exact name of the field), and just to be sure reset the PSK and changed the keys. Now it works :).

Thanks a lot!