WireGuard from OPNsense to FritzBox only works one way?

[SoWhy]

Okay, this is a bit much to write down, so I will try to make this brief but I cannot figure out the problem...

I have WireGuard running on my OPN install (24.1.1) with a couple of peers configured and it works as expected.

The WG instance has a tunnel address of 10.10.123.1/24. My regular network behind the tunnel is 10.10.10.0/24 and the OPN is 10.10.10.1/32. The peers have "Allowed IPs" like 10.10.123.101/32, 10.10.123.102/32 etc.

I set up a connection to my FritzBox in my other network (192.168.100.0/24) using a config file and set the "Remote Network" to be 10.10.0.0/16 in the FritzBox. The peer on my OPN has "Allowed IPs" 10.10.123.2/32, 10.10.0.0/16 and 192.168.0.0/16. The connection is established successfully according to both the FB and OPN.

Here is the problem:

When I am in the 10.10.10.0/24 network, I can reach any device in the 192.168.100.0/24 without problems, e.g.

Code Select Expand

tracert 192.168.100.236
Tracing route to XXX [192.168.100.236] over a maximum of 30 hops:
1    17 ms    14 ms    13 ms  10.10.123.1
2    52 ms    51 ms    47 ms  192.168.100.1
3    52 ms    55 ms    56 ms  XXX [192.168.100.236]

However, when I'm in the 192.168.100.0/24 network, I cannot reach any device after the OPN, e.g.

Code Select Expand

tracert 10.10.10.1
Tracing route to 10.10.10.1 over a maximum of 30 hops
1    30 ms    30 ms    30 ms  fritz.box [192.168.100.1]
2    68 ms    67 ms    68 ms  10.10.10.1

works as expected (10.10.10.1 being the OPN) but

Code Select Expand

tracert 10.10.10.5
Tracing route to 10.10.10.5 over a maximum of 30 hops
1    30 ms    30 ms    32 ms  fritz.box [192.168.100.1]
2    74 ms    75 ms    67 ms  10.10.123.1
3     *        *        *     Request timed out.

will lead to time outs.

I already tried deactivating the packet filter on the OPN to see if it's a firewall problem but the firewall already shows these connections as "pass", e.g.

WG   2024-02-18T19:39:32   192.168.100.125:65038   10.10.10.5:53   udp

I tried searching but I could not find anything (although I admit I have no idea what exactly to search for).

Can anyone help me figure this out?

TIA

SoWhy

PS: My previous setup was two FritzBoxes connected through WireGuard with the same subnets and that worked but I wanted to replace one of them with the OPN box

[Monviech (Cedrik)]

I remembered helping someone with Wireguard from Fritzbox to Opnsense before.

Here's the thread, maybe it helps you too:
https://forum.opnsense.org/index.php?topic=36273

[SoWhy]

So basically the problem is that FritzBox cannot use a transfer net and instead needs to use an IP in my local subnet, e.g. 10.10.10.123/32 instead of 10.10.100.2/32?  ???

[Monviech (Cedrik)]

If I remember right you can also leave the tunnel address empty.

So leave it empty in instances. And in the peer, add the whole network of the fritzbox as allowed IPs. That should do the trick.

Here is the thread that explains it (german): https://forum.opnsense.org/index.php?topic=36503.msg178249#msg178249

[Patrick M. Hausen]

Yes, WG interfaces/instance are point to point, so no transfer network is needed.