Navigate the wireguard subnet

Started by mauro, April 09, 2024, 01:38:54 PM

Dear all,
I got stuck somewhere with WireGuard and can't get my head around it.

I've installed WireGuard and set up an instance which I can reach and connect to. I can ping the WG server with no problem.

At the moment I can't connect to the other machines connected to the same WG instance. If I try to ping the IPs, all packets are lost. Every PC can instead ping the server, and the reverse.

I followed the official OPNsense tutorial but still have no clue about why this is happening.

Does anyone have some leads to follow?

thanks

For a hub and spoke topology and e.g. a /24 for the tunnel network:

* on the hub/central instance configure e.g. 192.168.100.1/24 as the tunnel address
* on the spokes/clients configure e.g. 192.168.100.2/32, 192.168.100.3/32, etc. as the respective tunnel addresses
* on the hub place e.g. 192.168.100.2/32 in AllowedIPs for the first client, 192.168.100.3/32 for the second, etc.
* on the clients place 192.168.100.0/24 in AllowedIPs

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

April 10, 2024, 12:07:30 AM #2 Last Edit: April 10, 2024, 12:11:05 AM by mauro
Thanks Patrick for your prompt reply.

I think I have the settings correct, as far as I can connect to the server and ping it with no problem. By all means, I list below briefly my configuration, but unfortunately I don't know where the proper config files are stored.

Server side
Instance setting

Name: wg1
public and private key self generated
Port: 51820
tunnel address: 192.168.2.1/24
Peers: list of peers I allow to connect to this instance


Peer setting (one for all)

name: wg1_peer1
public key: as generated by the client
AllowedIPs: 192.168.2.100/32 (the other peers have different IPs but the same subnet)
endpoint address: blank
Endpoint port: blank
Instance: wg1


Local config file (wg1_peer1):

[Interface]
PrivateKey = XXXXXXXX
Address = 192.168.2.100/32


[Peer]
PublicKey = YYYYYYYY
AllowedIPs = 192.168.2.0/24
Endpoint = example.domain:51820


My doubt now is that this issue is a forwarding problem. I also have an OpenVPN server set up and I can surf the OpenVPN net, but obviously on different IPs. Is there anything I might need to specify for the WireGuard instance?

Regarding firewall rules, there is only one under the wg1 instance, which allows everything from everywhere.

Cheers

Hi there,

still working on it, and further help is welcome

After checking around I thought that assigning IPs as X.X.X.X/32 to peers would cause the issue.

I changed all confs but it seems nothing has really changed, so I was possibly wrong.

Thanks for helping

You only have the tunnel net in the "Allowed IP" section of the config. If you add the remote net(s) you will be able to reach them via WG.
Kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
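An added example (my own code, not from Patrick's or chemlud's posts and not OPNsense's) that models WireGuard's cryptokey routing for the hub-and-spoke scheme Patrick lays out and the remote-net point chemlud makes: a peer's AllowedIPs is both the outbound routing table and the inbound source filter, so a spoke that lists only the hub's /32 cannot reach another spoke, and a LAN behind a spoke is reachable only once it appears in AllowedIPs on both sides. Node names and the 192.168.100.x addresses are constructed; it assumes the hub forwards between its peers (on OPNsense: IP forwarding plus the allow rule on the WG interface).

```python
import ipaddress

def select_peer(peers, dst_ip):
    """Cryptokey routing: the peer whose AllowedIPs contains dst_ip wins
    (longest prefix); None means WireGuard has nowhere to send the packet."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for peer, allowed in peers.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr)
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best

def accepts_from(peers, peer, src_ip):
    """Inbound side of the same table: a decrypted packet from `peer` is
    dropped unless its source address lies inside that peer's AllowedIPs."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(c) for c in peers[peer])

def trace(nodes, src_node, src_ip, dst_ip):
    """Walk one packet hop by hop, assuming every node forwards between its
    peers (on OPNsense: IP forwarding plus the allow rule on the WG interface)."""
    dst = ipaddress.ip_address(dst_ip)
    path, node = [src_node], src_node
    for _ in range(len(nodes)):              # hub-and-spoke has no loops
        if any(dst in ipaddress.ip_network(c) for c in nodes[node]["nets"]):
            return path                      # delivered at this node
        nxt = select_peer(nodes[node]["peers"], dst_ip)
        if nxt is None:                      # sender has no route for dst
            return "%s: no AllowedIPs entry covers %s" % (node, dst_ip)
        if not accepts_from(nodes[nxt]["peers"], node, src_ip):
            return "%s: source %s outside AllowedIPs for %s" % (nxt, src_ip, node)
        path.append(nxt)
        node = nxt
    return "hop limit exceeded"

# Constructed topology following the scheme above: hub 192.168.100.1/24,
# spokes .2/32 and .3/32, hub lists each spoke's /32, spokes list the /24.
TOPOLOGY = {
    "hub":    {"nets": ["192.168.100.1/32"],
               "peers": {"spoke1": ["192.168.100.2/32"],
                         "spoke2": ["192.168.100.3/32"]}},
    "spoke1": {"nets": ["192.168.100.2/32"], "peers": {"hub": ["192.168.100.0/24"]}},
    "spoke2": {"nets": ["192.168.100.3/32"], "peers": {"hub": ["192.168.100.0/24"]}},
}

if __name__ == "__main__":
    print(trace(TOPOLOGY, "spoke1", "192.168.100.2", "192.168.100.3"))
```

Swap the /24 on a spoke for the hub's /32, or leave a remote LAN out of one side's AllowedIPs, and trace() reports the exact node where the packet is dropped.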