routing wireguard traffic site-to-site behind OPNsense

Started by tl5k5, July 23, 2024, 11:39:51 PM

Hello everybody!
I'm trying to configure a wireguard site-to-site setup with wg running on VMs behind OPNsense.
I'm running into issues with how to route properly in OPNsense. (Routing is a weak point in my knowledge.)
I'm using the following guide:  https://www.procustodibus.com/blog/2020/12/wireguard-site-to-site-config/#configure-routing
Can someone explain to me how to route this correctly...like I'm a 6yo?

Thank you!

What do you mean by "route this correctly"? OPNsense is a router. If you set up the WG tunnel it will just do that. There's nothing more than getting the tunnel up in most (LAN to LAN) scenarios.

So what exactly is your problem?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

"...with wg running on VMs behind OPNsense."

I need help setting the routes correctly in OPNsense when the wg peers are NAT'd behind OPNsense.
Did you look at the guide I provided the link to?
This is a "routing for a 'service' on OPNsense" question...not a "how does wg work on OPNsense" question.

Quote from: tl5k5 on July 23, 2024, 11:39:51 PM
with wg running on VMs behind OPNsense.
So why don't you do the sane thing and use WG on OPNsense?

Because I'm not in control of all the firewalls being used for this need.
This is a "routing in OPNsense" for wg question, not a call for help on how to set up wg on OPNsense.

Sorry if I put this question in the wrong subgroup.

Setting routes in OPNsense is like everywhere else. In System: Routes: Configuration, set a remote network and a gateway, and you're done.

I'm fuzzy on the gateway when the route goes via the local IP of a local server hosting wg.

See the guide info below:
Quote from the guide:
For the second thing, updating each site's routing tables, unfortunately you can't do via WireGuard config. You could configure each endpoint in both sites individually to route the traffic it generates destined for the other site through the WireGuard host in its own site — but the easiest thing to do is simply update the configuration of an existing gateway in each site to do that routing.

So for Site A, you want to update the gateway for the subnet that subsumes Site B's subnet (192.168.200.0/24), which usually would be the default gateway for Site A (like if Site A is a small office, it's probably the Internet router for the office). You want to add a route to this gateway to make it route Site B's subnet (192.168.200.0/24) via Host α (192.168.1.1) on the Site A (LAN) side of the gateway.

If this gateway is a Linux box, run the ip route command on the gateway to check what (IPv4) routes it currently is using (for IPv6, run ip -6 route). On Site A, the result might look something like this:

$ ip route
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.100
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.128
default via 192.0.2.1 dev eth0
The example above shows the gateway having an IP address of 192.0.2.100 on its eth0 network device, and 192.168.1.128 on its eth1 device. The eth1 device is connected to the Site A subnet, 192.168.1.0/24.

So run the following command on the gateway to (temporarily) add a route to Site B through Host α on the eth1 device:

ip route add 192.168.200.0/24 via 192.168.1.1 dev eth1
Replace the subnet for Site B (192.168.200.0/24) with the actual Site B subnet you're using, the IP address for Host α (192.168.1.1) with the actual Host α IP address you're using, and the network device name (eth1) with the actual name of the device through which the gateway is connected to Site A.

Note that adding a route this way just adds it temporarily, until the gateway is restarted or reconfigured — if you test out the WireGuard tunnel and everything works out, you'll want to make the route change permanent via whatever mechanism you regularly use to configure the gateway (like via networkd or netplan config files, or your own hand-built shell scripts, or some tool with a graphical user interface).

Similarly, check the routes used on Site B's default gateway with ip route, and then run a command on it like the following on it to add a route to Site A through Host β:

ip route add 192.168.1.0/24 via 192.168.200.2 dev eth1
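The sticking point in the thread is which next hop and which interface the static route needs: the gateway of the route is the LAN IP of the host running WireGuard, and it must sit on a subnet the router is directly connected to. The following Python is an added example (not from the guide, the forum, or OPNsense) that parses `ip route` output like the Site A sample above, checks that the WireGuard host is on-link, and builds the route command for each site; the Site B routing table is constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the `ip route` output the guide shows for Site A's gateway.
SITE_A_ROUTES = """\
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.100
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.128
default via 192.0.2.1 dev eth0
"""
# Constructed sample for Site B's gateway (not in the guide): LAN 192.168.200.0/24 on eth1.
SITE_B_ROUTES = """\
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.100
192.168.200.0/24 dev eth1 proto kernel scope link src 192.168.200.1
default via 198.51.100.1 dev eth0
"""

# Matches the kernel's connected-subnet routes: "<subnet> dev <iface> proto kernel scope link ..."
_ONLINK = re.compile(r"^(\S+) dev (\S+) proto kernel scope link")

def connected_subnets(ip_route_output):
    """Yield (subnet, device) for every directly connected subnet in `ip route` output."""
    for line in ip_route_output.splitlines():
        m = _ONLINK.match(line)
        if m:
            yield ip_network(m.group(1)), m.group(2)

def onlink_device(ip_route_output, next_hop):
    """Return (device, subnet) on which the gateway reaches `next_hop` directly, or None.
    A static route's gateway must be on-link; otherwise the router cannot install it."""
    hop = ip_address(next_hop)
    for subnet, dev in connected_subnets(ip_route_output):
        if hop in subnet:
            return dev, str(subnet)
    return None

def plan_route(ip_route_output, remote_lan, wg_host):
    """Build the `ip route add` command for one site's gateway: send the remote site's
    LAN to the local WireGuard host. Raises ValueError on the two usual mistakes."""
    dst = ip_network(remote_lan)
    found = onlink_device(ip_route_output, wg_host)
    if found is None:
        raise ValueError(f"next hop {wg_host} is not on any directly connected subnet")
    dev, _ = found
    for subnet, _ in connected_subnets(ip_route_output):
        if dst.overlaps(subnet):
            raise ValueError(f"remote LAN {dst} overlaps connected subnet {subnet}")
    return f"ip route add {dst} via {wg_host} dev {dev}"

if __name__ == "__main__":
    print("Site A:", plan_route(SITE_A_ROUTES, "192.168.200.0/24", "192.168.1.1"))
    print("Site B:", plan_route(SITE_B_ROUTES, "192.168.1.0/24", "192.168.200.2"))
```

On OPNsense the same two facts map onto System: Gateways (a gateway object on the LAN interface with the WireGuard host's IP) and System: Routes: Configuration (the remote LAN as the network, that gateway as the next hop).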