Wireguard S2S issue

Started by ricksense, September 22, 2024, 08:01:21 AM

Hi
I created a lab with two OPNsense virtual machines in Pnetlab.
I set up Wireguard as a site-to-site VPN on both of them. The Wireguard itself seems to be working fine, as you can see from the images below:



On both OPNsense VMs, I set up VLANs with a few VPCs, and I tried to reach them through the Wireguard tunnel, but they can't even ping each other.
However, I can ping the VPCs from the diagnostic tools in the OPNsense VMs.
I think I have already tried just about everything (set firewall rules etc) to get everything working, but I still find myself banging my head against this problem for about a week.
Could you please help figure it out? Thanks

My LAB topology




There are only five steps to take and each can be verified separately:

1. You must have a working Wireguard connection (it looks like you do)
2. The allowed networks must contain the remote networks (could be that it is a problem, because if you sub-divide the 10/8 network into several /24 networks for each VLAN, then 10.0.0.0/24 is only one of them)
3. The routing on both sides must know where to direct the packets to
4. The firewall rules must allow the packets to pass
5. The VPCs must answer to routed ping requests (Windows firewall by default only allows requests on the same local subnet)
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

September 22, 2024, 03:00:39 PM #2 Last Edit: September 22, 2024, 03:05:31 PM by ricksense
Quote from: meyergru on September 22, 2024, 01:38:42 PM
There are only five steps to take and each can be verified separately:

1. You must have a working Wireguard connection (it looks like you do) // Yes, I have

2. The allowed networks must contain the remote networks (could be that it is a problem, because if you sub-divide the 10/8 network into several /24 networks for each VLAN, then 10.0.0.0/24 is only one of them) // the 10.0.0.0/24 is about the wireguard network [site A 10.0.0.1 and site B 10.0.0.2]


3. The routing on both sides must know where to direct the packets to // I suspect that this may be the problem. As far as I know, when you create a wireguard interface it should also manage the routing


4. The firewall rules must allow the packets to pass //No block entry in the firewall logs

5. The VPCs must answer to routed ping requests (Windows firewall by default only allows requests on the same local subnet) // I know, but the ping fails via VPCs [192.168.10.52 icmp_seq=1 timeout]



Thanks

10.0.0.0/24 looks suspicious to me. If this is your tunnel network, it should look like 10.0.0.*/32 in the widget.
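Two of the checks raised in this thread (meyergru's step 2, that the peer's allowed networks must contain every remote VLAN subnet, and Bob.Dig's remark that a tunnel network entry should be a /32 host address, not a /24) can be verified mechanically from the `wg show <iface> allowed-ips` output on each side. The following script is an added example, not code from any poster or from OPNsense; the peer key, the VLAN subnets and the two sample outputs are constructed placeholders, not values from the lab in this thread.

```python
import ipaddress

# Constructed sample in the format of `wg show <iface> allowed-ips` on site A:
# one line per peer, "<peer-public-key>\t<allowed-ip> <allowed-ip> ...".
# The key and prefixes are placeholders, not values from the thread's lab.
SITE_A_ALLOWED_IPS = (
    "PEER_B_PUBLIC_KEY_PLACEHOLDER=\t10.0.0.2/32 192.168.20.0/24\n"
)

# Same peer, but with the whole tunnel network instead of the peer's /32.
SITE_A_WIDE_TUNNEL = (
    "PEER_B_PUBLIC_KEY_PLACEHOLDER=\t10.0.0.0/24 192.168.20.0/24\n"
)


def parse_allowed_ips(wg_output):
    """Map each peer public key to the list of networks in its AllowedIPs."""
    peers = {}
    for line in wg_output.splitlines():
        if not line.strip():
            continue
        key, _, prefixes = line.partition("\t")
        nets = []
        for prefix in prefixes.split():
            if prefix == "(none)":      # wg prints this for a peer with no AllowedIPs
                continue
            nets.append(ipaddress.ip_network(prefix, strict=False))
        peers[key] = nets
    return peers


def uncovered_networks(allowed, remote_subnets):
    """Return the remote subnets that no AllowedIPs entry contains (step 2 failures).

    WireGuard drops packets whose source (inbound) or destination (outbound)
    is outside the peer's AllowedIPs, so an uncovered VLAN can never ping
    across the tunnel even if routing and firewall rules are right.
    """
    missing = []
    for subnet in (ipaddress.ip_network(s) for s in remote_subnets):
        same_family = [a for a in allowed if a.version == subnet.version]
        if not any(subnet.subnet_of(a) for a in same_family):
            missing.append(str(subnet))
    return missing


def tunnel_prefix_warnings(allowed, tunnel_net):
    """Flag AllowedIPs entries inside the tunnel network wider than one host.

    With several peers, a /24 tunnel entry on one peer claims every tunnel
    address for that peer; the expected form is the peer's own address as /32.
    """
    tunnel = ipaddress.ip_network(tunnel_net)
    return [
        str(a)
        for a in allowed
        if a.version == tunnel.version
        and a.subnet_of(tunnel)
        and a.prefixlen < a.max_prefixlen
    ]


def check_site(wg_output, remote_subnets, tunnel_net):
    """Run both checks for every peer and return the findings per peer key."""
    findings = {}
    for key, allowed in parse_allowed_ips(wg_output).items():
        findings[key] = {
            "uncovered_remote_subnets": uncovered_networks(allowed, remote_subnets),
            "wide_tunnel_entries": tunnel_prefix_warnings(allowed, tunnel_net),
        }
    return findings


if __name__ == "__main__":
    # Site A expects to reach two remote VLANs at site B (placeholder subnets).
    remote_vlans = ["192.168.20.0/24", "192.168.30.0/24"]
    for label, sample in (("ok /32 entry", SITE_A_ALLOWED_IPS),
                          ("wide /24 entry", SITE_A_WIDE_TUNNEL)):
        print(label, check_site(sample, remote_vlans, "10.0.0.0/24"))
```

On a live OPNsense box the input would come from `wg show <iface> allowed-ips` run on each side, with the other site's VLAN subnets passed as `remote_subnets`; the same check has to pass in both directions, since each peer only accepts traffic from the networks it lists for the other.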

Quote from: Bob.Dig on September 22, 2024, 06:14:18 PM
10.0.0.0/24 looks suspicious to me. If this is your tunnel network, it should look like 10.0.0.*/32 in the widget.

I tried it too. Nothing changed
Thanks anyway

September 23, 2024, 10:03:24 AM #5 Last Edit: September 23, 2024, 10:11:18 AM by ricksense
It's a firewall issue apparently

If I set a pass floating rule any to any for each VLAN interface on both firewalls, it works.
However, as soon as I make them more restrictive, even the ping stops working.

This one on VLAN on both sides


"More restrictive" - how so, exactly? There's something too restrictive in your rules, obviously. Post the rules, please.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 23, 2024, 10:16:31 AM
"More restrictive" - how so, exactly? There's something too restrictive in your rules, obviously. Post the rules, please.

How can I print all the rules from command line? Thanks

If I set the two floating rules on both sides this way, the VLANs can't reach one another anymore:



September 24, 2024, 10:48:22 AM #10 Last Edit: September 24, 2024, 11:09:09 AM by Patrick M. Hausen
Why are you using floating rules? The ones for 51820/UDP should definitely go on WAN.

Second, assuming you have an "allow all" rule on the respective VLAN interfaces you only need to allow the traffic in through the wireguard interface on the corresponding remote. Did you assign the WG interfaces so you can actually apply rules to them? I suspect the floating rules get evaluated before the WG interfaces are up so they are never applied.

Better assign the interfaces, then put a rule on each:

source: remote LAN + tunnel network, destination: my VLAN, action: allow.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Since they're VLAN interfaces, they probably wouldn't have the "Default allow LAN to any rule", so those would have to be created too. I haven't actually followed this guide myself, but it appears to cover creation of the proper rules.... https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

Quote from: Patrick M. Hausen on September 24, 2024, 10:48:22 AM
Why are you using floating rules? The ones for 51820/UDP should definitely go on WAN.

It's actually on the WAN.


Quote
Second, assuming you have an "allow all" rule on the respective VLAN interfaces you only need to allow the traffic in through the wireguard interface on the corresponding remote. Did you assign the WG interfaces so you can actually apply rules to them? I suspect the floating rules get evaluated before the WG interfaces are up so they are never applied.
Better assign the interfaces, then put a rule on each:
source: remote LAN + tunnel network, destination: my VLAN, action: allow.

The floating rules already "allow all" on the VLANs:


I also set an "allow any" on the wireguard interface:



For the record, I have set up Wireguard S2S tunnels more than once, even on different devices such as Mikrotik, Linux machines and other OPNsense VMs, and I have never run into this problem. Very strange. Thanks




Quote from: dseven on September 24, 2024, 10:58:30 AM
Since they're VLAN interfaces, they probably wouldn't have the "Default allow LAN to any rule", so those would have to be created too. I haven't actually followed this guide myself, but it appears to cover creation of the proper rules.... https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

I followed this very guide myself too. Thanks

Quote from: ricksense on September 24, 2024, 08:10:31 PM
I followed this very guide myself too. Thanks

Then why are you creating floating rules? Nothing in that guide tells you to do that......