Wireguard site to site one way only

Started by jaj1105, February 04, 2025, 07:02:44 PM

February 04, 2025, 07:02:44 PM Last Edit: February 05, 2025, 09:44:11 AM by jaj1105
Hi all,

I have set up a site-to-site WireGuard tunnel following this tutorial:

https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

Site A: public fixed IP
Site B: shared IP from the ISP

OPNsense B connects to OPNsense A fine.

LAN B can access LAN A fine. LAN A cannot access LAN B; OPNsense A does not send the packets for LAN B through WireGuard.

I don't understand why. Do you know why?

Best regards,

Joseph

Quote from: jaj1105 on February 04, 2025, 07:02:44 PM
OPNsense B connects to OPNsense B well.

Small but important mistake during translation (from the French forum): OPNsense B connects to OPNsense *A* fine.
The fact that Site A doesn't route through Wireguard was established with tracert.

I asked whether default routing was left alone (in instance advanced mode).
I imagine one can check in System > Routes > Status when the connection is established but I've never set this up so...

Thanks a lot Eric, I checked the route status and I don't see the route.

I just added the route in the configuration manually and it's working now!!!

What route did you add? I have the same problem. OPNsense A can connect to OPNsense B via WG, and can see devices behind OPNsense B. OPNsense B cannot see OPNsense A via WG. I tried pinging OPNsense A from the Ping tool on OPNsense B and got nothing.

Do you have both LAN networks and the tunnel network addresses in the respective AllowedIPs settings?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
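Patrick's question above is the standard first check for a one-way site-to-site tunnel: WireGuard only routes and accepts a destination through a peer if it is inside that peer's AllowedIPs (cryptokey routing), so a LAN missing on one side gives exactly the symptom the OP described. The following is an added Python example, not code from the thread or from OPNsense, that checks both sites' peer entries for the other side's tunnel address and LAN; the addresses are constructed for illustration.

```python
import ipaddress

# Constructed site layout (illustrative values, not from the thread).
SITES = {
    "A": {"lan": "192.168.1.0/24", "tunnel_ip": "10.10.10.1/32"},
    "B": {"lan": "192.168.2.0/24", "tunnel_ip": "10.10.10.2/32"},
}

# AllowedIPs each site has configured for its peer (the other site).
# Site A's entry for peer B is missing LAN B: the one-way symptom in the thread,
# since WireGuard on A will then never route packets for LAN B into the tunnel.
PEER_ALLOWED_IPS = {
    "A": ["10.10.10.2/32"],
    "B": ["10.10.10.1/32", "192.168.1.0/24"],
}


def covered(prefix, allowed):
    """True if prefix lies inside any of the AllowedIPs entries (a /24 tunnel
    net entry also covers a /32 tunnel address, so either style passes)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(a, strict=False))
               for a in allowed if ipaddress.ip_network(a, strict=False).version == net.version)


def check_peer(remote, allowed):
    """Return the prefixes of the remote site that are missing from a local
    peer entry. Both the remote tunnel address and the remote LAN must be present."""
    missing = []
    for label, prefix in (("remote tunnel IP", SITES[remote]["tunnel_ip"]),
                          ("remote LAN", SITES[remote]["lan"])):
        if not covered(prefix, allowed):
            missing.append(f"{label} {prefix}")
    return missing


def check_site_to_site(peers=PEER_ALLOWED_IPS):
    """Check both directions; an empty list means that side's entry is complete."""
    return {local: check_peer(remote, peers[local])
            for local, remote in (("A", "B"), ("B", "A"))}


if __name__ == "__main__":
    for site, missing in check_site_to_site().items():
        print(f"Site {site} peer entry:", "OK" if not missing else ", ".join(missing))
```

With the constructed entries the report flags only site A, which matches the thread: B reaches A, but A has no AllowedIPs entry (and therefore no route) for LAN B until it is added.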

Yes Patrick, it's working now with the help of EricPerl.
Thanks 🙏

Quote from: Patrick M. Hausen on February 05, 2025, 07:07:52 PM
Do you have both LAN networks and the tunnel network addresses in the respective AllowedIPs settings?

I believe I do. Here are screenshots of the peers from each firewall. The initial tunnel is up but now I cannot get to devices from either side. I have just rebooted both firewalls, just to ensure everything was clean. What could I be missing?

If AllowedIPs looks good, then probably firewall rules. Without any rules applied to either the assigned WG interface (in case you did that) or the "WireGuard" group, the default applies which is "deny all".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on February 06, 2025, 05:16:47 PM
If AllowedIPs looks good, then probably firewall rules. Without any rules applied to either the assigned WG interface (in case you did that) or the "WireGuard" group, the default applies which is "deny all".

I thought that could be it but checked. I have firewall rules in place for WAN (FIOS) and the interface (WG). Do I need rules on the LAN interfaces? I have the default allow rule for each LAN interface.

In the rule on WG the source is not "WG net" but the LAN of the opposite site. "WG net" is the tunnel net only. All "X net" aliases are just the network directly connected to that particular interface not "anything reachable via that IF".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

That was the 2nd rule for each site in step 6 of the guide...