Site-to-site VPN with Tailscale - Cannot reach subnet devices from LAN

Started by d82k, April 12, 2025, 07:40:02 PM

EDIT: changed the title to reflect the new solution, from WireGuard to Tailscale; see the issue from post #7

Hello,

I'm following this https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html document to configure a site-to-site VPN with WireGuard.

My current situation is the following:

[Net A]-[OPNSense A]-[Router A]-(internet)-[Router B]-[OPNSense B]-[Net B]

Router A and B are directly exposed to the internet and have dynDNS configured. I replaced "Endpoint Address" with the two DNS names.

In VPN: WireGuard: Status I see the interface and the peer both green; only the peer shows a handshake and a few KB sent and received. This should mean that WireGuard is enabled and the connection is established.
Unfortunately, when I try from OPNsense A Interfaces: Diagnostics: Ping to ping the address of OPNsense B or any address on Net B, this fails.

Both routers have port 51820 open and forward traffic to the same port on OPNsense.

Any idea please?
Is there no need to define a specific rule/gateway so that all traffic for Net B goes via WireGuard?

In addition, step 3a uses Allowed IPs: 10.2.2.2/32, but step 2b uses 10.2.2.2/24 in Tunnel Address. Can anyone explain why that is?

Kind regards,
dk


Quote from: d82k on April 12, 2025, 07:40:02 PM
> Any idea please?
Can you put the ISP routers in modem mode? At the moment you have net|vpn|nat|nat|vpn|net.

If your ISPs do CGNAT, you could even have net|vpn|nat|nat|nat|nat|vpn|net. You can check for CGNAT by browsing to https://ifconfig.co/ and comparing the address shown with the WAN IP of your router.

Much simpler than configuring a VPN through multiple routers is an overlay network such as Tailscale or Zerotier. Both are available as OPNsense plugins.

Bart...

On the firewall rules there should be a WireGuard entry; have you set any traffic rule there?
/32 refers to allowing traffic only from this IP of the WireGuard range.

Hope this helps
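The /32 versus /24 question above comes down to what each setting controls in WireGuard. As an added example (not from the thread or from the OPNsense how-to), the toy model below implements WireGuard's cryptokey routing: a peer's Allowed IPs is used both to pick the peer for an outbound destination (longest prefix wins) and to filter the source of inbound packets decrypted from that peer, while the tunnel address with its mask only gives the interface its own address and an on-link route. The peer names and LAN prefixes (192.168.3.0/24 and the like) are constructed for the demonstration.

```python
"""Added example, not from the thread or the OPNsense how-to: a toy model of
WireGuard's cryptokey routing. It shows what a peer's Allowed IPs (the
10.2.2.2/32 of step 3a) controls and what the tunnel address with its mask
(the /24 of step 2b) controls. Peer names and LAN prefixes are constructed."""
import ipaddress


def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def select_peer(peers, dst):
    """Outbound direction: the packet is encrypted to the peer whose Allowed IPs
    contains dst, longest prefix winning (like a routing table). None means no
    peer claims the address and the packet never enters the tunnel.
    `peers` maps peer name -> list of Allowed IPs prefixes."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, prefixes in peers.items():
        for net in _nets(prefixes):
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers, peer, src):
    """Inbound direction: a packet decrypted from `peer` is dropped unless its
    inner source address lies inside that peer's Allowed IPs."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in _nets(peers[peer]))


def tunnel_onlink_route(tunnel_address):
    """The tunnel address with its mask (e.g. 10.2.2.1/24) only assigns the wg
    interface its address and an on-link route for that prefix; it is not a
    per-peer filter. Returns the on-link prefix as a string."""
    return str(ipaddress.ip_interface(tunnel_address).network)


# Site A's view of its peers (constructed). Minimal: only site B's tunnel IP.
SITE_A_PEERS_MINIMAL = {"site_b": ["10.2.2.2/32"]}
# Same, but site B's LAN is listed too, so LAN-to-LAN traffic is sent to site B.
SITE_A_PEERS_WITH_LAN = {"site_b": ["10.2.2.2/32", "192.168.3.0/24"]}
# Two peers with nested prefixes, to show longest-prefix selection.
SITE_A_PEERS_MULTI = {
    "site_b": ["10.2.2.2/32", "192.168.3.0/24"],
    "site_c": ["10.2.2.3/32", "192.168.3.128/25"],
}

if __name__ == "__main__":
    print(select_peer(SITE_A_PEERS_MINIMAL, "192.168.3.10"))   # None
    print(select_peer(SITE_A_PEERS_WITH_LAN, "192.168.3.10"))  # site_b
    print(select_peer(SITE_A_PEERS_MULTI, "192.168.3.200"))    # site_c
    print(accept_inbound(SITE_A_PEERS_MINIMAL, "site_b", "192.168.3.10"))  # False
    print(tunnel_onlink_route("10.2.2.1/24"))                  # 10.2.2.0/24
```

With only the /32 configured, a packet for a host on the remote LAN has no peer and is not tunneled, and a reply sourced from that LAN would be dropped on arrival; listing the remote prefix in the peer's Allowed IPs fixes both directions. The model covers only the WireGuard-side decision; the system routing table and firewall still decide whether the packet reaches the interface at all.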



Appreciate the feedback. Unfortunately I was not able to make it work.
I did install Tailscale; this works partially: from the OPNsense I can access any remote IP, but unfortunately from any other machine on the OPNsense's network I cannot reach the remote network.

I created an interface for Tailscale, added an any-any rule on the firewall, and even tried configuring a gateway and adding a route for the remote network, but nothing. It's still not working...

Make sure OPNsense is set up as a subnet router:

- advertised routes tab shows your LAN in VPN: Tailscale: Settings on OPNsense
- on the Tailscale admin page, you see a blue 'Subnets' label and in 'Edit route settings...' on the ... menu for your OPNsense node you have approved the subnet

https://youtu.be/XXx7NDgDaRU

Bart...

Thanks for the note Bart; yes, I activated the subnet router and authorized the routes on the Tailscale portal.
I also created an interface, enabled it, and in "Interfaces: Overview" I see it as active; in "Routes" I see the two remote /24 networks and the Tailscale IPs as well for the Tailscale interface.
If I SSH into the OPNsense I can ping the remote addresses and access the remote web portals, but not from a client in the LAN network where the OPNsense is my gateway.
Getting a bit crazy...

I think it's time to start tracing. Install Wireshark on a client and capture its and the firewall packets.

I have simplified the environment, hopefully to make it work. Here is the design:

[Lan A .2.0/24 ]---[192.168.2.1 OPNSense_A 192.168.1.2]---|
                                                          | 192.168.1.1 ISP router (public_ip) ---
[Lan B .3.0/24 ]---[192.168.3.1 OPNSense_B 192.168.1.3]---|

I have done the following:
- Installed the Tailscale plugin, defined the subnets and approved them on the admin console
- Created a new interface OPT1 for Tailscale and enabled it
- Installed the UPnP plugin and enabled it with "Allow PCP/NAT-PMP Port Mapping" checked
- Routes show the correct path, as in the table below
- Both WAN interfaces have the "Block private networks" disabled
- Both OPNSense are able to connect to the internet and resolve DNS
- Firewall rules are the standard ones automatically created.

Routes
OPNSense_A
ipv4    192.168.3.0/24    link#9    US    NaN    1280    tailscale0    OPT1       
ipv4    192.168.2.0/24    link#1    U     NaN    1500    igc0        LAN

OPNSense_B
ipv4    192.168.2.0/24    link#8    US    NaN    1280    tailscale0    OPT1       
ipv4    192.168.3.0/24    link#1    U     NaN    1500    igc0        LAN

What works:
- from OPNSense_A/B I can ping and reach any device on subnet B/A
- from a device outside of Lan A/B, via the Tailscale client, I can access any device on Lan A/B

What does not work:
- from Lan A/B devices I cannot reach any device on Lan B/A, nor OPNSense_B/A.

I tried adding an any-any firewall rule on OPT1 and setting NAT outbound to hybrid with the following rule:
Interface    Source    Source Port    Destination    Destination Port    NAT Address    NAT Port    Static Port
OPT1         LAN net   *              *              *                   OPT1 address   *           NO


Any suggestion or further tests I can perform to troubleshoot this please?
Kind regards.
dk


I have partially solved this with the following:

- Configured Tailscale as above, including advertised subnets
- Added the Tailscale interface and enabled it (OPT1)
- Added two firewall rules on the OPT1 interface accepting in/out any any traffic
- Set Firewall: NAT: Outbound as Hybrid and added the following rules

OPNSense_A
Interface    Source    Source Port    Destination      Destination Port    NAT Address          NAT Port    Static Port
OPT1         LAN net   *              192.168.3.0/24   *                   Interface address    *           YES

OPNSense_B
Interface    Source    Source Port    Destination      Destination Port    NAT Address          NAT Port    Static Port
OPT1         LAN net   *              192.168.2.0/24   *                   Interface address    *           YES


I did not activate "Allow PCP/NAT-PMP Port Mapping" nor the "Disable SNAT" option.

So far, from the few tests performed, it looks like it's working properly.
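To make the effect of the final configuration concrete, here is an added example (not from the thread and not OPNsense code) that models what OPNSense_A does to a packet from a LAN A client: a longest-prefix lookup over the route table lines quoted in the earlier post, followed by first-match outbound NAT on the egress interface. It compares the working rule above (destination limited to 192.168.3.0/24, static port YES) with the first attempt (destination any, static port NO). The Tailscale address 100.64.0.1 assigned to OPT1, the client hosts and the source port are constructed values; the real node gets a different address in Tailscale's 100.64.0.0/10 range.

```python
"""Added example, not from the thread or from OPNsense: a small model of route
lookup plus hybrid outbound NAT on OPNSense_A for the final configuration.
Route lines are copied from the post; addresses marked constructed are not."""
import ipaddress
from dataclasses import dataclass

# Route table of OPNSense_A as shown in the post (copied text, not live output).
OPNSENSE_A_ROUTES = """\
ipv4    192.168.3.0/24    link#9    US    NaN    1280    tailscale0    OPT1
ipv4    192.168.2.0/24    link#1    U     NaN    1500    igc0          LAN
"""

# Interface addresses on OPNSense_A. LAN comes from the diagram; the OPT1
# (tailscale0) address 100.64.0.1 is constructed.
IFACE_ADDR = {"LAN": "192.168.2.1", "OPT1": "100.64.0.1"}
IFACE_NET = {"LAN": "192.168.2.0/24"}   # what the "LAN net" alias expands to


def parse_routes(text):
    """Return [(network, netif, label)] from the pasted route table."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] != "ipv4":
            continue
        routes.append((ipaddress.ip_network(cols[1]), cols[6], cols[7]))
    return routes


def lookup_route(routes, dst):
    """Longest-prefix match; returns the interface label (LAN/OPT1) or None.
    The pasted table has no default route, so other destinations return None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, _netif, label in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


@dataclass
class OutboundNatRule:
    interface: str
    source: str          # "LAN net" alias or a CIDR
    destination: str     # "*" or a CIDR
    nat_address: str     # "Interface address" / "OPT1 address"
    static_port: bool    # YES keeps the source port, NO lets pf reassign it


def _matches(spec, addr):
    if spec == "*":
        return True
    if spec.endswith(" net"):
        spec = IFACE_NET[spec[:-4]]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def outbound_nat(rules, out_iface, src, dst, sport):
    """First matching rule on the egress interface rewrites the source.
    Returns (source_address, source_port); a port of None means pf picks one."""
    for r in rules:
        if (r.interface == out_iface and _matches(r.source, src)
                and _matches(r.destination, dst)):
            if r.nat_address in ("Interface address", f"{out_iface} address"):
                new_src = IFACE_ADDR[out_iface]
            else:
                new_src = r.nat_address
            return new_src, (sport if r.static_port else None)
    return src, sport


def forward(routes, rules, src, dst, sport=40000):
    """Route, then NAT, a packet leaving OPNSense_A.
    Returns (egress_label, source_address, source_port)."""
    egress = lookup_route(routes, dst)
    if egress is None:
        return None, src, sport
    new_src, new_sport = outbound_nat(rules, egress, src, dst, sport)
    return egress, new_src, new_sport


# The rule from the final post and the one from the first attempt.
WORKING_RULES = [OutboundNatRule("OPT1", "LAN net", "192.168.3.0/24",
                                 "Interface address", True)]
FIRST_ATTEMPT_RULES = [OutboundNatRule("OPT1", "LAN net", "*",
                                       "OPT1 address", False)]

if __name__ == "__main__":
    routes = parse_routes(OPNSENSE_A_ROUTES)
    # constructed client 192.168.2.50 talking to constructed host 192.168.3.10
    print(forward(routes, WORKING_RULES, "192.168.2.50", "192.168.3.10"))
    print(forward(routes, FIRST_ATTEMPT_RULES, "192.168.2.50", "192.168.3.10"))
    print(forward(routes, WORKING_RULES, "192.168.2.50", "192.168.2.77"))
```

Both rules send a LAN A client's packet out of OPT1 with OPNSense_A's own Tailscale address as source, so the remote side sees traffic from the subnet router rather than from the client; the working rule differs in touching only traffic for the remote /24 and in preserving the source port. Traffic between two LAN A hosts never hits OPT1, so neither rule applies to it.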