VPN Site to Site Debug

Started by uspunop, September 19, 2025, 12:12:39 PM

I have to connect two separate buildings across a VPN site to site with 2 OPNsense 25.7 installed.
Every building has a DSL connection with a public IP address, and the OPNsense firewalls are behind the ISP router with an assigned private IP address and NAT 1:1 (DMZ, exposed host) activated on the router to the WAN IP address of the firewall.
I've tried IPsec, WireGuard and OpenVPN with no success.
At the moment I'm trying again with WireGuard with the official guide https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html and this video guide https://www.youtube.com/watch?v=884RX3dKeek but the peer is always offline.
Can someone help me diagnose it?
The debug log is very poor and I don't see any error in it.

Thank You


After days of testing I've found the only solution for a site-to-site VPN is pfSense.
With the latest OPNsense, with every combination I've tried, there's nothing to do.

You did not provide any details so it was a bit difficult to help. Probably I skipped your initial post for that reason, instead of asking, sorry. I run site to site with OPNsense all the time - IPsec and WireGuard without problems.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Some details:
I've created a test environment with 2 mini PCs with 4 NICs, using exactly the settings in this example:
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
The tunnel has never been online.

How exactly are the WAN sides of these two devices connected?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

There is a switch to which they are connected.

So they share the same network as their WAN? OK, do they both have a default gateway in that network so they have an Internet uplink in addition to their local connection?

If yes, you need to check these boxes:

Firewall > Settings > Advanced > Disable reply-to
Firewall > Settings > Advanced > Disable force gateway

The default setup (and the documentation) assumes that the Internet uplink is the uplink only and that the two firewalls in the WG example are in different locations. All communication is forced out the default gateway. If you need communication in a local network on WAN you need to disable that.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
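Two checks that follow from Patrick's reply, as an added example rather than anything posted in this thread: which WireGuard peers are really "offline" (no handshake, or a stale one) according to `wg show <if> dump`, and whether the peer endpoint sits in the same subnet as the local WAN address, the shared-WAN case where force gateway and reply-to have to be disabled. The dump sample, the key placeholders and the helper function names are constructed for this example; only the dump column layout is WireGuard's own.

```shell
#!/bin/sh
# Constructed sample of `wg show wg0 dump` output (tab-separated). Line 1 is the
# interface: private-key, public-key, listen-port, fwmark. Each further line is a
# peer: public-key, preshared-key, endpoint, allowed-ips, latest-handshake
# (epoch seconds, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.
# Keys are placeholders, not real WireGuard keys.
wg_dump_sample() {
  printf '%s\t%s\t%s\t%s\n' '(hidden)' 'SITE_A_PUBKEY_PLACEHOLDER' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'SITE_B_PUBKEY_PLACEHOLDER' '(none)' \
    '203.0.113.2:51820' '10.0.2.0/24' 0 0 148 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'PEER_C_PUBKEY_PLACEHOLDER' '(none)' \
    '198.51.100.7:51820' '10.0.3.0/24' 1758280000 5120 4096 25
}

# Read a dump on stdin and print "<pubkey> <endpoint> <reason>" for every peer
# that has never completed a handshake or whose last handshake is older than
# $2 seconds, judged at epoch time $1. A peer the GUI shows as offline is one of
# these; a non-zero tx with zero rx means our packets leave but nothing returns.
wg_offline_peers() {
  awk -v now="$1" -v max="$2" 'BEGIN { FS = "\t" }
    NR > 1 {
      if ($5 == 0) { print $1, $3, "never-handshaked"; next }
      age = now - $5
      if (age > max) print $1, $3, "stale:" age "s"
    }'
}

# Exit 0 when the peer endpoint ($2, host:port) lies inside the local WAN
# subnet ($1, addr/prefix). That is the shared-WAN case from this thread, where
# the default force-gateway/reply-to behaviour sends tunnel traffic out the
# default gateway instead of across the switch, so the handshake never completes.
endpoint_on_wan_subnet() {
  awk -v wan="$1" -v ep="$2" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    BEGIN {
      split(wan, w, "/"); prefix = w[2] + 0
      sub(/:.*/, "", ep)                  # drop the :port part of the endpoint
      block = 2 ^ (32 - prefix)           # addresses per subnet; POSIX awk has no bitwise ops
      exit !(int(ip2n(w[1]) / block) == int(ip2n(ep) / block))
    }'
}

# Usage on the constructed sample, judged 100 s after peer C's last handshake:
wg_dump_sample | wg_offline_peers 1758280100 180
if endpoint_on_wan_subnet 203.0.113.1/24 203.0.113.2:51820; then
  echo "peer endpoint shares the WAN subnet: check Disable reply-to / Disable force gateway"
fi
```

On a real box replace `wg_dump_sample` with `wg show wg0 dump` and pass `$(date +%s)` as the first argument.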

Excuse me for the long delay.
Yes, the two WANs are on the same network: Site A 203.0.113.1/24 - Site B 203.0.113.2/24
Later I will try the suggested advanced firewall settings.
Thank You