wireguard site 2 site not working

Started by austrian-firewaller, December 01, 2025, 02:46:42 PM

I have two OPNsense firewalls, both on version 25.7.7.
I set up WireGuard according to the official documentation, without creating an interface for WireGuard.
WireGuard itself works fine; the tunnel is established.

Topology is like that:
Site A: 192.168.1.0/24 - Tunnel IP 172.16.0.1
Site B: 192.168.10.0/24 - Tunnel IP 172.16.0.10

I have an allow-all rule in the LAN and wg group firewall rule sets.
I can ping from site B to the tunnel IP from the firewall on site A, and the other way around.

But I cannot, for Christ's sake, ping any IP address from one network to the other. I see in the logs that the packet is allowed, but the ping, for example, never comes back.
But I can ping the tunneled network directly from the firewall itself. So I also tried to disable outbound NAT for WireGuard; it still does not work. So I am clueless.

I would appreciate any help.

December 01, 2025, 03:03:38 PM #1 Last Edit: December 01, 2025, 07:17:46 PM by Patrick M. Hausen
What are the AllowedIPs settings in the WireGuard peer on each side?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Today at 09:15:05 AM #3 Last Edit: Today at 09:16:55 AM by austrian-firewaller
Thank you for your reply.

The allowed IP in Site A:
172.16.0.10/32, 192.168.10.0/24

Site B:
172.16.0.1/32, 192.168.1.0/24

So in each instance it is the FW tunnel IP and the network from the opposite site.
That should be correct, right?

Quote from: Bob.Dig on December 01, 2025, 07:00:06 PM
Quote from: austrian-firewaller on December 01, 2025, 02:46:42 PM
without creating an interface for wireguard
Create one on both sides.

Why? It should not be necessary. And I think I did that as well; nothing changed. I found other sources telling me not to do so.

If both firewalls can ping one another (BTW: on which address? The tunnel IP or their LAN IP?), then it seems obvious that your firewall rules created in step 6 of the official instructions are wrong. You should not have to use NAT on the WireGuard interfaces. Just follow the docs.
 
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

From both firewalls I can ping the tunnel IP and all hosts on the other network.
But it is not possible from a host inside a LAN network to get to the other network, only to the other tunnel IP address.

So for example, I ping from a host on Site B to firewall Site A:
192.168.10.190 -> 192.168.1.10
I see in the firewall Liveview (FW B):
LAN IN from 192.168.10.190 to Dest 192.168.1.10
wg OUT from 192.168.10.190 to Dest 192.168.1.10

And on FW Site A I see nothing.
I have allow "all in" rules for traffic on the LAN and WireGuard interfaces on both OPNsense boxes; still nothing.

Now I have created interfaces for the wireguard tunnels still no change.

The WG tunnel itself is stable, because from my PC (192.168.10.190) I can ping firewall Site A with 65000 bytes of payload with no dropped packets over a longer time.
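As an added example (not from any poster, and not OPNsense code), here is the cryptokey-routing check WireGuard applies on both firewalls, walked through for the ping described in this thread. The constructed SITE_A/SITE_B values copy the tunnel addresses and AllowedIPs reported above; the narrowed variant at the end is a hypothetical misconfiguration used only for contrast.

```python
import ipaddress

# Constructed from the thread: each firewall's own tunnel address, its LAN,
# and the AllowedIPs it has configured for the remote peer.
SITE_A = {"tunnel": "172.16.0.1", "lan": "192.168.1.0/24",
          "peer_allowed": ["172.16.0.10/32", "192.168.10.0/24"]}
SITE_B = {"tunnel": "172.16.0.10", "lan": "192.168.10.0/24",
          "peer_allowed": ["172.16.0.1/32", "192.168.1.0/24"]}


def in_allowed(ip, allowed):
    """Cryptokey routing: does any AllowedIPs prefix cover this address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed)


def trace(src, dst, sender, receiver):
    """Walk one packet through wg on the sending and the receiving firewall.
    Outbound: wg only encrypts to the peer whose AllowedIPs cover dst.
    Inbound: wg silently drops a decrypted packet whose src is outside the
    peer's AllowedIPs, before pf ever sees it (so no Live View entry).
    Returns the checkpoints reached."""
    steps = []
    if not in_allowed(dst, sender["peer_allowed"]):
        return steps + ["dropped: dst not routed to peer (AllowedIPs)"]
    steps.append("wg OUT on sender")
    if not in_allowed(src, receiver["peer_allowed"]):
        return steps + ["dropped silently on receiver: src not in AllowedIPs"]
    steps.append("wg IN on receiver")
    return steps


def round_trip(src, dst, sender, receiver):
    """Echo request and echo reply must both pass; report the failing leg."""
    req = trace(src, dst, sender, receiver)
    if "wg IN on receiver" not in req:
        return ("request", req)
    rep = trace(dst, src, receiver, sender)
    if "wg IN on receiver" not in rep:
        return ("reply", rep)
    return ("ok", req + rep)


if __name__ == "__main__":
    # The ping from the thread: host on LAN B -> host on LAN A.
    print(round_trip("192.168.10.190", "192.168.1.10", SITE_B, SITE_A))
    # Hypothetical contrast: Site A lists only the tunnel /32 for its peer.
    narrow_a = dict(SITE_A, peer_allowed=["172.16.0.10/32"])
    print(round_trip("192.168.10.190", "192.168.1.10", SITE_B, narrow_a))
```

With the AllowedIPs posted in this thread both legs pass, so the cryptokey routing is not what is blocking the ping; the narrowed variant reproduces the "wg OUT seen on B, nothing on A" pattern, because the drop happens inside wg rather than in pf.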