Netgate Discussion Forum
    Wireguard Site to Site

    7 Posts 3 Posters 1.1k Views

    • R
      random_pawn
      last edited by random_pawn

      Re: Wireguard Site-to-Site Setup - Errors on Interface

      I am setting up a Wireguard site to site between two pfSense (2.6.0) before sending the one off. I followed the video from Christian MacDonald here: https://youtu.be/2oe7rTMFmqc to set it all up (tunnels, peers, firewall, interface, gateway routes, etc).

      Unlike the video, I have the "new" equipment WAN linked to my LAN for setup. I am not sure if this affects how it works. I have been sticking to IP addresses to rule out DNS. Routing tables look fine.

      Both pfSenses show the tunnel gateway up and good connection. However, the Wireguard itself is not functional. Example, unable to connect to the new equipment LAN (to access WebGUI) from my LAN. Tracert from my pfSense shows the first hop at the Wireguard tunnel IP but after that is all *.

      I have checked the settings across both devices multiple times and the video. Not sure what else to look for. I wish there was some kind of log for Wireguard connections.

      I do see interface errors, both in and out. My pfSense shows:

      Packets In 26451
      Packets Out 66561
      Bytes In 749 KiB
      Bytes Out 1.84 MiB
      Errors In 40287
      Errors Out 10028

      None of the other interfaces (physical and VLANs) have errors. Only the Wireguard S2S one. The "new" pfSense barely has any errors (0 in, 51 out) for (39166 in, 105932 out) on the S2S interface.

      Searching the States for the Wireguard port shows only ipv6 entries (both pfSense). Strange considering the Wireguard networks, routing, and S2S interface are only set to use ipv4 (Firewall rules allowing combinations of ipv4 and ipv6 have no effect). Any ideas?

      At this point, seems I will do 1 more pass checking each setting carefully. And then hope it works when both are separated by the internet.

      • J
        Jarhead @random_pawn
        last edited by

        @random_pawn
        What does "WAN linked to LAN" mean?

        Post pics of Wireguard config, interfaces, static routes, gateways, everything you did.

        • Bob.DigB
          Bob.Dig LAYER 8
          last edited by

          Sounds more like a problem of your test setup and not something with WireGuard.

          • R
            random_pawn @Jarhead
            last edited by random_pawn

            @jarhead The video shows both pfSense connected to a WAN. My network isn't set up like this. My network pfSense WAN is connected to the ISP while the one for remote is being configured with its WAN connected to my LAN.

            • R
              random_pawn @Bob.Dig
              last edited by

              @bob-dig Any ideas what to look at? I have spent hours looking at the settings in that video. The gateway monitor on each side sees the other one.

              • J
                Jarhead @random_pawn
                last edited by Jarhead

                @random_pawn said in Wireguard Site to Site:

                @jarhead The video shows both pfSense connected to a WAN. My network isn't set up like this. My network pfSense WAN is connected to the ISP while the one for remote is being configured with its WAN connected to my LAN.

                First, as I said. Post pics of the config. Another set of eyes will probably help.

                Second, you need to be more clear about this wan-lan link.
                Draw a picture of what you mean, because from what you're saying, the remote site connected to your lan wouldn't make it remote. That makes no sense.
                Are you saying the remote is a lab setup in your home?

                • R
                  random_pawn @Jarhead
                  last edited by random_pawn

                  @jarhead

                  I am configuring this device for deployment. Sorry I was not clear on that point. That is why the WAN is connected to my LAN. This device will be going over a thousand miles away and I need to set it up before it makes that journey. All of this headache just so I can remotely help (and make my life a little easier without needing to coordinate some kind of remote desktop/access). And this scenario requires the remote device to punch the hole through because their ISP uses private IPs, so the link will rely on the remote device establishing the link.

                  I have isolated it to the Firewall blocking the access. The default deny rule was stepping in to block it. The Firewall knows it is the S2S interface... and not the WAN. Private IP restrictions do not apply. The Default deny rule on both firewalls was blocking access. Oddly, the PC on the remote pfSense had no issues accessing my pfSense WebGUI but could not access my LAN devices... and I could not go the other direction to access the WebGUI of the remote device.

                  I need to review the syntax/scope on the Firewall rules again. By default, pfSense uses XXX net for Source. I had copied the allow rules to the S2S interface and updated to use S2S net. As Christian's video shows in the Firewall section, source is set to * (All). I have the tunnel working now. So sorry about wasting anyone's time.

                  P.S. Akismet is flagging my post as spam. Not sure why that is. Apparently it won't allow me to add images with the post.

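The root cause random_pawn describes above (pass rules copied onto the WireGuard interface with Source set to "S2S net", so anything sourced from the far LAN falls through to the default deny) can be reproduced with a small first-match rule evaluator. This is an added illustration, not code from the thread or from pfSense; the subnets, interface name and rule sets below are constructed for the example. It shows why a packet from a remote-LAN host arriving on the tunnel interface is dropped when the source is restricted to the tunnel subnet, while the same packet passes once the source is any, and why traffic sourced from the peer's own tunnel address (for example the gateway monitor) matched all along.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed lab addressing (not from the thread); substitute your own.
LOCAL_LAN = ip_network("192.168.1.0/24")    # hypothetical "my" LAN
REMOTE_LAN = ip_network("192.168.50.0/24")  # hypothetical remote-site LAN
S2S_NET = ip_network("10.99.0.0/30")        # hypothetical WireGuard tunnel subnet
S2S_IF = "S2S"                              # hypothetical assigned WireGuard interface


@dataclass(frozen=True)
class Rule:
    """One pass/block rule as pfSense presents it: interface, source, destination.

    src/dst of None stands for '*' (any) in the GUI.
    """
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet arrives on
    src: Optional[IPv4Network]   # e.g. "S2S net" -> S2S_NET, "*" -> None
    dst: Optional[IPv4Network]


def first_match(rules: List[Rule], iface: str, src: str, dst: str) -> Rule:
    """Return the first rule matching the packet on that interface.

    pfSense GUI rules are 'quick', so the first match wins. If nothing matches,
    the implicit default-deny rule applies (the 'Default deny rule' seen in logs).
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface != iface:
            continue
        if r.src is not None and s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        return r
    return Rule("block", iface, None, None)  # implicit default deny


def evaluate(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """Convenience wrapper returning just 'pass' or 'block'."""
    return first_match(rules, iface, src, dst).action


# Rule set 1: LAN rules copied to the S2S tab with Source changed to "S2S net".
RULES_S2S_NET_SOURCE = [Rule("pass", S2S_IF, S2S_NET, None)]

# Rule set 2: Source set to "*" (any), as in the walkthrough video.
RULES_ANY_SOURCE = [Rule("pass", S2S_IF, None, None)]


def demo() -> dict:
    """Evaluate the same packets against both rule sets and return the verdicts."""
    remote_pc, my_server = "192.168.50.10", "192.168.1.10"   # constructed hosts
    peer_tunnel_addr, my_tunnel_addr = "10.99.0.2", "10.99.0.1"
    return {
        # Remote-LAN host reaching my LAN through the tunnel: dropped vs passed.
        "remote_lan_with_s2s_net_source": evaluate(
            RULES_S2S_NET_SOURCE, S2S_IF, remote_pc, my_server),
        "remote_lan_with_any_source": evaluate(
            RULES_ANY_SOURCE, S2S_IF, remote_pc, my_server),
        # Peer firewall's own tunnel address (e.g. gateway monitor pings): passes
        # under both rule sets, which is why the gateway showed 'up' all along.
        "peer_tunnel_addr_with_s2s_net_source": evaluate(
            RULES_S2S_NET_SOURCE, S2S_IF, peer_tunnel_addr, my_tunnel_addr),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Reading the output side by side makes the symptom in the thread obvious: the tunnel gateway looks healthy because monitor traffic is sourced from the tunnel subnet, yet every host-to-host packet carries a LAN source address that a "S2S net" rule never matches. When tightening the Source back down from any, the correct value is the remote LAN subnet (or an alias covering all remote networks), not the tunnel subnet.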
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.