Wireguard site to site vpn, lan site not accessible.
-
Okay, here is what you're expecting.
Side A:
Tunnel:
Peer:
Tunnel Interface:
Gateway:
Routing:
LAN rule:
Wireguard rule:
Tunnel-interface rule:
Site B:
Tunnel:
Peer:
Tunnel Interface:
Gateway:
Routing:
LAN rule:
Wireguard rule:
Tunnel-interface Rule
This is my total configuration.
-
@sutha You changed LAN subnets?
Not making this easy, are you?Set the interface MTU to 1420 <--- DO THIS. Very important. (May fix your problem)
What you're calling Side A, what is the LAN subnet?
-
I have change the lan range but the subnetting is kept according to the link you provided. I want to avoid the same IP range again to avoid any complication with previous setting.
I have change the lan Interface mtu to 1420, it did not work then tried to change tunnel mtu as well but this is also not successful.
I have revert the lan mtu back to blank, but still not working.Final outcome not working, current lan and tunnel interface mtu status are 1420.
Still can't ping other side local pc.
Side A is one of the location and Side B is the another location.
I have marked this in description of the Tunnel configuration as (S) and (I) .
Subnet for tunnel is x.x.x.x/30 and lan x.x.x.x/24 as you can see in the above configuration(don't compare with beginning of this chat). -
@sutha I meant the WG interface MTU only. Bith sides should be 1420. No need to change the LAN MTU.
What is the local subnet on the side A?
I can't make the question any clearer than that. Thought that was clear enough in my last post.(Hint, it's not x.x.x.x/24)
-
Local subnet is 192.168.10.0/24.
-
@sutha Ok. Wireguard is setup correctly.
Whatever the problem is, it's not Wireguard.
These PC's you're trying to get to, how are they configured? DHCP? Is the gateway correct on them?
Start checking the local PC's on both sides.Check the routing tables on both ends.
Also, do a packet capture on one end from the Wireguard interface, then do a constant ping from a pc on the other end. Do you see the replies going out the Wireguard interface?
With the same ping going, do a packet capture on the WG interface on the same side as the pinging PC. Do you see replies coming in? -
Just to clear my confusion.
Side A:
Pc1:192.168.10.125 (Pc with company files from side-A)
Pc2: 192.168.20.125 (This pc is to connect the side-B network)
Subnet: 255.255.255.0
Gateway: emptySide B:
Pc1:192.168.20.68 (Pc with company files from side-B)
Pc2:192.168.10.68 (This pc is to connect the Side-A network)
Subnet: 255.255.255.0
Gateway: emptyBoth sides have a different public IP from the WAN IP shown in the images above. Therefore, I have forwarded the WireGuard port to this particular machine on each side.
Are my ip setting on the pc's are correct or do I need to add the gateway, when yes what is my gateway(tunnel ip,wan IP or pfsense ip).
-
@sutha pfSense LAN IP on both sides.
Side A gateway will be 10.0Side B gateway will be 20.1.
-
Great !
Finally, something is working.
After entering the gateway, I can ping the local PC from the diagnostic page of other side pfsense. However, I'm still unable to ping from the command prompt. Do I need to install the WireGuard peer on every system from which I'd like to connect via VPN, or is this site-to-site VPN setup with pfSense is enough? -
@sutha pfSense is enough.
You created a link from one router to the other. No clients needed. -
Thanks!
I have tried the command tracert from command prompt, it goes upto otherside tunnel 172.25.25.2(I was trying fron tunnel side 172.25.25.1)- first my router
- tunnel ip 172.25.25.2
-
- requested timed out
-
- requested timed out
and so on.
- requested timed out
If I try the same ip from the diagnostic page from pfsense, 2 jumps only.
- tunnel ip 172.25.25.2
- pc ip 192.168.20.68
I'm sure something is blocking from the exit point of the tunnel, now I'm looking for a way how to identify this block(Pc firewall is off).
-
@Jarhead said in Wireguard site to site vpn, lan site not accessible.:
Check the routing tables on both ends.
Also, do a packet capture on one end from the Wireguard interface, then do a constant ping from a pc on the other end. Do you see the replies going out the Wireguard interface?
With the same ping going, do a packet capture on the WG interface on the same side as the pinging PC. Do you see replies coming in? -
A big Thanks to Jarhead. I have succeeded in my aim today, which I had planned for. I can ping both sides and access via RDP, but I still don't understand few things. Normally, if you want to access a network, you need to be in the same range as that network. For example, I would like to access "side A" (192.168.10.0/24) from "side B" (192.168.20.0/24). I always kept a PC with an IP setting in the range of 192.168.10.50 on "side B", and actually, this is the issue with my settings, other than the gateway setting in the past. Today, when I changed this IP to the normal 192.168.20.50, it is working fine now.