Unable to get site-site VPN working

stevelup

Home in 'light' theme, office in 'dark' theme.

Here is a successful ping of a device on the office LAN from the home pfSense GUI

Here is a successful ping of a device on the home LAN from the office pfSense GUI

Office > home static route

Office firewall rule (it's just any/any)

Office peers

Home > office static route

Home firewall rule (again, just any/any)

Home peers

stevelup

Here's my LAN firewall rule in case it's relevant - again, it just allows any

And here is what I see if I try and make a random connection (I just telnetted to the unused port 12345) from home to the office.

I'm obviously just missing something spectacularly dumb... but this has me at a loss and I'm not one who normally gives up and asks for help!

Bob.Dig

@stevelup And you have no rules on the WireGuard-Interface-Tab (both sides)?
Please share your WireGuard-Interfaces as well. There you should set 1420 as MTU and MSS.
Your allowed IPs with /31 are wrong, that should be /32 with the IP of the other side of the tunnel but it doesn't look to be related to your actual problem.

stevelup

@Bob-Dig Can confirm there are no rules in either WireGuard tab. I followed the advice in Christian McDonald's video and set Interface Group Membership to 'Only Unassigned Tunnels' which means that rule isn't in play anyway. But this was one of my troubleshooting steps after I couldn't get it working.

The /31 came from the official docs:-

https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html

But as you say, I don't think that's relevant because the VPN is actually working fine.

I will certainly try changing it though just for the purposes of eliminating a further variable.

Can confirm MTU is set to 1420 at both ends.

Bob.Dig

@stevelup said in Unable to get site-site VPN working:

I will certainly try changing it though just for the purposes of eliminating a further variable.

Please do, could be a potential issue with the documentation there. If you change that, does the gateway monitoring work? It shouldn't work right now...

What clients are we talking about? If it is Windows, turn their firewalls off on both sides just to make sure, because I can't see the problem right now.

stevelup

@Bob-Dig Gateway monitoring is working fine (and always has)

The client devices I'm pinging to/from are Linux boxes with no firewall, and as above, they are pingable from the pfSense GUI

Both the site-to-site and site-to-multisite tutorials on the pfSense docs show a subnet there not a single host, as does Christian's video, but I'll certainly try it.

stevelup

Hi

Many thanks for your continuing assistance.

I did that...

... no change. Gateway monitoring still working both ends, I can ping either direction from pfSense GUI, but not from either LAN.

This feels like a firewall / NAT issue, and not really anything to do with Wireguard.

Steve

Bob.Dig

@stevelup Might be pfSense-magic. If gateway monitoring is already working, nothing to do. But it might be a pfSense only thing.

Firewall/NAT issue... I don't think so because you don't NAT if you have followed the tutorial by Christian. Your VMs running bare metal or?

stevelup

I have a mixture of bare metal and virtualised stuff at both ends, not sure it's relevant.

Network is simple, one single flat /24 on each side.

It's worth pointing out that I can't even ping the remote pfSense gateways which basically rules out anything external as far as I can see.

See below - I can ping 192.168.1.254 from my home pfSense GUI, but not from my home LAN.

This is going to be something spectacularly dumb when I figure out what it is but I just don't understand how to troubleshoot this.

viragomann

@stevelup said in Unable to get site-site VPN working:

I can ping 192.168.1.254 from my home pfSense GUI, but not from my home LAN.

Post the routing tables of all involved devices, please: The one of the LAN machine and of both pfSense nodes.

stevelup

I am so sorry to have wasted your time but I've solved this, and it was complete and absolute muppetry on my behalf.

I had, many months ago, attempted to set this same thing up using an IPsec tunnel. The non-working IPsec tunnel was still set up on one of the devices...