Netgate Discussion Forum

Wireguard Site to Site - Unable to access remote sites

WireGuard
yodaphone
last edited by Mar 6, 2021, 5:55 PM

Set up the WireGuard S2S. I'm able to ping machines on either side.

I am, however, unable to access web servers (via internal IPs) running on either side that I had set up to test. Nothing other than ping works.

I have the interfaces assigned and rules in Firewall.

I also have another WG tunnel, and if I use the WireGuard client I'm able to access the web server, though. 🤷

TL;DR Ping works but nothing else.

Here are the wg1.conf files from either side.

RemoteOffice Site

    # This WireGuard config file has been created automatically. Do not edit!
    # Description: SiteToSite

    [Interface]
    PrivateKey = PVTKEY
    ListenPort = 51821

    # Peer: HomeS2SClient
    [Peer]
    PublicKey = Pubkey=
    EndPoint = 5.6.7.8:51821
    AllowedIPs = 192.168.11.0/24, 10.30.0.0/24
    PersistentKeepalive = 10

Home Site

    # This WireGuard config file has been created automatically. Do not edit!
    # Description: SitetoSite

    [Interface]
    PrivateKey = PVTKEY
    ListenPort = 51821

    # Peer: RemoteOffice
    [Peer]
    PublicKey = RemotePublicKey
    EndPoint = 1.2.3.4:51821
    AllowedIPs = 192.168.2.0/24, 10.30.0.0/24
    PersistentKeepalive = 10

yodaphone @yodaphone
last edited by yodaphone Mar 6, 2021, 10:05 PM

@yodaphone
I'm only able to PING the WG IP addresses from the clients on either side, but NOT the remote client subnet.

periko @yodaphone
last edited by Mar 7, 2021, 3:22 AM

@yodaphone Is this S2S between 2 pfSense boxes?
Can you share your pf tunnel and peer settings?
Regards!!!

Need pfSense support in Mexico?
www.bajaopensolutions.com
https://www.facebook.com/BajaOpenSolutions
Want to learn pfSense? Visit my YouTube channel:
https://www.youtube.com/c/PedroMorenoBOS

yodaphone @periko
last edited by Mar 7, 2021, 12:25 PM

@periko
HQ Details:

Internal Subnet: 192.168.2.0/24

WG LAN IP: 10.30.0.1/24

Port: 51821

Remote Office:

Internal Subnet: 192.168.11.0/24

WG LAN IP: 10.30.0.2/24

Port: 51821

Yes, I have followed the guide and created the interface and added firewall rules.

The weird part is that I can ping the remote WG LAN IPs but not the remote subnets.

I can PING 10.30.0.1 <-> 10.30.0.2 from either side.

My NAT is in Hybrid mode.

HQ Side wg1.conf

    # This WireGuard config file has been created automatically. Do not edit!
    # Description: HQ

    [Interface]
    PrivateKey = hqPVTkey
    ListenPort = 51821

    # Peer: remoteoffice
    [Peer]
    PublicKey = RemotePUBKEY=
    EndPoint = 4.5.6.7:51821
    AllowedIPs = 10.30.0.2/32, 192.168.11.0/24
    PersistentKeepalive = 10

REMOTE OFFICE wg1.conf

    # This WireGuard config file has been created automatically. Do not edit!
    # Description: remoteoffice

    [Interface]
    PrivateKey = PVTKEY=
    ListenPort = 51821

    # Peer: HQ
    [Peer]
    PublicKey = HQPUBKEY=
    EndPoint = 1.2.3.4:51821
    AllowedIPs = 10.30.0.1/32, 192.168.2.0/24
    PersistentKeepalive = 10

The biggest head-scratcher is that I can ping the remote subnet from the pfSense boxes, both ways, but cannot from the network.

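Added example, not part of the thread and not pfSense or WireGuard code: a small checker that reads both wg1.conf files of a site-to-site pair and verifies the cryptokey routing is symmetric, the way a practitioner would before touching firewall or NAT rules. The two configs from the post above are embedded as constructed sample input (placeholder keys as posted), along with a second HQ config in which the remote LAN has been dropped from AllowedIPs. That omission is one misconfiguration that produces exactly the symptom described, tunnel addresses reachable but LAN subnets not, because WireGuard only encrypts outbound packets whose destination falls inside the peer's AllowedIPs and drops decrypted packets whose source does not. The function names, the site dictionary layout and the finding strings are this example's own choices; key names are lower-cased on parse because wg(8) matches them case-insensitively, so the "EndPoint" spelling in the generated files is accepted.

```python
# Added example (not from the thread): cross-check two WireGuard site-to-site
# configs for consistent cryptokey routing. Hypothetical helper names throughout.
import ipaddress


def parse_wg_conf(text):
    """Parse wg(8)-style INI text into {"interface": {...}, "peers": [{...}, ...]}.
    Keys are lower-cased because wg(8) matches them case-insensitively."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                section = interface
            elif name == "peer":
                section = {}
                peers.append(section)
            else:
                raise ValueError("unknown section %r" % line)
            continue
        if section is None or "=" not in line:
            raise ValueError("malformed line %r" % line)
        key, value = (part.strip() for part in line.split("=", 1))
        section[key.lower()] = value
    for peer in peers:                               # AllowedIPs -> list of networks
        peer["allowedips"] = [ipaddress.ip_network(n.strip(), strict=False)
                              for n in peer.get("allowedips", "").split(",") if n.strip()]
    return {"interface": interface, "peers": peers}


def _covers(allowed, target):
    """True if the address or prefix `target` lies inside some AllowedIPs entry."""
    target = ipaddress.ip_network(target, strict=False)
    return any(n.version == target.version and target.subnet_of(n) for n in allowed)


def check_site_to_site(site_a, site_b):
    """Return a list of findings for a pair of sites, each a dict with
    name, conf, lan and wg_ip. An empty list means each end routes the other's
    tunnel address and LAN through its peer and nothing local leaks into the tunnel."""
    findings = []
    for local, remote in ((site_a, site_b), (site_b, site_a)):
        cfg, rcfg = parse_wg_conf(local["conf"]), parse_wg_conf(remote["conf"])
        if len(cfg["peers"]) != 1:
            findings.append("%s: expected one [Peer] for a site-to-site tunnel, found %d"
                            % (local["name"], len(cfg["peers"])))
            continue
        peer = cfg["peers"][0]
        allowed = peer["allowedips"]
        # Outbound: only destinations inside AllowedIPs are encrypted to this peer.
        # Inbound: decrypted packets whose source is outside AllowedIPs are dropped.
        for what, target in (("tunnel address", remote["wg_ip"]), ("LAN", remote["lan"])):
            if not _covers(allowed, target):
                findings.append("%s: AllowedIPs lacks remote %s %s" % (local["name"], what, target))
        # A local prefix inside AllowedIPs would pull local traffic into the tunnel.
        if _covers(allowed, local["lan"]):
            findings.append("%s: AllowedIPs covers the local LAN %s" % (local["name"], local["lan"]))
        # The endpoint port must be the far side's ListenPort.
        endpoint = peer.get("endpoint", "")
        port = endpoint.rsplit(":", 1)[1] if ":" in endpoint else None
        if port != rcfg["interface"].get("listenport"):
            findings.append("%s: Endpoint %r does not match %s ListenPort %s"
                            % (local["name"], endpoint, remote["name"],
                               rcfg["interface"].get("listenport")))
    return findings


# Constructed sample input, modelled on the wg1.conf files in the post above.
HQ_CONF = """\
[Interface]
PrivateKey = hqPVTkey
ListenPort = 51821
# Peer: remoteoffice
[Peer]
PublicKey = RemotePUBKEY=
EndPoint = 4.5.6.7:51821
AllowedIPs = 10.30.0.2/32, 192.168.11.0/24
PersistentKeepalive = 10
"""
REMOTE_CONF = HQ_CONF.replace("hqPVTkey", "PVTKEY=").replace("RemotePUBKEY=", "HQPUBKEY=") \
    .replace("4.5.6.7:51821", "1.2.3.4:51821") \
    .replace("10.30.0.2/32, 192.168.11.0/24", "10.30.0.1/32, 192.168.2.0/24")

HQ = {"name": "HQ", "conf": HQ_CONF, "lan": "192.168.2.0/24", "wg_ip": "10.30.0.1"}
REMOTE = {"name": "RemoteOffice", "conf": REMOTE_CONF, "lan": "192.168.11.0/24", "wg_ip": "10.30.0.2"}
# Same HQ config with the remote LAN dropped from AllowedIPs: tunnel IPs still ping, LANs do not.
HQ_MISSING_LAN = dict(HQ, conf=HQ_CONF.replace("10.30.0.2/32, 192.168.11.0/24", "10.30.0.2/32"))

if __name__ == "__main__":
    for label, pair in (("as posted", (HQ, REMOTE)),
                        ("remote LAN missing from AllowedIPs", (HQ_MISSING_LAN, REMOTE))):
        print(label + ":", check_site_to_site(*pair) or "consistent")
```

Run it against the real files (`wg showconf wg1` on each box prints the live configuration) by loading each side's text into the `conf` field; the check is purely on the cryptokey-routing layer, so a clean result still leaves the pfSense interface assignment, firewall rules and any competing tunnel to be verified separately.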
periko @yodaphone
last edited by Mar 8, 2021, 1:51 PM

@yodaphone Can you show the firewall rules from the 'WireGuard' tab, please?

KOM @periko
last edited by Mar 8, 2021, 8:55 PM

@periko I think you need to have an interface defined for each WG tunnel, and both a firewall rule on each end as well as an outbound NAT rule. Without those, pfSense knows how to touch each end but it doesn't know how to route your traffic.

1. Create an interface for your WG tunnel. Put an allow any-to-any rule on it to make it wide open for now.

2. Add a LAN rule above your 'Default allow LAN to any' rule: Allow, Prot:IPv4*, Source:*, Port:*, Dest:<targetnetworkinCIDR>, Port:*, Gateway:<wireguardinterface>

3. Add an Outbound NAT rule via NAT - Outbound. Switch your mode to Hybrid and click Save. Then under Mappings add a rule: Interface:<wireguardinterface>, Source:<localnetworkinCIDR>, SrcPort:*, Dest:*, DestPort:*, NAT Address:<wireguardinterface> address

Do this on each side and they should be able to talk to each other via IP address, but DNS might need some finesse.

yodaphone
last edited by Mar 8, 2021, 9:22 PM

Thank you all for your responses.

I solved it by removing the IPsec tunnel completely. I had an IPsec tunnel between the points and had disabled it. Once I removed it completely, WireGuard started to work. The bizarre part was that the tunnel was fine between the pfSense boxes and not between the clients behind each.

yodaphone @KOM
last edited by Mar 8, 2021, 9:24 PM

@KOM I did all of this. The issue was with the IPsec tunnel; it worked after I removed that.

noplan @yodaphone
last edited by Mar 9, 2021, 9:28 AM

@yodaphone

So, to sum this up,
the whole issue was the second VPN tunnel (IPsec)?
And after you removed your IPsec tunnel the WireGuard S2S tunnel was working?
If yes, please mark this topic as solved.

yodaphone
last edited by Mar 9, 2021, 12:08 PM

SOLVED. Had to remove an IPsec tunnel to make this work.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.