Wireguard Site to Site - Unable to access remote sites
-
Set up the WireGuard S2S. I'm able to ping machines on either side.
I am, however, unable to access webservers (via internal IPs) running on either side, which I had set up to test. Nothing else works other than the ping.
I have the interfaces assigned and rules in Firewall.
I also have another WG tunnel & if i use wireguard client, i'm able to access the webserver though.
TL;DR Ping works but nothing else.
Here are the wg1.conf files from either side:

RemoteOffice Site
# This WireGuard config file has been created automatically. Do not edit!
# Description: SiteToSite
[Interface]
PrivateKey = PVTKEY
ListenPort = 51821
# Peer: HomeS2SClient
[Peer]
PublicKey = Pubkey=
EndPoint = 5.6.7.8:51821
AllowedIPs = 192.168.11.0/24, 10.30.0.0/24
PersistentKeepalive = 10

Home Site
# This WireGuard config file has been created automatically. Do not edit!
# Description: SitetoSite
[Interface]
PrivateKey = PVTKEY
ListenPort = 51821
# Peer: RemoteOffice
[Peer]
PublicKey = RemotePublicKey
EndPoint = 1.2.3.4:51821
AllowedIPs = 192.168.2.0/24, 10.30.0.0/24
PersistentKeepalive = 10
-
@yodaphone
I'm only able to PING the WG IP addresses from the clients on either side, but NOT the remote client subnet. -
@yodaphone This is S2S between 2 pfSense boxes?
Can you share your pf tunnel and peer settings?
Regards!!! -
@periko
HQ Details:
Internal Subnet: 192.168.2.0/24
WG LAN IP: 10.30.0.1/24
Port: 51821
Remote Office:
Internal Subnet: 192.168.11.0/24
WG LAN IP: 10.30.0.2/24
Port: 51821
Yes, I have followed the guide and created the interface and added firewall rules.
The weird part is that i can ping the remote WG LAN IPs but not the remote subnets.
I can PING 10.30.0.1 <-> 10.30.0.2 from either side
My NAT is Hybrid Mode.
HQ Side wg1.conf
# This WireGuard config file has been created automatically. Do not edit!
# Description: HQ
[Interface]
PrivateKey = hqPVTkey
ListenPort = 51821
# Peer: remoteoffice
[Peer]
PublicKey = RemotePUBKEY=
EndPoint = 4.5.6.7:51821
AllowedIPs = 10.30.0.2/32, 192.168.11.0/24
PersistentKeepalive = 10

REMOTE OFFICE wg1.conf
# This WireGuard config file has been created automatically. Do not edit!
# Description: remoteoffice
[Interface]
PrivateKey = PVTKEY=
ListenPort = 51821
# Peer: HQ
[Peer]
PublicKey = HQPUBKEY=
EndPoint = 1.2.3.4:51821
AllowedIPs = 10.30.0.1/32, 192.168.2.0/24
PersistentKeepalive = 10

The biggest headscratcher is that I can ping the remote subnet from the pfSense boxes, both ways, but cannot from the network.
-
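Added example, not from the thread or from pfSense: a small parser for the wg1.conf format posted above, plus a check that each side's peer AllowedIPs (WireGuard's cryptokey routing table) covers the far side's tunnel address and LAN. The sample config is constructed from the HQ values in the thread; key and endpoint are placeholders.

```python
import ipaddress
def parse_wg_conf(text):
    """Parse a wg-quick / pfSense style .conf into an Interface dict and a list of Peer dicts."""
    conf, section = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments such as "# Peer: HQ"
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "peer":
                conf["Peers"].append({})
            section = conf["Peers"][-1] if name == "peer" else conf["Interface"]
            continue
        key, sep, value = line.partition("=")         # first '=' only: base64 keys end in '='
        if section is None or not sep:
            raise ValueError(f"malformed line {raw!r}")
        section[key.strip().lower()] = value.strip()  # wg treats keys case-insensitively
    return conf

def allowed_networks(peer):
    """A peer's AllowedIPs as ip_network objects: this is WireGuard's cryptokey routing table."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("allowedips", "").split(",") if p.strip()]

def check_s2s(conf, remote_tunnel_ip, remote_lan):
    """Findings for one side: some peer's AllowedIPs must cover the far tunnel IP and the far LAN,
    since WireGuard only sends to / accepts from listed addresses (tunnel pings can still work)."""
    findings = []
    targets = {"remote tunnel address": remote_tunnel_ip, "remote LAN subnet": remote_lan}
    for label, target in targets.items():
        want = ipaddress.ip_network(target, strict=False)
        covered = any(want.subnet_of(net) for peer in conf["Peers"]
                      for net in allowed_networks(peer) if net.version == want.version)
        if not covered:
            findings.append(f"{label} {target} is not covered by any peer's AllowedIPs")
    return findings

# Constructed sample mirroring the HQ side posted above (key and endpoint are placeholders).
HQ_CONF = """[Interface]
PrivateKey = hqPVTkey
# Peer: remoteoffice
[Peer]
PublicKey = RemotePUBKEY=
EndPoint = 1.2.3.4:51821
AllowedIPs = 10.30.0.2/32, 192.168.11.0/24
"""
# Same side with the far LAN left out: tunnel pings still work, LAN-to-LAN traffic is dropped.
HQ_CONF_TUNNEL_ONLY = HQ_CONF.replace(", 192.168.11.0/24", "")
```

Run the check on both sides' files with the other side's tunnel IP and LAN; an empty list means the cryptokey routing is consistent and the problem lies elsewhere (interface assignment, firewall rules, NAT, or a competing tunnel).
-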
@yodaphone Can you show the firewall rules from the 'WireGuard' tab, please?
-
@periko I think you need to have an interface defined for each wg tunnel and both a firewall rule on each end as well as an outbound NAT rule. Without those, pfSense knows how to touch each end but it doesn't know how to route your traffic.
-
Create an interface for your wg tunnel. Put an All All for Any rule on it to make it wide open for now.
-
Add a LAN rule above your 'Default allow LAN to any rule', Allow, Prot:IPv4*, Source:, Port:, Dest:<targetnetworkinCIDR>, Port:*, Gateway: <wireguardinterface>
-
Add an Outbound NAT rule via NAT - Outbound. Switch your mode to Hybrid and click Save. Then under Mappings add a rule: Interface: <wireguardinterface>, Source:<localnetworkinCIDR>, SrcPort:, Dest:, DestPort:*, NAT Address:<wireguardinterface> address
Do this on each side and they should be able to talk to each other via IP address but DNS might need some finesse.
-
Thank you all for your responses.
I solved it by removing the IPsec tunnel completely. I had an IPsec tunnel between the points and had disabled it. Once I removed it completely, WireGuard started to work. The bizarre part was that the tunnel was fine between the pfSense boxes and not between the clients behind each.
-
@kom I did all of this. The issue was with the IPsec tunnel. It worked after I removed that.
-
So to sum this up,
the whole issue was the second VPN tunnel (IPsec)?
And after you removed your IPsec tunnel, the WireGuard S2S tunnel was working?
If yes, please mark this topic as solved. -
SOLVED. Had to remove an IPsec tunnel to make this work.