Netgate Discussion Forum

WireGuard site-to-site pfsense-to-pfsense no handshake?

42 Posts 7 Posters 11.2k Views
    Jimbohello
    last edited by Jimbohello Jul 12, 2021, 1:57 AM

    @jimbohello said in WireGuard site-to-site pfsense-to-pfsense no handshake?:

    @mikki-10

    @Mikki-10

    MY SITEB

    Screenshot_20210711_214917.png

      Mikki-10 @Jimbohello
      last edited by Jul 12, 2021, 8:14 AM

      @jimbohello

      Super nice, seems like we were able to help each other out a bit then 😊

      I redid some of the steps; I now have one tunnel all working!

        Yazur @Mikki-10
        last edited by Jul 13, 2021, 2:24 PM

        @mikki-10 @Jimbohello

        Hello,

        I also have the same problem: site-to-site is impossible with WireGuard on pfSense in version 2.5.2.
        You mentioned OpenVPN, WireGuard and IPsec in the conversation; are your last messages about solving the problem with WireGuard?

          Jimbohello @Yazur
          last edited by Jul 13, 2021, 2:26 PM

          @yazur

          Yes, the problem is solved with WireGuard; just read the complete post.

            Yazur @Jimbohello
            last edited by Jul 13, 2021, 2:45 PM

            @jimbohello

            I have succeeded; in addition to adding the gateways on the interfaces, we must add the static routes.
            If you follow the Netgate documentation everything should be automatic :D !

              Jimbohello @Yazur
              last edited by Jul 13, 2021, 2:50 PM

              @yazur

              Already mentioned in that post.

              Static routing is up there.

              Just read carefully.

              Everything is there.

                cmcdonald Netgate Developer @Jimbohello
                last edited by Jul 13, 2021, 3:23 PM

                Updated documentation is something we are working on.

                Need help fast? https://www.netgate.com/support

                  Mikki-10
                  last edited by Mikki-10 Jul 13, 2021, 4:31 PM Jul 13, 2021, 4:29 PM

                  @yazur I will try to do my best to sum it up :)

                  • Create a tunnel on Site 1 and Site 2; e.g. change the port number if you do not like the default value, and generate the keys for the site. It follows the setup below.
                  • Assign the interface (e.g. tun_wg0) and set a static IP; this is the tunnel network. Set the MTU to 1420, see settings below. I use the subnet 192.168.77.0/24 in this example.
                  • Set a firewall rule (UDP) to allow traffic on the WAN interface to the WireGuard tunnel port (e.g. UDP port 51820 to WAN address on the WAN interface). (And no, it is not a NAT rule (port forward).)
                  • Set the needed firewall rules for WireGuard and the WireGuard interface WG.
                  • Add the peers on both sites, where the public key for the peer is the opposite site's public tunnel key. At least one of the peers shall have an endpoint; the opposite can be dynamic. So the site that has a public IP can have its peers be dynamic; we can call that site the server (the site with a public IP) and the other sites clients (those e.g. behind a CGNAT) if you like. Also add Allowed IPs here; you will need to add the LAN IP and the tunnel IP subnets.
                  • Add the gateway, with the opposite site's tunnel IP.
                  • The gateway should come online at this point and the handshake should now be green.
                  • Now set the needed static routes on both sites.

                  Tunnel - Site 1
                  Tunnel: tun_wg0 (Site 1)
                  Public key: PK1

                  Peer - Site 1
                  Tunnel: tun_wg0 (Site 1)
                  Endpoint: Dynamic
                  Public Key: PK2
                  Allowed IPs: <LAN Subnet of Site 2>
                  Allowed IPs: 192.168.77.0/24

                  Interface - Site 1
                  Description: WG
                  IPv4: Static IPv4
                  MTU: 1420
                  IPv4 Address: 192.168.77.1/24

                  Gateway - Site 1
                  Interface: WG
                  Name: WG_Gateway
                  IPv4 Address: 192.168.77.2

                  Tunnel - Site 2
                  Tunnel: tun_wg0 (Site 2)
                  Public key: PK2

                  Peer - Site 2
                  Tunnel: tun_wg0 (Site 2)
                  Endpoint: <Public IP of Site 1>
                  Public Key: PK1
                  Allowed IPs: <LAN Subnet of Site 2>
                  Allowed IPs: 192.168.77.0/24

                  Interface - Site 2
                  Description: WG
                  IPv4: Static IPv4
                  MTU: 1420
                  IPv4 Address: 192.168.77.2/24

                  Gateway - Site 2
                  Interface: WG
                  Name: WG_Gateway
                  IPv4 Address: 192.168.77.1

                    Mikki-10 @Mikki-10
                    last edited by Jul 13, 2021, 5:05 PM

                    @mikki-10 said in WireGuard site-to-site pfsense-to-pfsense no handshake?:

                    Peer - Site 2
                    Tunnel: tun_wg0 (Site 2)
                    Endpoint: <Public IP of Site 1>
                    Public Key: PK1
                    Allowed IPs: <LAN Subnet of Site 2>
                    Allowed IPs: 192.168.77.0/24

                    I made a small mistake, and can not edit my post?
                    Allowed IPs: <LAN Subnet of Site 2> should be <LAN Subnet of Site 1>

                    Peer - Site 2
                    Tunnel: tun_wg0 (Site 2)
                    Endpoint: <Public IP of Site 1>
                    Public Key: PK1
                    Allowed IPs: <LAN Subnet of Site 1>
                    Allowed IPs: 192.168.77.0/24

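The summary a few posts up, together with the Allowed IPs correction in this reply, can be turned into a consistency check over the two sites' entries before the handshake is attempted. This is an added example, not code from the thread or from pfSense; the Site type, check_pair, the LAN subnets and the endpoint address are constructed placeholders, and the gateway check follows Mikki-10's convention of pointing each gateway at the other site's tunnel IP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional

@dataclass
class Site:
    """One pfSense site as entered on the Tunnel/Peer/Interface/Gateway pages (hypothetical type)."""
    name: str
    public_key: str                 # this site's tunnel public key (PK1 / PK2 above)
    lan: str                        # this site's LAN subnet
    tunnel_addr: str                # WG interface address, e.g. 192.168.77.1/24
    mtu: int
    peer_public_key: str            # key entered on the Peer page
    peer_endpoint: Optional[str]    # None means "Dynamic"
    peer_allowed_ips: List[str]     # Allowed IPs entered on the Peer page
    gateway_ip: str                 # address entered on the Gateway page

def check_pair(a: Site, b: Site) -> List[str]:
    """Return the misconfigurations found; an empty list means the two sites agree."""
    problems = []
    if a.peer_endpoint is None and b.peer_endpoint is None:
        problems.append("at least one site must have a static peer endpoint")
    if ip_interface(a.tunnel_addr).network != ip_interface(b.tunnel_addr).network:
        problems.append("tunnel addresses are not in the same tunnel subnet")
    for local, remote in ((a, b), (b, a)):
        tag = f"{local.name}: "
        if local.peer_public_key != remote.public_key:
            problems.append(tag + "peer public key is not the other site's tunnel public key")
        if local.mtu != 1420:
            problems.append(tag + f"MTU is {local.mtu}, expected 1420")
        allowed = [ip_network(n) for n in local.peer_allowed_ips]
        remote_lan, tunnel_net = ip_network(remote.lan), ip_interface(local.tunnel_addr).network
        if not any(remote_lan.subnet_of(n) for n in allowed):
            # The slip corrected above: the local LAN entered where the remote one belongs.
            hint = " (the local LAN is listed instead)" if ip_network(local.lan) in allowed else ""
            problems.append(tag + f"Allowed IPs does not cover the remote LAN {remote_lan}{hint}")
        if not any(tunnel_net.subnet_of(n) for n in allowed):
            problems.append(tag + f"Allowed IPs does not cover the tunnel subnet {tunnel_net}")
        if ip_address(local.gateway_ip) != ip_interface(remote.tunnel_addr).ip:
            problems.append(tag + "gateway address is not the other site's tunnel IP")
    return problems

# Constructed sample following the summary; LAN subnets and the endpoint are placeholders.
SITE1 = Site("Site 1", "PK1", "10.1.0.0/24", "192.168.77.1/24", 1420,
             "PK2", None, ["10.2.0.0/24", "192.168.77.0/24"], "192.168.77.2")
SITE2 = Site("Site 2", "PK2", "10.2.0.0/24", "192.168.77.2/24", 1420,
             "PK1", "203.0.113.10:51820", ["10.1.0.0/24", "192.168.77.0/24"], "192.168.77.1")

if __name__ == "__main__":
    print(check_pair(SITE1, SITE2) or "no problems found")
```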
                      Jimbohello @Mikki-10
                      last edited by Jul 13, 2021, 5:08 PM

                      @mikki-10

                      wow, you're nice guys

                      everything was already said in all the posts for a pfSense user to do their job!

                      reposting all the procedure was kind of useless but friendly :)

                      have a nice one bro

                        Yazur
                        last edited by Jul 15, 2021, 3:26 PM

                        @Mikki-10

                        Thank you for this summary!
                        I hope it helps other people too :)!

                          bassopt @Mikki-10
                          last edited by Jul 26, 2021, 5:18 PM

                          @mikki-10

                          Thanks for the tutorial. I was following a German dude's tutorial on YouTube and setting the gateway for site 1 to the site 1 IP and for site 2 to the site 2 IP. The result was losing handshake and pings after a few hours or randomly, even with keepalive settings.

                          For now I reverted back to IPsec for site-to-site VPN as it is more stable and easy to set up. Manual creation of static routes and gateways is a bit of a pain if you're in a relatively big environment.

                          I know, I know… it's experimental. Works great for mobile warriors though.

                            bassopt
                            last edited by Aug 11, 2021, 3:10 AM

                            This was working fine on version 0.1.3. Updated to 0.1.5 and now I cannot access any of my peers' subnets defined in static routing. I can ping from pfSense, but pinging from any address on the LAN subnet doesn't work. Site 1 can't ping Site 2 and vice versa.

                              titansilber @bassopt
                              last edited by Aug 14, 2021, 5:53 PM

                              With hybrid NAT the automatic NAT rules for the WG interface look like a hot mess, especially if you have multiple interfaces. Anyone have examples of what it should look like?

                                Mikki-10 @titansilber
                                last edited by Aug 18, 2021, 9:36 AM

                                @titansilber

                                What is your goal with the Outbound NAT change? It is not required for site-to-site.

                                If the goal is to change all traffic to the interface IP, you can do that by setting two rules:

                                Interface: WG interface
                                Source: 127.0.0.0/8
                                Source port: *
                                Destination: * or what you need
                                Destination port: *
                                NAT Address: WG address
                                NAT port: *
                                Static port: false

                                Interface: WG interface
                                Source: <Your LAN IP>
                                Source port: *
                                Destination: * or what you need
                                Destination port: *
                                NAT Address: WG address
                                NAT port: *
                                Static port: false

                                Not sure if this is what you are looking for?

                                  bassopt @Mikki-10
                                  last edited by Aug 18, 2021, 5:49 PM

                                  After much hair pulling I finally made this work and stable.

                                  You need to specify/create and assign the gateway to the WG interface when you create it, else you'll have all sorts of routing issues.
                                  You also need to create static routes to the gateway with the subnets you want to access on the other side of the tunnel.

                                  Oh, and the instructions above are wrong: the gateway IP needs to be the IP of the tunnel on your side and not on the opposite side, or it won't work.

                                  Unfortunately the entire WireGuard project seems to be quite secondary at this point for Netgate (they didn't even bother updating the documents)... I know it's still experimental, but ok...
                                  The developer is also never available and never replies to anything on any of the platforms he mentions in his videos. He just ignores 99% of the problems people are having (I hope they are not expecting us to start opening pointless stuff on Redmine).

                                    Mikki-10 @bassopt
                                    last edited by Aug 25, 2021, 12:40 PM

                                    @bassopt

                                    Hi, the use of the gateway IP from the other side is not wrong; you do that with OpenVPN site-to-site as well when using layer 2 (TAP interface), and it gives you the correct ping to the other side and helps keep the connection/session alive.

                                    You do not need to do any NAT config if you follow the above.

                                    Just remember to set the
                                    MTU: 1420 and
                                    MSS: 1420
                                    That fixes most problems.

                                      bbrendon
                                      last edited by Oct 18, 2021, 6:32 PM

                                      There is also a bug here that causes no handshake:
                                      https://forum.netgate.com/topic/167279/wireguard-won-t-handshake-package-bug?_=1634581891833

                                        cmcdonald Netgate Developer @bbrendon
                                        last edited by Nov 10, 2021, 10:07 PM

                                        This bug should be resolved in the latest version (0.1.5_2 and above). This package is available for CE 2.5.2/2.6.0 and Plus 21.05.2/22.01. Give it a shot :)

                                        Need help fast? https://www.netgate.com/support

                                          bassopt @cmcdonald
                                          last edited by Nov 10, 2021, 10:20 PM

                                          @cmcdonald I don’t see any 0.1.5_2 update on my end
