Netgate Discussion Forum

WireGuard works and yet it doesn't.

WireGuard
Ofloo, Apr 25, 2022, 10:19 PM (last edited Apr 25, 2022, 10:35 PM)

I figured I'd give WireGuard another try, and the most unexpected thing happens.

I made a site-to-site setup with a client that has a dynamic IP, but with other networks aside from the connecting IP.

On the pfSense router I can ping the WireGuard gateway. However, from any of the clients in the network I can't seem to do that. I am, however, able to ping the WireGuard-assigned interface IP.

It boggles my mind; I can't seem to figure out what is going wrong. Anyone?

From the router:

    ping 10.44.91.1
    PING 10.44.91.1 (10.44.91.1): 56 data bytes
    64 bytes from 10.44.91.1: icmp_seq=0 ttl=64 time=18.572 ms
    64 bytes from 10.44.91.1: icmp_seq=1 ttl=64 time=20.009 ms
    64 bytes from 10.44.91.1: icmp_seq=2 ttl=64 time=22.561 ms

From a client behind the router, pinging the tunnel-assigned IP:

    % ping 10.44.91.51
    PING 10.44.91.51 (10.44.91.51): 56 data bytes
    64 bytes from 10.44.91.51: icmp_seq=0 ttl=64 time=0.201 ms
    64 bytes from 10.44.91.51: icmp_seq=1 ttl=64 time=0.162 ms
    ^C
    --- 10.44.91.51 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.162/0.181/0.201/0.019 ms

Now pinging the tunnel's gateway from the client:

    ping 10.44.91.1
    PING 10.44.91.1 (10.44.91.1): 56 data bytes
    ^C
    --- 10.44.91.1 ping statistics ---
    6 packets transmitted, 0 packets received, 100.0% packet loss

The client side of the tunnel has "route all traffic" set.

Edit: and the firewall rules are set to allow any.

Ofloo @Ofloo, Apr 30, 2022, 3:13 PM

@ofloo I know what is wrong, only not how to fix it. WireGuard isn't respecting sticky connections.

      router1 -------
        |            `router3
      router2 --------'
      

A client behind router3 is requesting a packet. There's a WireGuard tunnel between router2 and router3. There is an OpenVPN connection between router1 and router3.

There is an IPsec tunnel between router1 and router2.

The client on router3 is requesting a packet; this is routed to router2, and there it is NATed onto the internet. The traffic coming back doesn't return from router2 to router3. It returns from router2 to router1, where it gets filtered by the default deny rule, even though that even has an allow-all rule.

All routers run FRR BGP.

Ofloo @Ofloo, Apr 30, 2022, 4:07 PM
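The drop described in the post above (request out via router2, reply back via router1, reply hits the default deny) is the classic asymmetric-routing failure on stateful firewalls. The following toy model is an added example and not code from the forum thread or from pfSense; it imitates two pf behaviours that pfSense inherits. First, a pass rule creates a state entry on the first packet of a flow, and later packets are matched against the state table before any rule is evaluated. Second, a pass rule for TCP only matches a packet whose flags are exactly SYN (pf's default "flags S/SA"), so a SYN-ACK arriving on a router that holds no state for the flow falls through to the default deny even when the interface has a "pass any" rule. Router names follow the post's diagram; the client and server addresses are constructed, and the model covers TCP only.

```python
"""Toy model of asymmetric routing through pf-style stateful firewalls.
Added example for the thread above; not pfSense code. It models two
behaviours: state is created on the first packet of a flow, and TCP
pass rules only match a bare SYN (pf's default 'flags S/SA')."""
from dataclasses import dataclass, field

# Constructed sample addresses (RFC 5737 documentation ranges).
CLIENT = "192.0.2.10"     # host behind router3
SERVER = "203.0.113.80"   # internet host reached via NAT on router2


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" for SYN, "SA" for SYN-ACK, "A" for ACK


def flow_key(pkt: TcpPacket) -> tuple:
    """Direction-agnostic key so a reply matches the state its request created."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


@dataclass
class StatefulRouter:
    """A router with a single 'pass any' rule and pf-style state tracking."""
    name: str
    states: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, pkt: TcpPacket) -> bool:
        key = flow_key(pkt)
        if key in self.states:
            self.log.append(f"{self.name}: state match, pass {pkt.src}->{pkt.dst} [{pkt.flags}]")
            return True
        # No state yet: evaluate the 'pass any' rule. With pf's default
        # 'flags S/SA' the rule only matches a bare SYN, so any other TCP
        # packet that arrives without state hits the implicit default deny.
        if pkt.flags != "S":
            self.log.append(f"{self.name}: no state, flags {pkt.flags} != S -> default deny")
            return False
        self.states.add(key)
        self.log.append(f"{self.name}: rule match, create state for {pkt.src}->{pkt.dst}")
        return True


def run_tcp_exchange(outbound: StatefulRouter, inbound: StatefulRouter) -> tuple:
    """Client behind router3 sends a SYN out through 'outbound'; the SYN-ACK
    comes back through 'inbound'. Returns (syn_passed, synack_passed)."""
    syn = TcpPacket(CLIENT, 40000, SERVER, 443, "S")
    synack = TcpPacket(SERVER, 443, CLIENT, 40000, "SA")
    return outbound.forward(syn), inbound.forward(synack)


def symmetric_path() -> tuple:
    """Request and reply both traverse router2: the reply matches state."""
    router2 = StatefulRouter("router2")
    return run_tcp_exchange(router2, router2)


def asymmetric_path() -> tuple:
    """Request leaves via router2, reply returns via router1 (the post's
    symptom): router1 has no state for the flow, so the SYN-ACK is denied."""
    router1 = StatefulRouter("router1")
    router2 = StatefulRouter("router2")
    return run_tcp_exchange(router2, router1)


if __name__ == "__main__":
    r1, r2 = StatefulRouter("router1"), StatefulRouter("router2")
    print("asymmetric path (SYN passed, SYN-ACK passed):", run_tcp_exchange(r2, r1))
    for line in r2.log + r1.log:
        print("  ", line)
```

Run it and the asymmetric case reports the SYN passing on router2 while the SYN-ACK is denied on router1, which is exactly the "allow all yet default deny" symptom in the post. The model also shows why the poster's eventual fix (correcting the BGP configuration so forward and return paths match) is the right one: loosening state tracking on pfSense, for example by setting a rule's state type to "sloppy", makes the drop go away but also weakens the firewall's ability to validate TCP sessions.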

@ofloo Figured it out: the BGP raw configuration was overwriting the configuration. So basically it never got updated and kept running the old config.

Must have updated the configuration and hit save at some point in the past.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.