Unable to get site-site VPN working
-
Hi
I've got a bit of a baffling problem and would appreciate some assistance.
I've set up a site-to-site VPN between two locations.
Office is 192.168.1.1/24
Home is 192.168.1.0/24Wireguard is up and running fine and I can ping devices at the office from home using the ping tool in the pfSense GUI.
Likewise, I can ping devices at home from the office using the ping tool.
However I cannot actually ping anything from either LAN. Static routes are present and correct, and traffic is even reaching the remote firewall - for example if I ping an address at home from the office, then look at Diagnostics > States on the home firewall, I can see the packets coming in.
I've followed the pfSense official guide and also Christian McDonald's YouTube video.
Would appreciate suggestions for next troubleshooting steps.
Thanks!
-
@stevelup said in Unable to get site-site VPN working:
Office is 192.168.1.1/24
Home is 192.168.1.0/24These networks are obviously overlapping.
If they are really like this you should change your home subnet to something else. -
@viragomann sorry, my apologies - that was a silly typo.
Office is 192.168.1.0/24
Home is 192.168.0.0/24 -
@stevelup I guess it's show your rules time.
-
@stevelup said in Unable to get site-site VPN working:
However I cannot actually ping anything from either LAN.
Maybe the destination devices are blocking the access from the remote site.
Remember that this is the default behavior of common operating systems. You have to allow access from outside in its firewall first.
-
@viragomann No, it's not that - these are known pingable devices, and in any event, I can ping them across the VPN from the pfSense GUI.
-
@Bob-Dig Indeed it is! I'm out this evening, but will do a full set of screenshots tomorrow.
-
Home in 'light' theme, office in 'dark' theme.
Here is a successful ping of a device on the office LAN from the home pfSense GUI
Here is a successful ping of a device on the home LAN from the office pfSense GUI
Office > home static route
Office firewall rule (it's just any/any)
Office peers
Home > office static route
Home firewall rule (again, just any/any)
Home peers
-
Here's my LAN firewall rule in case it's relevant - again, it just allows any
And here is what I see if I try and make a random connection (I just telnetted to the unused port 12345) from home to the office.
I'm obviously just missing something spectacularly dumb... but this has me at a loss and I'm not one who normally gives up and asks for help!
-
@stevelup And you have no rules on the WireGuard-Interface-Tab (both sides)?
Please share your WireGuard-Interfaces as well. There you should set 1420 as MTU and MSS.
Your allowed IPs with /31 are wrong, that should be /32 with the IP of the other side of the tunnel but it doesn't look to be related to your actual problem. -
@Bob-Dig Can confirm there are no rules in either WireGuard tab. I followed the advice in Christian McDonald's video and set Interface Group Membership to 'Only Unassigned Tunnels' which means that rule isn't in play anyway. But this was one of my troubleshooting steps after I couldn't get it working.
The /31 came from the official docs:-
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html
But as you say, I don't think that's relevant because the VPN is actually working fine.
I will certainly try changing it though just for the purposes of eliminating a further variable.
Can confirm MTU is set to 1420 at both ends.
-
@stevelup said in Unable to get site-site VPN working:
I will certainly try changing it though just for the purposes of eliminating a further variable.
Please do, could be a potential issue with the documentation there. If you change that, does the gateway monitoring work? It shouldn't work right now...
What clients are we talking about? If it is Windows, turn their firewalls off on both sides just to make sure, because I can't see the problem right now.
-
@Bob-Dig Gateway monitoring is working fine (and always has)
The client devices I'm pinging to/from are Linux boxes with no firewall, and as above, they are pingable from the pfSense GUI
Both the site-to-site and site-to-multisite tutorials on the pfSense docs show a subnet there not a single host, as does Christian's video, but I'll certainly try it.
-
Hi
Many thanks for your continuing assistance.
I did that...
... no change. Gateway monitoring still working both ends, I can ping either direction from pfSense GUI, but not from either LAN.
This feels like a firewall / NAT issue, and not really anything to do with Wireguard.
Steve
-
@stevelup Might be pfSense-magic. If gateway monitoring is already working, nothing to do. But it might be a pfSense only thing.
Firewall/NAT issue... I don't think so because you don't NAT if you have followed the tutorial by Christian. Your VMs running bare metal or?
-
I have a mixture of bare metal and virtualised stuff at both ends, not sure it's relevant.
Network is simple, one single flat /24 on each side.
It's worth pointing out that I can't even ping the remote pfSense gateways which basically rules out anything external as far as I can see.
See below - I can ping 192.168.1.254 from my home pfSense GUI, but not from my home LAN.
This is going to be something spectacularly dumb when I figure out what it is but I just don't understand how to troubleshoot this.
-
@stevelup said in Unable to get site-site VPN working:
I can ping 192.168.1.254 from my home pfSense GUI, but not from my home LAN.
Post the routing tables of all involved devices, please: The one of the LAN machine and of both pfSense nodes.
-
I am so sorry to have wasted your time but I've solved this, and it was complete and absolute muppetry on my behalf.
I had, many months ago, attempted to set this same thing up using an IPsec tunnel. The non-working IPsec tunnel was still set up on one of the devices...
