Wireguard Site 2 Site Tunnel not connecting
-
Hi,
currently I am facing a strange error.
I am trying to establish a Site 2 Site Tunnel between two pfSense firewalls.
On Site A I have WG0 to connect to some servers. They run Debian with WireGuard on it.
On Site A I also have WG1 which I would like to connect to my pfSense in my office.
WG0 to my servers is working well.
WG1 is not connecting to the other pfSense in the office. On Site B in my office I also have a pfSense which is running WireGuard on it. The same construction as on Site A.
Both pfSense have a public v4 and v6 assigned on the WAN interface.
Both devices can ping each other. Both devices have the same WireGuard port to use the WireGuard tunnel. The port is open on both sides.
The strange thing is, neither Site A nor Site B is doing a connection attempt to the other side.
I've set the endpoint on both sites, but the log is still empty.
Is there a known bug or something like that?
It seems that no device is trying to connect to the other side.
The issue is only between two pfSenses. -
@denndsd No bugs or any other problems with this type of tunnel, they work very well indeed.
@denndsd said in Wireguard Site 2 Site Tunnel not connecting:
On Site A I have WG0 to connect to some servers. They run Debian with WireGuard on it.
What do you mean here, do you have a WG server in addition to running WireGuard in pfSense?
But perhaps if you show your respective settings for the peers on the two sites? Especially the tunnel IPs and the allowed IPs are of importance...
-
Thanks for your reply.
I have two different WireGuard tunnel instances on my pfSense.
The first instance is running between pfSense and Debian servers with a WireGuard server installed on them.
The second instance is running between two pfSense firewalls. The first instance is running fine.
The second instance is not connecting.
And I did not see any connection attempt from either firewall.
That's a bit strange.
Site A (screenshot)
Site B (screenshot)
The port is the same on both sides. The port is open and is being logged.
But I cannot see any connection attempt from either side in the firewall log.
-
@denndsd Hmmm, not really how I have set it up.
The allowed IPs normally consist of the tunnel IP, plus the subnet(s) of the remote site. On the second site you have 10.136.19.249 as the only allowed IP, what is that? Is that the tunnel IP?
If so you need the first site to have an interface IP that matches, like 10.136.19.248. Setting 0.0.0.0/0 as allowed IP is something you may do on a client connecting to a server when you want all traffic to go to and via the server. With a site to site, I'd rather use split tunnel and only have the IP ranges you need and want go via the tunnel. Check out this example: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html
What do your interfaces look like for the connection, on both sides?
This:
It should have a static IP as per the example from the documentation. Typically a /30 but can be /24 at site A and /32 at site B if you like. And then your static routes? On site A you would have a static route with the LAN subnet of your office, set to go through that tunnel interface.
-
@denndsd
You must configure at least an Endpoint in your peer on one side to establish a tunnel.
As I see in the pictures no Endpoint is correctly configured on either side. That means both sides wait for the remote to connect. If "IP-Address" is an alias, I think it will not work. "IP-Address" is considered a hostname: are you sure it is resolvable?
Try to put a real IP or FQDN instead -
Hi,
thanks for your replies.
I've just removed the IP address for security reasons on both sides and set the IP-Address alias instead.
The endpoint is defined on both sides, so both sides can establish the tunnel. The allowed IP addresses on Site A are set to 0.0.0.0 and ::/ because I would like to use the site also as default gateway.
So that's the only reason for this. I've changed the settings for the allowed IPs to a prefix on the side.
But still no connection attempt from either side. -
For the tunnel SiteA<->SiteB
Site A:
A WAN (public IP) with address "IPWAN-A"
A WireGuard tunnel wg1 configured with port "PORT-WG1-A"
An interface "TUN-A" assigned to wg1 with a static IP address "IP-TUN-A" and a netmask of your choice (you can use /31 on pfSense (my choice)) + create a gateway "IP-TUN-B" in the same subnet.
A peer for tunnel wg1 with endpoint configured with "IPWAN-B" and port "PORT-WG1-B". Allowed IPs must include gateway "IP-TUN-B" and remote (site B) LANs you allow to cross the tunnel.
A WAN firewall rule that opens incoming connections to port "PORT-WG1-A". You can restrict the source to "IPWAN-B" for security.
A TUN-A firewall rule to allow remote (B) traffic incoming to resources available in Site A
A static route for LANs in site B you access via gateway "IP-TUN-B"
Site B:
A WAN (public IP) with address "IPWAN-B"
A WireGuard tunnel wg1 configured with port "PORT-WG1-B"
An interface "TUN-B" assigned to wg1 with a static IP address "IP-TUN-B" and the same netmask you chose for site A + create a gateway "IP-TUN-A" in the same subnet.
A peer for tunnel wg1 with endpoint configured with "IPWAN-A" and port "PORT-WG1-A". Allowed IPs must include gateway "IP-TUN-A" and remote (site A) LANs you allow to cross the tunnel.
A WAN firewall rule that opens incoming connections to port "PORT-WG1-B". You can restrict the source to "IPWAN-A" for security.
A TUN-B firewall rule to allow remote (A) traffic incoming to resources available in Site B
A static route for LANs in site A you access via gateway "IP-TUN-A"
Check this config first.
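As an added example (not from this thread and not pfSense code), the following script checks a pair of site-to-site peer settings for the exact mistakes discussed above: no endpoint on either side, an alias used as endpoint host, Allowed IPs that omit the remote tunnel IP or remote LANs, a 0.0.0.0/0 route on a site-to-site link, and a missing gateway for the static routes. The `Site` fields, the sample addresses 192.168.1.0/24, 192.168.2.0/24 and port 51820 are assumptions; the tunnel IPs 10.136.19.248/249 follow the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    listen_port: int        # UDP port the local wg1 tunnel listens on
    tunnel_ip: str          # address on the wg1 interface, e.g. "10.136.19.248/31"
    lans: list              # local LAN subnets that should cross the tunnel
    peer_endpoint: str      # "host:port" of the remote WAN in the peer entry, "" if unset
    peer_allowed_ips: list  # Allowed IPs entered on the peer
    gateway: str = ""       # gateway used by the static routes (the remote tunnel IP)

def _covered(net, allowed):
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def check_site_to_site(a, b):
    problems = []  # empty list means the two peer entries are consistent
    if not a.peer_endpoint and not b.peer_endpoint:
        problems.append("no endpoint on either side: both firewalls wait for the other to connect")
    tun_a, tun_b = ipaddress.ip_interface(a.tunnel_ip), ipaddress.ip_interface(b.tunnel_ip)
    if tun_a.network != tun_b.network:
        problems.append(f"tunnel IPs {tun_a} and {tun_b} are not in the same subnet")
    for local, remote, remote_tun in ((a, b, tun_b), (b, a, tun_a)):
        if local.peer_endpoint:
            host, _, port = local.peer_endpoint.rpartition(":")
            if port != str(remote.listen_port):
                problems.append(f"{local.name}: endpoint port {port!r} != {remote.name} listen port {remote.listen_port}")
            try:
                ipaddress.ip_address(host.strip("[]"))
            except ValueError:  # not a literal IP: must be a resolvable name, not a firewall alias
                if "." not in host:
                    problems.append(f"{local.name}: endpoint host {host!r} is neither an IP nor an FQDN")
        allowed = [ipaddress.ip_network(n, strict=False) for n in local.peer_allowed_ips]
        if not _covered(ipaddress.ip_network(str(remote_tun.ip)), allowed):
            problems.append(f"{local.name}: allowed IPs do not include {remote.name} tunnel IP {remote_tun.ip}")
        for lan in remote.lans:
            if not _covered(ipaddress.ip_network(lan), allowed):
                problems.append(f"{local.name}: allowed IPs do not include {remote.name} LAN {lan}")
        if any(n.prefixlen == 0 for n in allowed):
            problems.append(f"{local.name}: allowed IPs contain a default route; use split tunnel for site-to-site")
        if remote.lans and (not local.gateway or ipaddress.ip_address(local.gateway) != remote_tun.ip):
            problems.append(f"{local.name}: static routes to {remote.name} need gateway {remote_tun.ip} on the tunnel interface")
    return problems

# Constructed sample mirroring the thread: alias as endpoint and 0.0.0.0/0 on A, no endpoint or gateway on B.
BAD_A = Site("SiteA", 51820, "10.136.19.248/31", ["192.168.1.0/24"], "IP-Address:51820", ["0.0.0.0/0", "::/0"])
BAD_B = Site("SiteB", 51820, "10.136.19.249/31", ["192.168.2.0/24"], "", ["10.136.19.249/32"])
if __name__ == "__main__":
    print("\n".join(check_site_to_site(BAD_A, BAD_B)))
```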
-
Yes that's exactly my config with one exception.
Last Handshake "never"
In the log I've seen something: "
/usr/local/pkg/wireguard/includes/wg_service.inc: Gateway, NONE AVAILABLE"
The odd thing is, one WireGuard tunnel is online,
the other isn't. The config is exactly the same. But on tun0 my neighbor is a Debian VPS with WireGuard.
-
Ohhh I forgot the gateway.
It's working now.
Thank you so much.