Thank you so much for this tutorial. It helped me get my site-to-site working, both with dynamic IPs, where the OPNSense documentation was insufficient. Note to others, this video is a little out of date with the current version of OPNSense, so some of the terminology has changed, but I followed it the best I could and it "just worked" which is great. In my case it worked without the gateways at the end.
Don't know if it was me missing it or something with OpnSense 22.1 but until I added the gateways my site-to-site tunnel refused to work. A lot of the guides I used didn't include that part. Thanks a ton, this video saved me a lot of headache.
Thank you so much for this awesome tutorial! I come back to this every time I have to set up a VPN with OPNsense.
Great tutorial! A little remark. If the firewall is located behind a router, you still have to pass the port through in the rules for the WAN
thanks, good guide
I found that there are fragmentation/packet loss issues when using WireGuard in a site-to-site configuration (maybe others too). I was able to fix it by setting MSS to 1380 on the WireGuard interface. This will ensure your packets are fragmented/reassembled prior to being sent. No need to change the MTU in the advanced local section unless you're using PPPoE or other encapsulation on your WAN.
Absolutely brilliant video mate. Thanks so much... best video I've seen on YouTube for a long time.
Well done!) Your content is interesting 👍
I have added a VPN client to site B; with the client it is possible to access site A via the site-to-site VPN.
Great tutorial! That is what I was looking for for a long time 👍🏻
Curious why floating rules and not the WAN interface for WireGuard ports? We are using mesh and using them on the WAN instead of the floating rules.
Very nice tutorial indeed. Clean one, but I have a question: if I have road warriors set up as WireGuard VPN for my clients on Site A alongside site-to-site, how can my VPN client reach Site B using the WireGuard VPN configured on Site A?
Thanks :)
I am using static routes and outbound NAT to get that to work :)
Thanks, spot on!
Thank you for a fantastic video. I successfully got a tunnel going between my home running OPNsense and an AWS EC2 server running OPNsense. The only thing I cannot figure out (spent 14 hours so far trying every option I can think of) is to port forward from the public IP on the AWS server to a machine on my home network through the tunnel. I've made sure the instance on AWS has the correct inbound rule for the port I want to use. On the AWS OPNsense server (SiteA), I can ping the machine on my home network with the WG_S2S_SITEB interface but I cannot ping the home machine from the WAN interface. I've added every single NAT port forward and firewall rule I can think of but there is something I'm missing. This is doing my head in! Any hints would be greatly appreciated.
Reverse routing is not working. You would need to setup the outbound NAT.
Can you make an HAProxy tutorial? For some reason I understand it more the way you explain it than the other video tutorials with the same topic. And also, personally, what do you really use: pfSense or OPNsense?
Thank you for your kind words.
I was thinking to make an HAProxy or NGINX reverse proxy tutorial, keep an eye on the channel, I might release one of those soon.
At the moment I switched to OPNSense full time (with occasional OpenWRT install here and there).
@@GatewayITTutorials I can't wait ;)
Do you need to create a separate Local and Endpoint pair for each site you add? As in a multisite-to-multisite VPN?
Yes, you have to. This is how WG peer-to-peer connections work, unless you want to create a star topology and route everything through one/few node(s).
The gateway definition isn't required, and the allowed IPs of the 10.0.0.0/24 you added should be just the 10.0.0.1/32 of the other side, for example.
For example, if you do 10.0.0.0/24 and then you add a third site, you can't then do 10.0.0.0/24 again as that would cause a conflict.
If "Disable routes" isn't checked, the AllowedIPs from the peers get added into the OPNsense routing table, so unless you disable routes, for S2S configs gateways aren't required. 😊
Thanks for your comment :)
Gateway is required, if you want to create a semi-star topology (site-to-multisite), or add any static routes on the opposite side.
For the subnets, you might be just right, I don't quite remember what I used in the video :)
@@GatewayITTutorials even with star (hub and spoke) it's not required.
If you push traffic over WireGuard and the other end gets traffic from a peer which isn't on its AllowedIPs list, it'll drop the traffic.
I have 4 OPNsense firewalls in a mesh design with a 5th which is hub and spoke since it's not a "main site". All about getting the Allowed IPs right 🙂
You do need to use gateways if you use the "Disable routes" option, and then you use gateways to direct the traffic over the tunnel. This setup you would use if you wanted to interact with a VPN provider 🙂. Since you want to route the whole IPv4 range but you don't want to replace OPNsense's default route (resulting in 0.0.0.0/0 AllowedIPs), you check "Disable routes" and then control the traffic with a gateway to the VPN server and gateway policies to direct clients to use that gateway 🙂
From the white paper: "wg0 receives an encrypted packet, after decrypting and authenticating it, it will only accept it if its source IP resolves in the table to the public key used in the secure session for decrypting it. For example, if a packet is decrypted from xTIB...qp8D, it will only be allowed if the decrypted packet has a source IP of 10.192.122.3 or in the range of 10.192.124.0 to 10.192.124.255; otherwise it is dropped."
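The cryptokey-routing behaviour quoted above, and the AllowedIPs conflict raised earlier in this thread (reusing the whole 10.0.0.0/24 for a second site instead of that site's /32), modelled as an added Python example. This is not code from the video, OPNsense or WireGuard; the peer keys ("PUBKEY_SITE_*") and prefixes are constructed placeholders.

```python
# Added example, not code from the video, OPNsense or WireGuard: a model of
# WireGuard's cryptokey routing table as the white-paper quote describes it.
# Peer keys ("PUBKEY_SITE_*") and prefixes are constructed placeholders.
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Table = List[Tuple[Net, str]]

# Constructed hub-side config: each spoke gets its /32 tunnel address plus
# the LAN behind it, never the whole tunnel /24 (see find_overlaps below).
PEERS: Dict[str, List[str]] = {
    "PUBKEY_SITE_A": ["10.0.0.1/32", "192.168.10.0/24"],
    "PUBKEY_SITE_B": ["10.0.0.2/32", "192.168.20.0/24"],
    "PUBKEY_SITE_C": ["10.0.0.3/32", "192.168.30.0/24"],
}

def find_overlaps(peers: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Report AllowedIPs prefixes that overlap between two different peers.

    A prefix can map to only one key, so reusing 10.0.0.0/24 for a second
    or third site is the conflict mentioned in the thread: the later entry
    takes the range over and the earlier peer silently loses it.
    """
    entries = [(key, Net(p)) for key, ps in peers.items() for p in ps]
    hits = []
    for i, (k1, n1) in enumerate(entries):
        for k2, n2 in entries[i + 1:]:
            if k1 != k2 and n1.overlaps(n2):
                hits.append((k1, str(n1), k2, str(n2)))
    return hits

def build_table(peers: Dict[str, List[str]]) -> Table:
    """Flatten the peer config into (prefix, key) pairs, longest prefix first."""
    table = [(Net(p), key) for key, ps in peers.items() for p in ps]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def lookup(table: Table, ip: str) -> Optional[str]:
    """Longest-prefix match: which peer's key owns this IP (None = unroutable)."""
    addr = ipaddress.IPv4Address(ip)
    for net, key in table:
        if addr in net:
            return key
    return None

def outbound_peer(table: Table, dst_ip: str) -> Optional[str]:
    """Outgoing packet: the destination decides which peer to encrypt for."""
    return lookup(table, dst_ip)

def accept_inbound(table: Table, decrypting_key: str, src_ip: str) -> bool:
    """Incoming packet: accepted only if, after decryption with decrypting_key,
    the inner source IP resolves in the table to that same key; else dropped."""
    return lookup(table, src_ip) == decrypting_key
```

Running `find_overlaps` on a config before committing it is the quick way to catch the "same /24 on two peers" mistake, and `accept_inbound` shows why a packet from a spoke whose source LAN is missing from its AllowedIPs is dropped rather than routed.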
Hi,
does the WireGuard site-to-site VPN work with dynamic DNS addresses or DNS names?
Good
Hi,
I need a video on pfSense to OPNsense.
How do you work around the problem not using the external wan ip addresses for your endpoints?
What do you mean? It's hard to follow, sorry.
Is it this you are trying to achieve?
LAN WG OPNsense LAN WG OPNsense2
or this:
Public non-static IPv4 WG OPNsense Public non-static IPv4 WG OPNsense2
So it is possible to have the satellite locations have 2 WAN interfaces and allow the remote OpnSense firewalls to fail over from WAN1 to WAN2 back to the hub firewall? I have many clients that I use OpnSense with and they have dual WAN connections, and it would be great to be able to allow the spokes (remote locations) to fail over or behave like clients so that the VPN will continue to function if the primary WAN goes down.
OpenVPN is capable of this on OPNSense by default, but WireGuard isn't.
As a workaround, create 2 DNS A records, with the same name, but 2 different IPs.
This would not give you fine-grained control over the failover and whatnot, but it's worth giving it a shot.
I have a couple more ideas, if you are interested, drop me an email, or create a post in our Reddit community.
Otherwise, use IPsec or OpenVPN, where this functionality is present by default.
@@GatewayITTutorials The only problem is OpenVPN performance is even worse than many different types of IKEv2. I have been testing the different performance levels using either IPsec or OpenVPN and WireGuard with client VPN. I can get upwards of 10 to 15 Mb on OpenVPN, 20 Mb on IPsec, but with WireGuard I was getting 98 Mbit downloads. I also have some vendors that do not support OpenVPN but may be open to supporting WireGuard.
@@GatewayITTutorials I have struggled to accomplish this with IPsec on OPNsense and would love to see an article on how to do this, as whenever I have posted a request for this, even on their forum, the response tends to be miserable. If you have a tutorial or if I need to post on the Reddit site I am more than happy to do that. Appreciate the quick response that you provided. Thank you
I might do a write-up on this in the next few weeks, because you are not alone out there with this issue.
@@GatewayITTutorials thank you, that would be awesome. It's too bad that WireGuard does not seem to be able to behave as a client on the firewall like OpenVPN can. That would definitely solve the problem, possibly if used in conjunction with allowing gateway switching. But being able to do this with IPsec and having it documented would be huge. It's the reason why I ended up giving up and started purchasing Untangle firewalls. I was planning on replacing the existing 30 to 40 OPNsense and pfSense firewalls that I have out there in production.
Is it necessary to setup NAT for the WG tunnel?
No, it's not necessary. Just open a port on the WAN side.
How would you route a specific public IP range from site "B" via site "A"? Which firewall rules/NAT would you apply on each side (besides configuring that said allowed IP range on the Site "B" endpoint)?
It's called selective routing: create an alias that covers such IP range, then create a firewall rule (first in the list, if you want to avoid conflicts) with source as any and destination the IP range alias, then specify your WG server as a gateway. That's it, at this point everything should be working.
@Gateway IT Tutorials, why set the WG server as a gateway, as I already created another one from this tutorial?
Are you referring to Site "B", for that said firewall rule?
Exactly right :)
You already have the gateway, now just use it in a firewall rule, and the destination must be your IP range.
You might need to edit outbound NAT too, but that's case specific, I can't tell you for sure, unless I see the setup.
@@GatewayITTutorials, I configured an assignment for the interface wg0. Therefore, the outbound NAT is automatically configured with "Hybrid NAT rules" enabled. Is that correct?
Won't work, the System -> Gateways -> Single setting keeps the IP address dynamic, this rule will keep Pending and never Enable... OPNsense 27.3
Not working for me. Did exactly the same.