Home Network Guy Forum

Home Networking => Troubleshooting => Topic started by: ReDaLeRt on December 28, 2021, 08:19:16 AM

Title: Wireguard Site-to-site with selective routing
Post by: ReDaLeRt on December 28, 2021, 08:19:16 AM
Hello.

I followed the tutorial here, as a first troubleshooting step: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/#_

My issue with selective routing is accessing a specific public ip range (213.13.24.0/24) from an Openwrt Site "B" connected site-to-site through an OPNsense Site "A".

Configuring that subnet range on the Site "B" as "allowed ips" to the tunnel, so that Site "B" could access it through the Site "A", it isn't working as expected:

Code: [Select]
tracert 213.13.24.11

Tracing route to 213.13.24.11 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  OpenWRT.lan [192.168.0.1]
  2    17 ms    14 ms    15 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.

The site "B" LAN range is 192.168.0.0/24 with tunnel IP 10.0.0.2/32, the Site "A" is 192.168.10.0/24 with tunnel IP 10.0.0.1/32, and the WG tunnel range is 10.0.0.0/24. Both sites are connected to the internet with public IP addresses on their WAN interfaces.

The OPNsense configuration is presented within the attachments bellow.

A half workaround on the site B is to enable masquerading to get selective routing, but blocks site A to access site B:

Code: [Select]
uci set firewall.lan.masq="1"
uci commit firewall
/etc/init.d/firewall restart

I'm hoping that someone could shed some light into this. :-)

Thanks.
Title: Re: Wireguard Site-to-site with selective routing
Post by: ReDaLeRt on December 28, 2021, 10:03:30 AM
Additionally, I manage to capture a traceroute from a client on the B site, to the IP range 213.13.24.0/24:
Title: Re: Wireguard Site-to-site with selective routing
Post by: Home Network Guy on January 10, 2022, 11:08:20 AM
I personally haven't tried a site-to-site WireGuard VPN with selective routing so I am unable to offer much help but if anyone else who browses the forums has any advice, that would be great.