Welcome to the Home Network Guy forum!

Author Topic: Wireguard Site-to-site with selective routing  (Read 665 times)

ReDaLeRt

  • Newbie
  • *
  • Posts: 2
    • View Profile
Wireguard Site-to-site with selective routing
« on: December 28, 2021, 08:19:16 AM »
Hello.

I followed the tutorial here, as a first troubleshooting step: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/#_

My issue with selective routing is accessing a specific public ip range (213.13.24.0/24) from an Openwrt Site "B" connected site-to-site through an OPNsense Site "A".

Configuring that subnet range on the Site "B" as "allowed ips" to the tunnel, so that Site "B" could access it through the Site "A", it isn't working as expected:

Code: [Select]
tracert 213.13.24.11

Tracing route to 213.13.24.11 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  OpenWRT.lan [192.168.0.1]
  2    17 ms    14 ms    15 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.

The site "B" LAN range is 192.168.0.0/24 with tunnel IP 10.0.0.2/32, the Site "A" is 192.168.10.0/24 with tunnel IP 10.0.0.1/32, and the WG tunnel range is 10.0.0.0/24. Both sites are connected to the internet with public IP addresses on their WAN interfaces.

The OPNsense configuration is presented within the attachments bellow.

A half workaround on the site B is to enable masquerading to get selective routing, but blocks site A to access site B:

Code: [Select]
uci set firewall.lan.masq="1"
uci commit firewall
/etc/init.d/firewall restart

I'm hoping that someone could shed some light into this. :-)

Thanks.

ReDaLeRt

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: Wireguard Site-to-site with selective routing
« Reply #1 on: December 28, 2021, 10:03:30 AM »
Additionally, I manage to capture a traceroute from a client on the B site, to the IP range 213.13.24.0/24:

Home Network Guy

  • Administrator
  • Newbie
  • *****
  • Posts: 46
    • View Profile
Re: Wireguard Site-to-site with selective routing
« Reply #2 on: January 10, 2022, 11:08:20 AM »
I personally haven't tried a site-to-site WireGuard VPN with selective routing so I am unable to offer much help but if anyone else who browses the forums has any advice, that would be great.