Hello,

I am having some trouble trying to use WireGuard to set up a site-to-site VPN tunnel between two OpenBSD 6.7-current routers. They are both updated to the latest snapshot as of 7/11/2020.

I have no trouble at all setting up a client/server type connection to either router, where I can either route all traffic through the router or split tunnel and only route traffic for networks behind the router. Where I am struggling is getting the networks behind the routers to communicate with each other over a tunnel. Each router has multiple subnets behind it, and I intend to control which particular IPs are allowed access to devices on the far ends of the WireGuard tunnel using PF rules, but I'm just focused on one entire subnet on each end at this time and can't even get that working.

My basic network topology for this first step is this.

Router A private subnet range: 10.212.20.0/24
Router A wireguard interface IP: 10.0.11.1

Router B private subnet range: 192.168.8.0/21
Router B wireguard interface IP: 10.0.11.2

What I am trying to accomplish is to have Router B "phone home" to Router A and maintain a persistent tunnel with KeepAlive packets. Any device on the 10.212.50.x subnet behind Router A should be able to reach any device on the 192.168.8.x subnet behind Router B.

Router A wg11.conf contents are:

[Interface] #RouterA
PrivateKey = RouterAprivatekey=
ListenPort = 51811

[Peer] #RouterB
PublicKey = RouterBpublickey=
AllowedIPs = 192.168.8.0/21, 10.0.11.0/24

Router A hostname.wg11 contents are:

inet 10.0.11.1 255.255.255.0
!/usr/local/bin/wg setconf wg11 /etc/wireguard/wg11.conf

In the Router A pf.conf file I have these relevant rules, which will be tightened up once I get the tunnel working but are as open as possible to try to get something working:

# Wireguard wg11 VPN Connection Rules
pass in  quick on egress    inet proto udp    from <RouterBIP> to port 51811

# Wireguard wg11 Traffic Rules
pass quick on wg11



Router B wg11.conf contents are:

[Interface] #RouterB
PrivateKey = RouterBprivatekey=

[Peer] #RouterA
PublicKey = RouterApublicKey=
AllowedIPs = 10.0.11.0/24, 10.212.20.0/24
Endpoint = FQDN_for_RouterA:51811
PersistentKeepalive = 25

Router B hostname.wg11 contents are:

inet 10.0.11.2 255.255.255.0
!/usr/local/bin/wg setconf wg11 /etc/wireguard/wg11.conf

In Router B's pf.conf file I have these relevant rules, which will be tightened up once I get the tunnel working but are as open as possible to try to get something working:

# Wireguard VPN Connection Rules
pass out  quick on egress    inet proto udp    to <RouterBIP> port 51811

# Wireguard wg11 Traffic Rules
pass quick on wg11


I brought up each interface with: doas sh /etc/netstart wg11

I can ping 10.0.11.2 from router A. I cannot ping 10.0.11.1 from router B. Running tcpdump on router A shows the ping requests coming in on the external interface but no reply going back out.

When I 'route show' on either router, I do not see the extra subnet specified in "allowed IPs" anywhere in the routing table. I cannot ping any other devices on the far subnets or even any other interfaces on the far router from either end.

I am seeing the keepalive packet on Router A every 25 seconds, so this is working at least.

I've tried generating all new keys, tried destroying all interfaces and config files and starting over, tried changing the "allowed IPs" to /32 targeting specific hosts that I know will respond to connection attempts, and none of this seems to matter. Nothing seems to be getting routed across the tunnel other than direct pings of the opposite router's WireGuard interface, and even in that case it only works correctly one way. I feel like I must be missing something really obvious, but hours of reading Google search results and experimenting with other settings doesn't seem to make any difference. If anyone sees any issues in my setup and would be willing to share some advice, I would greatly appreciate it!
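The missing routes noted above ("I do not see the extra subnet specified in allowed IPs anywhere in the routing table") match how `wg setconf` behaves: AllowedIPs is only a per-peer filter, and on OpenBSD neither wg(4) nor `wg setconf` installs routes for those prefixes, so each far prefix needs a static route via the peer's tunnel address, typically as `!route add` lines in hostname.wg11. The following POSIX sh helper is an added example, not part of the original post; it reads a wg setconf-style file and prints those lines (the function names and the constructed sample config are this example's own, and it handles IPv4 prefixes only).

```shell
#!/bin/sh
# Added example, not from the original post. wg(4) and "wg setconf" only set
# the AllowedIPs filter for a peer; the OpenBSD routing table is not touched,
# so each far prefix needs a static route via the peer's tunnel address. This
# helper reads a wg setconf-style file and prints the "!route add" lines that
# belong in hostname.wg11 (IPv4 only; names here are this example's own).

# write_sample_conf FILE: constructed Router A config mirroring the post.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface] #RouterA
PrivateKey = RouterAprivatekey=
ListenPort = 51811

[Peer] #RouterB
PublicKey = RouterBpublickey=
AllowedIPs = 192.168.8.0/21, 10.0.11.0/24
EOF
}

# gen_wg_routes CONF NEXTHOP LOCALNET
#   NEXTHOP  the far side's tunnel address (10.0.11.2 as seen from Router A)
#   LOCALNET the tunnel's own connected prefix; already in the table, so skipped
gen_wg_routes() {
    conf=$1 nexthop=$2 localnet=$3
    # Take every AllowedIPs value, split the comma list, strip blanks.
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$conf" \
    | tr ',' '\n' | tr -d ' \t' | while IFS= read -r prefix; do
        # Skip empty fields, the connected tunnel net, and IPv6 prefixes.
        [ -z "$prefix" ] && continue
        [ "$prefix" = "$localnet" ] && continue
        case $prefix in *:*) continue ;; esac
        printf '!route add -inet %s %s\n' "$prefix" "$nexthop"
    done
}

# Stand-alone demo: emit the lines Router A's hostname.wg11 would need.
demo() {
    tmp=$(mktemp) || return 1
    write_sample_conf "$tmp"
    gen_wg_routes "$tmp" 10.0.11.2 10.0.11.0/24
    rm -f "$tmp"
}
demo
```

Run it on Router B's file with the nexthop 10.0.11.1 to get the mirror-image line for the 10.212.20.0/24 prefix; after `sh /etc/netstart wg11` the prefixes should then appear in `route show` pointing at wg11.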
