Site to site pfsense with wireguard

I found that Lawrence Systems has a YouTube video about site-to-site WireGuard, but it is marked private. I followed 2 different videos and went to pfSense for their guide.

I have been able to set up a connection between 2 sites. I have green handshaking hands and can connect to the remote pfSense box. However, I am apparently missing a small step, probably a firewall setting, that is blocking me from the remote site LAN.

From “site 1” 192.168.40.0/24 I can get to the router at “site 2” on 192.168.10.1 but not my servers on 10.4 and 10.10.

Any help on what I assume is a quick “add this rule”, or is there more information needed?

I have not made a new video yet and the old one is not relevant to the changes. This video covers how to do it and you may be missing some rules or the static routes.


I didn't want to link another guy's video, but that is the one I followed. Maybe I will delete everything out and start fresh.

Have you also read up on Netgate’s documentation? They do provide a good WireGuard Site-to-Site VPN Configuration Example in their documentation. And from what it sounds like, you’re missing or have a misconfigured static route and/or a firewall rule blocking access.

Tomorrow I will delete out everything and start fresh. I had referenced that guide as well; thank you for pointing that out too.

When on LAN 2 I ping the pfSense router on LAN 1, I get 4 good packets:
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=83ms TTL=63

When on LAN2 and I ping the server on LAN 1, I get:
Pinging 192.168.10.4 with 32 bytes of data:
Reply from 10.100.40.0: Destination host unreachable.

If I change Firewall / Rules / WIREGUARD, Show Advanced / Gateway to default, I get:
Pinging 192.168.10.4 with 32 bytes of data:
Request timed out.

I feel like this firewall rule should be the WireGuard gateway, as I feel “Destination host unreachable.” is better than just “Request timed out.”

But like I said, tomorrow I will just wipe everything and start fresh. There has to be something simple I am missing.

Christian McDonald is a developer at Netgate/pfSense, so his videos are VERY accurate.

I have now deleted out all of WireGuard and redid site to site with OpenVPN. I have the same problem: site 1 can see the site 2 router, but can't get past the router into the LAN.

Can someone drop some hints on a firewall rule for connecting a tunnel IP address to a LAN network?

Site 1 is 192.168.10.0/24
Site 2 is 192.168.40.0/24
Tunnel is 192.168.20.0/24

There is a lot of information missing to be able to properly help, because if you’re experiencing the same thing, it sounds like not only do you not have a proper routing setup, it also sounds like there’s still a misconfiguration and you’re not even going through the tunnel. So I have a lot of questions. I’ll skip the ones about your setup for now.

General Wireguard Questions

  1. Have you assigned your interfaces for WireGuard?
  2. Is your Interface Group Membership for WireGuard set to Only Unassigned Tunnels?
  3. On Site 1, what have you set for your Gateway?
  4. On Site 1, what have you set for your Static Route?
  5. On Site 2, what have you set for your Gateway?
  6. On Site 2, what have you set for your Static Route?

Firewall Rules

  1. Do you have the UDP WireGuard ports open on the WAN?
  2. What rules do you have set for your assigned individual interfaces for WireGuard?
  3. Are you allowing WireGuard traffic through on your VLAN or LAN interface rules?

I have had OpenVPN set up for about a year now. My laptop, tablet, and my phone can connect through OpenVPN 2 different ways, keeping their remote IP or using my home server's IP address. I have done my best to make sure the OpenVPN attempt matched the 2nd OpenVPN server I have been using for a while. Apparently laptop to LAN is easier than LAN to LAN (site to site).

Currently site 2 can connect to the site 1 router on 192.168.10.1 but not a computer on 192.168.10.4 or 192.168.10.10.

General Wireguard Questions

  1. Interfaces are assigned. Called WIREGUARDTUNN on both sides.
  2. Both sides are set for Only Unassigned Tunnels.

See attached photo. Had it really nice and clear, but apparently new users can only upload 1 pic, so it is all merged. Let me know if this is enough; I would really like to get this to work. Site 2 is a fresh install, only plugged in for 5 days. Site 1 is 2+ years old with a ton of settings.

Apologies for getting back later than anticipated. It took a while to look over the information. I need just a little more information to help guide you to your issue. Based on your first post you mentioned the IP address range for Site 1 and Site 2.

Can you confirm that:
Site 1 LAN is: 192.168.40.0/24
Site 2 LAN is: 192.168.10.0/24

Also, please confirm for the tunnel which site is which. I am assuming that the dark theme is Site 2 but I would like to be sure rather than just assuming.

Tunnel Site 1: 10.100.40.0
Tunnel Site 2: 10.100.40.1

I have gone through the information/picture you have provided, and can tell you it’s not a firewall issue. I have narrowed down the possible cause, but please confirm the above questions. This way I can confirm I’m not providing you with the wrong guidance.

Site 1 lan 192.168.10.0/24
Site 1 tunnel is 10.100.40.0
Site 1 White

Site 2 lan 192.168.40.0/24
Site 2 tunnel 10.100.40.1
Site 2 Dark

The tunnel is setup as 10.100.40.0/31

Working / Not working:
Site 2 can now connect to the site 1 LAN. Can connect Site 2 to 192.168.10.4 and 192.168.10.10 with great speeds. Really happy.
I changed:

  1. Interfaces / WireGuardTunn / Static IPv4 Configuration / IPv4 Upstream gateway:
    “WireGuardGate - 10.100.40.1” instead of NONE, on both sides.
  2. Interfaces / Interface Groups / BridgeInterface
    Apparently anything that has access to the LAN needs to be in this bridge group:
    LAN2, LAN3, BRIDGE0, LAN4, LAN5, 10GLAN1, 10GLAN2, 40GLAN1, 40GLAN2, TUNNELIP, WIREGUARDTUNN
  3. Interfaces / Bridges / BRIDGE0
    Same as previous step everything is in here.

Now, like I said, with those 3 steps added to both sides, Site 2 can connect to the Site 1 LAN perfectly.

Broken:
Now computers on the Site 1 LAN no longer have access to their own LAN. They connect to the internet perfectly, but (EMBY) 192.168.10.4 cannot talk to (FREENAS) 192.168.10.10.

I have spent all day trying to see what I messed up getting site to site to work and breaking my home LAN at the same time.

If devices can no longer access other devices on their own LAN, you have created a routing issue with one of your steps. Check your routing table to see where things are routing from and to.

If you have watched the video posted by @LTS_Tom Site to site pfsense with wireguard - #2 by LTS_Tom Christian says that you should not do what you did in Step 1. Setting an upstream gateway on your WG interface will make things appear that the source is coming from the tunnel interface and not your LAN interface.

I’m not sure why you are bridging your WG tunnel. WireGuard is L3 and bridging is L2. I suggest that you undo everything you changed. Remember the pfSense FW order is:

  1. Floating Rules
  2. Interface Group Rules
  3. Interface Rules

I have a few questions for you.
Site 1:
For your Gateway settings, did you set your default GW to your main GW?
For Peer Settings, is this your current configuration?
Endpoint: WAN IP 51825 (Site 2 WAN)
Allowed IPs
10.100.40.0/31 - Allow Transit Network
192.168.40.0/24 - Allow Site 2 Network

Site 2:
For your Gateway settings, did you set your default GW to your main GW?
For Peer Settings, is this your current configuration?
Endpoint: WAN IP 51825 (Site 1 WAN)
Allowed IPs
10.100.40.0/31 - Allow Transit Network
192.168.10.0/24 - Allow Site 1 Network

Thanks for getting back with me. I took a couple days to travel and returned home.

I know Christian said not to, but reading the caption, and, well, it wasn’t working anyway, it seemed like it was worth a shot. The note for that setting is as follows:
“If this interface is an Internet connection, select an existing Gateway from the list or add a new one using the “Add” button.
On local area network interfaces the upstream gateway should be “none”.”

I took WG out of the bridging tunnel and removed the upstream gateway. Back to not working. Set the upstream gateway and it is now working. So both sides have the upstream gateway set, and neither side has the WG in their bridging tunnel. LAN site 1 works and LAN site 2 never lost theirs. All appears to be great. My laptop can OpenVPN to site 1 and connect to site 2 servers. Site 1 and Site 2 can talk back and forth. Several settings are different from Christian's video, but at this point I don’t even know what was changed to work. Formatted the Site 2 pfSense box and started over, and just started changing settings. Thanks for all your help.

Site 1: Default gateway is 10.100.40.1
I am using 51825 on both sides.
Allowed IPs are:
10.100.40.0/31 - Allow Trust Tunnel
192.168.40.0/24 - Allow Site 2 Network

Site 2:
Gateway 10.100.40.0
Peer settings 51825
Allowed IPs
10.100.40.0/31 - Allow Trust Tunnel
192.168.10.0/24 - Allow Site 1 Network
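The questions earlier in the thread (gateway, static route, AllowedIPs, firewall rule on the assigned WireGuard interface) and the final working settings above describe the same set of checks a packet has to pass on each pfSense box. The script below is an added illustration, not code from this thread, from pfSense or from WireGuard; it models those checks for a site-to-site pair using the prefixes the thread settles on (the two LANs and the 10.100.40.0/31 transit network). The end hosts 192.168.40.50 and 192.168.10.4 as a traffic pair, the site records, and the two fault variants are constructed for the demonstration.

```python
"""Added illustration, not code from this thread nor from pfSense or WireGuard.

Models the checks a site-to-site packet passes through, using the prefixes
the thread settles on and constructed end hosts:
  1. kernel route lookup on the sending box: the static route for the remote
     LAN must point at the WireGuard gateway, otherwise the packet leaves via
     the WAN default route and the ping simply times out;
  2. WireGuard cryptokey routing: on the sender the destination must fall in
     some peer's AllowedIPs, and on the receiver the decrypted packet's source
     must fall in the sending peer's AllowedIPs, else it is dropped silently;
  3. the receiver's firewall rule on the assigned WireGuard interface (applied
     to the request only; pfSense's state table lets the reply back through);
  4. the same route and AllowedIPs checks for the reply, which is where a fix
     applied on only one side still fails.
"""
from ipaddress import ip_address, ip_network


def longest_prefix(prefixes, addr):
    """Return the most specific prefix containing addr, or None."""
    hits = [n for n in prefixes if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def make_site(lan, routes, peers, fw_pass):
    """Build a site record from strings.
    routes: {prefix: "wg" | "wan"}, the static routes plus the WAN default;
    peers: {peer name: [AllowedIPs prefixes]};
    fw_pass: source prefixes the WireGuard-interface rule lets into the LAN."""
    return {
        "lan": ip_network(lan),
        "routes": {ip_network(p): via for p, via in routes.items()},
        "peers": {name: [ip_network(n) for n in nets] for name, nets in peers.items()},
        "fw_pass": [ip_network(n) for n in fw_pass],
    }


def next_hop(site, dst):
    """Kernel route lookup: own LAN, a static route via the tunnel, or the WAN default."""
    if dst in site["lan"]:
        return "lan"
    route = longest_prefix(site["routes"], dst)
    return site["routes"][route] if route is not None else "wan"


def select_peer(site, addr):
    """Cryptokey routing: the peer whose AllowedIPs has the longest match for addr."""
    best, best_len = None, -1
    for name, allowed in site["peers"].items():
        net = longest_prefix(allowed, addr)
        if net is not None and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def one_way(sender, receiver, src, dst, new_connection=True):
    """Return "ok" or the first check that fails for one packet src -> dst."""
    hop = next_hop(sender, dst)
    if hop == "lan":
        return "fail: destination is on the sender's own LAN, tunnel not involved"
    if hop == "wan":
        return "fail: no static route, packet left via the WAN default gateway (times out)"
    if select_peer(sender, dst) is None:
        return "fail: destination not in any peer's AllowedIPs on the sender"
    if select_peer(receiver, src) is None:
        return "fail: source not in the sending peer's AllowedIPs on the receiver (dropped)"
    if new_connection and longest_prefix(receiver["fw_pass"], src) is None:
        return "fail: blocked by the receiver's WireGuard interface firewall rule"
    return "ok"


def round_trip(a, b, src, dst):
    """Simulate a ping from src (on site a's LAN) to dst (on site b's LAN)."""
    src, dst = ip_address(src), ip_address(dst)
    fwd = one_way(a, b, src, dst)
    if fwd != "ok":
        return "request " + fwd
    back = one_way(b, a, dst, src, new_connection=False)
    return "ok" if back == "ok" else "reply " + back


# Constructed working pair matching the thread's final settings.
SITE1 = make_site("192.168.10.0/24", {"192.168.40.0/24": "wg", "0.0.0.0/0": "wan"},
                  {"site2": ["10.100.40.0/31", "192.168.40.0/24"]}, ["192.168.40.0/24"])
SITE2 = make_site("192.168.40.0/24", {"192.168.10.0/24": "wg", "0.0.0.0/0": "wan"},
                  {"site1": ["10.100.40.0/31", "192.168.10.0/24"]}, ["192.168.10.0/24"])

# Constructed faults: site 1 without its static route (request arrives, reply is
# lost) and site 1 whose peer entry lists only the transit /31 (request dropped).
SITE1_NO_ROUTE = make_site("192.168.10.0/24", {"0.0.0.0/0": "wan"},
                           {"site2": ["10.100.40.0/31", "192.168.40.0/24"]}, ["192.168.40.0/24"])
SITE1_NO_LAN = make_site("192.168.10.0/24", {"192.168.40.0/24": "wg", "0.0.0.0/0": "wan"},
                         {"site2": ["10.100.40.0/31"]}, ["192.168.40.0/24"])

if __name__ == "__main__":
    for label, b in (("working", SITE1), ("site 1 missing static route", SITE1_NO_ROUTE),
                     ("site 1 AllowedIPs missing site 2 LAN", SITE1_NO_LAN)):
        print(f"{label}: {round_trip(SITE2, b, '192.168.40.50', '192.168.10.4')}")
```

Running it prints "ok" for the working pair and a named failing check for each fault. The point the model makes is that both directions are evaluated independently: a host at site 2 can have a perfect outbound path and still see "Request timed out" because site 1 has no static route back, or a silent drop because site 1's peer entry does not list site 2's LAN in AllowedIPs. Each of the thread's questions maps to one `make_site` argument, so other suspected misconfigurations can be tried by changing that argument alone.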

Glad to hear it’s working. Some of my settings are slightly different than his as well. But that’s due to how I have things set up.