So I have encountered an issue recently with WireGuard that I cannot figure out myself.
We used to have one physical site (site A) where all our servers were located. The endpoint would connect to a WireGuard VPN to reach the intranet. We are hosting WireGuard on a small form factor computer. The WireGuard tunnel has an IP of 10.200.0.1 while the host that is running WireGuard has an IP of 192.168.0.100.
A few months ago we got a second physical site/location (site B). Both of our sites are connected via a site-2-site WireGuard tunnel at the firewall level. Endpoints that are physically present at site A or B can cross-access resources of the other site through the site-2-site VPN. This means the WireGuard host that has an IP of 192.168.0.100 can access site B and site B can access said host.
Now people that are working remote can only access the resources on site A. How can I make it work so that people that are using a VPN connection to site A can connect to site B through the site-2-site VPN tunnel (so basically a tunnel in a tunnel)? I have tried to add the internal IPs of site B to the AllowedIPs list in the WireGuard configuration file on the endpoints, but for some reason they are not getting routed and the endpoints cannot access the resources on site B. Does anyone have any idea what I'm doing wrong or missing?
Did a similar setup last week. Instead of WireGuard clients we are using OpenVPN, but the setup should be the same.
We are using pfSense at both locations, but you have not told us what firewall you are using, so some of the info may have to be translated to your firewall.
On Site B:
Under WireGuard peers, you need to add the WireGuard network 10.200.0.0/24.
Under static routes, add a static route for 10.200.0.0/24 to go down the WireGuard gateway.
If you are blocking traffic between networks, you need to create a rule to allow the site B network access to the WireGuard network (10.200.0.0/24).
On Site A:
Add the site B network address to the WireGuard peer for the remote client setup.
The firewall for the WireGuard VPN needs to be fully open.
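As an added illustration that is not part of the answer above, here are the same steps written out as WireGuard configuration files instead of pfSense screens (three separate files shown in one block). Only the tunnel network 10.200.0.1/24 and the server host 192.168.0.100 come from the thread; everything else is assumed: site A LAN 192.168.0.0/24, site B LAN 192.168.1.0/24, a site-to-site tunnel on 10.250.0.0/30, interface names, ports, hostnames and the placeholder keys. The comments on the site B side spell out why both the peer entry and the route are needed: WireGuard discards a decrypted packet whose source address is not inside the sending peer's AllowedIPs, and the firewall's routing table has to point 10.200.0.0/24 at the tunnel or the replies take the default route instead.

```ini
# ===== File 1 - Site A: WireGuard host 192.168.0.100, remote-access tunnel wg0 =====
# e.g. /etc/wireguard/wg0.conf on the small form factor box
[Interface]
Address    = 10.200.0.1/24
ListenPort = 51820                        # assumed port
PrivateKey = <site A wg0 private key>     # placeholder
# Assumed already in place, since remote users reach site A today:
# IP forwarding on this host, no NAT on the tunnel, and a route on the
# site A firewall for 10.200.0.0/24 -> 192.168.0.100.

[Peer]
# one remote user's laptop
PublicKey  = <laptop public key>          # placeholder
AllowedIPs = 10.200.0.2/32

# ===== File 2 - remote user's laptop: client side of wg0 =====
[Interface]
Address    = 10.200.0.2/24
PrivateKey = <laptop private key>         # placeholder

[Peer]
PublicKey  = <site A wg0 public key>      # placeholder
Endpoint   = vpn.site-a.example:51820     # assumed public endpoint
# Site A LAN plus site B LAN (site B assumed 192.168.1.0/24). This is the
# entry the asker already added; on its own it only makes the client *send*
# traffic for site B into the tunnel, it does nothing for the return path.
AllowedIPs = 192.168.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25

# ===== File 3 - Site B firewall: site-to-site peer towards site A =====
# (pfSense: VPN > WireGuard > Peers, then System > Routing > Static Routes)
[Interface]
Address    = 10.250.0.2/30                # assumed site-to-site tunnel address
ListenPort = 51821                        # assumed port
PrivateKey = <site B s2s private key>     # placeholder

[Peer]
PublicKey  = <site A firewall public key> # placeholder
Endpoint   = fw.site-a.example:51821      # assumed
# Two separate things must hold for a reply to 10.200.0.x to get back:
#  1. AllowedIPs must contain 10.200.0.0/24 (the "add the WireGuard network
#     to the peer" step). WireGuard drops any decrypted packet whose source
#     is outside the sending peer's AllowedIPs, so without this line packets
#     from remote users arrive encrypted but never leave the tunnel on site B,
#     even though 192.168.0.100 itself (source in 192.168.0.0/24) works fine.
#  2. The site B routing table must send 10.200.0.0/24 into this tunnel
#     (the "static route via the WireGuard gateway" step). With wg-quick
#     the route is derived from AllowedIPs automatically; pfSense does not
#     do that, hence the explicit static route. By hand it would be:
#       ip route add 10.200.0.0/24 dev wg_s2s      # assumed interface name
#     Without it replies follow the default route towards the internet.
AllowedIPs = 192.168.0.0/24, 10.200.0.0/24
PersistentKeepalive = 25

# The site A firewall's peer towards site B already lists 192.168.1.0/24
# (the sites cross-access today), so nothing changes there. If traffic
# between networks is filtered on either side, allow
# 10.200.0.0/24 <-> 192.168.1.0/24 as well (the "rule" step above).
```

A quick way to tell which of the two site B pieces is missing: with the route in place but AllowedIPs incomplete, `wg show` on site B shows the transfer counter for the site A peer rising while nothing appears on the inside interface; with AllowedIPs correct but no route, a packet capture on the site B LAN shows the request arriving and the reply leaving towards the default gateway instead of the tunnel.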
This is the answer, and it worked perfectly
I did not think of adding 10.200.0.0/24 as a peer network and the routing of it on site A, because I thought it was sufficient that 192.168.0.100 (the host that is running WireGuard) had access to site B and vice versa. Would you mind explaining why this was necessary?