Troubleshooting wireguard S2S VPN

Trying to set up a site-to-site VPN between PFsense and Mikrotik. From behind the PFsense (192.168.10.0/24) I can ping devices behind the Mikrotik (10.0.0.0/24), but not the other way around. Not sure if this is an issue on the Mikrotik or PFsense, but was hoping someone could see what's going on here or at least say that the Mikrotik config looks good. If it makes any difference, I have the Mikrotik only plugged in with the eth2 interface to the home internet router. From the Mikrotik interface I can ping its side of the wireguard tunnel, 192.168.32.2, but not the other side of 192.168.32.1

/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridgeLocal \
    port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
/interface wireguard peers
add allowed-address=192.168.32.1/30,192.168.10.0/24 comment=HQ \
    endpoint-address=**ELIDED** endpoint-port=**ELIDED** interface=wireguard1 \
    persistent-keepalive=25s public-key="**ELIDED**"
/ip address
add address=192.168.32.2/30 interface=wireguard1 network=192.168.32.0
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip firewall filter
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
    10.0.0.0/24
add action=accept chain=forward dst-address=10.0.0.0/24 src-address=\
    192.168.10.0/24
/ip route
add disabled=no dst-address=192.168.10.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no

Firstly, it is advisable to use a /32 netmask for the Wireguard address in the peer settings. Secondly, you should add a new rule that allows the Wireguard port you are using from the public IP of the PFsense:

/ip firewall filter
add chain=forward src-address=*public_ip_of_pfsense* protocol=udp dst-port=*wireguard_port* action=accept

After that, restart the peer (disable it and enable it again) and hopefully everything works!

If that is pretty much the entire configuration (i.e. no drop rules in filter), it looks like it should be working.

Double check that the rx, tx and last handshake counters in the wireguard peer are all non-zero.
(Seems likely that is also ok, given you can ping the 10.0.0.0/24 from the PFSense, but check anyway)

If ok, it seems likely the pfsense is dropping the traffic.

One (major) issue.

Unless the Mikrotik is the network's default gateway, nothing on the network will be attempting to send packets destined for head office to the Mikrotik; they will send them to the home internet router.

(Unless they have appropriate static routes installed)
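
The routing point raised in the last reply, modelled as an added example (not code from the thread or from any poster). It uses the prefixes from the posted config; the home router address 10.0.0.1, the Mikrotik LAN address 10.0.0.2, the HQ host 192.168.10.5, and the DHCP-learned routes are constructed assumptions.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread).
HOME_ROUTER = "10.0.0.1"
MIKROTIK_LAN = "10.0.0.2"
# Peer allowed-address list exactly as in the posted config.
PEER_ALLOWED = ["192.168.32.1/30", "192.168.10.0/24"]
# wireguard1 routes follow the posted config; the on-link and default
# routes are assumed to come from the DHCP client on bridgeLocal.
MIKROTIK_ROUTES = [("10.0.0.0/24", "on-link"), ("192.168.32.0/30", "wireguard1"),
                   ("192.168.10.0/24", "wireguard1"), ("0.0.0.0/0", HOME_ROUTER)]
# A LAN host that learned only a default route from the home router (assumed).
HOST_ROUTES = [("10.0.0.0/24", "on-link"), ("0.0.0.0/0", HOME_ROUTER)]

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def peer_accepts(allowed, ip):
    """WireGuard cryptokey routing: ip must fall inside an allowed-address entry.
    strict=False because 192.168.32.1/30 has host bits set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)

def path_from_lan_host(host_routes, dst):
    """Hops a packet takes from a 10.0.0.0/24 host toward dst."""
    first = next_hop(host_routes, dst)
    if first != MIKROTIK_LAN:
        return [first]                    # never reaches the Mikrotik
    out = next_hop(MIKROTIK_ROUTES, dst)
    if out == "wireguard1" and not peer_accepts(PEER_ALLOWED, dst):
        return [first, "dropped: no peer for destination"]
    return [first, out]

if __name__ == "__main__":
    dst = "192.168.10.5"                  # constructed HQ host
    print(path_from_lan_host(HOST_ROUTES, dst))
    fixed = HOST_ROUTES + [("192.168.10.0/24", MIKROTIK_LAN)]
    print(path_from_lan_host(fixed, dst))
```

With only a default route the packet goes to the home router; once a static route for 192.168.10.0/24 via the Mikrotik is present, it enters wireguard1.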