WireGuard Site to Site Issues

Comments

6 comments

  • Firewalla

    How are you setting up the site to site? Is it just remote access VPN using the WireGuard client?

  • Mason

    If I had to guess, you probably have the "Internet" configuration for the site to site connection set to VPN, and on the remote side there's a firewall (or the gateway itself) that's blocking your local subnets from using it to connect to the internet effectively (either intentionally or from an unintended configuration).

    If you don't need "all" traffic to go through the remote server's gateway, I recommend flipping the "Internet" switch in your FWG to "Direct", which means that only traffic intended for the listed subnets will use the VPN, while everything else uses your local gateway as normal (i.e. a split-tunnel VPN).

    If you do need all your traffic to go through the VPN (so it all appears to the internet as though it originates from the remote site), then you have some troubleshooting to do with the remote site to figure out where the blocks are occurring.

  • Goomba

    Hi Mason, appreciate the reply. That makes perfect sense. I'm used to WireGuard only routing to the remote subnets that I've set in the config, but if it's actually routing all traffic to the remote network then it makes sense why I'm having these issues. Unfortunately, in my app I don't seem to have the toggle switch you circled, so I can't choose Direct. Unless I'm looking in the wrong location? I'm going into "VPN Client" then choosing my WireGuard profile. I just tried updating my app to the Beta on Android but that Internet toggle is still missing.


    @Firewalla, yes that is correct, I'm just using the VPN Client with the 3rd Party VPN option using WireGuard. As discussed above with Mason, I expected only traffic to my specified remote subnets to route over the VPN, not all traffic. Any idea why I don't have the "Internet" toggle switch that Mason has, to change that?

  • Mason

    Ah, OK, you're not using the two-Firewalla site to site; that's where you would see the above UI options.

    For the more direct WireGuard peer configuration like in your screenshot above, the configuration you're looking for is the "Allowed IPs" in the Peer section (not the Interface section). This AllowedIPs should be 0.0.0.0/0, ::/0 if you want a full tunnel (all traffic goes through the VPN), or a comma-separated list of subnets for specifically the network on the remote side of the connection you want to access through the VPN for a split tunnel.

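The split-tunnel vs. full-tunnel distinction Mason describes is decided entirely by the AllowedIPs lines under each [Peer]. The following is an added example, not code from this thread or from Firewalla: it parses a constructed two-peer client config (placeholder keys, sample RFC 1918 subnets) and reports whether the profile is a full or split tunnel and which peer, if any, a given destination would be sent through.

```python
import ipaddress

# Constructed two-peer client config like the one in the thread: only the
# remote private subnets are listed, so this is a split tunnel.
SPLIT_TUNNEL_CONF = """
[Interface]
Address = 10.200.0.2/32

[Peer]
PublicKey = <placeholder-peer-a-key>
AllowedIPs = 192.168.1.0/24, 192.168.2.0/24

[Peer]
PublicKey = <placeholder-peer-b-key>
AllowedIPs = 10.10.0.0/16
"""

def parse_allowed_ips(conf: str) -> list:
    """Return the AllowedIPs networks of each [Peer] section, in file order."""
    peers = []
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in wg-quick files
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append([])
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            peers[-1] += [ipaddress.ip_network(p.strip(), strict=False)
                          for p in value.split(",") if p.strip()]
    return peers

def tunnel_mode(conf: str) -> str:
    """'full' if any peer claims a default route (0.0.0.0/0 or ::/0), else 'split'."""
    nets = [n for peer in parse_allowed_ips(conf) for n in peer]
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"

def routed_via_peer(conf: str, dst: str) -> int:
    """Index of the peer with the most specific AllowedIPs match for dst, or -1 (local gateway)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = -1, -1
    for i, nets in enumerate(parse_allowed_ips(conf)):
        for n in nets:
            if n.version == addr.version and addr in n and n.prefixlen > best_len:
                best, best_len = i, n.prefixlen
    return best
```

A destination that matches no peer's AllowedIPs (for example a public address under this config) returns -1, which is the split-tunnel behaviour Goomba expected: that traffic leaves via the local gateway, not the tunnel.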
  • Goomba

    That's exactly how I have it; the Allowed IPs I have set are the remote private subnets, e.g. 192.168.1.0/24.

    I can hit the servers in that IP range, but I'm still getting the weird internet issues. It seems like a bug.

    I do have 2 peers in the one config, which has never been an issue for me before, but perhaps I'll split out each peer into its own profile to test individually. That said, this is the same config I used on my old router without issue.

    I have a separate profile that is working perfectly for full internet passthrough (0.0.0.0/0), it just seems to be an issue with the split tunneling.

  • Goomba

    Mason, you were on the money. I just updated my Firewalla to the beta version (the app and the box) and now I have the Internet toggle for WireGuard. Toggled it to "Direct" and boom, all is working as expected. Thanks for your help.


