Problem unreachable Network - OPNsense - RUT240/260 - Wireguard Site2Site

Hello,

We have an OPNSense on our internal network behind a router/firewall (Lancom), which is only supposed to make Wireguard connections.

Ports 51820-59999 are port forwarded to the OPNSense on the Lancom.

IP addresses:
Lancom 172.17.0.254
OPNSense 172.17.219.12

The OPNSense doesn’t have a firewall enabled; it’s only connected to the internal network via a network card.

Our problem is that we’ve already set up several Wireguard connections, but not all of them work perfectly. Those connected to a FritzBox via site2site work flawlessly.

However, there are also many connections that have been established, or are supposed to be established, to Teltonika routers. These are RUT240/RUT241/RUT260 routers.

I need support with how to set up the instance, the peer, on both sides (Teltonika and OPNsense).

We have the internal network 172.17.0.0/16. We need connections to external networks (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, etc.).

Here’s a configuration we’re currently using, but it’s not working properly. We can reach the devices on the network, but the return path isn’t stable for some.

OPNSense - 172.12.219.12

Instance - Network01:

Tunnel address: 192.168.15.0/24

Peer - Network01:

Allowed IPS: 192.168.15.0/24
Endpoint Address: dyndns…..
Port: 51820

TELTONIKA RUT240 - 192.168.15.254

Instance - Company

IP Addresses: 192.168.15.0/24
DNS servers: 192.168.15.254, 172.17.219.1

Peer Company:

Endpoint: dns name public
Allowed IPs: 172.17.0.0/16, 192.168.15.0/24
Endpoint port: 51820

Assuming your Teltonika devices are using an LTE network, then try setting the MTU to 1280 to see if that makes a difference.


As a suggestion, you don't want a whole subnet e.g. xxx.xxx.xxx.0 / 24 as the Tunnel IP address on the Lancom or Teltonika.

As an example, if the device that acts as a responder (e.g. Lancom) has a tunnel address of 192.168.15.100 / 24 (note this is not a whole subnet) then the initiator (e.g. Teltonika) should have a different IP but on the same subnet e.g. 192.168.15.101 / 24.

So it looks like you’ll have to change this on both the Lancom and Teltonika tunnel config.

You will also need to change your Peer Allowed IPs to reflect these changes.

The Allowed IP Setting on the Lancom for the RUT Peer should be 192.168.15.101 / 32

The Allowed IP Setting on the RUT for the Lancom Peer should be 192.168.15.100 / 32

Add any other Allowed IPs that are relevant to your Use Case.

Hopefully the above makes sense as from your description, it wasn’t obvious whether the Wireguard node is on the OPNsense or the Lancom.


I also note that you have a ‘Persistent Keepalive’ set on both devices. If one device is always the ‘responder’ then set this to 0 (zero), so that it is the responsibility of the ‘initiators’ to start the ‘Keepalive’.

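The layout Mike describes, written out as standard WireGuard (wg-quick style) configuration for the responder (the OPNsense instance, LAN 172.17.0.0/16) and one RUT initiator (LAN 192.168.1.0/24); this is an added example, not the thread author's or Mike's own configuration. The key placeholders, the second site peer, the MTU and the exact mapping of these fields onto the OPNsense and RUT web GUIs are assumptions.

```ini
# ---- Responder: OPNsense WireGuard instance (behind the Lancom) ----
[Interface]
# Host address inside the tunnel subnet, NOT 192.168.15.0/24 (the
# network address) as in the original instance configuration.
Address = 192.168.15.100/24
ListenPort = 51820
PrivateKey = <opnsense-private-key>      # placeholder
MTU = 1280                               # assumption: LTE path, per Mike's tip
# No PersistentKeepalive here: the responder never initiates.

[Peer]
# Site 1: RUT240 with LAN 192.168.1.0/24
PublicKey = <rut-site1-public-key>       # placeholder
# Peer's tunnel host as /32, plus the LAN that must be reachable behind it.
AllowedIPs = 192.168.15.101/32, 192.168.1.0/24
# No Endpoint: the RUT sits behind a carrier NAT and dials in.

[Peer]
# Site 2 (assumed): each additional RUT gets its own /32 and its own LAN.
PublicKey = <rut-site2-public-key>       # placeholder
AllowedIPs = 192.168.15.102/32, 192.168.2.0/24

# ---- Initiator: Teltonika RUT240 at site 1 ----
[Interface]
# Same subnet as the responder, different host address.
Address = 192.168.15.101/24
PrivateKey = <rut-site1-private-key>     # placeholder
MTU = 1280

[Peer]
PublicKey = <opnsense-public-key>        # placeholder
# Public DynDNS name forwarded by the Lancom to the OPNsense.
Endpoint = <public-dyndns-name>:51820
# Responder's tunnel host as /32, plus the company network behind it.
AllowedIPs = 192.168.15.100/32, 172.17.0.0/16
# Keepalive only on the initiator, so the NAT mapping stays open.
PersistentKeepalive = 25
```

Because each peer's AllowedIPs on the responder are disjoint, WireGuard can route return traffic for 192.168.1.0/24 to the right RUT; overlapping /24 entries on several peers are exactly what makes the return path unstable.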

Hello @Mike,

That was the solution with the different addresses (XXX.XXX.XXX.101 - XXX.XXX.XXX.100).

Apparently, I completely overlooked this for some connections. There are about 40 connections. Some have always worked, and the few that didn’t work correctly had the wrong IP addresses.

MTU is also better, thanks for the tip, as is the keepalive.

All connections now work without any problems…

Excellent news … Mike

