Site-to-Site VPN with WireGuard between UniFi Express and pfSense - Networking (2024)

Hi all,

This is another one of those problems where I'm almost certain I'm overlooking something and am already 99% there, but for that last percent I could use your help.

I want to connect two sites ("Netherlands" and "Brazil") over a WireGuard VPN, with the goal of having a transparent site-to-site connection, i.e. that from each site I can reach all services on the other site. Unfortunately UniFi does not yet support WireGuard for site-to-site via the UI, but it must be possible some other way.

Sites

Netherlands
The "main network" is 192.168.1.0/24.
The Netherlands runs pfSense 2.7.2 in a VM; the pfSense's WAN IP is 192.168.1.233, its LAN IP is 192.168.5.6 (this is a VLAN) and WireGuard has the network 192.168.200.0/24.

There are already existing clients and other site-to-site VPNs between the Netherlands and other sites, and they all work flawlessly.

Brazil
The only network there is 192.168.99.0/24.
It runs a UniFi Express with the latest version of UniFi Network.
A WireGuard client configuration to the Netherlands has been created, and the connection is established. It has the tunnel IP 192.168.200.10/24.

The Problem

The WireGuard connection is established, and from the Netherlands (i.e. behind the pfSense) I can reach Brazil and access everything on 192.168.99.0/24. So the tunnel itself works fine.

However, the other direction doesn't go so well: from Brazil I can't reach anything in the Netherlands, not even the IP of the WireGuard server on the pfSense (192.168.200.1). Pings all end in a timeout with 100% packet loss, also from the UniFi Express itself.

Just for fun I already turned off the firewall on the pfSense entirely (with pfctl -d), but that makes no difference either. Since everything from the Netherlands to Brazil works but not the other way around, I'm inclined to think the problem is on the Dutch side (i.e. on the pfSense), but I'm certainly not sure of that.

One more detail, in case it matters: Brazil is behind CG-NAT.

code:

root@UniFi-Express:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
100.71.0.0      0.0.0.0         255.255.224.0   U     0      0        0 eth1
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 wgsrv1
192.168.3.2     0.0.0.0         255.255.255.255 UH    0      0        0 wgsrv1
192.168.99.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 wgclt1

code:

root@UniFi-Express:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 96:2a:6f:10:86:97 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 36:28:96:6b:7c:9b brd ff:ff:ff:ff:ff:ff
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: ip_vti0@NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
6: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/sit 0.0.0.0 brd 0.0.0.0
8: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
9: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br0 state DOWN group default qlen 1000
    link/ether 94:2a:6f:10:86:97 brd ff:ff:ff:ff:ff:ff
10: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 94:2a:6f:10:86:98 brd ff:ff:ff:ff:ff:ff
    inet 100.71.6.61/19 scope global dynamic eth1
       valid_lft 8998sec preferred_lft 8998sec
    inet6 fe80::962a:6fff:fe10:8698/64 scope link
       valid_lft forever preferred_lft forever
11: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 32:b5:7e:61:be:60 brd ff:ff:ff:ff:ff:ff
12: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 56:2e:fe:09:7e:54 brd ff:ff:ff:ff:ff:ff
13: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:2a:6f:10:86:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.1/24 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::962a:6fff:fe10:8697/64 scope link
       valid_lft forever preferred_lft forever
14: wifi0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 8191
    link/ieee802.11 94:2a:6f:10:86:99 brd ff:ff:ff:ff:ff:ff
15: soc0: <> mtu 0 qdisc noop state DOWN group default qlen 1
    link/ieee802.11
16: wifi1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 8191
    link/ieee802.11 94:2a:6f:10:86:9a brd ff:ff:ff:ff:ff:ff
17: soc1: <> mtu 0 qdisc noop state DOWN group default qlen 1
    link/ieee802.11
18: ath0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 94:2a:6f:10:86:99 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::962a:6fff:fe10:8699/64 scope link
       valid_lft forever preferred_lft forever
19: ath1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 9a:2a:6f:10:86:99 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::982a:6fff:fe10:8699/64 scope link
       valid_lft forever preferred_lft forever
20: vwire2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 9e:2a:6f:10:86:99 brd ff:ff:ff:ff:ff:ff
21: ath3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 94:2a:6f:10:86:9a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::962a:6fff:fe10:869a/64 scope link
       valid_lft forever preferred_lft forever
22: ath4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 9a:2a:6f:10:86:9a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::982a:6fff:fe10:869a/64 scope link
       valid_lft forever preferred_lft forever
23: vwire5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 9e:2a:6f:10:86:9a brd ff:ff:ff:ff:ff:ff
24: wgclt1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    link/none
    inet 192.168.200.10/24 scope global wgclt1
       valid_lft forever preferred_lft forever
25: wgsrv1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    link/none
    inet 192.168.3.1/24 scope global wgsrv1
       valid_lft forever preferred_lft forever

code:

root@UniFi-Express:~# ip route show
100.71.0.0/19 dev eth1 proto kernel scope link src 100.71.6.61
192.168.3.0/24 dev wgsrv1 proto kernel scope link src 192.168.3.1
192.168.3.2 dev wgsrv1 proto kernel scope link
192.168.99.0/24 dev br0 proto kernel scope link src 192.168.99.1
192.168.200.0/24 dev wgclt1 proto kernel scope link src 192.168.200.10

Any idea what I could have overlooked?

[56% edited by mfkne on 03-03-2024 18:54]
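Two things decide whether a packet from the Brazilian side ever reaches the Netherlands: the kernel must have a route for the destination via the tunnel device (the ip route show output above lists none for 192.168.1.0/24 or 192.168.5.0/24 via wgclt1), and WireGuard itself only sends a packet to a peer whose AllowedIPs contain the destination, and only accepts a packet whose source is inside that peer's AllowedIPs. The checker below is an added example, not the poster's configuration or anything from UniFi or pfSense; the two wg-quick style configs and the route snippet are constructed from the thread's addressing, with placeholder keys.

```python
import ipaddress

def peer_allowed_ips(conf_text):
    # Minimal wg-quick parser: one list of AllowedIPs networks per [Peer] section.
    peers, in_peer = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[peer]":
            in_peer = True
            peers.append([])
        elif line.startswith("["):
            in_peer = False
        elif in_peer and line.split("=", 1)[0].strip().lower() == "allowedips":
            value = line.split("=", 1)[1]
            peers[-1] += [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]
    return peers

def missing_allowed_ips(conf_text, remote_tunnel_ip, remote_lans):
    # Cryptokey routing: the remote tunnel address and every remote LAN must sit inside
    # some peer's AllowedIPs, or WireGuard drops the packet even when a kernel route exists.
    allowed = [n for peer in peer_allowed_ips(conf_text) for n in peer]
    wanted = [ipaddress.ip_network(remote_tunnel_ip)] + [ipaddress.ip_network(l) for l in remote_lans]
    return [str(n) for n in wanted
            if not any(n.version == a.version and n.subnet_of(a) for a in allowed)]

def lans_without_route(ip_route_output, remote_lans, wg_dev):
    # Kernel side: each remote LAN needs a route that points at the tunnel device.
    routed = [ipaddress.ip_network(l.split()[0], strict=False)
              for l in ip_route_output.splitlines() if f" dev {wg_dev} " in l]
    return [l for l in remote_lans
            if not any(ipaddress.ip_network(l).subnet_of(r) for r in routed)]

# Constructed samples modelled on the thread's addressing (keys are placeholders).
NL_PFSENSE = """[Interface]
Address = 192.168.200.1/24
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 192.168.200.10/32, 192.168.99.0/24
"""
BR_UNIFI = """[Interface]
Address = 192.168.200.10/24
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 192.168.1.0/24
"""
BR_ROUTES = """192.168.99.0/24 dev br0 proto kernel scope link src 192.168.99.1
192.168.200.0/24 dev wgclt1 proto kernel scope link src 192.168.200.10
"""
```

Run missing_allowed_ips on each side with the other side's tunnel IP and LANs, and lans_without_route on the UniFi's ip route show output with wg_dev set to wgclt1; the constructed BR_UNIFI config lacks both the tunnel subnet and 192.168.5.0/24, which reproduces the symptom of not even reaching 192.168.200.1.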


FAQs

Does WireGuard support site-to-site VPN?

If you're required to share information or resources between intranets from different locations, such as offices, chain stores, using site to site VPN with WireGuard® can quickly help you build up your private network to connect all these places.

How to set up WireGuard VPN on pfSense?

Configure WireGuard
  1. Log in to pfSense using the web GUI.
  2. Go to VPN → WireGuard.
  3. Click on + Add Tunnel.
  4. Description: Enter a name for the tunnel. ...
  5. Listen Port: This can be left empty.
  6. Interface Keys: Enter your private key that you generated earlier ( cat /usr/local/etc/wireguard/privkey ).

Which is more secure, WireGuard or OpenVPN?

While WireGuard is generally faster, OpenVPN provides heavier security. The differences between these two protocols are also what make up their defining features. We've taken a closer look at each so you can really understand how they work for you.

How do I set up a WireGuard VPN tunnel?

To configure a WireGuard Tunnel:
  1. Navigate to VPN > WireGuard > Tunnels.
  2. Click. ...
  3. Fill in the WireGuard Tunnel settings as described in WireGuard Package Settings.
  4. Click Save Tunnel.
  5. Add firewall rules on Firewall > Rules, WAN tab to allow UDP traffic to the port for this WireGuard tunnel (WireGuard and Rules / NAT).

Which is better for site-to-site, IPsec or WireGuard?

Compared to IPsec, WireGuard is thought to provide faster performance and more security because of its smaller codebase. On the other hand, IPsec is a well-developed protocol with a wealth of features and compatibility.

Is site-to-site VPN private?

A site-to-site virtual private network (VPN) is a connection between two or more networks, such as a corporate network and a branch office network. Many organizations use site-to-site VPNs to leverage an internet connection for private traffic as an alternative to using private MPLS circuits.

What is better than pfSense?

If you want high customizability and a large support community, pfSense is a good option. If you prioritize an easy-to-use interface and frequent updates, instead, OPNsense may be better. Ultimately, pfSense offers more flexibility for seasoned users, but OPNsense provides a more polished out-of-box experience.

Can pfSense run a VPN?

pfSense® software offers several VPN options: IPsec, OpenVPN, WireGuard and L2TP. This section provides an overview of VPN usage, the pros and cons of each type of VPN, and how to decide which is the best fit for a particular environment.

How to route traffic through a WireGuard VPN?

WireGuard Selective Routing to External VPN Endpoint
  1. Step 1 - Configure the peer. ...
  2. Step 2 - Configure the WireGuard Instance. ...
  3. Step 3 - Turn on WireGuard. ...
  4. Step 4 - Assign an interface to WireGuard and enable it. ...
  5. Step 5 - Restart WireGuard. ...
  6. Step 6 - Create a gateway.

What is the fastest VPN for WireGuard?

BEST WIREGUARD VPN: NordVPN is our #1 choice. It's the fastest VPN we've tested and comes with every feature a user could ask for, including the extra-secure NordLynx. If you disagree, take advantage of the risk-free, 30-day money-back guarantee. Read more in our full NordVPN review.

What is the most secure VPN option?

OpenVPN and NordLynx

NordVPN offers two of the fastest, most reliable, and most secure VPN protocols: OpenVPN and WireGuard in the form of NordLynx. Here's a quick comparison, and for a more in-depth look, here's our comparison of the top VPN protocols. NordVPN worked well with OpenVPN and NordLynx.

What is the most secure VPN port?

Particularly those that employ OpenVPN or SSTP protocols to establish a VPN connection. Port 443 is most commonly known for its use with HTTPS traffic and is rarely, if ever, blocked or restricted by firewalls or other security measures.

Does WireGuard hide IP?

As explained above WireGuard does not allocate a dynamic IP address to the VPN user. And, it indefinitely stores user IP addresses on the VPN server until the server reboots. So, there is no anonymity and privacy in WireGuard.

How do I test if my WireGuard is working?

To check if WireGuard Server is working properly

The simplest way is to use a cell phone with the official WireGuard client app installed, turn off its Wi-Fi connection, and connect to the Internet only via 3G/4G/5G.

How to set up a site-to-site VPN tunnel?

For more information, see Tunnel options for your Site-to-Site VPN connection.
  1. Step 1: Create a customer gateway. ...
  2. Step 2: Create a target gateway. ...
  3. Step 3: Configure routing. ...
  4. Step 4: Update your security group. ...
  5. Step 5: Create a VPN connection. ...
  6. Step 6: Download the configuration file.

What protocol to use for a site-to-site VPN?

Most Common VPN Protocols

Protocol                                 | Description                                                        | Security
IPsec (Internet Protocol Security)       | Uses strong locks and keys to limit access to authorized users      | High security, widely adopted
SSTP (Secure Socket Tunneling Protocol)  | Uses a secure layer, like a shield, to protect data as it travels   | Secure, integrated with Windows

What VPN protocol does WireGuard use?

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers.

Who uses site-to-site VPN?

Extranet-based site-to-site VPNs are often used by two or more different companies that want to share certain resources but keep others private. With an extranet-based site-to-site VPN, each entity connects to the VPN and chooses what they want to make available to the other companies.

Does OpenVPN support site-to-site VPN?

Securely connect your corporate network, remote offices, and cloud networks with encrypted tunnels using our site-to-site VPN solution.

Author: Foster Heidenreich CPA