WireGuard site-to-site handshakes but doesn't pass traffic (OPNsense + OpenWrt)

The OPNsense can reach 192.168.0.0/24 as is.

Does this need a gateway configured (with its own IP) for the wg0 interface + "local WireGuard config" on the OPNsense side?

OPNsense can reach 192.168.0.0/24, but it sends unmasqueraded packets upstream.
Does the OPNsense's upstream gateway have the proper route to 192.168.0.0/24?


I'm assuming so, yes. As long as the default NAT configuration is automatic for this interface:

Also, I can't see any need to configure that route or masquerade setting manually, going by OPNsense's own documentation: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

You can use this as a workaround:

uci set firewall.lan.masq="1"
uci commit firewall
/etc/init.d/firewall restart

Now it works! :smiley:

Thanks @vgaetera


How would you recommend the proper way, instead of a workaround? :slight_smile:

The working workaround is proof that the issue is unrelated to OpenWrt.
Routing/firewall certainly require additional configuration on the OPNsense side.
Assuming you fixed the allowed IPs for 192.168.0.0/24 similarly to OpenWrt.
But I'm afraid that troubleshooting OPNsense is outside the scope of this forum.


After enabling this:

uci set firewall.lan.masq="1"
uci commit firewall
/etc/init.d/firewall restart

I can't get access to site "B" (OpenWrt subnet) from site "A". :frowning:

Already asked there, but nobody helped: https://forum.opnsense.org/index.php?topic=24720.msg119009#msg119009

:frowning:

Verify that the source IP is included in the allowed IPs on the OpenWrt side.
Or enable masquerading for the VPN firewall zone on the OPNsense side.
If the issue persists, it's best to consult the OPNsense support channels.
Or consider replacing OPNsense with OpenWrt, so we can proceed here.


After many months fighting with this, the solution had to be around NAT, for selective routing, because the OPNsense router received the packets from site "B" with the original LAN IP address of the requesting device. Doing the NAT on site "B" makes it unavailable from site "A".

I disabled the NAT on the LAN zone of site "B" (OpenWrt):

uci set firewall.lan.masq="0"
uci commit firewall
/etc/init.d/firewall restart

And added, on site "A" (OPNsense), a manual rule under NAT Outbound:

The range 192.168.20.0/24 is the LAN range of the site "B" OpenWrt router.

With this configuration, both sites can exchange traffic transparently, adding the possibility of selective routing from site "B", through site "A", to the internet, tunneling some FQDN static-routed traffic from site "B".

The complexity of this setup had to do with the fact that the OpenWrt router with WireGuard acts as a router within a router, as opposed to the typical site-to-site (LAN to LAN) internal WireGuard routing (no need to double NAT) or the "road warrior" client configuration (remote client to LAN or WAN), which needs NAT only toward the WAN.

PoC: [screenshot not reproduced]

Thanks for the support @vgaetera .

Just read this thread, but I need a little more explicit help.
In a classic site-to-site (mediated by a VPS node) Linux config, I usually write these lines in the wireguard.conf of the home node:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

How and where should these be put in OpenWrt? I already have a wg interface working like a charm; I want to "promote" it to site-to-site (actually managed by a Linux machine that I would stop).
Thanks!!!

Try here, in LuCI:

Network -> Firewall -> General Settings -> Zones
Network -> Firewall -> NAT Rules

Hi, can you give me more info?
The NAT section, I think, is for
iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
right?
And where should this be configured? Somewhere in the wg0 interface?
iptables -A FORWARD -i wg0 -j ACCEPT

Network -> Firewall -> add

Set forward parameter and covered networks.
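As an added example (not from the thread or from any poster), here is the uci equivalent of the two iptables PostUp lines asked about above, done the OpenWrt way the last reply points to: a dedicated firewall zone that covers the WireGuard interface, with explicit forwardings instead of a blanket "-i wg0 -j ACCEPT". The MASQUERADE on the uplink needs no extra rule, because OpenWrt's default wan zone already masquerades; the lan zone keeps masq='0', matching the final working setup described earlier in the thread (NAT for the remote prefix is done on the other site's router, not on OpenWrt). The interface name wg0, the zone name wg, and the "lan"/"wan" zone names are assumptions; adjust them to your /etc/config/network and /etc/config/firewall. The script only prints the commands unless APPLY=1 is set, so it can be reviewed off the router.

```shell
#!/bin/sh
# Added example, not from the thread: OpenWrt/uci firewall zone for an existing
# WireGuard interface, replacing iptables "-A FORWARD -i wg0 -j ACCEPT" with
# explicit zone forwardings. Assumptions: WG_IFACE exists in /etc/config/network,
# "lan" and "wan" are the default zone names, and the wan zone already has masq='1'.
WG_IFACE="${WG_IFACE:-wg0}"
WG_ZONE="${WG_ZONE:-wg}"

# Emit the uci commands as text so they can be reviewed (and tested) before applying.
# input is ACCEPT because the tunnel peer is authenticated and trusted site-to-site;
# forward is REJECT so only the three forwardings below are allowed.
wg_zone_commands() {
    cat <<EOF
uci set firewall.${WG_ZONE}=zone
uci set firewall.${WG_ZONE}.name='${WG_ZONE}'
uci set firewall.${WG_ZONE}.network='${WG_IFACE}'
uci set firewall.${WG_ZONE}.input='ACCEPT'
uci set firewall.${WG_ZONE}.output='ACCEPT'
uci set firewall.${WG_ZONE}.forward='REJECT'
uci set firewall.${WG_ZONE}.masq='0'
uci set firewall.${WG_ZONE}_to_lan=forwarding
uci set firewall.${WG_ZONE}_to_lan.src='${WG_ZONE}'
uci set firewall.${WG_ZONE}_to_lan.dest='lan'
uci set firewall.lan_to_${WG_ZONE}=forwarding
uci set firewall.lan_to_${WG_ZONE}.src='lan'
uci set firewall.lan_to_${WG_ZONE}.dest='${WG_ZONE}'
uci set firewall.${WG_ZONE}_to_wan=forwarding
uci set firewall.${WG_ZONE}_to_wan.src='${WG_ZONE}'
uci set firewall.${WG_ZONE}_to_wan.dest='wan'
uci set firewall.lan.masq='0'
uci commit firewall
EOF
}

# Number of forwarding sections the plan declares (tunnel<->lan both ways, tunnel->wan).
forwarding_count() {
    wg_zone_commands | grep -c '=forwarding'
}

# Apply on the router only; refuses to do anything where uci is not installed.
apply_wg_zone() {
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found; nothing applied (run this on the OpenWrt router)" >&2
        return 1
    fi
    wg_zone_commands | sh -e && /etc/init.d/firewall restart
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_wg_zone
else
    wg_zone_commands
fi
```

Review the printed plan first, then run it on the router with APPLY=1. The wg->wan forwarding is what lets site "B" hosts reach the internet through this router's masquerading WAN; drop that section if the remote site should only reach the LAN.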