I'm having trouble building an OpenBSD site-to-site Wireguard tunnel
Judah Kocher
kocherjj at hotmail.com
Sun Jul 12 20:43:17 CEST 2020
Hello,
I am having some trouble trying to use WireGuard to set up a site-to-site
VPN tunnel between two OpenBSD 6.7/current routers. They are both
updated to the latest snapshot as of 7/11/2020.
I have no trouble at all setting up a client/server type connection to
either router, where I can either route all traffic through the router
or split tunnel and only route traffic for networks behind the router.
Where I am struggling is getting the networks behind the routers to
communicate with each other over a tunnel. Each router has multiple
subnets behind it and I intend to control which particular IPs are
allowed access to devices on the far ends of the wireguard tunnel using
PF rules but I'm just focused on one entire subnet on each end at this
time and can't even get that working.
My basic network topology for this first step is this:
Router A private subnet range: 10.212.20.0/24
Router A wireguard interface IP: 10.0.11.1
Router B private subnet range: 192.168.8.0/21
Router B wireguard interface IP: 10.0.11.2
What I am trying to accomplish is to have Router B "phone home" to
Router A and maintain a persistent tunnel with KeepAlive packets. Any
device on the 10.212.50.x subnet behind router A should be able to reach
any device on the 192.168.8.x subnet behind Router B.
Router A wg11.conf contents are:
[Interface] #RouterA
PrivateKey = RouterAprivatekey=
ListenPort = 51811
[Peer] #RouterB
PublicKey = RouterBpublickey=
AllowedIPs = 192.168.8.0/21, 10.0.11.0/24
Router A hostname.wg11 contents are:
inet 10.0.11.1 255.255.255.0
!/usr/local/bin/wg setconf wg11 /etc/wireguard/wg11.conf
In the Router A pf.conf file I have these relevant rules, which will be
tightened up once I get the tunnel working but are as open as possible
to try to get something working:
# Wireguard wg11 VPN Connection Rules
pass in quick on egress inet proto udp from <RouterBIP> to port 51811
# Wireguard wg11 Traffic Rules
pass quick on wg11
Router B wg11.conf contents are:
[Interface] #RouterB
PrivateKey = RouterBprivatekey=
[Peer] #RouterA
PublicKey = RouterApublicKey=
AllowedIPs = 10.0.11.0/24, 10.212.20.0/24
Endpoint = FQDN_for_RouterA:51811
PersistentKeepalive = 25
Router B hostname.wg11 contents are:
inet 10.0.11.2 255.255.255.0
!/usr/local/bin/wg setconf wg11 /etc/wireguard/wg11.conf
In Router B's pf.conf file I have these relevant rules, which will be
tightened up once I get the tunnel working but are as open as possible
to try to get something working:
# Wireguard VPN Connection Rules
pass out quick on egress inet proto udp to <RouterBIP> port 51811
# Wireguard wg11 Traffic Rules
pass quick on wg11
I brought up each interface with: doas sh /etc/netstart wg11
I can ping 10.0.11.2 from router A. I cannot ping 10.0.11.1 from router
B. Running tcpdump on router A shows the ping requests coming in on the
external interface but no reply going back out.
When I 'route show' on either router, I do not see the extra subnet
specified in "allowed IPs" anywhere in the routing table. I cannot ping
any other devices on the far subnets or even any other interfaces on the
far router from either end.
I am seeing the keepalive packet on Router A every 25 seconds, so this
is working at least.
I've tried generating all new keys, tried destroying all interfaces
and config files and starting over, tried changing the "allowed IPs" to
/32 targeting specific hosts that I know will respond to connection
attempts, and none of this seems to matter. Nothing seems to be getting
routed across the tunnel other than direct pings of the opposite router's
wireguard interface, and even in that case it only works correctly one
way. I feel like I must be missing something really obvious but hours of
reading Google search results and experimenting with other settings
doesn't seem to make any difference. If anyone sees any issues in my setup and
would be willing to share some advice I would greatly appreciate it!
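An added check for the 'route show' observation above (example script, not from the original post and not an OpenBSD or wireguard-tools utility): wg(8) setconf loads keys and peers but installs no routes, so each AllowedIPs prefix needs its own route into wg11. The script prints those route commands for a setconf-style file and can list the prefixes the kernel table still lacks; the function names and the gateway/tunnel-net arguments are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the post or from OpenBSD's tooling. wg(8) setconf loads keys
# and peers only and installs no routes, so a prefix in AllowedIPs is only reachable if
# a route already points it into wgN. These helpers print the route(8) commands a
# setconf-style file implies and list the prefixes the kernel table still lacks.
# Function names and the GATEWAY/TUNNEL_NET arguments are this example's own.

# wg_allowed_ips CONF -> one AllowedIPs prefix per line (comments, spaces stripped)
wg_allowed_ips() {
    sed -n 's/#.*//; s/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' | tr -d ' \t' | grep -v '^$'
}

# wg_route_cmds CONF GATEWAY TUNNEL_NET -> a "route add" per prefix, skipping TUNNEL_NET
# (the wgN address already covers that one as a connected route)
wg_route_cmds() {
    wg_allowed_ips "$1" | while read -r prefix; do
        [ "$prefix" = "$3" ] && continue
        printf 'route -n add -inet %s %s\n' "$prefix" "$2"
    done
}

# wg_netstat_form PREFIX -> the spelling OpenBSD netstat -rn / route show uses
# (trailing .0 octets dropped, /32 hosts shown bare): 10.212.20.0/24 -> 10.212.20/24
wg_netstat_form() { printf '%s\n' "$1" | sed 's#/32$##; s#\(\.0\)*/#/#'; }

# wg_missing_routes CONF TUNNEL_NET -> prefixes with no matching entry in netstat -rn
wg_missing_routes() {
    table=$(netstat -rn 2>/dev/null || true)
    wg_allowed_ips "$1" | while read -r prefix; do
        [ "$prefix" = "$2" ] && continue
        case "$table" in *"$(wg_netstat_form "$prefix")"*) ;; *) echo "$prefix" ;; esac
    done
}

# Constructed sample shaped like Router B's wg11.conf in the post (placeholder keys)
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[Interface] #RouterB
PrivateKey = PLACEHOLDER=
[Peer] #RouterA
PublicKey = PLACEHOLDER=
AllowedIPs = 10.0.11.0/24, 10.212.20.0/24
Endpoint = FQDN_for_RouterA:51811
EOF
wg_route_cmds "$demo_conf" 10.0.11.1 10.0.11.0/24   # gateway = Router A's tunnel address
rm -f "$demo_conf"
```

Run `wg_missing_routes /etc/wireguard/wg11.conf 10.0.11.0/24` on the router itself to see which AllowedIPs prefixes still have no route; an empty result means every far prefix already points somewhere in the kernel table.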