mirror of https://github.com/opnsense/docs synced 2024-10-30 21:20:20 +00:00

Update wireguard-s2s.rst

- Omitted Source Port in Firewall rules
- Added tip and note about dynamic WAN IP
Monviech 2023-10-13 08:50:10 +02:00 committed by GitHub
parent efbf982e03
commit 9eae9391d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -122,9 +122,15 @@ Go to tab **Local** and edit *wgopn-site-b*.
Press **Save** and **Apply**.
------------------------------
.. Tip::
If one of your sites has a dynamic WAN IP address, you can leave the *Endpoint Address* on the site with the static IP address empty. The site with the dynamic IP will then be the initiator, and the site with the static IP will be the responder. Adjust the Firewall rule accordingly to allow any Source IP to connect to the static site.
.. Note::
If you use hostnames in the *Endpoint Address*, Wireguard will only resolve them once when you start the tunnel. If both sites have dynamic *Endpoint Addresses* set, the tunnel will stop working when they both use DynDNS hostnames, and one (or both) sites receives a new Lease from the ISP. You could probably mitigate this with a cron job that restarts wireguard periodically.
-------------------------------
Step 4a - Setup Firewall Site A
------------------------------
-------------------------------
Go to :menuselection:`Firewall --> Rules --> WAN` add a new rule to allow incoming wireguard traffic from Site B.
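Review bot: The added Tip tells readers with a dynamic remote site to widen the static site's WAN rule to any Source IP but does not say why that is acceptable; one sentence would help, namely that WireGuard silently discards any packet that does not carry a valid handshake for a configured peer key, so the wider rule exposes only UDP 51820 to traffic the daemon drops, and the static site, having no endpoint for the dynamic peer, never initiates on its own. The added Note hedges ("You could probably mitigate this") on a point the docs should state plainly: hostnames in *Endpoint Address* are resolved once at tunnel start, so the documented workaround is a scheduled restart of the WireGuard service. Also use the project's spelling "WireGuard" (not "Wireguard") and lowercase "lease" and "firewall rule" in both directives for consistency with the rest of the page.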
@ -135,7 +141,6 @@ Go to :menuselection:`Firewall --> Rules --> WAN` add a new rule to allow incomi
**TCP/IP Version** *IPv4*
**Protocol** *UDP*
**Source** *203.0.113.2*
**Source port** *51820*
**Destination** *203.0.113.1*
**Destination port** *51820*
**Description** *Allow Wireguard from Site B to Site A*
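Review bot: Removing **Source port** *51820* from the Site A WAN rule is the right fix, but the hunk should say why so readers do not add it back: the packets reaching Site A carry source port 51820 only when Site B's listen port is 51820 and no NAT in between rewrites it, so pinning the source port breaks the tunnel as soon as a NAT device or a non-default listen port is involved; only **Destination port** *51820* is meaningful here. Since the new Tip tells readers with a dynamic Site B to allow any source, this rule table is also the place to note that **Source** becomes *any* in that case while the destination and destination port stay as shown.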
@ -172,7 +177,6 @@ Go to :menuselection:`Firewall --> Rules --> WAN` add a new rule to allow incomi
**TCP/IP Version** *IPv4*
**Protocol** *UDP*
**Source** *203.0.113.1*
**Source port** *51820*
**Destination** *203.0.113.2*
**Destination port** *51820*
**Description** *Allow Wireguard from Site A to Site B*
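Review bot: Same reasoning as for Site A applies to dropping **Source port** here, and one simplification is worth a sentence in this rule table: in the dynamic-IP layout from the Tip, Site B is the initiator, so its outbound handshake creates the firewall state that admits Site A's replies, and this inbound WAN rule on Site B is only needed when Site A is also expected to initiate. Keeping the rule with **Source** pinned to *203.0.113.1* is harmless, but telling readers it is optional for the initiator-only case avoids an unnecessary open port on the dynamic site.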