AORXI Homelab

WireGuard Site-to-Site VPN

Site-to-site WireGuard tunnel between Site A and Site B: transit network, routed subnets, traffic policy, and build-sequence position.

WireGuard connects the two OPNsense firewalls across the internet using a routed 10.255.0.0/24 transit network, enabling Site A (10.10.0.0/16) and Site B (10.20.0.0/16) to reach each other without stretching L2 between sites.

No stretched L2 between sites

Inter-site connectivity is routed only — WireGuard carries IP traffic, not Ethernet frames. Never bridge L2 across sites. Corosync and Ceph cluster VLANs must stay local and must not traverse the tunnel.

Transit Network

The WireGuard tunnel is terminated on each OPNsense VM. Each peer holds one address from the 10.255.0.0/24 transit block, configured with the /24 mask.

Endpoint                               Site     WireGuard IP
sa-fw-01 (OPNsense VM on sa-edge-01)   Site A   10.255.0.1
sb-fw-01 (OPNsense VM on sb-edge-01)   Site B   10.255.0.2

The transit subnet is /24; only .1 and .2 are used. The block does not overlap with either site supernet or any VLAN subnet.

Routed Subnets

Each OPNsense peer routes the other site's supernet through the tunnel: the remote /16 is covered by that peer's AllowedIPs for the remote endpoint and reached via the remote transit address. No NAT is applied to inter-site traffic.

Advertising site   Prefix         Received by
Site A             10.10.0.0/16   Site B
Site B             10.20.0.0/16   Site A

A host at 10.10.20.11 (Site A Proxmox Management) reaches a host at 10.20.20.20 (Site B Proxmox Management) via sa-fw-01 → WireGuard → sb-fw-01 without address translation.

Traffic Policy

The WireGuard link carries only required inter-site traffic. AllowedIPs only bounds which addresses each peer will send into and accept from the tunnel; it is not a traffic policy. The per-class policy below is enforced by OPNsense firewall rules on the WireGuard interface at each site.

Permitted traffic classes:

  • Management and administration to remote Proxmox Management (VLAN 20)
  • Proxmox Backup Server (PBS) replication between sites (VLAN 90)
  • DNS, NTP, and monitoring as needed (VLANs 30, 80)
  • Selected application traffic (VM Services, VLAN 30)

Traffic that must never cross WireGuard:

  • Corosync heartbeat (VLAN 25) — local-only, no gateway by design
  • Ceph cluster replication (VLAN 65) — local-only, no gateway by design
  • Raw storage traffic (VLAN 60) — stays within each site
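The following is an added example for this page, not the AORXI project's own tooling or an OPNsense export. It encodes the address plan from the Transit Network and Routed Subnets sections, derives the AllowedIPs and a wg-quick-style configuration for each peer, checks that the transit block overlaps neither site supernet, and models the Traffic Policy above as a decision function over sample flows. Keys, endpoints and the ListenPort (51820) are placeholders; the mapping of VLAN N to 10.<site>.N.0/24 is an assumption (the page only confirms it for VLAN 20), and the real OPNsense rules are additionally per-port and per-direction.

```python
# Added example for the AORXI Homelab WireGuard page; not the project's own code.
# Derives each OPNsense peer's AllowedIPs and a wg-quick-style config from the
# page's address plan, and models the inter-site traffic policy.
# Assumptions (not from the page): VLAN subnets are 10.<site>.<vlan>.0/24,
# ListenPort 51820, and keys/endpoints are placeholders.
from ipaddress import ip_address, ip_network

TRANSIT = ip_network("10.255.0.0/24")

SITES = {
    "A": {"fw": "sa-fw-01", "supernet": ip_network("10.10.0.0/16"), "wg_ip": "10.255.0.1"},
    "B": {"fw": "sb-fw-01", "supernet": ip_network("10.20.0.0/16"), "wg_ip": "10.255.0.2"},
}

# Traffic classes from the page: VLANs reachable across the tunnel, and VLANs
# that are local-only by design and must never traverse it.
PERMITTED_VLANS = {20: "Proxmox Management", 30: "VM Services", 80: "Monitoring", 90: "PBS"}
LOCAL_ONLY_VLANS = {25: "Corosync", 60: "Storage", 65: "Ceph cluster"}


def remote_of(local):
    return "B" if local == "A" else "A"


def check_no_overlap():
    """The transit block must not overlap either site supernet, and the two
    supernets must not overlap each other."""
    nets = [TRANSIT] + [s["supernet"] for s in SITES.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"address plan overlap: {a} and {b}")
    return True


def allowed_ips(local):
    """AllowedIPs for the remote peer (WireGuard's cryptokey routing table):
    the remote supernet plus the remote transit address, and nothing else."""
    r = SITES[remote_of(local)]
    return [str(r["supernet"]), f"{r['wg_ip']}/32"]


def render_config(local, listen_port=51820):
    """wg-quick-style config for one OPNsense peer; placeholders in <>."""
    l, r = SITES[local], SITES[remote_of(local)]
    return (
        "[Interface]\n"
        f"Address = {l['wg_ip']}/{TRANSIT.prefixlen}\n"
        f"ListenPort = {listen_port}\n"
        f"PrivateKey = <{l['fw']} private key>\n"
        "\n"
        "[Peer]\n"
        f"# {r['fw']}\n"
        f"PublicKey = <{r['fw']} public key>\n"
        f"Endpoint = <{r['fw']} public address>:{listen_port}\n"
        f"AllowedIPs = {', '.join(allowed_ips(local))}\n"
        "PersistentKeepalive = 25\n"
    )


def site_of(addr):
    return next((k for k, v in SITES.items() if addr in v["supernet"]), None)


def vlan_of(addr):
    # Assumed numbering: 10.<site>.<vlan>.<host>
    return int(str(addr).split(".")[2])


def tunnel_policy(src, dst):
    """What the inter-site firewall rules should do with a flow.
    'local' = never enters the tunnel; 'permit' = allowed class;
    'deny: ...' = blocked, with the reason. Address-level model only."""
    s, d = ip_address(src), ip_address(dst)
    ss, ds = site_of(s), site_of(d)
    if ss is None or ds is None:
        return "deny: not an inter-site address"
    if ss == ds:
        return "local"
    for a in (s, d):
        v = vlan_of(a)
        if v in LOCAL_ONLY_VLANS:
            return f"deny: VLAN {v} ({LOCAL_ONLY_VLANS[v]}) is local-only"
    dv = vlan_of(d)
    if dv in PERMITTED_VLANS:
        return "permit"
    return f"deny: VLAN {dv} is not a permitted inter-site class"


if __name__ == "__main__":
    check_no_overlap()
    for site in SITES:
        print(f"--- {SITES[site]['fw']} ---\n{render_config(site)}")
    for flow in [("10.10.20.11", "10.20.20.20"),   # mgmt to remote mgmt
                 ("10.10.25.11", "10.20.25.11"),   # Corosync, must be denied
                 ("10.10.20.11", "10.10.20.12")]:  # same site, never tunnelled
        print(flow, "->", tunnel_policy(*flow))
```

Note that `allowed_ips` is deliberately the only list WireGuard itself enforces: a packet for 10.20.25.11 still matches 10.20.0.0/16, so the Corosync and Ceph exclusions in `tunnel_policy` have to be real firewall rules on the WireGuard interface, not something the tunnel does for you.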

WireGuard is routed connectivity, not datacenter fabric

The tunnel connects two independent sites for management and replication purposes. It is not a stretched LAN. Each site's Proxmox cluster, Ceph cluster, and storage remain entirely local.

Build Sequence Position

WireGuard is established at Phase 3 of the OPNsense migration, after both sites have OPNsense running and serving infrastructure:

Phase   Action
1       OPNsense inserted upstream of UniFi at Site A
2       OPNsense inserted upstream of UniFi at Site B
3       WireGuard site-to-site VPN established between sa-fw-01 and sb-fw-01
4       Proxmox nodes moved to final VLAN 20 management IPs
5       Proxmox clusters formed at each site
6       Storage, PBS replication, and Kubernetes

Bring up the tunnel after both OPNsense VMs are stable and their VLAN gateways are confirmed. Verify reachability across both /16 supernets before proceeding to Phase 4.
