WireGuard Site-to-Site VPN
Site-to-site WireGuard tunnel between Site A and Site B: transit network, routed subnets, traffic policy, and build-sequence position.
WireGuard connects the two OPNsense firewalls across the internet using a routed 10.255.0.0/24 transit network, enabling Site A (10.10.0.0/16) and Site B (10.20.0.0/16) to reach each other without stretching L2 between sites.
No stretched L2 between sites
Inter-site connectivity is routed only — WireGuard carries IP traffic, not Ethernet frames. Never bridge L2 across sites. Corosync and Ceph cluster VLANs must stay local and must not traverse the tunnel.
Transit Network
The WireGuard tunnel is terminated on each OPNsense VM. Each peer's WireGuard interface holds one address from the 10.255.0.0/24 transit block.
| Endpoint | Site | WireGuard IP |
|---|---|---|
| sa-fw-01 (OPNsense VM on sa-edge-01) | Site A | 10.255.0.1 |
| sb-fw-01 (OPNsense VM on sb-edge-01) | Site B | 10.255.0.2 |
The transit subnet is /24; only .1 and .2 are used. The block does not overlap with either site supernet or any VLAN subnet.
Routed Subnets
Each OPNsense peer carries the other site's supernet as that peer's AllowedIPs. WireGuard has no routing protocol: AllowedIPs is both the route into the tunnel and the cryptokey filter that drops decrypted packets from any other source prefix. No NAT is applied to inter-site traffic.
| Origin site | Prefix | Routed to |
|---|---|---|
| Site A | 10.10.0.0/16 | Site B |
| Site B | 10.20.0.0/16 | Site A |
A host at 10.10.20.11 (Site A Proxmox Management, VLAN 20) reaches a host at 10.20.20.20 (Site B Proxmox Management, VLAN 20) via sa-fw-01 → WireGuard → sb-fw-01 without address translation.
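The transit and routed-subnet plan above, rendered as the two peer configurations and checked against the routing policy. This is an added example, not the page's or OPNsense's own configuration (OPNsense builds the equivalent from its WireGuard GUI; the wg-quick text is shown because it is the most compact way to read AllowedIPs). The listen port 51820, the `*.example.net` endpoints and the `<..._KEY>` placeholders are assumptions; the page states none of them.

```python
# Build wg-quick style configs for the two OPNsense transit peers from the
# address plan on this page, and check each side's AllowedIPs against the
# routing policy: remote transit address + remote supernet, nothing else.
import ipaddress
from dataclasses import dataclass
from typing import Optional

TRANSIT = ipaddress.ip_network("10.255.0.0/24")
LISTEN_PORT = 51820  # ASSUMPTION: WireGuard's default port; the page does not state one


@dataclass(frozen=True)
class Site:
    name: str        # firewall hostname from the page
    transit_ip: str  # WireGuard interface address in the transit block
    supernet: str    # site supernet routed over the tunnel
    endpoint: str    # ASSUMPTION: public endpoint placeholder, not on the page
    pubkey: str      # ASSUMPTION: placeholder; generate with `wg genkey | wg pubkey`


SITE_A = Site("sa-fw-01", "10.255.0.1", "10.10.0.0/16", "sa-fw-01.example.net", "<SA_PUBLIC_KEY>")
SITE_B = Site("sb-fw-01", "10.255.0.2", "10.20.0.0/16", "sb-fw-01.example.net", "<SB_PUBLIC_KEY>")


def allowed_ips(remote: Site) -> list:
    """Prefixes routed into the tunnel towards `remote`: its transit address and
    its supernet. AllowedIPs is also WireGuard's cryptokey filter, so decrypted
    packets from this peer with any other source address are dropped."""
    return [f"{remote.transit_ip}/32", remote.supernet]


def peer_config(local: Site, remote: Site) -> str:
    """wg-quick style text for `local`; OPNsense builds the equivalent from its GUI."""
    lines = [
        "[Interface]",
        f"# {local.name}",
        f"Address = {local.transit_ip}/{TRANSIT.prefixlen}",
        f"ListenPort = {LISTEN_PORT}",
        "PrivateKey = <PRIVATE_KEY>",  # placeholder: never paste the real key into a wiki
        "",
        "[Peer]",
        f"# {remote.name}",
        f"PublicKey = {remote.pubkey}",
        f"Endpoint = {remote.endpoint}:{LISTEN_PORT}",
        f"AllowedIPs = {', '.join(allowed_ips(remote))}",
        "PersistentKeepalive = 25",  # keeps the path open through any stateful device in between
    ]
    return "\n".join(lines) + "\n"


def policy_violations(local: Site, remote: Site, cidrs: Optional[list] = None) -> list:
    """Reasons an AllowedIPs list would break the page's routing policy.
    Defaults to the generated list; pass `cidrs` to audit a hand-edited one."""
    local_net = ipaddress.ip_network(local.supernet)
    remote_net = ipaddress.ip_network(remote.supernet)
    problems = []
    for cidr in (cidrs if cidrs is not None else allowed_ips(remote)):
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0:
            problems.append(f"{cidr}: default route would pull all traffic into the tunnel")
        elif net.overlaps(local_net):
            problems.append(f"{cidr}: overlaps the local supernet {local_net}")
        elif not (net.subnet_of(TRANSIT) or net.subnet_of(remote_net)):
            problems.append(f"{cidr}: outside the transit block and the remote supernet")
    return problems


def transit_overlaps() -> list:
    """Supernets that collide with the transit block; the page requires this to be empty."""
    return [s.supernet for s in (SITE_A, SITE_B)
            if TRANSIT.overlaps(ipaddress.ip_network(s.supernet))]


if __name__ == "__main__":
    assert not transit_overlaps()
    for local, remote in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        assert not policy_violations(local, remote)
        print(peer_config(local, remote))
```

`policy_violations` is the check worth keeping around: a `0.0.0.0/0` in AllowedIPs silently turns the site-to-site link into a full tunnel, and a prefix overlapping the local supernet black-holes local traffic into the tunnel. Both are easy to introduce in a GUI edit and neither produces an error.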
Traffic Policy
The WireGuard link carries only required inter-site traffic. OPNsense firewall rules on each side enforce this.
Permitted traffic classes:
- Management and administration to remote Proxmox Management (VLAN 20)
- Proxmox Backup Server (PBS) replication between sites (VLAN 90)
- DNS, NTP, and monitoring as needed (VLANs 30, 80)
- Selected application traffic (VM Services, VLAN 30)
Traffic that must never cross WireGuard:
- Corosync heartbeat (VLAN 25) — local-only, no gateway by design
- Ceph cluster replication (VLAN 65) — local-only, no gateway by design
- Raw storage traffic (VLAN 60) — stays within each site
WireGuard is routed connectivity, not datacenter fabric
The tunnel connects two independent sites for management and replication purposes. It is not a stretched LAN. Each site's Proxmox cluster, Ceph cluster, and storage remain entirely local.
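The traffic policy above as a first-match rule model, run against constructed sample flows so the permitted and forbidden classes can be checked before they are typed into OPNsense. This is an added example, not OPNsense's rule engine: OPNsense evaluates rules top-down and a rule with "quick" set (the GUI default) ends evaluation on the first hit, which is what the model does. Assumptions not stated on the page: subnets follow `10.<site>.<vlan>.0/24` (inferred from the 10.10.20.11 and 10.20.20.20 examples), management traffic originates from the local VLAN 20, and the ports are the upstream defaults (Proxmox 22/8006, PBS 8007, DNS 53, NTP 123).

```python
# First-match model of the inter-site firewall policy on this page, evaluated
# against constructed sample flows. ASSUMPTIONS: 10.<site>.<vlan>.0/24 subnets
# (inferred from the page's examples) and upstream default port numbers.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def vlan(site: int, vlan_id: int) -> ipaddress.IPv4Network:
    """Subnet of a VLAN at a site; the second octet is the site (10 = A, 20 = B)."""
    return ipaddress.ip_network(f"10.{site}.{vlan_id}.0/24")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def tunnel_rules(local: int, remote: int) -> list:
    """Rules for traffic entering the tunnel at `local`, first-match. Local-only
    VLANs are blocked first so no later pass rule can leak them, even though
    VLANs 25 and 65 have no gateway and should never reach the firewall."""
    rules = []
    for v in (25, 65, 60):
        rules.append(Rule("block", vlan(local, v), ANY, note=f"VLAN {v} stays local"))
        rules.append(Rule("block", ANY, vlan(remote, v), note=f"remote VLAN {v} is local to that site"))
    rules += [
        Rule("pass", vlan(local, 20), vlan(remote, 20), "tcp", 22, "SSH to remote Proxmox management"),
        Rule("pass", vlan(local, 20), vlan(remote, 20), "tcp", 8006, "Proxmox web UI / API"),
        Rule("pass", vlan(local, 90), vlan(remote, 90), "tcp", 8007, "PBS replication"),
        Rule("pass", vlan(local, 30), vlan(remote, 30), None, 53, "DNS"),
        Rule("pass", vlan(local, 30), vlan(remote, 30), "udp", 123, "NTP"),
        Rule("pass", vlan(local, 80), vlan(remote, 80), note="monitoring"),
        Rule("block", ANY, ANY, note="default deny on the tunnel"),
    ]
    return rules


def verdict(rules: list, flow: Flow) -> tuple:
    """Action and note of the first matching rule."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in (None, flow.proto) and r.dport in (None, flow.dport):
            return r.action, r.note
    return "block", "no rule matched"


# Constructed sample flows from Site A into the tunnel, with the expected verdict.
SAMPLE_FLOWS = [
    (Flow("10.10.20.11", "10.20.20.20", "tcp", 8006), "pass"),   # mgmt to remote mgmt
    (Flow("10.10.90.40", "10.20.90.40", "tcp", 8007), "pass"),   # PBS to PBS
    (Flow("10.10.30.50", "10.20.30.40", "udp", 53), "pass"),     # DNS
    (Flow("10.10.25.11", "10.20.25.11", "udp", 5405), "block"),  # Corosync must stay local
    (Flow("10.10.65.11", "10.20.65.11", "tcp", 6800), "block"),  # Ceph must stay local
    (Flow("10.10.20.11", "10.20.60.10", "tcp", 2049), "block"),  # storage stays within site
    (Flow("10.10.20.11", "10.20.90.40", "tcp", 8007), "block"),  # mgmt is not a PBS peer
    (Flow("10.10.20.11", "10.20.20.20", "tcp", 3389), "block"),  # port not in policy
]


def audit(rules: list, samples=SAMPLE_FLOWS) -> list:
    """Flows whose verdict differs from the expected one; empty means the policy holds."""
    bad = []
    for flow, expected in samples:
        action, note = verdict(rules, flow)
        if action != expected:
            bad.append(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: "
                       f"got {action} ({note}), expected {expected}")
    return bad


if __name__ == "__main__":
    problems = audit(tunnel_rules(10, 20))
    print("policy holds" if not problems else "\n".join(problems))
```

The mirror rule set for sb-fw-01 is `tunnel_rules(20, 10)`. The two "mgmt to PBS" and "unlisted port" flows are the ones worth keeping in the sample: they fail only if someone widens a pass rule to "any", which is the usual way a tunnel policy quietly stops being least-privilege.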
Build Sequence Position
WireGuard is established in Phase 3 of the OPNsense migration, after both sites have OPNsense running and serving infrastructure:
| Phase | Action |
|---|---|
| 1 | OPNsense inserted upstream of UniFi at Site A |
| 2 | OPNsense inserted upstream of UniFi at Site B |
| 3 | WireGuard site-to-site VPN established between sa-fw-01 and sb-fw-01 |
| 4 | Proxmox nodes moved to final VLAN 20 management IPs |
| 5 | Proxmox clusters formed at each site |
| 6 | Storage, PBS replication, and Kubernetes |
Bring up the tunnel after both OPNsense VMs are stable and their VLAN gateways are confirmed. Verify reachability across both /16 supernets before proceeding to Phase 4.
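A readiness check for the end of Phase 3: parse `wg show wg0 dump` on a firewall, confirm the peer, its AllowedIPs and a recent handshake match the plan, then probe the remote transit address and a remote VLAN 20 host. This is an added example, not OPNsense tooling (wireguard-tools, which provides `wg`, ships with the OPNsense WireGuard plugin). Assumptions: the interface is named wg0, peers are identified by the `<..._KEY>` placeholder public keys, and the sample dump below is constructed.

```python
# Phase 3 readiness check: parse `wg show wg0 dump` and confirm the live tunnel
# state matches the plan before Phase 4. ASSUMPTIONS: interface wg0, placeholder
# public keys, constructed sample output.
import subprocess
import time

MAX_HANDSHAKE_AGE = 180  # seconds; an active WireGuard link rekeys about every 2 minutes

# Expected peer on each firewall, keyed by that peer's (placeholder) public key.
PLAN = {
    "sa-fw-01": {"<SB_PUBLIC_KEY>": ("sb-fw-01", {"10.255.0.2/32", "10.20.0.0/16"})},
    "sb-fw-01": {"<SA_PUBLIC_KEY>": ("sa-fw-01", {"10.255.0.1/32", "10.10.0.0/16"})},
}


def parse_dump(text: str) -> dict:
    """`wg show <iface> dump`: one tab-separated interface line (private key, public key,
    listen port, fwmark), then one line per peer (public key, preshared key, endpoint,
    allowed IPs, last handshake as unix time, rx bytes, tx bytes, keepalive)."""
    lines = text.strip().splitlines()
    iface = lines[0].split("\t")
    peers = []
    for line in lines[1:]:
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = line.split("\t")
        peers.append({
            "pubkey": pub,
            "endpoint": endpoint,
            "allowed": set(allowed.split(",")) if allowed != "(none)" else set(),
            "handshake": int(handshake),
            "rx": int(rx),
            "tx": int(tx),
        })
    return {"listen_port": int(iface[2]), "peers": peers}


def check(state: dict, expected: dict, now: float) -> list:
    """Deviations between the live interface state and the plan; empty means ready."""
    problems, seen = [], set()
    for p in state["peers"]:
        if p["pubkey"] not in expected:
            problems.append(f"unexpected peer {p['pubkey']} ({p['endpoint']})")
            continue
        name, want = expected[p["pubkey"]]
        seen.add(p["pubkey"])
        if p["allowed"] != want:
            problems.append(f"{name}: AllowedIPs {sorted(p['allowed'])} != plan {sorted(want)}")
        if p["handshake"] == 0:
            problems.append(f"{name}: no handshake yet")
        elif now - p["handshake"] > MAX_HANDSHAKE_AGE:
            problems.append(f"{name}: last handshake {int(now - p['handshake'])}s ago")
        if p["rx"] == 0:
            problems.append(f"{name}: nothing received; remote side may not be up")
    for pub, (name, _) in expected.items():
        if pub not in seen:
            problems.append(f"{name}: peer {pub} missing from the interface")
    return problems


# Constructed `wg show wg0 dump` output as seen on sa-fw-01 (keys and endpoint are placeholders).
SAMPLE_DUMP = (
    "<SA_PRIVATE_KEY>\t<SA_PUBLIC_KEY>\t51820\toff\n"
    "<SB_PUBLIC_KEY>\t(none)\t203.0.113.2:51820\t10.255.0.2/32,10.20.0.0/16"
    "\t1700000100\t48212\t39780\t25\n"
)


def ping(host: str) -> bool:
    """One ICMP probe with a hard timeout (portable across FreeBSD and Linux ping flags)."""
    try:
        return subprocess.run(["ping", "-c", "1", host], capture_output=True, timeout=5).returncode == 0
    except subprocess.TimeoutExpired:
        return False


if __name__ == "__main__":
    out = subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True, text=True, check=True).stdout
    problems = check(parse_dump(out), PLAN["sa-fw-01"], time.time())
    for host in ("10.255.0.2", "10.20.20.20"):  # remote transit address, then a remote VLAN 20 host
        if not ping(host):
            problems.append(f"{host} unreachable")
    print("ready for Phase 4" if not problems else "\n".join(problems))
```

Run it on sa-fw-01 with `PLAN["sa-fw-01"]` and on sb-fw-01 with `PLAN["sb-fw-01"]`. A handshake older than a few minutes with rx still climbing is not possible, so a stale handshake means the remote side stopped answering; rx at zero with a fresh handshake usually means the remote AllowedIPs does not include the local prefix.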
Related Pages
- VLAN Reference — VLAN table including VLANs 25 and 65 that must not traverse the tunnel
- IP Addressing — supernets, per-host IPs, and the full address plan
- Migration Phases — full OPNsense build sequence
- Address-Block Convention — the per-/24 octet-band convention governing every routed subnet: gateways at .1, switches at .2–.9, host interfaces at .10–.39, service VMs at .40–.49, DHCP/static at .50–.199, and VIPs at .200–.254
- DNS Design — DNS architecture for the two-site homelab: public domain, internal zone, resolution flow, and certificate strategy