docu/shared/horus-opnsense-wireguard/README.md

# Horus ↔ OPNsense WireGuard (Site-to-Site)

Direkter WireGuard-Tunnel zwischen **OPNsense** (lokales Netz) und **Horus** (VPS), ohne Umweg über VM 101.

| | |
|---|---|
| **Horus** | `horus.jeanavril.com` / `207.180.222.207`, WG-Port **61951**, Tunnel-IP **10.1.1.1** |
| **OPNsense** | Tunnel-IP **10.1.1.22**, Interface **`wg_horus` (opt10)** |
| **VM 101** | Tunnel-IP **10.1.1.5** — **eigener Tunnel**, bleibt (Cert-Rsync, SSH) |

**Produktiv seit 2026-06-28.** Vorfälle & Fehldiagnosen: [../../issues/2026-06-28-opnsense-horus-wireguard-lan.md](../../issues/2026-06-28-opnsense-horus-wireguard-lan.md)

---

## Keys nicht verwechseln (VM ≠ OPNsense)

| Tunnel | Private Key (Datei) | Public Key |
|--------|-------------------|------------|
| **OPNsense** `10.1.1.22` | `opnsense-client.conf` → `AGEam06B9…` | `walbWTYXAGOD1mOxPK+NwKT6qUhLyY0qieWBeTIbdXU=` |
| **VM 101** `10.1.1.5` | `vm101-client.conf` → `SKMnLpkj…` | `VB3Cf8kDxpzO+FyMrLxPyJ0vUjm8yJ/qIKmhY2KeeyI=` |

**Niemals** den VM-Key auf OPNsense verwenden.

---

## Subnetz-Aufteilung

| Netz | Horus-Peer | Routing |
|------|------------|---------|
| `10.1.1.5/32`, `10.2.2.0/24` | VM | VM-WG |
| `10.1.1.22/32`, `10.100.2.0/24` | OPNsense | OPNsense-WG |
| `192.168.10–60.0/24` | — | OPNsense **NAT** → Horus sieht `10.1.1.22` |

---

## Dateien

| Datei | Inhalt |
|-------|--------|
| [opnsense-client.conf](opnsense-client.conf) | Keys, PSK, Endpoint (OPNsense) |
| [opnsense-step-a-nat.md](opnsense-step-a-nat.md) | **OPNsense-Setup** (Route, Firewall, NAT) |
| [opnsense-internet-gateway.md](opnsense-internet-gateway.md) | **Optional:** LAN-Internet-Exit über Horus (GUI-only) |
| [horus-server-peer-opnsense.conf](horus-server-peer-opnsense.conf) | Horus Peer-Block |
| [wg0-opnsense-routes.sh](wg0-opnsense-routes.sh) | Horus Route-Script |
| [vm101-client.conf](vm101-client.conf) / [horus-server-peer-vm101.conf](horus-server-peer-vm101.conf) | VM-Tunnel (getrennt) |

---

## OPNsense — Kurz-Checkliste

Details: [opnsense-step-a-nat.md](opnsense-step-a-nat.md)

1. **WireGuard Local + Peer** aus `opnsense-client.conf`
2. **Interfaces → Assignments:** `wg_horus` (opt10)
3. Peer **Disable routes = an** → **Static Route** `10.1.1.0/24` Gateway **`10.1.1.1`**, Interface **wg_horus**
4. **Firewall wg_horus:** Pass von `10.1.1.0/24` → This Firewall **und** raus Richtung Horus
5. **Firewall LAN/VLAN:** Pass → `10.1.1.0/24`
6. **Outbound NAT** auf `wg_horus` → SNAT `10.1.1.22`
7. Alte Route `10.1.1.0/24 → 192.168.178.1` **löschen**

Fritzbox: OPNsense in **DMZ** — kein extra WAN-Forwarding für WG.

---

## Horus (erledigt)

- Peer `walbWTYX…`: AllowedIPs `10.1.1.22/32`, `10.100.2.0/24`
- `wg0-opnsense-routes.service` für Kernel-Routen zu OPNsense/Services
- VM-Peer: `10.1.1.5/32`, `10.2.2.0/24` only
- **Road-Warrior Internet-Gateway** (pixel7): [../../horus/wireguard-internet-gateway.md](../../horus/wireguard-internet-gateway.md)
- **LAN-Internet über OPNsense:** [opnsense-internet-gateway.md](opnsense-internet-gateway.md) — Gateway `10.1.1.1` + **SNAT `10.1.1.22`** (verifiziert 2026-06-28)

---

## Tests

```bash
# Horus → OPNsense
ssh jean@192.168.10.10 'ssh root@10.1.1.1 ping -c3 10.1.1.22'

# OPNsense GUI: Diagnostics → Ping, Source wg_horus, Dest 10.1.1.1

# LAN
ping 10.1.1.1

# Horus: LAN-Traffic muss als 10.1.1.22 erscheinen
ssh root@10.1.1.1 'tcpdump -ni wg0 icmp and host 10.1.1.1'
```

---

## Wenn „Handshake ok, aber Ping tot“

| Richtung | Erste Prüfung |
|----------|----------------|
| OPNsense → Horus | Static Route Gateway **`10.1.1.1`**, Ping mit Source **wg_horus** |
| Horus → OPNsense | Firewall **wg_horus** Inbound |
| LAN → Horus | LAN-Pass + Outbound NAT + Gateway |

Breakpoint-Matrix: [Issue-Doku](../../issues/2026-06-28-opnsense-horus-wireguard-lan.md)

---

## VM 101 — eigener Tunnel

Separater WG-Tunnel; bei NAT-Problemen siehe [../../issues/2026-06-28-vm101-horus-wireguard-nat.md](../../issues/2026-06-28-vm101-horus-wireguard-nat.md).

**⛔ VM 104 (OPNsense) nie per Agent stoppen** — [../../pve1/04_fallback_aktivierung.md](../../pve1/04_fallback_aktivierung.md)

---

## Referenzen

| Thema | Doc |
|-------|-----|
| Horus SSH | [../ssh/README.md](../ssh/README.md#horus-vps-wireguard) |
| docbr0 | [../../pve1/guests/vm101-ubuntu/docbr0-opnsense-routing.md](../../pve1/guests/vm101-ubuntu/docbr0-opnsense-routing.md) |
| Issues-Index | [../../issues/README.md](../../issues/README.md) |