[Solved] Need help with wireguard

[csmall]

I used the doc here to configure wireguard.

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I am connecting an Android client and it seems to connect to the server fine but traffic send to only be sent and not received.

What could be wrong? I cannot get to the Web interface of opnsense when connected to the time or the internet.

I configured the client to use 0.0.0.0/0 for allowed ip's.

On the endpoint config I have allowed ip's set to the client_ip/24

I added the interface wg0 to assignments and enabled it with prevent removal.

I added the NAT rule for outbound NAT

I created the WAN firewall rule

I'm not sure what I could be missing... I expected at the very least to get to the webui of opnsense and maybe have a dns issue but I can't even get to that.

[Headologic]

Have you add a rule for the "interface" wireguard to pass the traffic?
When i first configure the wireguard-connection, i wonder why there are successful handshakes between server and peer, but no traffic incoming. So i check this and found, that there is no "pass all"-rule. And now it's working.

[mimugmail]

You need to troubleshoot at OPNsense while you are connected. Check if packets arrive and try to ping Tunnel address of Firewall while checking Firewall logs

[mimugmail]

Have you add a rule for the "interface" wireguard to pass the traffic?
When i first configure the wireguard-connection, i wonder why there are successful handshakes between server and peer, but no traffic incoming. So i check this and found, that there is no "pass all"-rule. And now it's working.

And be sure to label the assigned Interface not WireGuard

[csmall]

The interface is named opt2 for wg0.

I tried pointing the wg0 server address from the Android client and I looks like it is blocked in the firewall log?

filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,18553,0,DF,1,icmp,84,172.16.5.2,172.16.5.1,datalength=64

[csmall]

Have you add a rule for the "interface" wireguard to pass the traffic?
When i first configure the wireguard-connection, i wonder why there are successful handshakes between server and peer, but no traffic incoming. So i check this and found, that there is no "pass all"-rule. And now it's working.

Where did you add the rule and what are the rule details. I think this is my problem.

[csmall]

Nevermind. I found it. I added an any any permit rule to opt2 interface and now traffic is flowing. I can ping opnsense up and wireguard server up from the client now.

I can also reach the internet through the tunnel. Thanks!!

[mimugmail]

Hooray! 

[csmall]

Thanks again for all your hard work on this and other plugins

[csmall]

Thanks again for all your hard work on this and other plugins

It all of the sudden just stopped working. I can't understand why. I tried rebooting opnsense and the Android device. I haven't changed any settings other than adding another endpoint device. I will test that one in a few minutes and see if it works.

I also noticed that while I added the any any rules to the opt2 interface (wg0) and everything started flowing.. there is also now wireguard listed under firewall rules and it had no rule.. so I added an any any rule there just now and it didn't make a difference.

It worked all day yesterday and stopped sometime late last night

[csmall]

So I just confirmed that the second client I added still works. The first device is an android phone and it worked and then stopped. The second device is a laptop which is tethered to the Android device (without wireguard running of course) and it connects and traffic flows as expected.
So odd.

[mimugmail]

So, both are working or not?

[mimugmail]

maybe you are affected by this? https://github.com/opnsense/plugins/issues/1419#issuecomment-513491826

[csmall]

maybe you are affected by this? https://github.com/opnsense/plugins/issues/1419#issuecomment-513491826

Switching the endpoints on the server to /32 seems to have resolved the issue! /32 actually makes more sense to me me and I never understood why all the articles I saw used /24.

I didn't change the client to /32 but I will try that anyway I guess because it just sounds right.

But thank you, your link seems to have solved the problem.

[mimugmail]

I'll recheck our docs tomorrow. Was also not aware of this. Glad it works now