OPNsense Forum

English Forums => Virtual private networks => Topic started by: C0ldkut on March 22, 2022, 10:44:47 pm

Title: Wireguard stop the endless suffering
Post by: C0ldkut on March 22, 2022, 10:44:47 pm
Hi all.

I am desperately trying to set up Wireguard. I read all the documentation, watched all the YT videos, did like 4 setups. Still I fail to set it up and I refuse to accept it.  ;)

What I did to troubleshoot:
Public keys are correct.
Peers are enabled on local.

Allowed IPs on client is 0.0.0.0/0
Interface is configured on wg01 as WIRE.
Port is set to 5552 and called as VPN_PORT.
NAT outbound as on Screenshot 1.
Firewall rules as on Screenshot 2.
Peer config on Screenshot 3.
Local config on screenshot 4.
I also configured Unbound DNS: DNS over TLS.
AL on Unbound shows my WG network IP 10.0.0.1/24.
Please help. I want to make it work.
Btw.: Be nice, I am new to OPNsense and firewalls in general and I am not in IT. Thanks. ;-)
Title: Re: Wireguard stop the endless suffering
Post by: Greelan on March 23, 2022, 09:39:03 am
Looks like you are missing firewall rules on your WIRE interface.

Did you look at this how-to?

https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Title: Re: Wireguard stop the endless suffering
Post by: C0ldkut on March 23, 2022, 09:28:41 pm
Thanks for reply. Yes I followed it point by point.

I forgot to post the Rule on "WIRE" (wg0). See attached.
Title: Re: Wireguard stop the endless suffering
Post by: C0ldkut on March 23, 2022, 09:29:49 pm
WIRE Rule.
Title: Re: Wireguard stop the endless suffering
Post by: Greelan on March 23, 2022, 09:32:40 pm
You're only allowing UDP traffic on that rule.

So in fact you didn't follow the how-to point by point.
Title: Re: Wireguard stop the endless suffering
Post by: C0ldkut on March 23, 2022, 09:35:56 pm
 ;D ;D ;D ;D

Ok, maybe I followed it too often then. I corrected that. Still no handshake. ???
Title: Re: Wireguard stop the endless suffering
Post by: Greelan on March 23, 2022, 09:42:17 pm
I'd suggest going over it again to check for any other mistakes.

Also, you haven't posted configs on the endpoints themselves - the problem could be there.
Title: Re: Wireguard stop the endless suffering
Post by: C0ldkut on March 23, 2022, 09:48:23 pm
The thing is, I really read all of it too often. Sucks somehow, since it appears to be really easy. What the hell. :o

Attached the peers screenshot. (G20)
Title: Re: Wireguard stop the endless suffering
Post by: Greelan on March 24, 2022, 07:53:21 am
Have you applied changes for the firewall rules and alias? The screenshot of the WIRE rule showed unapplied changes.
Title: Re: Wireguard stop the endless suffering
Post by: C0ldkut on March 24, 2022, 08:44:53 pm
Thanks for the hint. I applied right after. Still stuck.
Title: Re: Wireguard stop the endless suffering
Post by: C0ldkut on March 29, 2022, 09:02:16 pm
Still I am stuck. Anyone any ideas where to look? Is it usual that the defined tunnel port is not visible through a port checker? Thanks for your help!
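On the port-checker question: WireGuard only answers packets that authenticate against a configured peer key and stays silent otherwise, so an external UDP port checker cannot show the tunnel port as "open" even when everything is fine. The reliable signal is the per-peer latest-handshake time from `wg show`. The script below is an added example (not from this thread or from OPNsense) that parses `wg show <iface> dump` output and flags peers that never handshook or whose last handshake is stale. The dump layout is the real one (interface line, then one tab-separated line per peer); the keys, endpoints, timestamps and the 180-second staleness threshold are constructed assumptions.

```python
"""Report WireGuard peers that never completed a handshake, or whose last one
is stale, from `wg show <iface> dump` output.

Added example, not from the forum thread. Dump layout (real format):
  line 1  : private-key, public-key, listen-port, fwmark
  per peer: public-key, preshared-key, endpoint, allowed-ips,
            latest-handshake (unix time, 0 = never), transfer-rx,
            transfer-tx, persistent-keepalive
Keys, addresses and timestamps below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List

# A connected WireGuard peer re-handshakes about every two minutes, so a
# handshake older than this is treated as stale (assumed threshold).
STALE_AFTER_SECONDS = 180


@dataclass
class PeerStatus:
    public_key: str
    endpoint: str
    latest_handshake: int   # unix time; 0 means no handshake ever
    state: str              # "ok", "stale" or "never"


def parse_wg_dump(dump: str, now: int) -> List[PeerStatus]:
    """Parse `wg show <iface> dump` text and classify each peer's handshake."""
    lines = [ln for ln in dump.strip().splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:            # lines[0] describes the interface itself
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, _allowed, hs, _rx, _tx, _keepalive = fields
        hs_time = int(hs)
        if hs_time == 0:
            state = "never"
        elif now - hs_time > STALE_AFTER_SECONDS:
            state = "stale"
        else:
            state = "ok"
        peers.append(PeerStatus(pub, endpoint, hs_time, state))
    return peers


def handshake_problems(dump: str, now: int) -> List[str]:
    """Return one line per peer that is not in a healthy handshake state."""
    return [f"{p.public_key}: {p.state} (endpoint {p.endpoint})"
            for p in parse_wg_dump(dump, now) if p.state != "ok"]


# Constructed sample: a server on UDP 5552 with three peers, evaluated at a
# fixed "now". Peer A handshook 30 s ago, peer B never, peer C 10 min ago.
NOW = 1_648_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["<server-private-key>", "<server-public-key>", "5552", "off"]),
    "\t".join(["<peer-a-public-key>", "(none)", "198.51.100.7:41820",
               "10.0.0.2/32", str(NOW - 30), "1024", "2048", "25"]),
    "\t".join(["<peer-b-public-key>", "(none)", "(none)",
               "10.0.0.3/32", "0", "0", "0", "off"]),
    "\t".join(["<peer-c-public-key>", "(none)", "198.51.100.9:51000",
               "10.0.0.4/32", str(NOW - 600), "4096", "4096", "25"]),
])

if __name__ == "__main__":
    for problem in handshake_problems(SAMPLE_DUMP, NOW):
        print(problem)
```

On a live system you would feed it `wg show wg0 dump` and the current time; a peer reported as "never" after the client has tried to connect means its packets are not reaching the WireGuard service at all, which points at firewall, NAT or key problems rather than at the tunnel itself.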
Title: Re: Wireguard stop the endless suffering
Post by: chemlud on March 30, 2022, 09:21:03 am
Re-check that the CORRECT public/private keys are in place on BOTH sides...
Title: Re: Wireguard stop the endless suffering
Post by: C0ldkut on April 02, 2022, 11:50:22 pm
So for anyone interested: it works now.

What I did:
I implemented a Rule under Floating and deleted the one on the WAN Interface.

What I still wonder: I really followed the manual, but what worked was this: https://www.youtube.com/watch?v=gNyIACWc60w

Anyway: Thank you all for taking time!
Title: Re: Wireguard stop the endless suffering
Post by: Greelan on April 03, 2022, 12:54:01 am
Couple of comments. Since that video was made, the OPNsense WG docs for road warrior and selective routing setups have been re-written and so are no longer "misleading" - they work. Also, I see no reason why a floating rule applying to WAN would work any differently to an equivalent rule on WAN, unless the user has another block rule that applies in priority to the WAN rule but after the floating rule - in which case it is the user's config that is the issue.
Title: Re: Wireguard stop the endless suffering
Post by: C0ldkut on April 03, 2022, 10:22:14 pm
Thanks for your comments. Ever since, it was clear that I messed up some config and I didn't want to blame the documentation, but thought I had found a workaround.

The mistake was not the floating/WAN. It was indeed a conflicting NAT port forwarding rule. I configured it as described in the documentation, fixed the conflicting port forwarding rules and now everything works.

Nevertheless I hope that, since I have searched and searched, it might point others to a working VPN setup. RTFM.  :)

I think we can close.
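The resolution above (a conflicting NAT port forward on the tunnel port) and the earlier point about floating versus WAN rules both come down to evaluation order in pf, which OPNsense uses: port-forward (rdr) translation is applied before filtering, so filter rules see the already-rewritten destination, and filter rules are then matched floating first, then interface rules, first match deciding. The simulator below is an added example (not code from the thread or from OPNsense) that models exactly that order for an inbound UDP packet to port 5552. The WAN address, the LAN host, and the rule names are constructed assumptions.

```python
"""Model pf/OPNsense ordering for an inbound WireGuard packet:
port forwards (rdr) first, then filter rules (floating, then interface),
first match wins. Added example, not from the thread or from OPNsense.
Addresses and rule names are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_ADDR = "203.0.113.10"   # constructed firewall WAN address
VPN_PORT = 5552             # tunnel port from the thread


@dataclass
class Packet:
    proto: str
    dst: str
    dst_port: int


@dataclass
class PortForward:
    name: str
    proto: str
    dst_port: int
    redirect_to: str          # LAN host the destination is rewritten to


@dataclass
class FilterRule:
    name: str
    scope: str                # "floating" or "wan"
    action: str               # "pass" or "block"
    proto: str                # "udp", "tcp" or "any"
    dst: str                  # "self" (the firewall), "any", or an address
    dst_port: Optional[int]   # None = any port


def apply_port_forwards(pkt: Packet, forwards: List[PortForward]) -> Tuple[Packet, Optional[str]]:
    """rdr runs before filtering: rewrite the destination on the first match."""
    for fwd in forwards:
        if pkt.dst == WAN_ADDR and fwd.proto == pkt.proto and fwd.dst_port == pkt.dst_port:
            return Packet(pkt.proto, fwd.redirect_to, pkt.dst_port), fwd.name
    return pkt, None


def first_match(pkt: Packet, rules: List[FilterRule]) -> Tuple[str, str]:
    """Floating rules are evaluated before WAN rules; first match decides."""
    ordered = [r for r in rules if r.scope == "floating"] + [r for r in rules if r.scope == "wan"]
    for r in ordered:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        want = WAN_ADDR if r.dst == "self" else r.dst
        if want != "any" and want != pkt.dst:
            continue
        return r.action, r.name
    return "block", "default deny"


def evaluate(pkt: Packet, forwards: List[PortForward], rules: List[FilterRule]) -> dict:
    translated, fwd_name = apply_port_forwards(pkt, forwards)
    action, rule_name = first_match(translated, rules)
    return {"forward": fwd_name, "rule": rule_name, "action": action,
            "delivered_to": translated.dst if action == "pass" else None}


def wireguard_reachable(forwards: List[PortForward], rules: List[FilterRule]) -> bool:
    """True only if the packet is passed AND still addressed to the firewall."""
    return evaluate(WG_PACKET, forwards, rules)["delivered_to"] == WAN_ADDR


# Constructed scenario pieces.
WG_PACKET = Packet("udp", WAN_ADDR, VPN_PORT)
BASE_RULES = [FilterRule("Allow WireGuard", "wan", "pass", "udp", "self", VPN_PORT)]
FLOATING_RULE = FilterRule("Allow WireGuard (floating)", "floating", "pass", "udp", "self", VPN_PORT)
# A leftover forward of the same UDP port to a LAN host, plus the pass rule
# that a port forward normally carries with it.
CONFLICTING_FORWARD = PortForward("old forward", "udp", VPN_PORT, "192.168.1.50")
ASSOCIATED_RULE = FilterRule("NAT old forward", "wan", "pass", "udp", "192.168.1.50", VPN_PORT)

if __name__ == "__main__":
    print("clean WAN rule:     ", evaluate(WG_PACKET, [], BASE_RULES))
    print("floating instead:   ", evaluate(WG_PACKET, [], [FLOATING_RULE]))
    print("conflicting forward:", evaluate(WG_PACKET, [CONFLICTING_FORWARD], BASE_RULES + [ASSOCIATED_RULE]))
```

With the clean WAN rule (or the equivalent floating rule) the packet is passed to the firewall itself and WireGuard sees it; with the leftover forward in place the packet is passed too, but to the LAN host, so the tunnel service never receives a handshake and the WAN rule's "self" destination never matches. That is why the forward had to go, and why floating versus WAN made no difference on its own.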