OPNsense Forum
English Forums => Virtual private networks => Topic started by: fat_flying_pigs on March 17, 2023, 10:41:12 am
-
Hi there, I'm new to opnsense and am slowly re-building my network. My setup currently works with normal internet. It uses two routers, one Opnsense for my homelab stuff, and one tplink for my roommate / general wifi use. This is a drawn image of my network: (see first attachment below)
I have managed to set up and correctly use WG with my phone using cell data. It also works if I tether my laptop to my cell data. However, when I connect either of them to the wifi, WG will fail to handshake, retrying every 5 seconds.
I've examined the logs and I'm not really sure where or why it's failing. I changed the dns on the wg client to use 8.8.4.4, and logs show it properly going out:
(see second attachment below)
Logs don't show any more information, at least from what I can gather. The VPN -> Wireguard -> Status does show the transfer numbers increasing for both received and sent. So I'm thinking maybe for some reason the data is getting dropped?
peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
preshared key: (hidden)
endpoint: 10.121.4.7:49543
allowed ips: 10.120.2.7/32
transfer: 127.04 KiB received, 78.97 KiB sent
Lastly here are my relevant interface firewall rules:
(see third attachment below)
Any advice would be appreciated! I've been trying most everything I can think of with no success, thanks!
-
I'm not sure if this is the only problem, but it doesn't look like you have added the 192.168.0.1 network as an allowable network in the wireguard set up.
-
Usually, to keep your sanity, you want to run from NAT, not use it ;D (may I ask why you enabled NAT on the TP-Link? You already have a VLAN; NAT doesn't mean security.)
Well, back to your question: if you want to access your WireGuard server from within the network (LAN side), then you can either:
- Use NAT reflection: https://docs.opnsense.org/manual/nat.html (an explanation here: https://www.reddit.com/r/PFSENSE/comments/fp9h1f/can_someone_explain_to_me_what_is_nat_reflection/)
- or use split-horizon DNS (external queries are answered with the public IP, while internal queries get the private IP; you can achieve this with Unbound's override, given that you have a public domain, of course)
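The two fixes in the reply above address the same hairpin problem from different sides: a LAN client that resolves the VPN hostname to the public WAN address sends its handshake at the router's outside address, and without NAT reflection that packet is never forwarded back in. The toy model below is an added example, not code from the thread or from OPNsense; every address in it is constructed (the LAN 192.168.0.0/24 with the WireGuard host at 192.168.0.1, a documentation-range public IP, a placeholder hostname vpn.example.com), and it reproduces the symptom and then shows that either NAT reflection or a split-horizon answer makes the handshake land on the server.

```python
"""Toy model of hairpin NAT for a WireGuard endpoint (constructed example).

All addresses below are assumptions for illustration, not values from the thread.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]   # assumed LAN behind the router
PUBLIC_WAN_IP = ipaddress.ip_address("203.0.113.10")        # documentation-range placeholder
WG_SERVER_LAN_IP = ipaddress.ip_address("192.168.0.1")      # assumed WireGuard host on the LAN
WG_PORT = 51820                                             # WireGuard default listen port
VPN_HOSTNAME = "vpn.example.com"                            # placeholder public name


def _is_internal(ip):
    """True when the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def split_horizon_answer(hostname, client_ip):
    """Answer a split-horizon resolver would give for the VPN hostname.

    Internal clients get the private address, everyone else the public one.
    Unknown names return None (the resolver would forward them normally).
    """
    if hostname != VPN_HOSTNAME:
        return None
    return str(WG_SERVER_LAN_IP) if _is_internal(client_ip) else str(PUBLIC_WAN_IP)


def route_udp(src_ip, dst_ip, dst_port, nat_reflection):
    """Model how the edge router delivers one UDP packet.

    Returns the address the packet actually reaches, or None when it is dropped.
    The only forwarding rule is an inbound port forward for the WireGuard port.
    """
    dst = ipaddress.ip_address(dst_ip)
    from_inside = _is_internal(src_ip)

    # Plain LAN-to-LAN delivery never touches NAT.
    if dst == WG_SERVER_LAN_IP and from_inside:
        return str(WG_SERVER_LAN_IP)

    if dst == PUBLIC_WAN_IP and dst_port == WG_PORT:
        if not from_inside:
            return str(WG_SERVER_LAN_IP)   # ordinary inbound port forward
        # Hairpin: an internal client aimed at the router's public address.
        # Only a reflection rule rewrites it back to the internal server.
        return str(WG_SERVER_LAN_IP) if nat_reflection else None

    return None   # no matching forward: dropped


def handshake_reaches_server(client_ip, hostname, nat_reflection, split_dns):
    """Combine name resolution and forwarding for a WireGuard handshake packet."""
    if split_dns:
        dst = split_horizon_answer(hostname, client_ip)
    else:
        dst = str(PUBLIC_WAN_IP)   # a public resolver only knows the WAN address
    return route_udp(client_ip, dst, WG_PORT, nat_reflection) == str(WG_SERVER_LAN_IP)


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", False, False),   # outside client, no fixes: works
        ("192.168.0.50", False, False),   # LAN client, no fixes: the reported symptom
        ("192.168.0.50", True, False),    # LAN client with NAT reflection
        ("192.168.0.50", False, True),    # LAN client with split-horizon DNS
    ]
    for ip, reflect, split in cases:
        ok = handshake_reaches_server(ip, VPN_HOSTNAME, reflect, split)
        print(f"client={ip:<14} reflection={reflect!s:<5} split_dns={split!s:<5} -> "
              f"{'handshake delivered' if ok else 'packet dropped'}")
```

The second case is the thread's symptom: the client on wifi keeps retrying because its handshake packets never reach the WireGuard listener, even though counters on other paths may still move. Either fix alone is enough in this model; in practice split-horizon DNS is the cleaner option because the LAN traffic never has to traverse the WAN interface at all.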