OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: tre4bax on August 22, 2019, 10:22:46 am

Title: Using Wireguard now have two in rules..
Post by: tre4bax on August 22, 2019, 10:22:46 am
I decided I would go ahead and use wireguard for a VPN and followed through your instructions. 

Initially I decided I would set it up without the 0.0.0.0/0 rule and it all worked fine.  In Rules I had a Wireguard option appear and I set a rule to allow all traffic.

Now I decided to move to using 0.0.0.0/0 on the client.  I added the Interface as instructed, NAT rules etc. and off it went, no problem.  Success.  Now it is working I can add my phone to this.  Done, and it works; then came the challenge.

I went into Rules and I had two Wireguard entries.  One was there originally and had my Rule.  One had obviously appeared when I created the interface (which I named Wireguard).  It was working so I thought it just a wrinkle.  Unfortunately I noticed that the rules had not been applied and applied them.  Now I cannot get Wireguard to work any more.

I've tried allowing the any rule in the second Wireguard but that did not work.  Something is confused and it feels like I should remove a Wireguard from the rules, however there is no way to do that.  Anyone got any ideas for next steps?
Title: Re: Using Wireguard now have two in rules..
Post by: mimugmail on August 22, 2019, 09:17:11 pm
Can you rename the assigned interface to WG and try again? Also check rules again after change
Title: Re: Using Wireguard now have two in rules..
Post by: tre4bax on August 22, 2019, 09:26:40 pm
When I worked my way back through I got to a point where I had ping level packets going backwards and forwards and name resolution happening.  I guessed there might be something wrong with the nat rules and went in to look.  It all checked out by the instructions so I came out again without changing it. 

That gave me an apply which I did. And packets stopped working.  I reloaded the configs and spent another hour messing with it before giving up. 

I think the thing to do now is to strip the whole thing out and start from scratch.   It could be confusion between when to use /32 addresses and when to use /24 networks I guess.  Last time I got packets going it was with a /32 in both host and client.
Title: Re: Using Wireguard now have two in rules..
Post by: mimugmail on August 22, 2019, 09:46:53 pm
Hm, reread all doc examples, it's quite confusing but helps a lot
Title: Re: Using Wireguard now have two in rules..
Post by: tre4bax on August 28, 2019, 11:55:49 am
Okay I'm back to my old issue.  I am convinced it is something to do with NAT and the two wireguards.

I renamed one WireGuardInterface.  I have added a NAT rule for BOTH WireGuard's and WireGuardInterface's network address.  I have added any/any rules in each of the WireGuard rule areas.

I can get everything setup so that I can pass packets.

opnsense:
local:  Tunnel Address 192.168.100.1/24
peer:  Allowed IPs 192.168.100.2/32, 192.168.100.0/24, 192.168.1.0/24

PC
interface: address 192.168.100.2/32
Peer: AllowedIPs 192.168.100.0/24, 192.168.1.0/24

With this setup I can ping any address on my network at 192.168.1.x.  I cannot get DNS to resolve even though it is on the opnsense router on a 192.168.1 address.  If I add 0.0.0.0/0 to either or both the allowed IPs above then all packets stop going over the VPN.

I feel this is something to do with NAT but cannot be sure about that other than I know that NAT needs to be setup to use 0.0.0.0, though I thought it WAS setup.  At least I am a little closer now.

Title: Re: Using Wireguard now have two in rules..
Post by: mimugmail on August 28, 2019, 02:02:01 pm
0.0.0.0/0 only on the PC. For such a setup you don't need to NAT on Wireguard, you have to NAT on WAN and use your tunnel net as source.
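The cryptokey-routing behaviour behind this advice, as an added example that is not from the thread or from OPNsense: a small Python checker that resolves which peer a server-side AllowedIPs table would send a destination to (the table below is constructed from the poster's peer entry with 0.0.0.0/0 added and a second phone peer), and warns about 0.0.0.0/0 on the server side and about a prefix listed under two peers. The function names are mine.

```python
import ipaddress

# Constructed sample modelled on the thread's server-side peer entry, with the
# 0.0.0.0/0 prefix the poster tried and a second (phone) peer added. This is a
# minimal peer table, not a full wg config file.
SERVER_PEERS = {
    "pc":    ["192.168.100.2/32", "192.168.100.0/24", "192.168.1.0/24", "0.0.0.0/0"],
    "phone": ["192.168.100.3/32"],
}

def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]

def peer_for(peers, dest):
    """Which peer WireGuard's cryptokey routing would send `dest` to.

    AllowedIPs is a routing table: the longest matching prefix wins, and an
    exact prefix listed under two peers belongs to whichever peer was
    configured last. Returns None when no peer claims the address.
    """
    addr = ipaddress.ip_address(dest)
    best, best_len = None, -1
    for name, prefixes in peers.items():
        for net in _nets(prefixes):
            if addr in net and net.prefixlen >= best_len:
                best, best_len = name, net.prefixlen
    return best

def check_server_allowed_ips(peers):
    """Warnings worth reading before applying a server-side peer table."""
    warnings, owner = [], {}
    for name, prefixes in peers.items():
        for net in _nets(prefixes):
            if net.prefixlen == 0:
                warnings.append(f"{name}: {net} on the server routes every "
                                "non-local destination into this tunnel; keep "
                                "0.0.0.0/0 on the client side only")
            if net in owner and owner[net] != name:
                warnings.append(f"{name}: {net} is also listed under "
                                f"{owner[net]}; the later peer silently wins")
            owner[net] = name
    return warnings

if __name__ == "__main__":
    for w in check_server_allowed_ips(SERVER_PEERS):
        print("WARN", w)
    print("8.8.8.8 ->", peer_for(SERVER_PEERS, "8.8.8.8"))
```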
Title: Re: Using Wireguard now have two in rules..
Post by: tre4bax on August 28, 2019, 03:25:08 pm
I have a Nat rule setup on WAN and the WireGuardInterface interface.  I've also set one up on the WireGuard interface just in case.  Same rule with Target as the WAN.

I will give just putting 0.0.0.0/0 on the PC end another go and see what happens.
Title: Re: Using Wireguard now have two in rules..
Post by: tre4bax on August 28, 2019, 03:30:29 pm
Did this and it all broke.  Put it back as it was and it has stayed broken.  I have no idea what is going on here.  Achieving a stable link seems almost impossible. :-(
Title: Re: Using Wireguard now have two in rules..
Post by: mimugmail on August 28, 2019, 05:07:42 pm
Screenshot of outbound nat
Title: Re: Using Wireguard now have two in rules..
Post by: tre4bax on August 29, 2019, 02:50:49 pm
And now I have it working :-)  Finally figured out the minimum I need and what are the right values in the right places.  PC now connects every time and just works with all traffic routing through.

Now on to the next challenge the Phone connects but does not route.  Time for another thread ;-)
Title: Re: Using Wireguard now have two in rules..
Post by: tre4bax on March 30, 2020, 11:27:53 am
Note to self:  Next time you get the solution, post it so that you can see what you did for when your computer crashes and you lose the working config file.
Title: Re: Using Wireguard now have two in rules..
Post by: mimugmail on March 30, 2020, 12:33:03 pm
I should start with YouTube Videos ...
Title: Re: Using Wireguard now have two in rules..
Post by: tre4bax on March 30, 2020, 12:38:21 pm
:) :)  All working again now.   Actually the basic setup documented everywhere worked just fine, once I had pasted the right key into the client part in OPNsense.  Must have had a brain fart last night and put the private key in there, not the public one ;-)

For anyone having handshake problems: double-check your keys.