I followed the steps in the documentation and I have WireGuard up and running. https://docs.opnsense.org/manual/how-tos/wireguard-client.html
However, I can only reach internal resources. Nothing on the internet. I did step 2c and added the interface rule along with setting AllowedIPs to 0.0.0.0/0 on the client but I still can't get out to the internet.
The weirdest part is that I can see my device making DNS queries to OPNSense and I can see the occasional 443 traffic being passed but nothing on my device works. Additionally, I don't see any blocked entries in the firewall logs.
Any ideas where to look for the next steps? While a split tunnel is useful, I want to be able to fully tunnel all of my traffic across the VPN.
Thanks.
Trace your traffic on the various interfaces involved and have a look where it stops (or the replies, maybe?). Nobody can debug this on a forum without knowing how your network is configured...
That's what I'm trying to do. I'm just confused as to why I'm seeing entries in the logs for traffic being passed when it doesn't seem to be and I'm not seeing entries for blocked traffic.
Also, I just realized that doing a split tunnel doesn't work either.
I'm seeing entries in the firewall logs showing that traffic is being passed to Unbound but Chrome gives me a DNS_PROBE_FINISHED_BAD_CONFIG error. Looking in the Unbound logs there doesn't seem to be anything relating to my WG client.
Do a packet capture on the interfaces involved. For WG it won't work in the GUI afaik...
Apparently the problem was Unbound. It was refusing queries and restarting it fixed it. Not sure why considering I had restarted the whole server when I applied the update.
And it happened again. Unbound stopped serving DNS to my WG clients until I restarted it.
And again.
I believe this is because the unbound service initializes before the wireguard service; try manually adding an access list in unbound for your wireguard subnet.
Unbound DNS -> Access Lists
This solved the same/similar issue for me.
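To illustrate the access-list suggestion above, here is an added example (not from the thread or from OPNsense) that parses the access-control lines of an Unbound config and works out what Unbound will do with a query from a given client address. It assumes Unbound's documented semantics: the most specific matching netblock wins, and a client that matches no netblock is refused unless it is localhost. The config fragment and the 10.10.10.0/24 tunnel subnet are constructed placeholders, not values from the original posts.

```python
import ipaddress

# Constructed unbound.conf fragment (not from the thread): Unbound listens on
# all interfaces, but only localhost and the LAN netblock have an allow entry.
UNBOUND_CONF_BEFORE = """
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
"""

# Same fragment with the fix suggested in the thread: an access list entry for
# the WireGuard tunnel subnet (10.10.10.0/24 is a placeholder subnet).
UNBOUND_CONF_AFTER = UNBOUND_CONF_BEFORE + "    access-control: 10.10.10.0/24 allow\n"


def parse_access_control(conf):
    """Return (netblock, action) pairs from every access-control line."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line.startswith("access-control:"):
            continue
        netblock, action = line[len("access-control:"):].split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def effective_action(conf, client_ip):
    """Decide allow/refuse for client_ip the way Unbound does: the most
    specific matching netblock wins; with no match, only localhost is allowed."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in parse_access_control(conf):
        # 'in' is False when address families differ, so v6 rules never match v4
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    if best is not None:
        return best[1]
    return "allow" if ip.is_loopback else "refuse"


if __name__ == "__main__":
    # A tunnel client is refused before the fix and allowed after it.
    for label, conf in (("before", UNBOUND_CONF_BEFORE), ("after", UNBOUND_CONF_AFTER)):
        print(label, "10.10.10.2 ->", effective_action(conf, "10.10.10.2"))
```

A "refuse" result here corresponds to the REFUSED answers a WireGuard client sees when its subnet has no access list entry, which shows up in the browser as a DNS configuration error rather than as a blocked packet in the firewall log.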
Quote from: xpendable on June 01, 2021, 04:59:44 PM
I believe this is because the unbound service initializes before the wireguard service; try manually adding an access list in unbound for your wireguard subnet.
Unbound DNS -> Access Lists
This solved the same/similar issue for me.
I'll give that a try, but why would it stop working after a time period? The machine hasn't been rebooted and I've connected and disconnected multiple times.
I had issues on this until I had unbound listening on a loopback interface. Are you listening on a local interface or a loopback?
Unbound listens on all interfaces.