I'm trying to set up a WireGuard VPN. The connection takes place (firewall logs say so) but no handshake occurs with either the Ubuntu or the Windows client. I made several tests, also manually setting Outbound rules, but without being able to solve it.
Note:
- WAN is a hiperlan connection and I manage 8 public IPs (configured as Virtual IPs on OPNsense)
- In the firewall rule for WAN port 51820 I had to set as "Destination" the Alias (PubCloud) of the public IP address used for the VPN connection (otherwise it would not work, probably due to the multiple IPs).
OPNsense config:
I took some screenshots ... I tried to follow the official OPNsense documentation (as well as checking some how-tos on the Internet), assigning the wg1 device to a dedicated interface.
VPN:
VPN-WireGuard-local (https://ibb.co/bzyvc3n)
VPN-WireGuard-endpoint (https://ibb.co/SdM5X6D)
VPN-WireGuard-status (https://ibb.co/FWFsGrr)
VPN-WireGuard-handshakes (https://ibb.co/n0W4gV1)
Interface:
Interfaces-Assignments (https://ibb.co/BKW160c)
Interfaces-WireGuard1 (https://ibb.co/RY61frN)
System-Routes-Status (https://ibb.co/3TWshFx)
Firewall:
Firewall-Log-port_51820 (https://ibb.co/vLdndxF)
Firewall-Rules-WAN (https://ibb.co/BzRQKMK)
Firewall-Rules-WireGuard_Group (https://ibb.co/zrJJV0W)
Firewall-Rules-WireGuard1 (https://ibb.co/pPNbL0h)
Client config:
[Interface]
Address = 10.10.10.2/32
PrivateKey = YP8<8<8<8<8<8<8<8<8<8<8<8<8<c=
[Peer]
Endpoint = 185.x.x.x:51820
PublicKey = A18<8<8<8<8<8<8<8<8<8<8<8<8<Ww=
AllowedIPs = 10.10.10.0/24, 192.168.0.0/24
PersistentKeepalive = 15
Thanks for any help!
Ok... After many attempts, trying to drop and recreate the server and endpoints and also using an Android client with a mobile Internet connection, I give up.
But I would still like to test WireGuard, so the question is still open for anyone who wants to help me fix it. Thank you.
Use tcpdump and watch if packets for port 51820 arrive at your WAN interface ... continue from there.
I found the "problem" ...
Using "Packet Capture" (Interfaces->Diagnostics->Packet Capture) I found an OPNsense response from an "unknown" IP and a light bulb went on in my head ...
The ISP has given us some public IP addresses that we use for our services. But the router that manages the Hiperlan connection antenna dynamically assigns (via PPPoE) another public IP to the WAN interface of OPNsense, which is the one actually used by WireGuard.
Using this address as peer endpoint in the client configuration (and changing the firewall rule for WAN interface port 51820) the VPN started working.
In order to use one of the virtual public IP addresses I think it is necessary not to associate the device with an interface and to manually create an Outbound rule that directs the outgoing traffic from the WireGuard device to the desired virtual public IP (but I haven't tested it yet ... )
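The symptom found above (the handshake response leaving OPNsense from the PPPoE WAN address instead of the virtual IP the client sent to) can be spotted mechanically in a tcpdump/Packet Capture of UDP 51820. This is an added example, not code from the thread: it parses tcpdump-style lines, pairs each handshake initiation (148-byte UDP payload) with the response (92 bytes) sent back to the same client socket, and reports when the response's source address is not the endpoint the client targeted. The addresses in the constructed sample are documentation-range stand-ins, not the poster's real IPs.

```python
import re
from dataclasses import dataclass

WG_PORT = 51820
# WireGuard handshake message sizes (UDP payload bytes) per the protocol.
HANDSHAKE_INIT_LEN = 148
HANDSHAKE_RESP_LEN = 92

# Matches lines as printed by `tcpdump -n udp port 51820`.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<len>\d+)$"
)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_tcpdump(text):
    """Parse tcpdump text lines into Packet records; non-matching lines are skipped."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"],
                               int(m["dport"]), int(m["len"])))
    return pkts


def find_mismatched_responses(pkts, port=WG_PORT):
    """Return (client_ip, endpoint_targeted, response_source) for each handshake
    response whose source address differs from where the client sent its initiation."""
    targeted = {}  # (client_ip, client_port) -> server address the client contacted
    findings = []
    for p in pkts:
        if p.dport == port and p.length == HANDSHAKE_INIT_LEN:
            targeted[(p.src, p.sport)] = p.dst
        elif p.sport == port and p.length == HANDSHAKE_RESP_LEN:
            expected = targeted.get((p.dst, p.dport))
            if expected is not None and expected != p.src:
                findings.append((p.dst, expected, p.src))
    return findings


# Constructed sample: client 203.0.113.5 sends to virtual IP 198.51.100.10,
# but OPNsense answers from its PPPoE WAN address 198.51.100.77.
SAMPLE_CAPTURE = """
10:00:01.000001 IP 203.0.113.5.41641 > 198.51.100.10.51820: UDP, length 148
10:00:01.000350 IP 198.51.100.77.51820 > 203.0.113.5.41641: UDP, length 92
"""

if __name__ == "__main__":
    for client, expected, actual in find_mismatched_responses(parse_tcpdump(SAMPLE_CAPTURE)):
        print(f"{client} sent its handshake to {expected}, response came from {actual}")
```

Run it against a real capture by feeding the tcpdump output text to parse_tcpdump; an empty result means responses are leaving from the address the client expects.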