Hi, I've been going through the process of trying to set up a WireGuard tunnel so I can access my local network resources from outside my network; I've been trying to use WireGuard for this.
While I am able to connect to it, use the internet through it and connect to my OPNsense on 10.0.0.1, I'm not able to access any of my local network resources.
This is how I currently have it set up:
OPT1 interface (wireguard) on 10.0.1.1/24
Wireguard client on 10.0.1.2/32
LAN subnet on 10.0.0.1/24
I have added a rule to allow OPT1 to access all, and while looking at my firewall logs it DOES seem to let the WireGuard client send requests to my LAN, nothing ever seems to be returned from the LAN, and I have no idea why.
What I'm trying to access is my media server on 10.0.0.30:8096, but this doesn't work: it sends the request, but nothing ever comes back after it's let through the firewall.
I've been struggling with this for a few days now; is there something I've been missing? I've gone through MULTIPLE different tutorials and they just seem to be able to get LAN access straight away.
Post wireguard config and firewall rules on both interfaces.
Here is the WireGuard config: https://i.imgur.com/AL1u80w.png
Endpoint: https://i.imgur.com/UZL49uU.png
Client: https://i.imgur.com/0T2RSnb.jpg
OPT1 rules: https://i.imgur.com/WD8U5Mv.png
LAN rules: https://i.imgur.com/ZTokTzw.png
Your DNS rule isn't doing anything. Move it above the any any rules.
Change the peer interface address to a /24. The /32 goes in the allowed IP field, but you're doing a full tunnel so it won't be needed.
Change the allowed IPs to 0.0.0.0/0
I've done that but still no luck, no access to my LAN at all.
LAN rules: https://i.imgur.com/aNjDHnZ.png
Client: https://i.imgur.com/BXYnAEg.png
You could try this guide https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
I did already try everything in this guide; this was one of the ones I looked at to try and get it set up. :-\
Post your actual config, not snipped pictures of it. Help us help you!
Did you check the routes?
Did you try a packet capture?
Is this only 1 client?
Not sure how I should actually post the config, especially with regards to security....
I did try a traceroute, but it simply can't even find 10.0.1.2 from my LAN; or, if you mean the actual routes, they seem to be set up correctly? https://i.imgur.com/9yOhoah.png
I did a packet capture and it just tries to keep sending the requests to 10.0.0.30 (the LAN client I'm trying to connect to) and a bunch of ARP requests to it, but with no response, so I suppose it's not even entering the LAN: https://i.imgur.com/7aix65o.png
Keep in mind that when viewing the log files in the firewall live view it does seem to pass these and let them through: https://i.imgur.com/7tZqmSd.png
And yes, it's only one client I'm trying to test this with at the moment.
Just remove the private keys and you are safe posting the configuration.
Here is my wireguard config:
<wireguard>
<server version="0.0.4">
<servers>
<server uuid="4b5cee75-577f-4f41-8e26-d688f98ccd16">
<enabled>1</enabled>
<name>wg1</name>
<instance>1</instance>
<pubkey>[REDACTED]</pubkey>
<privkey>[REDACTED]</privkey>
<port>51820</port>
<mtu/>
<dns>10.0.0.30</dns>
<tunneladdress>10.0.1.1/24</tunneladdress>
<disableroutes>0</disableroutes>
<gateway/>
<peers>5826191e-13b1-4d53-8540-58b00c2c78d5</peers>
</server>
</servers>
</server>
<general version="0.0.1">
<enabled>1</enabled>
</general>
<client version="0.0.7">
<clients>
<client uuid="5826191e-13b1-4d53-8540-58b00c2c78d5">
<enabled>1</enabled>
<name>iOS01</name>
<pubkey>[REDACTED]</pubkey>
<psk/>
<tunneladdress>10.0.1.2/32</tunneladdress>
<serveraddress/>
<serverport/>
<keepalive/>
</client>
</clients>
</client>
</wireguard>
and all of my firewall rules:
<nat>
<outbound>
<mode>hybrid</mode>
<rule/>
</outbound>
<rule>
<protocol>tcp/udp</protocol>
<interface>lan</interface>
<category/>
<ipprotocol>inet</ipprotocol>
<descr>Allow PiHole to reach external DNS servers</descr>
<tag/>
<tagged/>
<poolopts/>
<associated-rule-id/>
<nordr>1</nordr>
<source>
<address>10.0.0.30/24</address>
</source>
<destination>
<any>1</any>
<port>53</port>
</destination>
<updated>
<username>root@10.0.0.107</username>
<time>1674785066.7003</time>
<description>/firewall_nat_edit.php made changes</description>
</updated>
<created>
<username>root@10.0.0.107</username>
<time>1674781322.0168</time>
<description>/firewall_nat_edit.php made changes</description>
</created>
</rule>
<rule>
<protocol>tcp/udp</protocol>
<interface>lan</interface>
<category/>
<ipprotocol>inet</ipprotocol>
<descr>Intercept any outgoing DNS queries and redirect them to PiHole.</descr>
<tag/>
<tagged/>
<poolopts/>
<associated-rule-id>nat_63d321d5164c60.99056460</associated-rule-id>
<target>10.0.0.30</target>
<local-port>53</local-port>
<source>
<network>lan</network>
</source>
<destination>
<address>10.0.0.30/24</address>
<not>1</not>
<port>53</port>
</destination>
<updated>
<username>root@10.0.0.107</username>
<time>1674783657.6567</time>
<description>/firewall_nat_edit.php made changes</description>
</updated>
<created>
<username>root@10.0.0.107</username>
<time>1674781141.0927</time>
<description>/firewall_nat_edit.php made changes</description>
</created>
</rule>
</nat>
<filter>
<rule uuid="71167ca6-d6a2-414c-a1e5-444754a3e404">
<type>pass</type>
<interface>wan</interface>
<ipprotocol>inet</ipprotocol>
<statetype>keep state</statetype>
<direction>in</direction>
<quick>1</quick>
<protocol>udp</protocol>
<source>
<any>1</any>
</source>
<destination>
<network>wanip</network>
<port>51820</port>
</destination>
<updated>
<username>root@10.0.0.107</username>
<time>1675680437.0935</time>
<description>/firewall_rules_edit.php made changes</description>
</updated>
<created>
<username>root@10.0.0.107</username>
<time>1675680437.0935</time>
<description>/firewall_rules_edit.php made changes</description>
</created>
</rule>
<rule uuid="9e0ebb67-5dd9-441f-a704-2e1396437977">
<type>pass</type>
<interface>lan</interface>
<ipprotocol>inet</ipprotocol>
<statetype>keep state</statetype>
<direction>in</direction>
<quick>1</quick>
<source>
<network>lan</network>
</source>
<destination>
<network>opt1</network>
</destination>
<updated>
<username>root@10.0.0.107</username>
<time>1675712245.7933</time>
<description>/firewall_rules_edit.php made changes</description>
</updated>
<created>
<username>root@10.0.0.107</username>
<time>1675712245.7933</time>
<description>/firewall_rules_edit.php made changes</description>
</created>
</rule>
<rule uuid="a141d439-92d0-4138-8b0e-9192a1f29a08">
<type>pass</type>
<interface>lan</interface>
<ipprotocol>inet</ipprotocol>
<statetype>keep state</statetype>
<direction>in</direction>
<quick>1</quick>
<source>
<network>opt1</network>
</source>
<destination>
<network>lan</network>
</destination>
<updated>
<username>root@10.0.0.107</username>
<time>1675712190.5965</time>
<description>/firewall_rules_edit.php made changes</description>
</updated>
<created>
<username>root@10.0.0.107</username>
<time>1675712190.5965</time>
<description>/firewall_rules_edit.php made changes</description>
</created>
</rule>
<rule uuid="d9dccc48-2d74-4e07-a560-41bdbed103d6">
<source>
<network>lan</network>
</source>
<interface>lan</interface>
<statetype>keep state</statetype>
<protocol>tcp/udp</protocol>
<ipprotocol>inet</ipprotocol>
<destination>
<address>10.0.0.30</address>
<port>53</port>
</destination>
<descr>Intercept any outgoing DNS queries and redirect them to PiHole.</descr>
<category/>
<associated-rule-id>nat_63d321d5164c60.99056460</associated-rule-id>
<created>
<username>root@10.0.0.107</username>
<time>1674781141.0917</time>
<description>/firewall_nat_edit.php made changes</description>
</created>
</rule>
<rule uuid="9c46069a-01d2-493b-8da7-f23a543ad197">
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<descr>Default allow LAN to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule uuid="ac86a077-2add-43cb-b987-1735d867b6d9">
<type>pass</type>
<ipprotocol>inet6</ipprotocol>
<descr>Default allow LAN IPv6 to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule uuid="73cabe68-b833-46a0-bcec-524a0a13d0ce">
<type>pass</type>
<interface>opt1</interface>
<ipprotocol>inet</ipprotocol>
<statetype>keep state</statetype>
<direction>in</direction>
<log>1</log>
<quick>1</quick>
<source>
<network>opt1</network>
</source>
<destination>
<any>1</any>
</destination>
<updated>
<username>root@10.0.0.107</username>
<time>1675682813.5935</time>
<description>/firewall_rules_edit.php made changes</description>
</updated>
<created>
<username>root@10.0.0.107</username>
<time>1675680539.5684</time>
<description>/firewall_rules_edit.php made changes</description>
</created>
</rule>
</filter>
All you had to do was post the config from the wireguard interface. I believe it's the status page but don't have access to verify right now.
For rules, post screenshots of the rules page with the interfaces at the top included.
I've seen this on this board a ton, not sure what tutorials you guys are following but you're doing this wrong.
The client interface address should be the correct subnet mask, not a /32. The allowed IPs will be the /32. Specifically 10.0.1.2/32 for you.
Change the peer interface address to a /24.
Post your client's config.
It should look like this:
[Interface]
PrivateKey = [REMOVED]
Address = 10.0.1.2/24
[Peer]
PublicKey = [REMOVED]
AllowedIPs = 10.0.0.0/24, 10.0.1.1/32
Endpoint = [REMOVED]:51820
Quote from: Demusman on February 09, 2023, 12:53:28 AM
I've seen this on this board a ton, not sure what tutorials you guys are following but you're doing this wrong.
The client interface address should be the correct subnet mask, not a /32. The allowed IPs will be the /32. Specifically 10.0.1.2/32 for you.
You keep stating this, but it is just not true in the context of a road warrior type setup where the "clients" are not relaying traffic. Sure, changing to /24 will work too, but using /32 is not the cause of any issue in this case. It's just a red herring.
Couple of other references for your information:
- section 3 of https://wiki.archlinux.org/title/WireGuard
- step 4 of https://github.com/pirate/wireguard-docs#QuickStart
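As an added example that is not from anyone in this thread: a small Python check that reads the OPNsense WireGuard XML posted above together with a wg-quick client config, and reports whether the two sides agree on what OPNsense installs as the peer's AllowedIPs (the peer's tunneladdress) and on what the client routes into the tunnel. The embedded XML and client config are trimmed, constructed copies of the ones posted above with keys removed; the LAN 10.0.0.0/24 is the one named in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Trimmed copy of the server config posted in the thread (constructed; keys redacted).
SERVER_XML = """<wireguard>
 <server version="0.0.4"><servers><server uuid="4b5cee75"><name>wg1</name>
  <tunneladdress>10.0.1.1/24</tunneladdress><peers>5826191e</peers>
 </server></servers></server>
 <client version="0.0.7"><clients><client uuid="5826191e"><name>iOS01</name>
  <tunneladdress>10.0.1.2/32</tunneladdress>
 </client></clients></client>
</wireguard>"""

# Client config in the shape suggested above (constructed; keys and endpoint removed).
CLIENT_CONF = """[Interface]
Address = 10.0.1.2/24
[Peer]
AllowedIPs = 10.0.0.0/24, 10.0.1.1/32
"""

def parse_wg_quick(text):
    # Flatten the wg-quick INI into a dict; keys are unique in a single-peer file.
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check(server_xml, client_conf, lan=ipaddress.ip_network("10.0.0.0/24")):
    # Returns a list of mismatches between the two sides; empty means consistent.
    root = ET.fromstring(server_xml)
    srv = root.find("./server/servers/server")
    tunnel = ipaddress.ip_interface(srv.findtext("tunneladdress"))
    peer_ids = {p.strip() for p in srv.findtext("peers").split(",")}
    client = parse_wg_quick(client_conf)
    client_ip = ipaddress.ip_interface(client["Address"]).ip
    findings = []
    # Server side: OPNsense uses an attached peer's tunneladdress as its AllowedIPs.
    for peer in root.findall("./client/clients/client"):
        if peer.get("uuid") in peer_ids:
            allowed = ipaddress.ip_network(peer.findtext("tunneladdress"))
            if client_ip not in allowed:
                findings.append(f"server peer {peer.findtext('name')} allows {allowed}, not {client_ip}")
    # Client side: AllowedIPs decides which destinations are routed into the tunnel.
    routed = [ipaddress.ip_network(a.strip()) for a in client["AllowedIPs"].split(",")]
    if not any(lan.subnet_of(n) for n in routed):
        findings.append(f"client AllowedIPs does not cover LAN {lan}")
    if not any(tunnel.ip in n for n in routed):
        findings.append(f"client AllowedIPs does not cover tunnel gateway {tunnel.ip}")
    return findings
```

With the configs as posted (peer at 10.0.1.2/32 on the server, client routing 10.0.0.0/24 and 10.0.1.1/32) the check returns no findings, which is the point made above: the /32 on the server-side peer entry is not what blocks LAN access.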
Yeah.... I'd say that's a red herring, and I did try doing that during my troubleshooting, but to no avail. From everything I've looked at, all evidence points to it more likely being a firewall problem, since it doesn't even seem to be able to respond back, so maybe I did something wrong there or something is missing. Which is why I posted in these forums :)
Can you try to link the images on this forum without having to go to the hosting when clicking? It would help.
You can connect the peer from out to the firewall and the problem is that you can't get to a resource on the LAN once you're connected, right?
Let's clear things a bit. Full configs aren't too easy to read.
We'll need an image of your relevant firewall rules for the interfaces in play.
What will be good to see is the network segment the peer is in, what segment of your internal network you want it to be able to reach and what rules are in place that might allow or prevent it at present.
Yes, that's correct, I can connect and access the internet but can't access the LAN. See attached for my LAN and OPT1 (the interface the WireGuard instance and WireGuard client are on). My WireGuard client is on 10.0.1.2 and I'm trying to access my LAN resource on 10.0.0.30 (10.0.0.0/24 is my LAN).
LAN: (https://i.imgur.com/RaXMxB0.png)
OPT1: (https://i.imgur.com/joP3C2I.png)
Wow! Smaller please.
Fixed. That's why I uploaded them as links at first. This forum doesn't seem to deal with large/hdi images very well :P
That helps a lot, thanks.
I do think you're missing the part from here https://homenetworkguy.com/how-to/configure-wireguard-opnsense/#optional-add-firewall-rules-to-access-internal-networksdevices
It appears to me you want to create the rules on OPT1 to allow in the traffic. You would do it selectively as per the tutorial but as a blank test you could create the "allow all" rule:
Option Value
Action Pass
Interface OPT1
TCP/IP Version IPv4
Protocol any
Source OPT1 net
Source Port any
Destination OPT1 address
Destination Port any
Description Allow all access to the WG interface
I tried adding this but no luck, I don't have access to the LAN.
(https://i.imgur.com/fHZGhEP.png)
How do you know you're using the internet through the tunnel when connected?
What test did you do?
Your first rule on the LAN is useless, the OPT can never be a source on the LAN interface.
If you had no rules on the OPT nothing would be allowed on it.
I can see it going through my firewall and packet capture works on it, I stated this earlier and provided a picture.
Network-wise it seems OK at the moment.
Perhaps it's time to verify that indeed there's a response from the end point back to the requesting client.
Since it appears from what I read that you see no returns in your packet captures or firewall logs.
Maybe a different application or the application logs.
What are you trying to access on your LAN?
If you are only trying a single pc the whole time, it may be a software firewall blocking you.
Can you access the routers webgui?
Well I have solved this issue now.
I looked into maybe there being a software firewall; it looks like there wasn't one enabled, but I did try to SSH into some other devices on the network, and it appears I could, and I could access the web GUI too. So it turns out this one particular VM on my server (the one that happens to have all my services that I'd want to access) had something very, very wrong with its network configuration. It wasn't able to receive any connections from outside the subnet. I'm not sure exactly what was causing it, so I decided to just do a full reinstall and set up the Docker containers once again; everything seems to work.
Thanks for all the help everyone, it helped lead me in the right direction. I appreciate it.
Glad to hear