OPNsense Forum

English Forums => Virtual private networks => Topic started by: zero on October 22, 2023, 04:26:59 pm

Title: [SOLVED] Need help to set up Wireguard
Post by: zero on October 22, 2023, 04:26:59 pm
Hello,
I'm trying to set up WireGuard with a simple configuration, but I can't figure out what I'm doing wrong. I simply can't get internet access when WireGuard is turned on in the client.
My topology is simple: I have 2 interfaces, LAN1 192.168.1.1 and LAN2 192.168.2.1, and I would like clients that connect to WireGuard to have a LAN2 IP.
I created these firewall rules.
WAN
    Protocol: IPv4 UDP    
    Source: *
    Port: *
    Destination: WAN address    
    Port: 51820    
    Gateway: *
    Schedule: *
WG1 interface
    Protocol: IPv4 *
    Source: WG1 net
    Port: *
    Destination: *
    Port: *
    Gateway: *
    Schedule: *
So after installing the plugin and configuring the client, I configured the WireGuard instance this way
        Name: wg1   
        Device: wg1   
        Tunnel Address: 192.168.2.1/24
        Port: 51820   
        Peers: DEMO-Peer
        Commands:
And Peers
        Name DEMO-Peer
        Endpoint address WAN IP
        Endpoint port 51820   
        Allowed IPs 192.168.2.50
        Commands

When I enable the WireGuard connection from my Demo Peer, I can see in the diagnosis tab that the handshake was sent
        Public key: Public key of the peer's interface
        Name: DEMO-Peer
        Port / Endpoint: IP of DEMO-Peer:8020
        Handshake: Connection date
        Send: 1.09 KB   
        Received: 1.20 KB
        
I hope someone could help

         
Title: Re: Need help to set up Wireguard
Post by: Patrick M. Hausen on October 22, 2023, 04:30:31 pm
You need a separate network for your WireGuard clients, e.g. 192.168.3.0/24. WireGuard is a routed connection, not bridged. You cannot make the clients "appear" on a local LAN.
Title: Re: Need help to set up Wireguard
Post by: CJ on October 22, 2023, 04:32:25 pm
Additionally, you have the client set to only allow access to a single IP.

And you'll want to add KeepAlive 25 to both sides of the config.
Title: Re: Need help to set up Wireguard
Post by: zero on October 22, 2023, 05:01:22 pm
Thank you for all your answers, I've set WireGuard clients to 192.168.10.0/24 and enabled KeepAlive to 25 but same result.
CJ, what do you mean by "Additionally, you have the client set to only allow access to a single IP."?
Title: Re: Need help to set up Wireguard
Post by: Patrick M. Hausen on October 22, 2023, 05:28:06 pm
On OPNsense you set the tunnel address to e.g. 192.168.10.1/24.

On the client you set the tunnel address to e.g. 192.168.10.101/32

On OPNsense you set allowed IPs for that client/peer to 192.168.10.101.

On the client you set allowed IPs to

192.168.10.1 - if you want to talk to OPNsense only.
192.168.10.0/24 - if you want all clients to be able to communicate with each other.

And additionally (!)

192.168.1.0/24
192.168.2.0/24

so the client can talk to your LANs ...
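
The addressing rules from the reply above, written as a check that can be run against a planned setup. This is an added example, not part of the original posts or of OPNsense: `check_plan` and its parameters are hypothetical names, the client-side values in `BEFORE` are constructed (the thread does not show them), and requiring the client address to sit inside the tunnel network is an assumption taken from the reply's example values.

```python
import ipaddress as ipa

def check_plan(lans, server_tunnel, client_tunnel, server_allowed, client_allowed):
    """Return a list of problems in a routed WireGuard addressing plan."""
    problems = []
    server = ipa.ip_interface(server_tunnel)   # OPNsense tunnel address, with prefix
    client = ipa.ip_interface(client_tunnel)   # client tunnel address
    lan_nets = [ipa.ip_network(n) for n in lans]
    srv_ok = [ipa.ip_network(a, strict=False) for a in server_allowed]
    cli_ok = [ipa.ip_network(a, strict=False) for a in client_allowed]

    # WireGuard is routed, not bridged: the tunnel subnet must not reuse a LAN.
    for lan in lan_nets:
        if server.network.overlaps(lan):
            problems.append(f"tunnel network {server.network} overlaps LAN {lan}")
    # Assumption: the client gets its own host address inside the tunnel network.
    if client.ip not in server.network or client.ip == server.ip:
        problems.append(f"client address {client.ip} is not a free host in {server.network}")
    # OPNsense side: the peer's allowed IPs must contain the client's tunnel address.
    if not any(client.ip in n for n in srv_ok):
        problems.append(f"peer allowed IPs on OPNsense do not cover {client.ip}")
    # Client side: allowed IPs must contain OPNsense's tunnel address ...
    if not any(server.ip in n for n in cli_ok):
        problems.append(f"client allowed IPs do not cover {server.ip}")
    # ... and additionally every LAN the client should be able to talk to.
    for lan in lan_nets:
        if not any(n.version == lan.version and lan.subnet_of(n) for n in cli_ok):
            problems.append(f"client allowed IPs do not cover LAN {lan}")
    return problems

LANS = ["192.168.1.0/24", "192.168.2.0/24"]
# Instance and peer values from the first post; client-side values are constructed.
BEFORE = dict(lans=LANS, server_tunnel="192.168.2.1/24", client_tunnel="192.168.2.50/32",
              server_allowed=["192.168.2.50"], client_allowed=["192.168.2.1"])
# Values suggested in the reply above.
AFTER = dict(lans=LANS, server_tunnel="192.168.10.1/24", client_tunnel="192.168.10.101/32",
             server_allowed=["192.168.10.101"],
             client_allowed=["192.168.10.0/24", "192.168.1.0/24", "192.168.2.0/24"])

if __name__ == "__main__":
    for name, plan in (("before", BEFORE), ("after", AFTER)):
        print(name, check_plan(**plan) or "ok")
```
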
Title: Re: [SOLVED] Need help to set up Wireguard
Post by: zero on October 22, 2023, 05:41:16 pm
Thank you, after the explanation I realized that I had the wrong IP on the client.