Hi everyone,
yesterday I updated my Sense to the newest version; in OPNsense 24.1.2 I had problems configuring WireGuard.
Also, in the newest version it seems that there isn't a way to get road warrior running.
This is my Network Diagram:
<code>
WAN / Internet
:
: Cable ISP Vodafone
:
.-----+-----.
| Gateway | (CableModem,FritzBox 6660 in Bridge Mode)
'-----+-----'
|
WAN (DHCPv4/v6 from ISP)
|
.-----+------. Wifi Network (Fritzbox 7590 as AP)
| OPNsense| +-----------------+ AP | +----------------+ WG0
'-----+------' 192.168.12.0/24 10.10.10.1/24
| |
LAN | 192.168.11.0/24 WG0 Client
| 10.10.10.3/32
.-----+------.
| LAN-Switch |
'-----+------'
|
...-----+------... (Clients/Servers)
</code>
The problem is that no handshake or connection is possible. I also configured it via the shell with qrencode on Mac to make the configuration for peers easier.
On my phone the following is configured:
Interface:
Name: wg0 (same as for the Interface)
Address: 10.10.10.3/32
ListenPort: 54168
DNS servers: 10.10.10.1
PEER:
Public key and preshared key configured in the shell with wg genpsk, umask 077 && wg genkey > wg-private-client.key and wg pubkey < wg-private-client.key > wg-public-client.key
Endpoint: (I use my DynDNS):51820
Allowed IPs: (at first for testing) 0.0.0.0/0, ::/0
I have already tested configuring it over the web UI, but there are also some weird problems since 24.1.2, which got weirder since I updated to the newest version.
The firewall rules are based on the OPNsense Road Warrior setup; I tested it with settings on a newly created interface and also without.
I also removed the complete configuration many times and began from scratch (with a newly installed OPNsense and also without, with restoring a backup and without).
So guys, what do you think, where is my problem? Have I missed anything?
0.0.0.0/24, ::/0 ?
That does not explain the missing handshake, though.
Ahh, my mistake, I mistyped it in my thread.
No one?
Quote
Interface:
Name: wg0 (same as for the Interface)
Address: 10.10.10.3/32
ListenPort: 54168
DNS servers: 10.10.10.1
Perhaps this is the issue?
If address is supposed to be your "Tunnel Address", you need to use the CIDR of the network, such as /24 for example.
Quote from: xpendable on March 08, 2024, 10:41:49 PM
Perhaps this is the issue?
If address is supposed to be your "Tunnel Address", you need to use the CIDR of the network, such as /24 for example.
Interesting; normally I configure this on *nix systems, and I also have this on a dedicated Linux WireGuard server.
From the documentation I wrote myself, this is the config I use to create a client-server situation.
## create wg0.conf
nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <site-1 private-key>
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
[Peer]
PublicKey = <site-2 public-key>
AllowedIPs = 10.0.0.0/24, 192.168.178.0/24
PersistentKeepalive = 25
--> site 2 (client)
## create wg0.conf
[Interface]
PrivateKey = <site-2 private-key>
Address = 10.0.0.3/32
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <site-1 public-key>
Endpoint = <FQDN>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
As you can see, normally you use the address of the peer in this.
Never had any issues with that; also in my client-server situation I can reach everything (as far as configured) in my own network.
So no, this couldn't be the issue.
CIDR notation /24 means at least you can use 254 hosts in that subnet;
/32 means that this is only one host :) but it should work with that, because this is the IP address for only the one peer host, not for the complete subnet; the subnet is configured on the interface.
OK, I tested out everything I could do.
There isn't any way to get a handshake.
On a newly installed FreeBSD on my home server I get it working without any issues; it appears there is something wrong in the implementation of WireGuard on OPNsense.
I checked my config against https://www.wireguardconfig.com
and changed the IPs on both the interface and the peer, also on the peer client.
When I do the same thing on FreeBSD everything works fine.
Also on Debian and Ubuntu there aren't any problems.
My config looks as follows (the keys aren't my own ones, I changed them):
IP Address 10.10.10.1/24
Listen Port 51820
Private Key QIV5wu64Glh3/Syt0U0NdTu7MbVvzUZyJBteh4Q8tmE=
Public Key rtt+4VUSAWTIrrK7AUnmNd2ZNEXJprEuoKwMK9VLxAk=
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = QIV5wu64Glh3/Syt0U0NdTu7MbVvzUZyJBteh4Q8tmE=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = VSGoFG/UE+Ugm8gp2hD7z0tVwGzRiRXBZfZqon7Wlgg=
PresharedKey = Kq6uGyzyRkwky6hBVW3U3V1A527x23Rofg4zcpsY8WE=
AllowedIPs = 10.10.10.2/32
[Peer]
PublicKey = Ebfe34PwJoCCr+JzuUmG9vy2e92ztLwxeQqQLzQe8w4=
PresharedKey = elKugATBxLtju/iRZmcvE8uw/OA9/w4c5PrJNE7Mjec=
AllowedIPs = 10.10.10.3/32
[Peer]
PublicKey = JYrJilAF+rIwCzXyBNtoSBEsMwk9/s2/gYG1jrrp0CM=
PresharedKey = yl+uZskags/LhP84HJdGEbPyBrQufSw1EzbQeAUWH+Q=
AllowedIPs = 10.10.10.4/32
Client 1
IP Address 10.10.10.2/24
Listen Port 51820
Private Key oHAYuOvZoRhZm0OiF9ppi+MR7bW7BRCjvKQe0PsgcU8=
Public Key VSGoFG/UE+Ugm8gp2hD7z0tVwGzRiRXBZfZqon7Wlgg=
[Interface]
Address = 10.10.10.2/24
ListenPort = 51820
PrivateKey = oHAYuOvZoRhZm0OiF9ppi+MR7bW7BRCjvKQe0PsgcU8=
DNS = 10.10.10.1
[Peer]
PublicKey = rtt+4VUSAWTIrrK7AUnmNd2ZNEXJprEuoKwMK9VLxAk=
PresharedKey = Kq6uGyzyRkwky6hBVW3U3V1A527x23Rofg4zcpsY8WE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820
There's nothing wrong with it.
I also tried different configurations in OPNsense itself, with a wgX interface assignment and without.
With hybrid outbound NAT rules for the wgX interface and also the WireGuard (Group) net interface.
Also with only one of them.
I added the necessary Firewall Rules for the Interfaces and also DNS.
I added IPv4 and IPv6 normalisation rules, also only one of them and/or both equally.
I added the Unbound ACL rules also for IPv4 and IPv6 and only one of them (tested without IPv6 and with).
Before I forget, I also tried installing 24.1.3_1 from scratch, without Suricata, CrowdSec and any other security enhancements like floating rules etc.
Also on a clean install there isn't a handshake.
I think there is something wrong with the update; I also tried an older version, 24.1, and there's no problem getting it running.
OK fuck damn shit ;) I got it.
I don't really know why I need a CIDR /24 net on my device. Normally I give my client /32; why I need a /24, as @xpendable said, I didn't really understand. I've never done that before and it was working????
@xpendable, forget what I said.
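Two of the things this thread tripped over, the mistyped 0.0.0.0/24 in AllowedIPs and the /32 versus /24 on the client's tunnel address, are easy to catch before testing a handshake. The following is an added example, not code from the thread or from OPNsense: a small wg-quick config parser and linter. The sample config, the placeholder keys, the tunnel network 10.10.10.0/24 and the endpoint name are constructed for the example.

```python
import ipaddress

# Constructed sample modelled on the phone config from the thread; keys are placeholders, not real key material.
CLIENT_CONF = """
[Interface]
Address = 10.10.10.3/32
ListenPort = 54168
PrivateKey = <client-private-key>
DNS = 10.10.10.1
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/24, ::/0
Endpoint = myserver.dyndns.org:51820
"""

def parse_wg(text):  # wg-quick style INI -> (interface dict, list of peer dicts)
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def lint_client(text, tunnel_net="10.10.10.0/24"):  # findings for a road-warrior client config
    net = ipaddress.ip_network(tunnel_net)
    iface, peers = parse_wg(text)
    findings = []
    addr = ipaddress.ip_interface(iface["Address"])
    if addr.ip not in net:
        findings.append(f"Address {addr} is outside tunnel network {net}")
    elif addr.network.prefixlen != net.prefixlen:
        # a /32 here works on Linux/FreeBSD, but the thread's OPNsense setup only handshook with /24
        findings.append(f"Address uses /{addr.network.prefixlen}, tunnel network is /{net.prefixlen}")
    for n, peer in enumerate(peers, 1):
        if "Endpoint" not in peer:
            findings.append(f"peer {n}: no Endpoint, so the client cannot initiate a handshake")
        for cidr in peer.get("AllowedIPs", "").split(","):
            allowed = ipaddress.ip_network(cidr.strip())
            # 0.0.0.0/24 routes only 0.0.0.0-0.0.0.255 through the tunnel; the default route is /0
            if int(allowed.network_address) == 0 and allowed.prefixlen != 0:
                findings.append(f"peer {n}: AllowedIPs {allowed} looks like a mistyped default route")
    return findings
```

Running `lint_client(CLIENT_CONF)` reports the /32 address and the 0.0.0.0/24 entry; fixing both yields no findings.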