OPNsense Forum

English Forums => Virtual private networks => Topic started by: JRC on March 30, 2024, 11:36:15 PM

Title: Wireguard Roadwarrior setup not working (unable to complete handshake)
Post by: JRC on March 30, 2024, 11:36:15 PM
The client is not able to finish the handshake and I cannot work out why.

I followed the instruction here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html and I have double and triple checked my settings and they match these settings, but I am unable to connect from any client, I am getting errors about the handshake not completing.

At this point I am at a loss as to what to do to get this working. I am not entirely sure what I need to post here to help work this out.

The interface I created in step 4(a) is called "Wireguard"

Outbound NAT Rule:
WAN  Wireguard net  *  *  *  Interface address  *  NO  Wireguard NAT Rule

WAN Rule:
IPv4 UDP  *  *  WAN address  51820  *  *  Open Wireguard Port

Wireguard Interface FW Rule:
IPv4 *  Wireguard net  *  *  *  *  *  Allow Traffic from Wireguard Clients

Normalization Rule:
WireGuard (Group), Wireguard  any  any  Wireguard MSS Clamping IPv4

OPNsense v24.1.4

Any suggestions?

Also, some notes in the documentation:
Title: Re: Wireguard Roadwarrior setup not working (unable to complete handshake)
Post by: Bob.Dig on March 31, 2024, 11:45:58 AM
Do you have a public IPv4-address in the first place? If so, log that firewall rule on your WAN and see, if it gets any hits from you.
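The check suggested above (log the WAN rule and look for hits from the client) can be taken one step further by capturing on the WAN interface and classifying the WireGuard messages, which tells you whether the handshake stalls before the firewall, inside it, or on the way back. The script below is an added example and not part of this thread or of OPNsense; it assumes the capture came from `tcpdump -n` on the OPNsense WAN interface filtered to the UDP port in the WAN rule, and the sample lines and IP addresses are constructed. Message sizes (148-byte handshake initiation, 92-byte handshake response, 64-byte cookie reply) come from the WireGuard protocol.

```python
"""Classify WireGuard UDP packets from tcpdump output to see where a handshake stalls.

Added example, not from the OPNsense thread. Assumes tcpdump was run on the
OPNsense WAN interface with numeric output, e.g.
    tcpdump -ni <wan_if> udp port 51820
Handshake initiation is 148 bytes, handshake response 92 bytes, cookie reply
64 bytes; any other packet of 32+ bytes is transport data (WireGuard protocol).
"""
import re
from collections import Counter

# Listen port from the thread's WAN rule.
WG_PORT = 51820

# WireGuard message types keyed by their fixed on-the-wire length.
MSG_BY_LENGTH = {148: "handshake_initiation", 92: "handshake_response", 64: "cookie_reply"}

# tcpdump -n line for IPv4 UDP: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>[0-9.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[0-9.]+)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<len>\d+)"
)

# Constructed sample capture (documentation addresses): one client completes a
# handshake, a second client's initiations arrive but nothing is sent back.
SAMPLE = """\
23:36:15.000001 IP 203.0.113.5.41811 > 198.51.100.10.51820: UDP, length 148
23:36:15.000420 IP 198.51.100.10.51820 > 203.0.113.5.41811: UDP, length 92
23:36:15.001000 IP 203.0.113.5.41811 > 198.51.100.10.51820: UDP, length 32
23:36:20.000001 IP 203.0.113.77.6000 > 198.51.100.10.51820: UDP, length 148
23:36:25.000001 IP 203.0.113.77.6000 > 198.51.100.10.51820: UDP, length 148
"""


def parse_packet(line):
    """Return a dict for one tcpdump UDP line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    length = int(m["len"])
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": length,
        "type": MSG_BY_LENGTH.get(length, "transport_data" if length >= 32 else "unknown"),
    }


def diagnose(capture, server_ip, port=WG_PORT):
    """Count handshake messages per client IP and say where the exchange stops."""
    per_client = {}
    for line in capture.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        if pkt["dst"] == server_ip and pkt["dport"] == port:
            client = pkt["src"]          # inbound to the WireGuard listen port
        elif pkt["src"] == server_ip and pkt["sport"] == port:
            client = pkt["dst"]          # outbound reply from the listen port
        else:
            continue
        per_client.setdefault(client, Counter())[pkt["type"]] += 1

    report = {}
    for client, counts in per_client.items():
        if counts["handshake_initiation"] == 0 and counts["handshake_response"] == 0:
            verdict = "no handshake observed in this window"
        elif counts["handshake_response"] == 0:
            verdict = ("initiation reached WAN but no response left: "
                       "check listen port, peer key and interface rules")
        elif counts["transport_data"] == 0:
            verdict = "response sent but no transport data followed: reply likely dropped on the return path"
        else:
            verdict = "handshake completed"
        report[client] = {"counts": dict(counts), "verdict": verdict}
    return report


def client_seen(report, client_ip):
    """The first question from the thread: did anything from this client arrive at all?"""
    return client_ip in report


if __name__ == "__main__":
    for client, info in diagnose(SAMPLE, "198.51.100.10").items():
        print(client, info["counts"], "->", info["verdict"])
```

A client that is absent from the report entirely matches the situation described in the thread (no hits in the WAN log): the packets never reach the firewall, so the problem is upstream of OPNsense rather than in its rules.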
Title: Re: Wireguard Roadwarrior setup not working (unable to complete handshake)
Post by: JRC on April 01, 2024, 12:31:06 AM
I do have a public IPv4, and the firewall logs were not showing anything from my test setup (hotspot off my phone, also had a public IPv4).

When I tried to access my other services, I could see the traffic flowing (I was filtering by source IP), but when I tried to connect to the VPN I saw nothing.

It's possible that my cell provider is blocking VPN traffic, but I think this is very unlikely (Android phone on Google Fi).
Title: Re: Wireguard Roadwarrior setup not working (unable to complete handshake)
Post by: JRC on April 01, 2024, 02:59:08 AM
Eh, I gave up on this, and just spun up a VM with OpenVPN on it, and did a port forward. I'll use firewall rules to control which VLAN/service/servers remote clients can and cannot get to.