OPNsense Forum

English Forums => Virtual private networks => Topic started by: rpn on September 02, 2025, 10:35:35 AM

Title: WireGuard Road Warrior Setup
Post by: rpn on September 02, 2025, 10:35:35 AM
I saw open questions about the WireGuard handshaking here, so I decided to share my experience.

As a newbie, I did a model of a VPN concept on my laptop under VirtualBox with a Linux client and OPNsense as WireGuard server. I followed the WireGuard Road Warrior Setup (https://docs.opnsense.org/manual/how-tos/wireguard-client.html) instructions 1:1, but I encountered difficulties in the handshaking between the client and the WireGuard server.

After some experimentation, I found out that the obstacle was the interface-specificity of the firewall WAN rule (step 5). After moving the WAN rule to Firewall‣Rules‣Floating, without specifying an interface, the handshaking worked perfectly.

Interestingly, the problem exists only for the first connection attempt – after a successful handshake (obtained by the above change of the rules), the restored original rules also work, until the peer is disabled and enabled again. I suspect an inability of the WireGuard interface to respond to the handshake due to an incorrectly constructed state, but this is far beyond my knowledge. Any interface-specific test rules of type "all enabled" didn't help.

Please comment. Maybe there is a more appropriate solution to the problem than mine.
Title: Re: WireGuard Road Warrior Setup
Post by: Patrick M. Hausen on September 02, 2025, 12:45:35 PM
I fail to see how a WAN rule might not work when the road warrior device is "outside" the local network on the Internet. Are you trying to establish the tunnel while the device is "inside"? Why?
Title: Re: WireGuard Road Warrior Setup
Post by: rpn on September 02, 2025, 03:24:09 PM
Quote from: Patrick M. Hausen on September 02, 2025, 12:45:35 PM
Are you trying to establish the tunnel while the device is "inside"?

Of course not. The configuration is a virtual Suse machine working as the client and connecting to the WAN interface of the virtual OPNsense. The device "inside" is the physical host, again with Suse. I also fail to see a reason, and this is the reason for my asking...

To be clear - the rule setting in "Step 5 - Create firewall rules" (Firewall ‣ Rules ‣ WAN) prevents the handshake; the same rule moved to "Floating" works.
Title: Re: WireGuard Road Warrior Setup
Post by: Patrick M. Hausen on September 02, 2025, 03:29:04 PM
OK, so your WAN is an Ethernet and not a point-to-point link like PPPoE? And the OPNsense and the client share that Ethernet with the Internet default gateway?

--> Firewall > Settings > Advanced > Disable reply-to [X]

If you need reply-to for multi-WAN, you can also disable it selectively for your inbound Wireguard rule on WAN.

HTH,
Patrick
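To make the reply-to point concrete, the following pf rules are an added illustration and are not taken from the thread or from the OPNsense documentation. Interface name em0, WAN gateway 192.0.2.1, and WireGuard port 51820 are assumed placeholders; the rule shapes follow the general form OPNsense generates for an interface-bound WAN rule, but check the actual rules on your box with `pfctl -sr` rather than trusting this sketch.

```pf
# (added example, assumed names/addresses) Interface-bound WAN rule with reply-to.
# pf sends the reply to the handshake initiation to the WAN gateway
# 192.0.2.1 instead of consulting the routing table. In a lab where the
# client sits on the same Ethernet segment as that gateway, the handshake
# response takes a detour through the gateway instead of going straight back.
pass in quick on em0 reply-to (em0 192.0.2.1) inet proto udp \
    from any to (em0) port 51820 keep state label "WireGuard (reply-to)"

# The same rule with reply-to disabled for this rule only
# (Firewall > Rules > WAN > edit rule > Advanced > "Disable reply-to"),
# which keeps reply-to available for other multi-WAN rules.
pass in quick on em0 inet proto udp \
    from any to (em0) port 51820 keep state label "WireGuard (no reply-to)"

# A floating rule without an interface: OPNsense does not attach reply-to
# to it, which is why moving the rule to Floating also made the handshake work.
pass in quick inet proto udp \
    from any to (em0) port 51820 keep state label "WireGuard (floating)"
```

After changing the setting, confirm the handshake from the client with `wg show` (the `latest handshake` line) and from OPNsense with `pfctl -ss | grep 51820`, which shows whether a UDP state for the handshake was created on em0.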