Print Page - [Help] OPNsense WireGuard on Proxmox – packets arrive but no handshake

Title: [Help] OPNsense WireGuard on Proxmox – packets arrive but no handshake
Post by: nekacasa on September 15, 2025, 09:54:39 AM

Hi,

I'm fairly new to networking and OPNsense, and I'm stuck with my WireGuard setup. I can not get handshake. I've been troubleshooting step by step for a while and would really appreciate some guidance.

My setup
ISP router:

192.168.1.1
Port forward on ISP router:External port: 51820 → Internal IP: 192.168.1.3 (OPNsense WAN) → Protocol: UDP
NAT loopback disabled,

OPNsense VM running on Proxmox:

WAN (vtnet0) → bridged to Proxmox vmbr0 (connected directly to ISP router), IP: 192.168.1.3
LAN (vtnet1) → vmbr1 → 192.168.10.1
Proxmox firewall disabled for this VM

WireGuard config in OPNsense

Instance:
- Listen port: 51820
- Interface address: 10.10.10.1/24
- Peer (my phone) is selected/linked
Peer (phone):
- Public key matches phone
- Allowed IPs: 10.10.10.2/32

Firewall rules:

WAN: allow UDP/51820 to WAN address
WG interface: allow any from WireGuard net to any

NAT:

Outbound NAT in hybrid mode → rule: WireGuard net → WAN → interface address

Peer (phone) config

[Interface]

Private key = phone's key
Address = 10.10.10.2/32
DNS = 10.10.10.1

[Peer]

PublicKey = server instance public key
Endpoint = myDDNS:51820 (DDNS points to correct WAN IP)
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

What works

DDNS resolves to correct WAN IP.
From outside (mobile data), packets arrive at OPNsense WAN (confirmed with Packet Capture). Example:
46.122.x.x.33494 > 192.168.1.3.51820: UDP, length 148

So port forwarding is working and OPNsense is receiving the packets.

What does NOT work

No handshake shown in OPNsense (empty "Last handshake").
On the phone, only "sent bytes" increment, "received" stays 0.
No access to LAN or internet through the tunnel.

Things I have already tried

Verified peer is linked to instance.
Double-checked all public/private keys (QR import).
Allowed IPs set correctly on both sides.
PersistentKeepalive = 25 on phone.
Checked system clock (NTP enabled, time is correct).
Verified NAT outbound rule exists for WireGuard net → WAN.
Proxmox VM networking: VirtIO NICs, bridged to vmbr0 (WAN) and vmbr1 (LAN). No NAT mode. Proxmox firewall disabled.

Where I'm stuck

Packets from the phone reach OPNsense WAN, but WireGuard never replies. I cannot get a handshake, so no LAN or internet access through the tunnel.

What else could cause OPNsense to silently drop incoming WireGuard handshake packets, even when the peer is linked, keys match, and packets clearly arrive at the WAN interface?

Thanks in advance for any help!

OPNsense Forum

English Forums => Virtual private networks => Topic started by: nekacasa on September 15, 2025, 09:54:39 AM