OPNsense Forum
Archive => 19.7 Legacy Series => Topic started by: csmall on July 19, 2019, 04:32:53 am
-
I used the doc here to configure wireguard.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
I am connecting an Android client and it seems to connect to the server fine, but traffic seems to only be sent and not received.
What could be wrong? I cannot get to the web interface of OPNsense when connected to the tunnel, or to the internet.
I configured the client to use 0.0.0.0/0 for Allowed IPs.
On the endpoint config I have Allowed IPs set to client_ip/24.
I added the interface wg0 to assignments and enabled it with prevent removal.
I added the NAT rule for outbound NAT
I created the WAN firewall rule
I'm not sure what I could be missing... I expected at the very least to get to the webui of opnsense and maybe have a dns issue but I can't even get to that.
-
Have you added a rule for the "interface" WireGuard to pass the traffic?
When I first configured the WireGuard connection, I wondered why there were successful handshakes between server and peer, but no traffic incoming. So I checked this and found that there was no "pass all" rule. And now it's working.
-
You need to troubleshoot at OPNsense while you are connected. Check if packets arrive, and try to ping the tunnel address of the firewall while checking the firewall logs.
-
Have you added a rule for the "interface" WireGuard to pass the traffic?
When I first configured the WireGuard connection, I wondered why there were successful handshakes between server and peer, but no traffic incoming. So I checked this and found that there was no "pass all" rule. And now it's working.
And be sure not to label the assigned interface "WireGuard" ;)
-
The interface is named opt2 for wg0.
I tried pinging the wg0 server address from the Android client, and it looks like it is blocked in the firewall log:
filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,18553,0,DF,1,icmp,84,172.16.5.2,172.16.5.1,datalength=64
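To make sense of a filterlog line like the one above, here is a small parser with a check for the symptom in this thread: a packet that has already been decrypted and delivered to wg0 is then blocked inbound on that interface, which points at a missing pass rule on the assigned interface rather than at WireGuard itself. This is an example added by the editor, not code from the thread or from OPNsense. The field order assumed for IPv4 entries (rule number, sub-rule, anchor, rule id, interface, reason, action, direction, IP version, TOS, ECN, TTL, id, offset, flags, protocol id, protocol name, length, source, destination, then protocol-specific key=value fields) is my reading of the filterlog CSV layout; verify it against your own version's output before relying on it. The tunnel subnet 172.16.5.0/24 is inferred from the addresses in the posted line.

```python
"""Parse an OPNsense filterlog line and explain a block on the WireGuard interface.

Editor-added example; not from the thread or from OPNsense. The field layout
below is an assumption about the filterlog CSV format for IPv4 entries.
"""
import ipaddress
from dataclasses import dataclass, field

# The line posted in the thread (copied from the post above).
SAMPLE = ("filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,18553,0,DF,1,icmp,"
          "84,172.16.5.2,172.16.5.1,datalength=64")

# Assumed field order for the fixed part of an IPv4 entry.
IPV4_FIELDS = ["rulenr", "subrulenr", "anchor", "rid", "interface", "reason",
               "action", "direction", "ipver", "tos", "ecn", "ttl", "id",
               "offset", "flags", "protoid", "proto", "length", "src", "dst"]


@dataclass
class FilterEntry:
    interface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    extra: dict = field(default_factory=dict)  # protocol-specific key=value pairs


def parse_filterlog(line: str) -> FilterEntry:
    """Split one filterlog line into its named fields (IPv4 only)."""
    payload = line.split("filterlog:", 1)[1] if "filterlog:" in line else line
    parts = payload.strip().split(",")
    if len(parts) < len(IPV4_FIELDS) or parts[8] != "4":
        raise ValueError("only IPv4 filterlog entries are handled here")
    fields = dict(zip(IPV4_FIELDS, parts))
    extra = {}
    for item in parts[len(IPV4_FIELDS):]:
        if "=" in item:
            key, value = item.split("=", 1)
            extra[key] = value
    return FilterEntry(fields["interface"], fields["action"], fields["direction"],
                       fields["proto"], fields["src"], fields["dst"], extra)


def diagnose(entry: FilterEntry, tunnel_if: str, tunnel_net: str) -> str:
    """Classify a log entry relative to the WireGuard interface.

    A block, inbound on the tunnel interface, from a source inside the tunnel
    subnet means the handshake and decryption already succeeded; pf dropped the
    plaintext packet because no pass rule exists on the assigned interface.
    """
    net = ipaddress.ip_network(tunnel_net)
    if entry.action != "block":
        return "not a block"
    if (entry.interface == tunnel_if and entry.direction == "in"
            and ipaddress.ip_address(entry.src) in net):
        return (f"blocked inbound on {tunnel_if} from tunnel peer {entry.src} "
                f"to {entry.dst}: add a pass rule on the {tunnel_if} interface")
    return f"blocked on {entry.interface} {entry.direction}: not a tunnel-interface rule problem"


if __name__ == "__main__":
    entry = parse_filterlog(SAMPLE)
    print(entry)
    print(diagnose(entry, "wg0", "172.16.5.0/24"))
```

Run it against lines from Firewall: Log Files: Plain View; anything reported as "blocked inbound on wg0" is the case this thread is about, and the fix is a pass rule on the assigned interface (opt2 here), not a change to the WireGuard peer configuration.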
-
Have you added a rule for the "interface" WireGuard to pass the traffic?
When I first configured the WireGuard connection, I wondered why there were successful handshakes between server and peer, but no traffic incoming. So I checked this and found that there was no "pass all" rule. And now it's working.
Where did you add the rule and what are the rule details. I think this is my problem.
-
Never mind. I found it. I added an any/any permit rule to the opt2 interface and now traffic is flowing. I can ping the OPNsense IP and the WireGuard server IP from the client now.
I can also reach the internet through the tunnel. Thanks!!
-
Hooray! 8)
-
Thanks again for all your hard work on this and other plugins
-
Thanks again for all your hard work on this and other plugins
It all of a sudden just stopped working. I can't understand why. I tried rebooting OPNsense and the Android device. I haven't changed any settings other than adding another endpoint device. I will test that one in a few minutes and see if it works.
I also noticed that while I added the any/any rules to the opt2 interface (wg0) and everything started flowing, there is also now a WireGuard tab listed under firewall rules and it had no rule, so I added an any/any rule there just now and it didn't make a difference.
It worked all day yesterday and stopped sometime late last night
-
So I just confirmed that the second client I added still works. The first device is an android phone and it worked and then stopped. The second device is a laptop which is tethered to the Android device (without wireguard running of course) and it connects and traffic flows as expected.
So odd.
-
So, both are working or not?
-
maybe you are affected by this? https://github.com/opnsense/plugins/issues/1419#issuecomment-513491826
-
maybe you are affected by this? https://github.com/opnsense/plugins/issues/1419#issuecomment-513491826
Switching the endpoints on the server to /32 seems to have resolved the issue! /32 actually makes more sense to me, and I never understood why all the articles I saw used /24.
I didn't change the client to /32 but I will try that anyway I guess because it just sounds right.
But thank you, your link seems to have solved the problem.
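Why /32 fixes this, and why the first phone stopped exactly when a second endpoint was added, follows from how WireGuard's cryptokey routing treats Allowed IPs. Each prefix in the Allowed IPs table belongs to exactly one peer: outgoing packets are routed to the peer holding the longest matching prefix, decrypted packets are dropped unless their source lies within the sending peer's Allowed IPs, and a prefix given to a new peer is taken away from whichever peer held it before. With 172.16.5.2/24 and 172.16.5.3/24, both entries normalise to 172.16.5.0/24, so the second endpoint silently takes the whole subnet from the first. The model below is an editor-added example, not code from the thread or from the OPNsense WireGuard plugin; the peer names, the addresses 172.16.5.2 and 172.16.5.3, and the fact that the server-side table is modelled as a simple dictionary are assumptions made for illustration.

```python
"""Model of WireGuard cryptokey routing, showing /24 versus /32 Allowed IPs.

Editor-added example, not the plugin's own code. Peer names and addresses
are made up to match the thread's 172.16.5.0/24 tunnel.
"""
import ipaddress


class CryptokeyRoutingTable:
    """Server-side Allowed IPs table: one owning peer per prefix."""

    def __init__(self):
        self.owner = {}  # ip_network -> peer name

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            # WireGuard masks host bits: 172.16.5.2/24 becomes 172.16.5.0/24.
            net = ipaddress.ip_network(cidr, strict=False)
            # A prefix already held by another peer moves to the new peer.
            self.owner[net] = name

    def peer_for_destination(self, ip):
        """Outbound: longest-prefix match picks the peer to encrypt to."""
        ip = ipaddress.ip_address(ip)
        best = None
        for net, peer in self.owner.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accepts_source(self, peer, ip):
        """Inbound: a decrypted packet is kept only if its source is in the
        sending peer's Allowed IPs; otherwise WireGuard drops it."""
        ip = ipaddress.ip_address(ip)
        return any(ip in net for net, owner in self.owner.items() if owner == peer)

    def allowed_ips_of(self, peer):
        return sorted(str(net) for net, owner in self.owner.items() if owner == peer)


def simulate(prefixlen):
    """Configure two endpoints the way the thread did, then check both directions."""
    table = CryptokeyRoutingTable()
    table.add_peer("phone", [f"172.16.5.2/{prefixlen}"])   # first endpoint
    table.add_peer("laptop", [f"172.16.5.3/{prefixlen}"])  # endpoint added later
    return {
        "phone_allowed": table.allowed_ips_of("phone"),
        "laptop_allowed": table.allowed_ips_of("laptop"),
        "to_phone_goes_to": table.peer_for_destination("172.16.5.2"),
        "to_laptop_goes_to": table.peer_for_destination("172.16.5.3"),
        "from_phone_accepted": table.accepts_source("phone", "172.16.5.2"),
        "from_laptop_accepted": table.accepts_source("laptop", "172.16.5.3"),
    }


if __name__ == "__main__":
    for plen in (24, 32):
        print(f"/{plen}:", simulate(plen))
```

With /24 the phone ends up with no Allowed IPs at all: replies for 172.16.5.2 are encrypted to the laptop, and the phone's own packets fail the source check, which matches "the first device worked and then stopped while the second still works". With /32 each peer owns only its own address and both directions work. The /24 on the Android client side is a separate matter: the client's Allowed IPs (0.0.0.0/0 here) only decide which of its own traffic enters the tunnel, so the server-side entries are the ones that must be /32 per endpoint.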
-
I'll recheck our docs tomorrow. Was also not aware of this. Glad it works now