OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: csmall on July 19, 2019, 04:32:53 am

Title: [Solved] Need help with wireguard
Post by: csmall on July 19, 2019, 04:32:53 am
I used the doc here to configure wireguard.

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I am connecting an Android client and it seems to connect to the server fine, but traffic seems to only be sent and not received.

What could be wrong? I cannot get to the Web interface of opnsense when connected to the time or the internet.

I configured the client to use 0.0.0.0/0 for allowed IPs.

On the endpoint config I have allowed IPs set to the client_ip/24.

I added the interface wg0 to assignments and enabled it with prevent removal.

I added the NAT rule for outbound NAT

I created the WAN firewall rule

I'm not sure what I could be missing... I expected at the very least to get to the web UI of OPNsense and maybe have a DNS issue, but I can't even get to that.

Title: Re: Need help with wireguard
Post by: Headologic on July 19, 2019, 09:21:10 am
Have you added a rule for the "interface" wireguard to pass the traffic?
When I first configured the wireguard connection, I wondered why there were successful handshakes between server and peer, but no incoming traffic. So I checked this and found that there was no "pass all" rule. And now it's working.
Title: Re: Need help with wireguard
Post by: mimugmail on July 19, 2019, 09:22:10 am
You need to troubleshoot at OPNsense while you are connected. Check if packets arrive and try to ping the tunnel address of the firewall while checking the firewall logs.
Title: Re: Need help with wireguard
Post by: mimugmail on July 19, 2019, 09:23:10 am
Have you added a rule for the "interface" wireguard to pass the traffic?
When I first configured the wireguard connection, I wondered why there were successful handshakes between server and peer, but no incoming traffic. So I checked this and found that there was no "pass all" rule. And now it's working.

And be sure to label the assigned Interface not WireGuard ;)
Title: Re: Need help with wireguard
Post by: csmall on July 19, 2019, 12:16:28 pm
The interface is named opt2 for wg0.

I tried pinging the wg0 server address from the Android client and it looks like it is blocked in the firewall log?

filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,18553,0,DF,1,icmp,84,172.16.5.2,172.16.5.1,datalength=64
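The troubleshooting step suggested above (watch the firewall log while the client is connected) is easier to do systematically with a small parser for the filterlog line format. The following is an added example, not code from the thread or from OPNsense; it parses the common IPv4 fields of the line quoted above and reports inbound packets blocked on any wg* interface. The second and third sample lines are constructed to show a pass entry and a non-tunnel interface; the field order follows the documented OPNsense filterlog layout and only the protocol-independent prefix is decoded.

```python
"""Parse OPNsense filterlog entries and list blocked inbound tunnel packets.
Added example for this thread; it is not part of OPNsense or the WireGuard plugin."""
import csv
from io import StringIO

# Constructed sample log. The first line is the entry quoted in the post above,
# the other two are made up to show a pass decision and a non-tunnel interface.
SAMPLE_LOG = """\
filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,18553,0,DF,1,icmp,84,172.16.5.2,172.16.5.1,datalength=64
filterlog: 87,,,0,wg0,match,pass,in,4,0x0,,64,18554,0,DF,1,icmp,84,172.16.5.2,172.16.5.1,datalength=64
filterlog: 5,,,0,em0,match,pass,in,4,0x0,,64,1,0,none,17,udp,60,203.0.113.7,198.51.100.1,41000,51820,40
"""

# Common prefix present on every filterlog line (rule metadata, interface, decision).
COMMON_FIELDS = ["rule", "subrule", "anchor", "label", "interface",
                 "reason", "action", "direction", "ipver"]
# IPv4-specific fields that follow the common prefix.
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags",
               "proto_id", "proto", "length", "src", "dst"]


def parse_filterlog(line):
    """Return a dict of the decoded fields for one IPv4 filterlog line.

    Anything after the dst address is protocol specific (ports, ICMP data
    length, ...) and is kept untouched under 'rest'. Lines for IP versions
    other than 4 raise ValueError; this example only decodes the v4 layout.
    """
    line = line.strip()
    if not line.startswith("filterlog:"):
        raise ValueError("not a filterlog line: %r" % line)
    body = line[len("filterlog:"):].strip()
    fields = next(csv.reader(StringIO(body)))
    entry = dict(zip(COMMON_FIELDS, fields[:len(COMMON_FIELDS)]))
    if entry["ipver"] != "4":
        raise ValueError("only IPv4 entries are decoded here (got ipver=%s)" % entry["ipver"])
    offset = len(COMMON_FIELDS)
    entry.update(zip(IPV4_FIELDS, fields[offset:offset + len(IPV4_FIELDS)]))
    entry["rest"] = fields[offset + len(IPV4_FIELDS):]
    return entry


def blocked_tunnel_packets(log_text, iface_prefix="wg"):
    """Return (interface, proto, src, dst) for every inbound packet that was
    blocked on an interface whose name starts with iface_prefix.

    A hit here while a peer handshake succeeds is exactly the symptom in this
    thread: the tunnel works, but no pass rule exists on the assigned interface.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_filterlog(line)
        if (e["interface"].startswith(iface_prefix)
                and e["action"] == "block"
                and e["direction"] == "in"):
            hits.append((e["interface"], e["proto"], e["src"], e["dst"]))
    return hits


if __name__ == "__main__":
    for iface, proto, src, dst in blocked_tunnel_packets(SAMPLE_LOG):
        print("blocked on %s: %s %s -> %s (add a pass rule on the assigned interface)"
              % (iface, proto, src, dst))
```

Run it against a copy of /var/log/filter.log (or the live log via clog/tail) instead of SAMPLE_LOG; a blocked ICMP echo from the peer's tunnel address to the firewall's tunnel address, as in the quoted line, points at a missing firewall rule rather than at the WireGuard configuration itself.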
Title: Re: Need help with wireguard
Post by: csmall on July 19, 2019, 12:18:28 pm
Have you added a rule for the "interface" wireguard to pass the traffic?
When I first configured the wireguard connection, I wondered why there were successful handshakes between server and peer, but no incoming traffic. So I checked this and found that there was no "pass all" rule. And now it's working.

Where did you add the rule and what are the rule details? I think this is my problem.
Title: Re: Need help with wireguard
Post by: csmall on July 19, 2019, 12:22:55 pm
Never mind. I found it. I added an any any permit rule to the opt2 interface and now traffic is flowing. I can ping the OPNsense IP and WireGuard server IP from the client now.

I can also reach the internet through the tunnel. Thanks!!
Title: Re: Need help with wireguard
Post by: mimugmail on July 19, 2019, 01:42:04 pm
Hooray!  8)
Title: Re: Need help with wireguard
Post by: csmall on July 19, 2019, 06:00:28 pm
Thanks again for all your hard work on this and other plugins
Title: Re: Need help with wireguard
Post by: csmall on July 20, 2019, 03:32:00 pm
Thanks again for all your hard work on this and other plugins

It all of a sudden just stopped working. I can't understand why. I tried rebooting OPNsense and the Android device. I haven't changed any settings other than adding another endpoint device. I will test that one in a few minutes and see if it works.

I also noticed that while I added the any any rules to the opt2 interface (wg0) and everything started flowing, there is also now WireGuard listed under firewall rules and it had no rule, so I added an any any rule there just now and it didn't make a difference.

It worked all day yesterday and stopped sometime late last night.
Title: Re: Need help with wireguard
Post by: csmall on July 20, 2019, 03:38:52 pm
So I just confirmed that the second client I added still works. The first device is an Android phone and it worked and then stopped. The second device is a laptop which is tethered to the Android device (without WireGuard running, of course) and it connects and traffic flows as expected.
So odd.
Title: Re: Need help with wireguard
Post by: mimugmail on July 20, 2019, 06:25:15 pm
So, both are working or not?
Title: Re: Need help with wireguard
Post by: mimugmail on July 20, 2019, 09:11:04 pm
Maybe you are affected by this? https://github.com/opnsense/plugins/issues/1419#issuecomment-513491826
Title: Re: Need help with wireguard
Post by: csmall on July 20, 2019, 09:40:31 pm
Maybe you are affected by this? https://github.com/opnsense/plugins/issues/1419#issuecomment-513491826

Switching the endpoints on the server to /32 seems to have resolved the issue! /32 actually makes more sense to me and I never understood why all the articles I saw used /24.

I didn't change the client to /32 but I will try that anyway I guess because it just sounds right.

But thank you, your link seems to have solved the problem.
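Why /24 per endpoint worked for one peer and then broke as soon as a second one was added, and why /32 fixes it, follows from how WireGuard's cryptokey routing works: each AllowedIPs prefix can belong to exactly one peer, and configuring the same prefix on a later peer takes it away from the earlier one. The following added example (not code from the thread, the OPNsense plugin, or WireGuard) models that table with Python's standard ipaddress module. The peer names and tunnel addresses 172.16.5.2 and 172.16.5.3 are constructed; the server side of the tunnel is 172.16.5.1 as in the quoted log line.

```python
"""Model of WireGuard's cryptokey routing table, added to show why AllowedIPs of
/24 on two endpoints collide while /32 per endpoint does not.
Example code for this thread; not part of WireGuard or the OPNsense plugin."""
import ipaddress

# Constructed tunnel addresses for two peers behind one server (172.16.5.1).
PHONE = "172.16.5.2"
LAPTOP = "172.16.5.3"


class CryptokeyRouter:
    """Minimal model of the server's cryptokey routing table.

    Every AllowedIPs prefix maps to exactly one peer. Adding a prefix that is
    already present re-assigns it to the peer configured last, which is how
    WireGuard resolves duplicate allowed-ips across peers.
    """

    def __init__(self):
        self.table = {}  # ip_network -> peer name

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            # strict=False normalizes 172.16.5.2/24 to 172.16.5.0/24, as wg does.
            net = ipaddress.ip_network(cidr, strict=False)
            self.table[net] = name

    def peer_for(self, dst):
        """Outbound (reply) direction: longest-prefix match on destination.
        Returns None when no peer owns a matching prefix."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.table if addr in net]
        if not matches:
            return None
        return self.table[max(matches, key=lambda net: net.prefixlen)]

    def accepts_from(self, peer, src):
        """Inbound direction: a decrypted packet is accepted only if its source
        address falls in a prefix owned by the peer that sent it."""
        return self.peer_for(src) == peer


def build_server(prefixlen):
    """Server with two endpoints, each configured as <tunnel_ip>/<prefixlen>,
    in the order the thread describes: phone first, laptop added later."""
    router = CryptokeyRouter()
    router.add_peer("phone", ["%s/%d" % (PHONE, prefixlen)])
    router.add_peer("laptop", ["%s/%d" % (LAPTOP, prefixlen)])
    return router


def tunnel_status(prefixlen):
    """Summarize who gets the server's replies and whose inbound traffic is accepted."""
    r = build_server(prefixlen)
    return {
        "reply_to_phone": r.peer_for(PHONE),
        "reply_to_laptop": r.peer_for(LAPTOP),
        "phone_inbound_accepted": r.accepts_from("phone", PHONE),
        "laptop_inbound_accepted": r.accepts_from("laptop", LAPTOP),
    }


if __name__ == "__main__":
    for plen in (24, 32):
        print("AllowedIPs /%d per endpoint: %s" % (plen, tunnel_status(plen)))
```

With /24 both endpoints claim 172.16.5.0/24, so the laptop (added last) owns the whole subnet: replies to the phone are sent to the laptop and the phone's own packets are discarded on arrival, which matches "worked all day, stopped after adding another endpoint". With /32 each peer owns only its own address and both work. On the client side AllowedIPs = 0.0.0.0/0 is unaffected, since that table lives on the client and has only one peer.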
Title: Re: Need help with wireguard
Post by: mimugmail on July 20, 2019, 10:11:28 pm
I'll recheck our docs tomorrow. Was also not aware of this. Glad it works now