OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: allebone on November 29, 2021, 05:07:31 pm

Title: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 29, 2021, 05:07:31 pm
Has anyone else ever had an issue where, if you follow the guide to the WireGuard road warrior setup, everything works except that from a LAN client you can't ping a WG client that's connected?
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: Steve79 on November 30, 2021, 12:04:04 pm
Hey,

I have a road warrior setup and can ping my clients, depending on which source net I ping from. I would say you need to provide more information on your specific setup and where you want to ping your clients from, e.g. ping from OPNsense fails or from the LAN net, did you set up the optional NAT from the guide, what firewall rules in and out of WG, and so on. The guide does not cover everything; it's more of a point to start with in my opinion. Even the proposed outgoing rule makes no choice of the destination:

Code:
    Specify the IPs that client peers should be able to access, eg “any” or specific IPs/subnets
Can you provide more information?
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: Greelan on November 30, 2021, 12:29:28 pm
I think it likely comes down to the Allowed IPs in the config on the client. I can also ping fine from local IPs that are within the Allowed IPs - I wouldn’t expect otherwise, as WG on the client should drop packets from sources that are not in Allowed IPs.

Alternatively, it is a firewall issue on OPNsense, i.e. rules aren’t in place to allow the pings.

The outbound NAT rule won’t affect this.
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 02:12:46 pm
OK, thank you for replying. It's appreciated you took the time to think about it.

With regards to my setup, it is as follows. However, at this exact moment it's a little different, as last night I did a load of testing (all made no difference) where I tried adding gateways, disabling automatic routes, adding manual routes, trying different things on outbound NAT, removing interfaces, adding interfaces etc. However, it seems like there is zero difference regardless of what I do.

When you follow the OPNsense WireGuard road warrior guide you end up with the auto-generated WireGuard interface and another one you make that, if you look in Interfaces - Overview, has the IP address you set under local tunnel address.

So for example my LAN is 192.168.2.0/24 and the local tunnel address of the WG interface is 192.168.200.1/24.

A client connects and is assigned an IP like 192.168.200.10/32 (i.e. by WireGuard config).

So what is working? Basically everything important. The firewall itself can ping 192.168.200.10, and the client on 192.168.200.10 can access any LAN device and ping any LAN device or the firewall on both the 192.168.200.x range and the 192.168.2.x range (so LAN and WG ranges work from the connecting road warrior side essentially).

However, the LAN clients can't ping a WG IP. So for example if I am on a PC with 192.168.2.12 as its IP behind the firewall I can't ping 192.168.200.1 (the firewall's WG IP). I also can't ping 192.168.200.10 (a client's IP over the WG tunnel). I believe services can't be accessed either (e.g. I can't telnet to 192.168.100.10 on port 80).

So the traffic from LAN to a WireGuard IP does not work. I'm not sure if this is by design or not. Is it possible you are not allowed to try to ping these IPs as they are exclusively for only clients on the WG tunnel? I assumed the firewall could or would know how to route a packet around its own interfaces to be able to reply to a ping, but maybe I am wrong. I am using the kernel version of WG if that makes a difference. It could be I am expecting something that is not really designed to work.

P
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: Greelan on November 30, 2021, 08:18:38 pm
Post details of your WG configs and firewall rules. As two of us have said, we can access WG clients, so there is no design stopping that and something with your setup is preventing it. You need to provide that information in order to troubleshoot.
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 09:15:27 pm
OK!
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 09:16:33 pm
And realize some rules are not needed - I was testing as it does not work.
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 09:19:02 pm
From OPNsense, no issue pinging the WG clients or itself. Also the WG clients can access anything and ping anything. I didn't bother getting a ss of that.
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 09:20:41 pm
For clarification:

192.168.2.0/24 - internal LAN

192.168.200.0/24 - Wireguard IP Range.
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: Greelan on November 30, 2021, 09:32:02 pm
And the WG configs on the clients?
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 09:47:29 pm
Most are on the road but I have my phone here:

The allowed ips are:
192.168.200.0/24, 192.168.2.0/24, 0.0.0.0/0

Have to do 1 ss at a time. I have one more to post after.

P
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 09:48:25 pm
Sorry if I made the previous one too small. I can post again if need be.

Here is second.
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 10:08:51 pm
I'm really sorry, I found my issue. I wish I could delete this post. I found a firewall rule that was blocking it that was created in a semi-dynamic way. I have multiple VLANs and had created a rule to prevent communication between VLANs a while back, and it was blocking the traffic. Once I saw this and added an allow rule above it for the WG network it started working fine. Sorry man, I don't think I can delete threads, but I would as it's been a waste of time for you.

Hope it's not a big deal.

Pete
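To show why the position of the allow rule matters, here is an added Python model of first-match rule evaluation using the thread's two subnets; it is not code from the thread or from OPNsense. The exact shape of the inter-VLAN block rule (LAN to all private ranges) and first-match ("quick") semantics are assumptions made for the demonstration.

```python
import ipaddress

# Constructed rule sets modelling the thread's situation: an inter-VLAN block
# rule on LAN that also catches LAN -> WireGuard traffic, and the fix of
# placing a pass rule for the WG network above it. Rules are evaluated
# first-match, which is an assumption here (OPNsense GUI rules default to
# "quick"); the thread itself does not spell this out.

LAN = ipaddress.ip_network("192.168.2.0/24")     # internal LAN (from thread)
WG = ipaddress.ip_network("192.168.200.0/24")    # WireGuard range (from thread)
ANY = ipaddress.ip_network("0.0.0.0/0")
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule(action, src, dst, name):
    return {"action": action, "src": src, "dst": dst, "name": name}


# Hypothetical inter-VLAN rule: LAN may not talk to any private range.
BLOCK_INTER_VLAN = rule("block", [LAN], PRIVATE, "block LAN -> private nets")
PASS_WG = rule("pass", [LAN], [WG], "pass LAN -> WG")
PASS_ANY = rule("pass", [LAN], [ANY], "default allow LAN out")

BROKEN = [BLOCK_INTER_VLAN, PASS_ANY]          # before the fix described above
FIXED = [PASS_WG, BLOCK_INTER_VLAN, PASS_ANY]  # allow rule placed above the block


def first_match(ruleset, src_ip, dst_ip):
    """Return (action, rule name) of the first matching rule, else default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in ruleset:
        if any(s in n for n in r["src"]) and any(d in n for n in r["dst"]):
            return r["action"], r["name"]
    return "block", "default deny"


if __name__ == "__main__":
    for name, rs in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "LAN -> WG client:", first_match(rs, "192.168.2.12", "192.168.200.10"))
        print(name, "LAN -> other VLAN:", first_match(rs, "192.168.2.12", "192.168.3.5"))
```

The ordering fix is narrow: traffic from LAN to another VLAN is still blocked in the fixed set, only the WG range is exempted.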
Title: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: Greelan on November 30, 2021, 10:12:11 pm
What’s the fourth screenshot (“FW Rule”)? And what rules do you have on LAN?

BTW, the Allowed IPs on the iPhone is a bit redundant. If you are sending all traffic down the tunnel you don’t need the specific subnets. If you only want the specific subnets, remove 0.0.0.0/0.

Edit: lol, just saw your latest post. Yep, that would do it! Hence my original point about FW rules
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 10:25:52 pm
Actually, one thing I noticed if I don't add the specific subnets is that if I happen to go to a network (e.g. a coffee shop) that has the same range as my home (192.168.2.0/24 is common unfortunately) then I can't get back to my home network. The 0.0.0.0 is so all traffic is sent down the tunnel.

Luckily, if you add the 2 routes they get a lower metric (higher priority) (e.g. adding 192.168.2.x and 192.168.200.x to the iPhone Allowed IPs), and so long as the firewall or gateway at the coffee shop is not 192.168.2.2 (my OPNsense firewall IP on the LAN) then I can still connect back home despite the network overlapping.

Thanks anyway for your help.

Pete
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: Greelan on November 30, 2021, 10:47:35 pm
Really? That sounds odd to me. By the same logic, just using 0.0.0.0/0 as Allowed IPs should have the same routing priority. I’m pretty sure I have observed this behaviour - i.e. if I connect to an external VPN while on my LAN, I can’t access my LAN if all traffic is configured to go over the tunnel.
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: allebone on November 30, 2021, 10:55:59 pm
It's iOS-specific I believe. I have tested this at a nearby location that has the same LAN range as my local LAN network. Without this setup I can't access anything on the 192.168.2.0 range as it sends it local to the coffee shop. Adding the additional range in Allowed IPs sends everything over the tunnel except the default gateway of the coffee shop, which is 192.168.2.1. I can make a video from my phone on Saturday showing this working if you want, as I can go past, but not before then unfortunately.
Title: Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
Post by: Greelan on November 30, 2021, 10:57:39 pm
I don’t need a video. My observation was on an iPhone too. I can do some further testing later.
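The overlapping-subnet discussion above comes down to route selection: longest prefix first, then metric on a tie. This added Python model (not from the thread or any OS) uses the thread's addresses; the metric values, the tunnel routes having the lower metric (allebone's claim, which Greelan disputes), and the /32 host route kept for the Wi-Fi gateway are all assumptions for the demonstration.

```python
import ipaddress

# Constructed routing table for the iPhone scenario: the coffee-shop Wi-Fi uses
# 192.168.2.0/24, the same range as the home LAN, and the WireGuard AllowedIPs
# are 192.168.200.0/24, 192.168.2.0/24 and 0.0.0.0/0 (values from the thread).
# Metrics and the /32 gateway host route are assumptions, not from the thread.


def route(prefix, iface, metric):
    return (ipaddress.ip_network(prefix), iface, metric)


WIFI_ROUTES = [
    route("192.168.2.0/24", "wifi", 100),   # on-link coffee-shop LAN
    route("192.168.2.1/32", "wifi", 100),   # host route for the Wi-Fi gateway (assumed)
    route("0.0.0.0/0", "wifi", 100),        # coffee-shop default route
]
# AllowedIPs = 0.0.0.0/0 only
TUNNEL_DEFAULT_ONLY = WIFI_ROUTES + [route("0.0.0.0/0", "wg0", 10)]
# AllowedIPs = 192.168.200.0/24, 192.168.2.0/24, 0.0.0.0/0
TUNNEL_WITH_SPECIFICS = TUNNEL_DEFAULT_ONLY + [
    route("192.168.2.0/24", "wg0", 10),
    route("192.168.200.0/24", "wg0", 10),
]


def select_route(table, dst):
    """Longest-prefix match, ties broken by lowest metric; returns the interface."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


if __name__ == "__main__":
    for dst in ("192.168.2.12", "192.168.2.1", "192.168.200.10", "8.8.8.8"):
        print(dst, "default-only:", select_route(TUNNEL_DEFAULT_ONLY, dst),
              "with-specifics:", select_route(TUNNEL_WITH_SPECIFICS, dst))
```

With only 0.0.0.0/0 the on-link /24 always beats the tunnel's /0 for home-LAN addresses; with the specific /24 added, the outcome rests entirely on the metric tie-break, which is exactly the point the two posters disagree on.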