OPNsense Forum

English Forums => Virtual private networks => Topic started by: lk on July 06, 2022, 11:32:43 am

Title: Weird WG firewall/NAT problems, behavior differs from docs howto
Post by: lk on July 06, 2022, 11:32:43 am
Hi all,

I have a WireGuard road warrior setup with two WG instances, wg0 and wg1. No interfaces are defined for WG because I don't want clients to connect to the internet via the tunnel – so just aliases are defined. I have set the usual pass rule on WAN for ports 51820-51821, which each of the wg instances listens on, and the further rules to allow the clients to reach LAN resources. In other words, the service has been configured according to WireGuard Road Warrior Setup (https://docs.opnsense.org/manual/how-tos/wireguard-client.html), but without creating WG interfaces or an outbound NAT rule.

The thing is that wg1 works as expected, but wg0 does not. When I try to connect to wg0, the logs tell me the connection has fallen through and was blocked by the "default deny / state violation" rule. Indeed, firewall logs show me a denied connection from the WG client's external address to the firewall's LAN address. This does not happen with wg1 and the same single WAN rule to allow incoming WG connections on port range 51820-51821 seems to work in wg1's case.

wg0 starts to work when I add a pass rule on WAN with the firewall's LAN address as destination. But this behavior baffles me and makes me concerned. Could anyone help to explain why this happens?

When I checked the wgX config files, they have an identical structure with only minor differences. I can't come up with any meaningful difference between the two instances, or why one works as expected whereas the other does not.

# cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = *
Address = 10.x.11.1/24
ListenPort = 51820

[Peer]
PublicKey = *

AllowedIPs = 10.x.11.2/32
PersistentKeepalive = 25

# cat /usr/local/etc/wireguard/wg1.conf
[Interface]
PrivateKey = *
Address = 10.x.12.1/24
ListenPort = 51821

[Peer]
PublicKey = *

AllowedIPs = 10.x.12.2/32

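Added example (not code from the thread or from OPNsense): a small script that parses two wg-quick style config files and reports every setting that differs between them, ignoring key material, so that "only minor differences" can be verified rather than eyeballed. It also checks that every peer's AllowedIPs entry falls inside the interface's own Address subnet, which is what the road-warrior setup above relies on. The two configs embedded below are constructed from the redacted ones in the post: the redacted "x" octet is replaced with 0 and the keys with placeholders.

```python
"""Diff two WireGuard configs and sanity-check peer AllowedIPs.

Added example, not part of the original thread. Sample configs are
constructed from the redacted ones in the post (x -> 0, keys -> placeholders).
"""
import ipaddress
from itertools import zip_longest
from typing import Dict, List, Optional, Tuple

# Constructed sample input mirroring wg0.conf from the post.
WG0_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_WG0_PRIVATE_KEY
Address = 10.0.11.1/24
ListenPort = 51820

[Peer]
PublicKey = PLACEHOLDER_WG0_PEER_PUBLIC_KEY

AllowedIPs = 10.0.11.2/32
PersistentKeepalive = 25
"""

# Constructed sample input mirroring wg1.conf from the post.
WG1_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_WG1_PRIVATE_KEY
Address = 10.0.12.1/24
ListenPort = 51821

[Peer]
PublicKey = PLACEHOLDER_WG1_PEER_PUBLIC_KEY

AllowedIPs = 10.0.12.2/32
"""

Section = Dict[str, str]
Change = Tuple[Optional[str], Optional[str]]  # (value in A, value in B)

# Keys that always differ between instances and must never be printed.
KEY_MATERIAL = {"PrivateKey", "PublicKey", "PresharedKey"}


def parse_wg_conf(text: str) -> Tuple[Section, List[Section]]:
    """Parse a wg-quick config into (interface settings, [peer settings...]).

    configparser is not used because every peer lives in a section that is
    literally called [Peer]; this keeps peers as an ordered list instead.
    """
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers


def diff_sections(a: Section, b: Section) -> Dict[str, Change]:
    """Keys (other than key material) whose values differ or are one-sided."""
    keys = (set(a) | set(b)) - KEY_MATERIAL
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}


def diff_configs(text_a: str, text_b: str) -> Dict[str, Dict[str, Change]]:
    """Report differing settings per section; peers are compared by position."""
    iface_a, peers_a = parse_wg_conf(text_a)
    iface_b, peers_b = parse_wg_conf(text_b)
    report: Dict[str, Dict[str, Change]] = {}
    iface_diff = diff_sections(iface_a, iface_b)
    if iface_diff:
        report["Interface"] = iface_diff
    for n, (pa, pb) in enumerate(zip_longest(peers_a, peers_b, fillvalue={}), start=1):
        peer_diff = diff_sections(pa, pb)
        if peer_diff:
            report[f"Peer {n}"] = peer_diff
    return report


def allowed_ips_outside_tunnel(text: str) -> List[str]:
    """AllowedIPs entries that are not inside any interface Address subnet."""
    iface, peers = parse_wg_conf(text)
    tunnel_nets = [ipaddress.ip_network(a.strip(), strict=False)
                   for a in iface.get("Address", "").split(",") if a.strip()]
    stray: List[str] = []
    for peer in peers:
        for entry in peer.get("AllowedIPs", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            net = ipaddress.ip_network(entry, strict=False)
            if not any(net.version == t.version and net.subnet_of(t) for t in tunnel_nets):
                stray.append(entry)
    return stray


if __name__ == "__main__":
    for section, changes in diff_configs(WG0_CONF, WG1_CONF).items():
        for key, (left, right) in changes.items():
            print(f"{section}: {key}: wg0={left!r} wg1={right!r}")
    print("wg0 stray AllowedIPs:", allowed_ips_outside_tunnel(WG0_CONF))
    print("wg1 stray AllowedIPs:", allowed_ips_outside_tunnel(WG1_CONF))
```

Run against the two constructed configs, the report lists only the expected per-instance values (Address, ListenPort, AllowedIPs) plus PersistentKeepalive, which is set on wg0 and absent on wg1; neither file has an AllowedIPs entry outside its tunnel subnet. A peer entry that does fall outside the subnet (for example 0.0.0.0/0) would be flagged, which is the usual symptom of a config that routes or accepts more than a road-warrior setup intends.
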
Title: Re: Weird WG firewall/NAT problems, behavior differs from docs howto
Post by: alh on July 19, 2022, 08:20:45 am
Since upgrading to 22.4 I'm experiencing the exact same problem. Did you find a solution?

I just restarted the wireguard-go service from dashboard and it started working. Maybe the service does not initialize correctly (noticed that wg1 was missing before the restart)?
Title: Re: Weird WG firewall/NAT problems, behavior differs from docs howto
Post by: lk on July 23, 2022, 11:13:01 pm
No, unfortunately I didn't find out why this happens. Currently I don't have too much time to look at it, but I'll update if I figure it out.