OPNsense Forum

English Forums => Virtual private networks => Topic started by: fat_flying_pigs on March 17, 2023, 10:41:12 am

Title: WG handshake not completing when using 2nd router behind opnsense
Post by: fat_flying_pigs on March 17, 2023, 10:41:12 am
Hi there, I'm new to OPNsense and am slowly re-building my network. My setup currently works with normal internet. It uses two routers, one OPNsense for my homelab stuff, and one TP-Link for my roommate / general wifi use. This is a drawn image of my network: (see first attachment below)

I have managed to set up and correctly use WG with my phone using cell data. It also works if I tether my laptop to my cell data. However, when I connect either of them to the wifi, WG will fail to handshake, retrying every 5 seconds.

I've examined the logs and I'm not really sure where or why it's failing. I changed the dns on the wg client to use 8.8.4.4, and logs show it properly going out:

(see second attachment below)

Logs don't show any more information, at least from what I can gather. The VPN -> Wireguard -> Status does show the transfer numbers increasing for both received and sent. So I'm thinking maybe for some reason the data is getting dropped?

Code:
peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
  preshared key: (hidden)
  endpoint: 10.121.4.7:49543
  allowed ips: 10.120.2.7/32
  transfer: 127.04 KiB received, 78.97 KiB sent

Lastly here are my relevant interface firewall rules:

(see third attachment below)

Any advice would be appreciated! I've been trying most everything I can think of with no success, thanks!
Title: Re: WG handshake not completing when using 2nd router behind opnsense
Post by: TheAutomationGuy on March 17, 2023, 08:54:16 pm
I'm not sure if this is the only problem, but it doesn't look like you have added the 192.168.0.1 network as an allowable network in the WireGuard setup.
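Two things in this thread can be checked mechanically from the `wg show` output the first post quotes: whether a peer is moving bytes without ever recording a "latest handshake" line (the symptom described above), and whether a given client network is actually covered by some peer's allowed IPs (the point raised in this reply). The script below is an added example written for this thread; it is not code from either poster or from the OPNsense project. It parses the status text, flags peers whose transfer counters are non-zero but that show no handshake, and tests whether a network is inside any allowed-ips entry. The sample status text is constructed: the first peer is copied from the snippet in the first post, while the interface header and the second (successfully handshaking) peer are made up for contrast. The 192.168.0.0/24 network used in the usage lines is an assumption standing in for the "192.168.0.1 network" this reply mentions.

```python
import ipaddress
import re

# Constructed `wg show` output. The first peer mirrors the snippet quoted in the
# first post; the interface lines and the second peer are made up for contrast.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: SERVERPUBLICKEYPLACEHOLDERxxxxxxxxxxxxxxxxx=
  listening port: 51820

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
  preshared key: (hidden)
  endpoint: 10.121.4.7:49543
  allowed ips: 10.120.2.7/32
  transfer: 127.04 KiB received, 78.97 KiB sent

peer: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
  preshared key: (hidden)
  endpoint: 203.0.113.10:41234
  allowed ips: 10.120.2.8/32
  latest handshake: 12 seconds ago
  transfer: 3.10 MiB received, 1.25 MiB sent
"""

# Byte multipliers for the units `wg show` prints in its transfer line.
UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def parse_wg_show(text):
    """Parse `wg show` style output into a list of per-peer dicts."""
    peers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = {"peer": line.split(":", 1)[1].strip(),
                       "endpoint": None, "allowed_ips": [],
                       "handshake": None, "rx_bytes": 0, "tx_bytes": 0}
            peers.append(current)
        elif current is None or not line:
            continue  # interface header lines or blank separators
        elif line.startswith("endpoint:"):
            current["endpoint"] = line.split(":", 1)[1].strip()
        elif line.startswith("allowed ips:"):
            current["allowed_ips"] = [ipaddress.ip_network(n.strip())
                                      for n in line.split(":", 1)[1].split(",")]
        elif line.startswith("latest handshake:"):
            current["handshake"] = line.split(":", 1)[1].strip()
        elif line.startswith("transfer:"):
            m = re.match(r"transfer: ([\d.]+) (\w+) received, ([\d.]+) (\w+) sent", line)
            if m:
                current["rx_bytes"] = int(float(m.group(1)) * UNITS[m.group(2)])
                current["tx_bytes"] = int(float(m.group(3)) * UNITS[m.group(4)])
    return peers


def peers_without_handshake(peers):
    """Peers that have exchanged bytes but never completed a handshake.

    Rising counters with no 'latest handshake' line means initiation packets
    reach this side and responses are sent, yet the peer never acknowledges
    them; the responses are being lost somewhere on the return path."""
    return [p["peer"] for p in peers
            if p["handshake"] is None and (p["rx_bytes"] > 0 or p["tx_bytes"] > 0)]


def network_covered(peers, network):
    """True if `network` lies inside some peer's allowed ips (cryptokey routing)."""
    net = ipaddress.ip_network(network)
    return any(net.subnet_of(allowed)
               for p in peers for allowed in p["allowed_ips"]
               if allowed.version == net.version)


if __name__ == "__main__":
    parsed = parse_wg_show(SAMPLE_WG_SHOW)
    print("peers with traffic but no handshake:", peers_without_handshake(parsed))
    # Assumed client network standing in for the "192.168.0.1 network" above.
    print("192.168.0.0/24 covered by allowed ips:", network_covered(parsed, "192.168.0.0/24"))
```

On a live box, feed the script the real `wg show` output instead of the constructed sample. A peer reported by `peers_without_handshake` tells you the handshake replies are going out but not coming back; it does not say where they are dropped, so the next step is a packet capture on the interface facing the second router to see whether the response leaves OPNsense with the expected source address and port.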
Title: Re: WG handshake not completing when using 2nd router behind opnsense
Post by: Amr on March 18, 2023, 10:25:25 am
Usually to keep your sanity you want to run from NAT, not use it ;D (may I ask why you enabled NAT on the TP-Link? You already have a VLAN; NAT doesn't mean security.)
Well back to your question if you want to access your wireguard server from within the network (LAN side), then you can either use