Messages - chadwickthecrab

#1
That worked, thanks!
#2
Ran that command but still no traffic, only the successful handshake.

Edit: Actually looks like no handshake now.
#3
Hello,

I had set up a functional WireGuard config in a "road warrior" scenario. It no longer works after the required reboot of today's update to 18.7.9. It looks like the handshake is successful but I can't ping anything or resolve DNS.

interface: wg0
  public key: hCHSYE6ljF608lc58piqyhxdfRFl5Ydd2p0Umj1vHk4=
  private key: (hidden)
  listening port: 51820

peer: 6gmHy2Vg5BB6u6iUw3LAlPA7YNT8g0Ub2zPbyk5MUDc=
  endpoint: 174.192.0.178:8088
  allowed ips: 192.168.2.2/32
  latest handshake: 11 minutes, 39 seconds ago
  transfer: 4.64 KiB received, 96 B sent

peer: u5EqdHj1Ifdlbx5/PihyegJGuYA5R988yO/H/t0IEwA=
  allowed ips: 192.168.2.3/32


ifconfig:
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1492
        options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
        ether 3e:b3:55:3d:41:28
        hwaddr 3e:b3:55:3d:41:28
        inet6 fe80::3cb3:55ff:fe3d:4128%vtnet0 prefixlen 64 scopeid 0x1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
        ether ea:34:e0:7a:43:84
        hwaddr ea:34:e0:7a:43:84
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::e834:e0ff:fe7a:4384%vtnet1 prefixlen 64 scopeid 0x2
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: enc
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
pppoe1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1484
        inet6 fe80::86d:e850:f8da:454e%pppoe1 prefixlen 64 scopeid 0x8
        inet 71.181.122.57 --> 10.10.10.10  netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ztanv9hnl3qfnl8: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 5000 mtu 2800
        options=80000<LINKSTATE>
        ether aa:62:f1:6c:f7:d7
        hwaddr 00:bd:4d:d9:f7:09
        inet6 fe80::2bd:4dff:fed9:f709%ztanv9hnl3qfnl8 prefixlen 64 scopeid 0x9
        inet 192.168.191.1 netmask 0xffffff00 broadcast 192.168.191.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        groups: tap
        Opened by PID 84763
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 192.168.2.1 --> 192.168.2.1  netmask 0xffffff00
        inet6 fe80::86d:e850:f8da:454e%wg0 prefixlen 64 scopeid 0xa
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun
        Opened by PID 9
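The `wg` output quoted in the post above looks healthy at first glance, but the counters say something more specific: the first peer completed a handshake once, pushed a few KiB into the tunnel, and got almost nothing back, while the second peer never completed a handshake at all. The following is an added example, not code from the post or from the OPNsense WireGuard plugin. It parses the human-readable `wg show` text and turns the handshake age and transfer counters into findings. The staleness cutoff is WireGuard's REJECT_AFTER_TIME (180 s); the receive/send thresholds used to flag missing return traffic are my own heuristic, marked as such in the code. The sample input is the output from the post itself (public keys only).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Protocol timer from the WireGuard whitepaper: a session older than
# REJECT_AFTER_TIME is no longer used, and a peer that is still sending
# would have re-handshaked long before that. Used here as a staleness cutoff.
REJECT_AFTER_TIME = 180  # seconds

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
BYTE_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}

# Heuristic thresholds (assumptions, not protocol constants): KiBs received
# while well under half a KiB was sent means payload is arriving but nothing
# is being routed back into the tunnel.
MIN_RX_FOR_ASYMMETRY = 1024
MAX_TX_FOR_ASYMMETRY = 512


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str] = None
    allowed_ips: list = field(default_factory=list)
    handshake_age: Optional[int] = None  # seconds since latest handshake, None = never
    rx_bytes: int = 0
    tx_bytes: int = 0


def parse_age(text: str) -> int:
    """'11 minutes, 39 seconds ago' -> 699."""
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text))


def parse_size(text: str) -> int:
    """'4.64 KiB received' -> 4751 (bytes, truncated)."""
    m = re.search(r"([\d.]+)\s+(B|KiB|MiB|GiB|TiB)\b", text)
    return int(float(m.group(1)) * BYTE_UNITS[m.group(2)])


def parse_wg_show(text: str) -> dict:
    """Parse the human-readable output of `wg show <iface>`."""
    result = {"interface": None, "listening_port": None, "peers": []}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))  # endpoint keeps its host:port
        if key == "interface":
            result["interface"] = val
        elif key == "listening port":
            result["listening_port"] = int(val)
        elif key == "peer":
            cur = Peer(public_key=val)
            result["peers"].append(cur)
        elif cur is None:
            continue  # interface-level lines we do not need (keys, fwmark)
        elif key == "endpoint":
            cur.endpoint = val
        elif key == "allowed ips":
            cur.allowed_ips = [] if val == "(none)" else [x.strip() for x in val.split(",")]
        elif key == "latest handshake":
            cur.handshake_age = parse_age(val)
        elif key == "transfer":
            rx, tx = val.split(",")
            cur.rx_bytes, cur.tx_bytes = parse_size(rx), parse_size(tx)
    return result


def diagnose(peer: Peer) -> list:
    """Return the findings for one peer, most fundamental first."""
    if peer.handshake_age is None:
        # Never completed a handshake: wrong key, unreachable endpoint, or the
        # UDP listening port is not forwarded/allowed on the way in.
        return ["no-handshake"]
    findings = []
    if peer.handshake_age > REJECT_AFTER_TIME:
        findings.append("stale-handshake")
    if peer.rx_bytes >= MIN_RX_FOR_ASYMMETRY and peer.tx_bytes <= MAX_TX_FOR_ASYMMETRY:
        # Payload came in, almost nothing went back: replies are being dropped
        # by the firewall, NATted wrongly, or routed out another interface.
        findings.append("no-return-traffic")
    return findings


# Sample input: the `wg` output quoted in the post above (public keys only).
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: hCHSYE6ljF608lc58piqyhxdfRFl5Ydd2p0Umj1vHk4=
  private key: (hidden)
  listening port: 51820

peer: 6gmHy2Vg5BB6u6iUw3LAlPA7YNT8g0Ub2zPbyk5MUDc=
  endpoint: 174.192.0.178:8088
  allowed ips: 192.168.2.2/32
  latest handshake: 11 minutes, 39 seconds ago
  transfer: 4.64 KiB received, 96 B sent

peer: u5EqdHj1Ifdlbx5/PihyegJGuYA5R988yO/H/t0IEwA=
  allowed ips: 192.168.2.3/32
"""

if __name__ == "__main__":
    for p in parse_wg_show(SAMPLE_WG_SHOW)["peers"]:
        print(p.public_key[:8], p.allowed_ips, diagnose(p))
```

Run against the quoted output, the first peer is reported as stale-handshake plus no-return-traffic and the second as no-handshake, which separates "the UDP path is broken" from "packets arrive but replies never make it back into wg0", two very different places to look in the firewall and routing tables.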
#4
Development and Code Review / Re: Wireguard in opnsense
September 05, 2018, 04:44:10 PM
Quote from: mimugmail on September 05, 2018, 04:38:06 PM
No .. this is experimental .. a NAT on WireGuard group interface and translated address the tunnel address should be fine too

OK, I'll wait until 0.3. If my settings look good to you, I'll rule user error out. Thanks for the help and work you are doing!
#5
Development and Code Review / Re: Wireguard in opnsense
September 05, 2018, 04:32:25 PM
Quote from: mimugmail on September 05, 2018, 04:22:10 PM
Best is to wait until tomorrow, then you'll get 0.3 with 18.7.2.
In principle it's the same setup as https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/ but you have to use your own keys.

In that link it says to create an interface bound to wg0 but disable it and lock it. Should I do that?
#6
Development and Code Review / Re: Wireguard in opnsense
September 05, 2018, 04:12:08 PM
Quote from: mimugmail on September 05, 2018, 02:45:51 PM
Do you host WireGuard on your OPNsense and want to route your Android in your LAN, but not VPN as default gateway, right?

I think so. My OPNsense box is 192.168.1.1 with all local machines on this same subnet, the tunnel address is 192.168.100.1 listening on 51820, and my phone is 192.168.100.2. I want to be able to access everything on the 192.168.1.0 network as well as get out to the internet through my home internet connection to bypass my mobile ISP (don't want split tunneling). I'm not sure what other addresses I should have added to the settings to enable this routing so I put 192.168.100.1/24 in the WireGuard tunnel address. In the endpoints I have my phone's public key and 192.168.100.2/24,192.168.1.0/24 as the addresses. On the phone's interface settings I have 192.168.100.2/24, 192.168.1.0/24. In the peer I have allowed IPs 0.0.0.0/0, ::/0. In my OPNsense NAT port forwarding I allowed any source to WAN Address on port 51820 to forward to 192.168.100.1. In my firewall rules on the WireGuard interface I put a rule to allow everything (necessary?). Do I need a rule on the LAN interface?

Right now I can't ping to or from the phone when connected but my firewall logs show everything on wg0 being blocked (ports 53, 443, etc) by the default deny rule. From the OPNsense shell I ran tcpdump -i wg0 and could see activity from my phone's 192.168.100.2 address so I'm thinking I just screwed up or omitted something from my firewall rules since it's showing up in the log as blocked. Would my WAN interface having "block private networks" enabled affect anything?
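The layout described in the post above (OPNsense at 192.168.100.1 on the tunnel, the phone at 192.168.100.2, the LAN at 192.168.1.0/24, full tunnel on the phone) is the standard road-warrior shape. What makes or breaks it is WireGuard's cryptokey routing: on each side, a peer's AllowedIPs is at the same time the set of source addresses accepted from that peer and the set of destinations sent to it. On the hub that means a road-warrior peer's AllowedIPs should cover only that client's own tunnel address (a /32) plus any networks that genuinely sit behind the client, while the client side carries 0.0.0.0/0 for a full tunnel. The following is an added example, not the plugin's code and not from the thread: a small checker for wg-quick style configs that flags server-side AllowedIPs containing the hub's own tunnel address, overlapping the LAN, or overlapping another peer, and checks the client for an Endpoint and a default route. The sample configs are constructed to mirror the post's addressing; the keys and the hostname vpn.example.net are placeholders.

```python
import ipaddress


def parse_wg_conf(text: str):
    """Parse a wg-quick style config into (interface, [peer, ...]).

    Hand-written because [Peer] repeats and configparser keeps one section
    per name. Keys are lower-cased; text after '#' is treated as a comment.
    """
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                section = interface
            elif name == "peer":
                section = {}
                peers.append(section)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        key, _, val = line.partition("=")  # first '=' only; base64 keys end in '='
        section[key.strip().lower()] = val.strip()
    return interface, peers


def networks(value: str):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]


def addresses(value: str):
    return [ipaddress.ip_interface(v.strip()).ip for v in value.split(",") if v.strip()]


def check_server(conf: str, local_networks) -> list:
    """Cryptokey-routing checks for the hub side of a road-warrior setup."""
    iface, peers = parse_wg_conf(conf)
    own = addresses(iface.get("address", ""))
    lans = [ipaddress.ip_network(n) for n in local_networks]
    findings, claimed = [], []
    for i, peer in enumerate(peers):
        tag = peer.get("publickey", f"peer{i}")[:12]
        for net in networks(peer.get("allowedips", "")):
            if any(a in net for a in own):
                # Would route the hub's own tunnel subnet (and itself) to this peer.
                findings.append(f"{tag}: {net} contains the server's own tunnel address")
            for lan in lans:
                if net.overlaps(lan):
                    # LAN destinations would be sent into the tunnel instead of to the LAN.
                    findings.append(f"{tag}: {net} overlaps local network {lan}")
            for other_tag, other in claimed:
                if net.overlaps(other):
                    # An allowed IP maps to exactly one peer; overlaps silently win/lose.
                    findings.append(f"{tag}: {net} overlaps {other} claimed by {other_tag}")
            claimed.append((tag, net))
    return findings


def check_client(conf: str, full_tunnel: bool = True) -> list:
    """Mobile side: one peer, an Endpoint, and 0.0.0.0/0 when a full tunnel is wanted."""
    _, peers = parse_wg_conf(conf)
    findings = []
    if len(peers) != 1:
        findings.append(f"expected exactly one [Peer], found {len(peers)}")
    for peer in peers:
        if "endpoint" not in peer:
            findings.append("peer has no Endpoint")
        nets = networks(peer.get("allowedips", ""))
        if full_tunnel and not any(n.version == 4 and n.prefixlen == 0 for n in nets):
            findings.append("full tunnel requested but AllowedIPs has no 0.0.0.0/0")
    return findings


# Constructed samples (placeholder keys) mirroring the post's addressing.
SERVER_CONF_WIDE = """
[Interface]
Address = 192.168.100.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.100.2/24, 192.168.1.0/24   # /24 and the LAN: both flagged
"""

SERVER_CONF_FIXED = SERVER_CONF_WIDE.replace(
    "192.168.100.2/24, 192.168.1.0/24", "192.168.100.2/32")

PHONE_CONF = """
[Interface]
Address = 192.168.100.2/24
PrivateKey = PHONE_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

if __name__ == "__main__":
    print(check_server(SERVER_CONF_WIDE, ["192.168.1.0/24"]))
    print(check_server(SERVER_CONF_FIXED, ["192.168.1.0/24"]))
    print(check_client(PHONE_CONF))
```

Note what the checker does not cover: the OPNsense-side firewall rule on the WireGuard interface and the outbound NAT for tunnel addresses leaving via WAN are pf configuration, not WireGuard configuration, so a config that passes here can still show blocked DNS in the firewall log.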
#7
Development and Code Review / Re: Wireguard in opnsense
September 05, 2018, 02:10:14 PM
@mimugmail, should I stop trying to get 0.1 to work? I can't figure it out and was wondering if it's a bug that will be fixed. I can ping the client from the server but not the other way around. The client is also not routing out to the internet. AFAIK I have the firewall rules figured out, yet the logs show DNS requests are being blocked by the default rule. I'd love a quick road warrior guide vs. the S2S config.