Messages - scubbo

#1
I followed this guide to set up Wireguard on OPNsense. I was able to successfully connect to the VPN both from my Android phone and from my Macbook. However, a couple of days ago, something changed and, whenever either client tries to access the Internet via this VPN, the requests fail.

Debugging information:
// Commands on OPNSense

# grep -irl 'wireguard' /var/log
/var/log/audit/audit_20220605.log
/var/log/audit/latest.log
/var/log/audit/audit_20220423.log
/var/log/audit/audit_20220424.log
/var/log/pkg/pkg_20220423.log
/var/log/pkg/latest.log
# grep -ir 'wireguard' /var/log/audit/latest.log
/var/log/audit/latest.log:<37>1 2022-06-05T20:07:02-07:00 OPNsense.avril audit 83763 - [meta sequenceId="1"] user root@192.168.1.101 changed configuration to /conf/backup/config-1654484822.5635.xml in /api/wireguard/general/set
/var/log/audit/latest.log:<37>1 2022-06-05T20:08:05-07:00 OPNsense.avril audit 83763 - [meta sequenceId="1"] user root@192.168.1.101 changed configuration to /conf/backup/config-1654484885.8788.xml in /api/wireguard/general/set
#grep -ir 'wireguard' /var/log/pkg/latest.log
/var/log/pkg/latest.log:<13>1 2022-04-23T12:54:18-07:00 OPNsense.avril pkg 15707 - [meta sequenceId="2"] wireguard-tools-1.0.20210914_1 installed
/var/log/pkg/latest.log:<13>1 2022-04-23T12:54:18-07:00 OPNsense.avril pkg 15707 - [meta sequenceId="3"] wireguard-go-0.0.20220316_1,1 installed
/var/log/pkg/latest.log:<13>1 2022-04-23T12:54:25-07:00 OPNsense.avril pkg 15707 - [meta sequenceId="1"] os-wireguard-1.10 installed
# /usr/local/etc/rc.d/wireguard start   // from https://forum.opnsense.org/index.php?topic=14279.0
wg-quick: `wg0' already exists
# /usr/local/etc/rc.d/wireguard status
interface: wg0
  public key: SqSsD[REDACTED]
  private key: (hidden)
  listening port: 51822

peer: tt5su[REDACTED] // Macbook
  endpoint: 172.58.32.150:48561
  allowed ips: 10.10.10.3/32
  latest handshake: 3 minutes, 31 seconds ago
  transfer: 109.77 KiB received, 494.89 KiB sent

peer: 8AJ96[REDACTED] // Android phone
  endpoint: 172.58.31.71:50324
  allowed ips: 10.10.10.2/32
  latest handshake: 5 minutes, 58 seconds ago
  transfer: 109.46 KiB received, 130.67 KiB sent
# curl ifconfig.io
135.180.218.171
# cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = [REDACTED]
Address = 10.10.10.1/24
ListenPort = 51822

[Peer]
PublicKey = tt5su[REDACTED]

AllowedIPs = 10.10.10.3/32

[Peer]
PublicKey = 8AJ96[REDACTED]

AllowedIPs = 10.10.10.2/32
---
// Interface definition on Android
Interface:
  Name: [REDACTED]
  Public Key: 8AJ96[REDACTED]
  Addresses: 10.10.10.2/32
Peer:
  Public Key: SqSsD[REDACTED]
  Allowed IPs: 0.0.0.0/0
  Endpoint: vpn.scubbo.org:51822
---
$ nslookup vpn.scubbo.org
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: vpn.scubbo.org
Address: 135.180.218.171
No logs for "wireguard" or "wg0" in Log Files in the OPNsense GUI. I've tried restarting the Wireguard plugin, but it didn't fix the issue.

Given that `/usr/local/etc/rc.d/wireguard status` shows recent handshakes, I believe that the clients are connecting _to_ the VPN but then failing to connect out to the wider Internet, but I'm not sure why - in particular, the Outbound NAT rule and Firewall rules still appear to be correct.

Any debugging suggestions gratefully received!
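As an added triage helper (not part of the original post), the script below parses `wg show`-style status output like the one pasted above and classifies each peer using WireGuard's own session timers: an initiator that still has data to send rekeys 120 s after a handshake and the session is rejected at 180 s, so a peer that is actively pushing traffic never shows a "latest handshake" much older than two minutes. The first two stanzas are modelled on the post (keys already redacted there); the third is constructed to show the never-handshaked case.

```python
import re

# Constructed sample modelled on the `wireguard status` output in the post;
# the third peer stanza is invented to exercise the "no handshake" branch.
WG_SHOW = """\
interface: wg0
  public key: SqSsD[REDACTED]
  listening port: 51822

peer: tt5su[REDACTED]
  endpoint: 172.58.32.150:48561
  allowed ips: 10.10.10.3/32
  latest handshake: 3 minutes, 31 seconds ago
  transfer: 109.77 KiB received, 494.89 KiB sent

peer: 8AJ96[REDACTED]
  endpoint: 172.58.31.71:50324
  allowed ips: 10.10.10.2/32
  latest handshake: 5 minutes, 58 seconds ago
  transfer: 109.46 KiB received, 130.67 KiB sent

peer: NEVER[CONSTRUCTED]
  allowed ips: 10.10.10.4/32
"""

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
REJECT_AFTER_TIME = 180  # WireGuard protocol constant: session is dropped 180 s
                         # after its handshake; a sending initiator rekeys at 120 s.

def parse_age(text):
    """'3 minutes, 31 seconds ago' -> 211 (seconds since the last handshake)."""
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+) (second|minute|hour|day)s?", text))

def parse_wg_show(output):
    """Return {peer_pubkey: {field: value}} for every peer stanza of `wg show`."""
    peers, cur = {}, None
    for line in output.splitlines():
        if line.startswith("peer: "):
            cur = line[len("peer: "):]
            peers[cur] = {}
        elif cur and ": " in line:
            field, value = line.strip().split(": ", 1)
            peers[cur][field] = value
    return peers

def triage(info):
    """Classify one peer from its `wg show` fields (wg omits the handshake line
    entirely when a peer has never completed one)."""
    if "latest handshake" not in info:
        return "no handshake: key mismatch, wrong endpoint/port, or UDP blocked"
    age = parse_age(info["latest handshake"])
    # Units differ per counter (B, KiB, MiB); only zero vs non-zero matters here.
    rx, tx = (float(v) for v in re.findall(r"([\d.]+) \w+ (?:received|sent)", info["transfer"]))
    if age > REJECT_AFTER_TIME:
        return "stale session: client idle or its packets no longer reach the server"
    if rx > 0 and tx == 0:
        return "one-way: packets arrive but nothing is sent back (routing/NAT/firewall on wg0)"
    return "tunnel healthy: look beyond WireGuard (forwarding, outbound NAT, LAN rules)"
```

Against the pasted output both real peers come back as stale sessions (211 s and 358 s), so on a live box re-run the check while a client is actively loading a page to separate "idle tunnel" from "traffic not arriving".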