"
Hi. I need guidance on how to tshoot wireguard configuration and find where the configuration error is. I'm trying to set up a wireguard VPN with the OPNSense firewall as client (initiating) to a public VPN service. When I activate it, the client traffic does not go through and I cannot get any traffic from a laptop to anything outside the local network. I've been going though instruction for days now, but unfortunately there is little information on how to confirm what you have done is correct. I'm missing a "do this and that, and then it should look like this"-guide. I've been following mostly this guide: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
First off: Is this the right order of operations for traffic flow in OPNSense?
1- Firewall rules on incoming interface
2- Wireguard tunneling
3- Routing
4- NAT (In my case Hybrid)
5- Zenarmor (configured in passive mode currently)
Looking though logs, I can only find a trace of traffic flow for step one above. It seems to hit the right firewall rule, with the wireguard peer as the gateway. But after that I can't really confirm anything nor find any traces in logs - but I'm not sure where to look either.
2- WG tshooting:
The wireguard service is running and wireguard status shows two rows in the table:
Instance: Status Up. Port/endpoint only has a port number. Handshake, Send, Received are all empty.
Peer: No status, Port/Endpoint, Handshake, Send, Received all have values.
Not sure what values to expect in this table.
Firewall -> Diagnostics -> Statistics, interface wg0 shows a bunch of packets passed out, nothing coming back and almost all counters are zero.
3 - Routing tshoot
I have a route configured (floating) and that has logging switched on, but i can't find a trace if log confirming this route is actually used.
Feels like WG config is wrong but I can't figure it out. Any ideas? Preferably on how to verify WG tunnel config.
OPNSense OPNsense 24.1.10_2-amd64
First off: Is this the right order of operations for traffic flow in OPNSense?
1- Firewall rules on incoming interface
2- Wireguard tunneling
3- Routing
4- NAT (In my case Hybrid)
5- Zenarmor (configured in passive mode currently)
Looking though logs, I can only find a trace of traffic flow for step one above. It seems to hit the right firewall rule, with the wireguard peer as the gateway. But after that I can't really confirm anything nor find any traces in logs - but I'm not sure where to look either.
2- WG tshooting:
The wireguard service is running and wireguard status shows two rows in the table:
Instance: Status Up. Port/endpoint only has a port number. Handshake, Send, Received are all empty.
Peer: No status, Port/Endpoint, Handshake, Send, Received all have values.
Not sure what values to expect in this table.
Firewall -> Diagnostics -> Statistics, interface wg0 shows a bunch of packets passed out, nothing coming back and almost all counters are zero.
3 - Routing tshoot
I have a route configured (floating) and that has logging switched on, but i can't find a trace if log confirming this route is actually used.
Feels like WG config is wrong but I can't figure it out. Any ideas? Preferably on how to verify WG tunnel config.
OPNSense OPNsense 24.1.10_2-amd64
