"
Hi,
I'm fairly new to networking and OPNsense, and I'm stuck with my WireGuard setup. I can not get handshake. I've been troubleshooting step by step for a while and would really appreciate some guidance.
My setup
ISP router:
OPNsense VM running on Proxmox:
WireGuard config in OPNsense
Firewall rules:
NAT:
Outbound NAT in hybrid mode → rule: WireGuard net → WAN → interface address
Peer (phone) config
[Interface]
[Peer]
What works
So port forwarding is working and OPNsense is receiving the packets.
What does NOT work
Things I have already tried
Where I'm stuck
Packets from the phone reach OPNsense WAN, but WireGuard never replies. I cannot get a handshake, so no LAN or internet access through the tunnel.
What else could cause OPNsense to silently drop incoming WireGuard handshake packets, even when the peer is linked, keys match, and packets clearly arrive at the WAN interface?
Thanks in advance for any help!
I'm fairly new to networking and OPNsense, and I'm stuck with my WireGuard setup. I can not get handshake. I've been troubleshooting step by step for a while and would really appreciate some guidance.
My setup
ISP router:
- 192.168.1.1
- Port forward on ISP router:External port: 51820 → Internal IP: 192.168.1.3 (OPNsense WAN) → Protocol: UDP
NAT loopback disabled,
OPNsense VM running on Proxmox:
- WAN (vtnet0) → bridged to Proxmox vmbr0 (connected directly to ISP router), IP: 192.168.1.3
- LAN (vtnet1) → vmbr1 → 192.168.10.1
- Proxmox firewall disabled for this VM
WireGuard config in OPNsense
- Instance:
- Listen port: 51820
- Interface address: 10.10.10.1/24
- Peer (my phone) is selected/linked
- Peer (phone):
- Public key matches phone
- Allowed IPs: 10.10.10.2/32
Firewall rules:
- WAN: allow UDP/51820 to WAN address
- WG interface: allow any from WireGuard net to any
NAT:
Outbound NAT in hybrid mode → rule: WireGuard net → WAN → interface address
Peer (phone) config
[Interface]
- Private key = phone's key
- Address = 10.10.10.2/32
- DNS = 10.10.10.1
[Peer]
- PublicKey = server instance public key
- Endpoint = myDDNS:51820 (DDNS points to correct WAN IP)
- AllowedIPs = 0.0.0.0/0, ::/0
- PersistentKeepalive = 25
What works
- DDNS resolves to correct WAN IP.
- From outside (mobile data), packets arrive at OPNsense WAN (confirmed with Packet Capture). Example:
- 46.122.x.x.33494 > 192.168.1.3.51820: UDP, length 148
So port forwarding is working and OPNsense is receiving the packets.
What does NOT work
- No handshake shown in OPNsense (empty "Last handshake").
- On the phone, only "sent bytes" increment, "received" stays 0.
- No access to LAN or internet through the tunnel.
Things I have already tried
- Verified peer is linked to instance.
- Double-checked all public/private keys (QR import).
- Allowed IPs set correctly on both sides.
- PersistentKeepalive = 25 on phone.
- Checked system clock (NTP enabled, time is correct).
- Verified NAT outbound rule exists for WireGuard net → WAN.
- Proxmox VM networking: VirtIO NICs, bridged to vmbr0 (WAN) and vmbr1 (LAN). No NAT mode. Proxmox firewall disabled.
Where I'm stuck
Packets from the phone reach OPNsense WAN, but WireGuard never replies. I cannot get a handshake, so no LAN or internet access through the tunnel.
What else could cause OPNsense to silently drop incoming WireGuard handshake packets, even when the peer is linked, keys match, and packets clearly arrive at the WAN interface?
Thanks in advance for any help!
