Topic: remote access mode for Wireguard (Read 3482 times)
md0 (Newbie, Posts: 7, Karma: 2)
remote access mode for Wireguard
« on: April 05, 2021, 11:15:56 am »
Hello,
I'm trying to establish a Wireguard tunnel from an OPNsense machine behind a 4G connection that does not allow exposing ports to the Internet. Therefore, I need to trigger the connection to the remote machine using a random port (dynamic endpoint mode) - however, the GUI does not allow me to save the local configuration without a listening port. Is there any way to force Wireguard into initiating a "client" connection with a remote endpoint?
Thank you!
Greelan (Hero Member, Posts: 1028, Karma: 72)
remote access mode for Wireguard
« Reply #1 on: April 05, 2021, 11:47:23 am »
Just enter a port even if it won’t be used (eg 51820, 51821 ...). Not used at least for connections initiated from the outside.
« Last Edit: April 05, 2021, 11:51:42 am by Greelan »
md0 (Newbie, Posts: 7, Karma: 2)
Re: remote access mode for Wireguard
« Reply #2 on: April 05, 2021, 12:02:26 pm »
I'm not sure that I understand how this is supposed to work - the remote server will never initiate a connection from the outside, as its peer has no IP address or port. This means that I'll have to start the tunnel from the local machine. How can this happen if Wireguard acts as a server and expects incoming connections on whatever port I declare for the local configuration?
Can I somehow force Wireguard to initiate the tunnel from the local machine?
Thanks
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: remote access mode for Wireguard
« Reply #3 on: April 05, 2021, 12:03:44 pm »
Yes, of course, by specifying the IP/domain and port of the endpoint in its configuration
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: remote access mode for Wireguard
« Reply #4 on: April 05, 2021, 12:07:04 pm »
Just because you (have to) specify a port in the Local config doesn’t mean that OPNsense will act as a “server”. If the remote machine doesn’t specify the OPNsense IP and port as an endpoint, then it will never initiate a connection to it. OPNsense will always be the one initiating
md0 (Newbie, Posts: 7, Karma: 2)
Re: remote access mode for Wireguard
« Reply #5 on: April 05, 2021, 12:22:58 pm »
I understand, though I find the logic a bit confusing - in my particular scenario only one machine can initiate the tunnel. But if I were to have a public IP address, expose whatever port I declared as local to the Internet and expose that info to the remote machine, wouldn't then both be trying to initiate connections at the same time?
Anyway, I do have the default port entered, and everything is set correctly (IP address/port, keys), yet the tunnel won't come up. Can I find somewhere a log of what Wireguard is actually doing?
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: remote access mode for Wireguard
« Reply #6 on: April 05, 2021, 12:26:39 pm »
Have you read the docs? Particularly
https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html
You are probably missing an outbound NAT rule
md0 (Newbie, Posts: 7, Karma: 2)
Re: remote access mode for Wireguard
« Reply #7 on: April 05, 2021, 12:39:30 pm »
I do have the outbound NAT rule defined, but at this point I would be content if I could get the other endpoint's address to respond to ping. It's hard to understand what's going on without any logs or feedback from the system.
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: remote access mode for Wireguard
« Reply #8 on: April 05, 2021, 12:41:31 pm »
WG has very little in the way of logging - hence the short codebase lol
Sometimes restarting WG can help
Otherwise post screenshots of your config (local, endpoint, NAT), masking private keys etc
md0 (Newbie, Posts: 7, Karma: 2)
Re: remote access mode for Wireguard
« Reply #9 on: April 05, 2021, 01:30:37 pm »
Success!
I've managed to get the tunnel up and running by adding a keepalive interval for the remote endpoint.
I don't understand why this is happening, maybe someone more experienced can explain this to me...
Anyway, thank you Greelan for your input!
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: remote access mode for Wireguard
« Reply #10 on: April 05, 2021, 09:04:03 pm »
See the NAT section here (https://www.wireguard.com/quickstart/), which explains it
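The behaviour the last two posts describe (only the side that knows an Endpoint can start the handshake, and the keepalive is what makes it do so behind 4G NAT), as an added example that is not the poster's configuration and not the files OPNsense generates: wg-quick style configs for both ends, with placeholder keys and an assumed 10.10.0.0/24 tunnel network.

```ini
# Constructed example, not from the thread. Two separate files shown together.
# Keys are placeholders; 10.10.0.0/24 is an assumed tunnel network.

# ---- wg0.conf on the OPNsense side, behind 4G CGNAT (no inbound ports reachable) ----
[Interface]
PrivateKey = <OPNSENSE_PRIVATE_KEY>
Address = 10.10.0.2/24
# The GUI insists on a port, but nothing on the Internet can reach it. It only
# fixes the UDP source port of the packets OPNsense sends out.
ListenPort = 51820

[Peer]
PublicKey = <REMOTE_PUBLIC_KEY>
# Only this side knows where the other end lives, so only this side can
# initiate the handshake. The remote peer has no Endpoint for us.
Endpoint = vpn.example.net:51820
AllowedIPs = 10.10.0.0/24
# WireGuard starts a handshake only when it has a packet to send to the peer.
# With no traffic nothing happens and the tunnel stays down. The keepalive
# supplies that packet every 25 s and also keeps the carrier NAT mapping open
# so the peer's replies can come back to the same source port.
PersistentKeepalive = 25

# ---- wg0.conf on the remote peer with a public address ----
[Interface]
PrivateKey = <REMOTE_PRIVATE_KEY>
Address = 10.10.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <OPNSENSE_PUBLIC_KEY>
AllowedIPs = 10.10.0.2/32
# No Endpoint and no keepalive: the OPNsense address and port are unknown until
# its first authenticated packet arrives, and they are updated whenever it
# shows up from a new address (4G reconnects included).
```

On either side `wg show wg0` reports `latest handshake` and transfer counters, which is the closest thing to the per-tunnel feedback asked for earlier in the thread.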