OPNsense Forum » English Forums » Virtual private networks » Wireguard odd behavior - Default deny rule triggering on some - where is ruleset
Topic: Wireguard odd behavior - Default deny rule triggering on some - where is ruleset (Read 1694 times)

tedhughes (Newbie, Posts: 2, Karma: 0)
on: September 26, 2021, 06:03:45 pm
I'm running the latest OPNsense (21.7.3_1 LibreSSL) with the wireguard-go plugin installed.
I'm using WG as a site-to-site link with a VM running WireGuard at a remote datacenter. I was running a VM locally with WG to great success, but with the recent introduction of my new OPNsense hardware firewall, I wanted to migrate this endpoint from the local VM to the firewall itself. Got it set up thanks to the docs and various blogs, and thought I was in good shape.
At some point, I was tinkering with things and created an interface assignment for the wg0 interface. From that point on I got into a state where, if I do anything with the interface (enable/disable/assign/unassign), it breaks my WG tunnel, and if I restart the service it will not come back up until I remove the allowed IPs from the remote endpoint (aka my remote networks I want to reach over the tunnel). Once I remove all but the /32 private WG IP from my remote endpoint, the tunnel comes back up, and then I can re-add my remote networks to the endpoint. It's all very temperamental.
One thing I'm unclear on is whether I need any firewall rules defined for the tunnel. It would appear that almost everything passes, but on one of my remote networks I get a default deny rule trigger. Yet on my WireGuard ruleset I have an allow-everything inbound rule. But the live log view shows a default deny rule triggering on the wg0 interface. Since I have since undone the interface assignment, I cannot filter based on the wg0 interface in the live view.
So I guess I'm stuck on the relationship of interfaces in WG: how much is done automatically [don't touch it!] and how much I have control over. I do have a "WireGuard" ruleset, but I don't know if it is being honored. I do see evaluations/states/packets/bytes when inspecting the one allow-all rule I've created, so I'm confused on why *anything* would hit the default deny at that point.
Any help or advice would be greatly appreciated. Thanks much!
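The post raises two questions a troubleshooter would want to answer from data rather than guesswork: which traffic is actually hitting the default deny on wg0, and whether the AllowedIPs added to the remote peer overlap anything else (WireGuard's cryptokey routing lets each prefix belong to exactly one peer, so overlapping entries silently move traffic between peers). The script below is an added example, not code from the poster or from OPNsense: it parses constructed filterlog-style lines, keeps only default-deny blocks on a chosen interface, and annotates each with the peer whose AllowedIPs covers the source and destination. The field order assumed for an IPv4 filterlog line, the peer table, the rule labels and the log lines are all constructed placeholders; compare the field order against your own firewall log before relying on the parser.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed peer table (hypothetical, not the poster's configuration): peer name -> AllowedIPs.
# The "branch" peer deliberately overlaps "dc-endpoint" so the overlap check has something to find.
PEERS: Dict[str, List[str]] = {
    "dc-endpoint": ["10.200.0.2/32", "10.50.0.0/24", "10.60.0.0/24"],
    "branch":      ["10.200.0.3/32", "10.60.0.0/25"],
}

# Assumed field order for the first 20 fields of an IPv4 OPNsense filterlog line.
# This is an assumption for the example; verify it against your own log output.
FIELDS = ["rulenr", "subrulenr", "anchor", "label", "interface", "reason", "action", "dir",
          "ipver", "tos", "ecn", "ttl", "id", "offset", "flags", "protonum", "proto", "length",
          "src", "dst"]

# Constructed log lines with placeholder rule labels (real OPNsense labels are rule UUIDs/hashes).
DEFAULT_DENY_LABEL = "LABEL_OF_DEFAULT_DENY_RULE"
LOG_LINES = [
    "0,,,LABEL_OF_DEFAULT_DENY_RULE,wg0,match,block,in,4,0x0,,64,11,0,DF,6,tcp,60,10.60.0.15,192.168.1.20,51234,445,0,S,",
    "12,,,LABEL_OF_ALLOW_RULE,wg0,match,pass,in,4,0x0,,64,12,0,DF,6,tcp,60,10.50.0.9,192.168.1.20,40000,22,0,S,",
    "0,,,LABEL_OF_DEFAULT_DENY_RULE,wg0,match,block,in,4,0x0,,64,13,0,DF,17,udp,78,10.60.0.15,192.168.1.53,5353,53,58,",
    "0,,,LABEL_OF_DEFAULT_DENY_RULE,igb1,match,block,in,4,0x0,,64,14,0,DF,6,tcp,60,192.168.1.20,10.60.0.15,5555,443,0,S,",
]


def parse_filterlog(line: str) -> Dict[str, str]:
    """Split a comma-separated filterlog line into the assumed named fields (extra fields ignored)."""
    parts = line.split(",")
    return dict(zip(FIELDS, parts[:len(FIELDS)]))


def peer_for(address: str, peers: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Longest-prefix match of an address against every peer's AllowedIPs, like WireGuard's
    cryptokey routing lookup. Returns (peer name, matching prefix) or None if no peer covers it."""
    addr = ipaddress.ip_address(address)
    best: Optional[Tuple[str, ipaddress._BaseNetwork]] = None
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return (best[0], str(best[1])) if best else None


def overlapping_allowed_ips(peers: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Pairs of AllowedIPs prefixes on different peers that overlap. WireGuard assigns such a
    prefix to only one peer (the most recently configured), which is worth knowing before
    wondering why traffic for a network never reaches the peer you expected."""
    flat = [(name, ipaddress.ip_network(p, strict=False)) for name, ps in peers.items() for p in ps]
    found = []
    for i, (name_a, net_a) in enumerate(flat):
        for name_b, net_b in flat[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                found.append((name_a, str(net_a), name_b, str(net_b)))
    return found


def default_deny_hits(lines: List[str], interface: str, label: str,
                      peers: Dict[str, List[str]]) -> List[dict]:
    """Default-deny block entries on one interface, each annotated with the peer whose
    AllowedIPs covers the source and the destination (None means no peer covers it)."""
    hits = []
    for line in lines:
        entry = parse_filterlog(line)
        if entry["interface"] != interface or entry["action"] != "block" or entry["label"] != label:
            continue
        hits.append({
            "dir": entry["dir"], "proto": entry["proto"],
            "src": entry["src"], "dst": entry["dst"],
            "src_peer": peer_for(entry["src"], peers),
            "dst_peer": peer_for(entry["dst"], peers),
        })
    return hits


if __name__ == "__main__":
    for pair in overlapping_allowed_ips(PEERS):
        print("overlapping AllowedIPs: %s %s <-> %s %s" % pair)
    for hit in default_deny_hits(LOG_LINES, "wg0", DEFAULT_DENY_LABEL, PEERS):
        print("default deny on wg0: %(dir)s %(proto)s %(src)s -> %(dst)s "
              "(src peer: %(src_peer)s, dst peer: %(dst_peer)s)" % hit)
```

Run against a real export of the firewall log, the two outputs answer the post's questions separately: the annotated block list shows exactly which remote network and which local destination are falling through to the default deny on wg0, and the overlap report shows whether any of the AllowedIPs entries compete with another peer. Nothing here changes firewall state; it only reads log lines and the peer table.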