[SOLVED] Need help to set up Wireguard

Started by zero, October 22, 2023, 04:26:59 PM

October 22, 2023, 04:26:59 PM Last Edit: October 22, 2023, 05:40:31 PM by zero
Hello,
I'm trying to set up WireGuard with a simple configuration, but I can't figure out what I'm doing wrong. I simply can't get internet access on the client when WireGuard is turned on.
My topology is simple: I have 2 interfaces, LAN1 192.168.1.1 and LAN2 192.168.2.1, and I would like clients that are connected to WireGuard to have a LAN2 IP.
I created these firewall rules.
WAN
   Protocol: IPv4 UDP
   Source: *
   Port: *
   Destination: WAN address
   Port: 51820
   Gateway: *
   Schedule: *
WG1 interface
   Protocol: IPv4 *
   Source: WG1 net
   Port: *
   Destination: *
   Port: *
   Gateway: *
   Schedule: *
So after installing the plugin and configuring the client, I configured the WireGuard instance this way:
   Name: wg1
   Device: wg1
   Tunnel Address: 192.168.2.1/24
   Port: 51820
   Peers: DEMO-Peer
   Commands:
And the peer:
   Name: DEMO-Peer
   Endpoint address: WAN IP
   Endpoint port: 51820
   Allowed IPs: 192.168.2.50
   Commands:

When I enable the WireGuard connection from my Demo Peer I can see that the handshake was sent in the Diagnostics tab:
   Public key: Public key of the peer's interface
   Name: DEMO-Peer
   Port / Endpoint: IP of DEMO-Peer:8020
   Handshake: Connection date
   Send: 1.09 KB
   Received: 1.20 KB

I hope someone could help.

You need a separate network for your WireGuard clients, e.g. 192.168.3.0/24. WireGuard is a routed connection, not bridged. You cannot make the clients "appear" on a local LAN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Additionally, you have the client set to only allow access to a single IP.

And you'll want to add KeepAlive 25 to both sides of the config.

Thank you for all your answers, I've set WireGuard clients to 192.168.10.0/24 and enabled KeepAlive to 25 but same result.
CJ, what do you mean with: "Additionally, you have the client set to only allow access to a single IP."

On OPNsense you set the tunnel address to e.g. 192.168.10.1/24.

On the client you set the tunnel address to e.g. 192.168.10.101/32

On OPNsense you set allowed IPs for that client/peer to 192.168.10.101.

On the client you set allowed IPs to

192.168.10.1 - if you want to talk to OPNsense only.
192.168.10.0/24 - if you want all clients to be able to communicate with each other.

And additionally (!)

192.168.1.0/24
192.168.2.0/24

so the client can talk to your LANs ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
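The checks in the reply above, written out as an added Python example (not code from this thread or from OPNsense): it parses a constructed pair of wg-quick style configs for the OPNsense side and the DEMO-Peer side and flags the mistakes the thread walks through, a tunnel subnet that overlaps an existing LAN, a client address missing from the peer's allowed IPs on OPNsense, LANs missing from the client's allowed IPs, and a missing keepalive. The sample configs are constructed for the example, with keys and endpoints left out.

```python
import ipaddress

# Constructed sample configs in wg-quick syntax (not the poster's real files); keys omitted.
SERVER_CFG = """
[Interface]
Address = 192.168.10.1/24
[Peer]
AllowedIPs = 192.168.10.101/32
PersistentKeepalive = 25
"""
CLIENT_CFG = """
[Interface]
Address = 192.168.10.101/32
[Peer]
AllowedIPs = 192.168.10.0/24, 192.168.1.0/24, 192.168.2.0/24
PersistentKeepalive = 25
"""
LANS = ["192.168.1.0/24", "192.168.2.0/24"]  # the two OPNsense LANs from the thread

def parse(text):
    """Parse wg-quick INI text into {section: {key: value}}; assumes one [Peer] per file."""
    sections, current = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            current = sections.setdefault(line.strip("[]"), {})
        elif line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]

def check(server_text, client_text, lans):
    """Return the misconfigurations found; an empty list means the pair is consistent."""
    srv, cli = parse(server_text), parse(client_text)
    srv_if = ipaddress.ip_interface(srv["Interface"]["Address"])
    client_ip = ipaddress.ip_interface(cli["Interface"]["Address"]).ip
    lan_nets = [ipaddress.ip_network(lan) for lan in lans]
    problems = []
    if any(srv_if.network.overlaps(lan) for lan in lan_nets):  # the 192.168.2.1/24 mistake
        problems.append(f"tunnel subnet {srv_if.network} overlaps an existing LAN; pick a separate one")
    if not any(client_ip in n for n in nets(srv["Peer"]["AllowedIPs"])):  # server drops its packets
        problems.append(f"server peer AllowedIPs do not include client address {client_ip}")
    for want in [ipaddress.ip_network(f"{srv_if.ip}/32")] + lan_nets:  # client routes only these
        if not any(want.subnet_of(n) for n in nets(cli["Peer"]["AllowedIPs"])):
            problems.append(f"client AllowedIPs do not route {want} through the tunnel")
    for side, cfg in (("server", srv), ("client", cli)):
        if "PersistentKeepalive" not in cfg["Peer"]:
            problems.append(f"{side} peer lacks PersistentKeepalive (the thread suggests 25)")
    return problems
```

Running check(SERVER_CFG, CLIENT_CFG, LANS) on the sample pair returns an empty list; swapping the server address for the original 192.168.2.1/24 reports the LAN overlap.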

Thank you, after the explanation I realized that I had the wrong IP on the client.