Wireguard "Road Warrior" Setup - connects, can access Internet, but not LAN

[jworcutt]

Hi everyone.

I am trying to set up Wireguard as a "Road Warrior" set up.  I would like to use it to access my home network both for accessing the LAN, as well as routing internet traffic.

Prior to setting up Wireguard, I had a LAN on 10.7.22.1/24, and an IOT VLAN on 10.7.24.1/24

I have set up the wireguard server now on 10.7.32.1/24 following the "Road Warrior" guide.  I have set up the wg0 on interface "HomeWireGuard"

After setting up the instance and peer, and the client on my windows laptop, I set up the firewall on WireGuard to pass everything.

I am able to connect.  I can access external websites.  I can access the Opnsense web ui on 10.7.32.1 . However I cannot access any devices on the LAN.

I am not sure what I am doing wrong!  Any help would be appreciated.

[jworcutt]

Attaching my firewall config

[jworcutt]

Wireguard config

[zan]

You need to allow traffic from WG to your LAN.
Add a pass rule for HomeWireGuard source on your LAN.

[jworcutt]

Thank you for the reply.

I just added this rule under my LAN interface rules, Pass in, HomeWireGuard Net source, LAN net destination.

Did not work.

[meyergru]

How could it if it does not reach the LAN network in the first place? You should add the rule for the wireguard network interface group or the wireguard interface itself, not the LAN interface, because that traffic does not originate from the LAN interface.

[jworcutt]

Thank you for your response!

I have added now both a pass in, and pass out rule on the wireguard interface, source HomeWireGuard net, destination LAN net.

This did not work.

[meyergru]

Are you sure that traffic even passes your wireguard network? Usually, you setup IPs that may access that network by specifying the tunnel network and both ends.

As already said, you almost never have to specify "out" rules on the firewall.

I would allow anything (i.e. 0.0.0.0/0) on the wireguard interface, turn on logging for those rules and if it works, inspect the passing packets to see they adresses. You can always tighten the rules later on.

[jworcutt]

Thank you so much for your help.

I think I figured out the problem - I was trying to test out the VPN from the network itself and this was confusing windows.

I took your suggestion and put up a pass all rule and turned logging on.  I could see the traffic going to the internet, and I could ping the router from the VPN address, but pings to any on the LAN were not even showing up.  I figured how could that be, like they were not even making it to the router.

My guess is the laptop being on the local network, has a 255.255.255.0 netmask or something, and so the traffic was trying to go directly or something? And the 0.0.0.0/0 Allowed IPs on the wireguard was preventing it from going through?

Either way, testing it from another network I could indeed get to devices on my LAN.  Problem solved.

Sorry for the poor technical knowledge! Thank you again community for your help!

[verulian]

Unfortunately this guide (https://docs.opnsense.org/manual/how-tos/wireguard-client.html) needs some updating. The step numbers are off in at least 3 or 4 places and screenshots and values are no longer congruent with the system. Things are not sufficiently clear or delineated since this is a stepwise treatment.

[Patrick M. Hausen]

I think I figured out the problem - I was trying to test out the VPN from the network itself and this was confusing windows.

This does fundamentally not work for any VPN protocol/technology/product. You cannot test a VPN connection that is supposed to provide access to "inside" via the Internet if you are connected to "inside".

(yes, fellow network pros, there are edge cases ... not relevant for the average user)

You must use a separate "outside" connection.

Any suggestion about where to put that simple "trueism" in the docs?