Wireguard Roadwarrior setup not working (unable to complete handshake)

Started by JRC, March 30, 2024, 11:36:15 PM

The client is not able to finish the handshake and I cannot work out why.

I followed the instructions here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html and I have double- and triple-checked my settings and they match these settings, but I am unable to connect from any client; I am getting errors about the handshake not completing.

At this point I am at a loss as to what to do to get this working. I am not entirely sure what I need to post here to help work this out.

The interface I created in step 4(a) is called "Wireguard"

Outbound NAT Rule:
WAN Wireguard net * * * Interface address * NO Wireguard NAT Rule


WAN Rule:
  IPv4 UDP * * WAN address 51820 * * Open Wireguard Port

WireGuard Interface FW Rule:
    IPv4 * Wireguard net * * * * * Allow Traffic from Wireguard Clients

Normalization Rule:
WireGuard (Group), Wireguard any any Wireguard MSS Clamping IPv4

OPNsense 24.1.4


Any suggestions?


Also, some notes in the documentation:

  • The numbering referenced in the article is wrong. When the instructions reference step 5(a), they actually mean 4(a) (I think); this made parsing it pretty difficult.
  • It would be nice if there were some more information about the keys and how to use them and/or how they relate to each other. Step 2 just tells you to insert a public key, and to go to step 7 (doesn't exist) in order to get info on how to generate said key.
  • Step 5a tells you to use the interface Wireguard (Group) instead of the interface you created in step 4(a). Is this correct? (I tried both, but things still don't work)
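On the question of how the keys relate to each other: each side's [Interface] PrivateKey yields a public key (what `wg pubkey` prints), and that public key is what goes into the *other* side's [Peer] section; the client's Endpoint port must be the server's ListenPort (the port the WAN rule opens), and the server-side [Peer] AllowedIPs must cover the client's tunnel address. The linter below, an added example that is not code from this thread or from the OPNsense docs, checks exactly those relationships between a server config and a roadwarrior client config written in the standard wg-quick style. It assumes that file format for both sides (OPNsense holds the server side in its GUI rather than in such a file), derives the public keys itself with a pure-Python X25519 so it runs offline, and uses the RFC 7748 test vectors as constructed sample keys; the hostname vpn.example.invalid and the 10.10.10.0/24 tunnel range are invented.

```python
# Added example, not from the forum thread or the OPNsense docs: a linter that
# cross-checks a WireGuard server config against a roadwarrior client config.
# Sample keys are RFC 7748 section 6.1 test vectors; hostname and addresses are invented.
import base64
import ipaddress

P = 2**255 - 19  # Curve25519 field prime

def public_key_from_private(priv: bytes) -> bytes:
    """X25519(priv, 9), as `wg pubkey` computes it. RFC 7748 ladder, not constant time (linter use only)."""
    k = bytearray(priv)  # clamp the scalar (RFC 7748 section 5)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b64key(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def parse_wg_conf(text: str) -> dict:
    """Minimal wg-quick style INI parser: one [Interface], any number of [Peer]s."""
    conf, cur = {"interface": {}, "peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            cur = {}
            if line.lower() == "[interface]":
                conf["interface"] = cur
            else:
                conf["peers"].append(cur)
            continue
        key, _, val = line.partition("=")  # base64 '=' padding sits after the first '='
        cur[key.strip().lower()] = val.strip()
    return conf

def derived_pubkey(conf: dict) -> str:
    return b64key(public_key_from_private(base64.b64decode(conf["interface"]["privatekey"])))

def check_pair(server_conf: str, client_conf: str) -> list:
    """Mismatches that stop the client handshaking with, or routing through, the server."""
    srv, cli = parse_wg_conf(server_conf), parse_wg_conf(client_conf)
    srv_pub, cli_pub, cli_peer, problems = derived_pubkey(srv), derived_pubkey(cli), cli["peers"][0], []
    # The client's [Peer] must name the server's public key, not the client's own.
    if cli_peer.get("publickey") != srv_pub:
        problems.append("client [Peer] PublicKey is not the server's public key")
    # The server must have a [Peer] carrying the client's public key.
    srv_peer = next((p for p in srv["peers"] if p.get("publickey") == cli_pub), None)
    if srv_peer is None:
        problems.append("server has no [Peer] with the client's public key")
    else:
        # Server-side AllowedIPs must cover the client's tunnel address, or the handshake
        # succeeds but every packet from the client is dropped.
        addr = ipaddress.ip_interface(cli["interface"]["address"]).ip
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in srv_peer.get("allowedips", "").split(",") if n.strip()]
        if not any(addr in n for n in nets):
            problems.append(f"server AllowedIPs do not cover client address {addr}")
    # Endpoint port must equal ListenPort (the port the WAN rule has to open).
    port = cli_peer.get("endpoint", "").rpartition(":")[2]
    if port != srv["interface"].get("listenport"):
        problems.append(f"client Endpoint port {port} != server ListenPort {srv['interface'].get('listenport')}")
    return problems

# Constructed sample keys: RFC 7748 section 6.1 test vectors (Alice = server, Bob = client).
SERVER_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
CLIENT_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
SERVER_PUB, CLIENT_PUB = (b64key(public_key_from_private(k)) for k in (SERVER_PRIV, CLIENT_PRIV))

SERVER_CONF = f"""[Interface]
PrivateKey = {b64key(SERVER_PRIV)}
ListenPort = 51820
Address = 10.10.10.1/24
[Peer]  # roadwarrior client
PublicKey = {CLIENT_PUB}
AllowedIPs = 10.10.10.2/32
"""

CLIENT_CONF_OK = f"""[Interface]
PrivateKey = {b64key(CLIENT_PRIV)}
Address = 10.10.10.2/24
[Peer]
PublicKey = {SERVER_PUB}
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""

# Classic mistake: the client's own public key pasted into its [Peer], plus a wrong port.
CLIENT_CONF_BAD = CLIENT_CONF_OK.replace(SERVER_PUB, CLIENT_PUB).replace(":51820", ":51821")
```

`check_pair(SERVER_CONF, CLIENT_CONF_OK)` returns an empty list, while `check_pair(SERVER_CONF, CLIENT_CONF_BAD)` reports the swapped key and the port mismatch. A key mismatch on either side shows up on the firewall as a handshake that never completes, so if both sides pass this check and the WAN rule still logs no hits, the problem is in front of the firewall (no packets arriving) rather than in the WireGuard configuration.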

Do you have a public IPv4 address in the first place? If so, log that firewall rule on your WAN and see if it gets any hits from you.

I do have a public IPv4, and the firewall logs were not showing anything from my test setup (hotspot off my phone, which also had a public IPv4).

When I tried to access my other services, I could see the traffic flowing (I was filtering by source IP), but when I tried to connect to the VPN I saw nothing.

It's possible that my cell provider is blocking VPN traffic, but I think this is very unlikely (Android phone on Google Fi).

Eh, I gave up on this and just spun up a VM with OpenVPN on it and did a port forward. I'll use firewall rules to control which VLANs/services/servers remote clients can and cannot get to.