Some troubles with my wireguard setup - changes between 19.1 and 19.7?

Started by Dark-Sider, August 06, 2019, 11:42:38 AM

Can you follow the guides in the official docs? There is a step-by-step guide for this. Disable routes is for advanced users, don't use it when starting out. Also, the allowed IPs in local look wrong.

Maybe my experiences can be useful, as I have done a lot of testing within the last few weeks with WireGuard and iOS devices.

I set up my OPNsense firewall (version 19.7.8) as shown in the manual and couldn't get the all-traffic thing running. I did a lot of debugging and found the wg0 interface gone as soon as I assigned the interface as shown in step 2c of the manual.

Let me be a bit more detailed. My transfer network for WireGuard is 10.10.10.0. My local part has 10.10.10.1 as an IP address. The iOS device is on 10.10.10.2.
My internal LAN network is 192.168.10.0.
I can ping 10.10.10.1 and 10.10.10.2 at the firewall, and packet tracing is also possible, so I assume routing works.
When I enable the first step in 2c (assigning an interface), the routing stops. I can no longer ping any of the 10.10.10.x addresses.
So I skip the first step in 2c (assigning an interface to wg0), and everything works fine.

The setup now looks as follows:

Local Configuration:
Name: HomeCloud
Public Key: <Server Public Key>
Private Key: (hidden)
Listen Port: 51820
DNS Server: 192.168.10.1
Tunnel Address: 10.10.10.1/24
Peers: <Client 1>
Disable Routes: <Unchecked>

Endpoint:
Name: <Client 1>
Public Key: <Client 1 Public Key>
Allowed IPs:
10.10.10.2/32 - <Client 1 Address>

List Configuration Output:
interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: <Client 1 Public Key>
  allowed ips: 10.10.10.2/32

Client Settings (Phone):
Interface
Name: HomeCloud
Public Key: <Client Public Key>
Addresses: 10.10.10.2/32
DNS Servers: 192.168.10.1

Peer
Public Key: <Server Public Key>
Endpoint: vpn.example.com:51820
Allowed IPs: 192.168.10.0/24,0.0.0.0/0
Persistent Keepalive: off

Firewall
NAT -> Port Forward
NO RULES

NAT -> Outbound
WAN   WireGuard net   *  *  *   WAN address   *   NO   Wireguard_Outbound

Rules -> WAN
IPv4   UDP  *  *   WAN address   51820  *  *   Wireguard_Inbound

Interfaces
No interface setup for wg0

System -> Gateway -> Single
No gateway set

So notice the differences, marked as underlined above.
Additionally, do not use 0.0.0.0 as an address range in the Allowed IPs within the endpoint configuration; this will route all your firewall traffic to your endpoint.
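As an added example (not code from the post, from OPNsense or from the WireGuard project), here is a small linter for a wg-quick style [Interface]/[Peer] configuration that catches the pitfall raised at the end of the post. WireGuard's cryptokey routing assigns each AllowedIPs prefix to exactly one peer, and unless routes are disabled the host also installs a route for every prefix: 0.0.0.0/0 under a peer on the server turns that peer into the firewall's default gateway, the same prefix under two peers is a silent conflict (the last one configured wins), and a prefix already covered by a wider one under the same peer is redundant (as 192.168.10.0/24 is next to 0.0.0.0/0 in the phone config above). The two configs are constructed here from the addresses quoted in the post; the key strings, the hostname and the second server peer are placeholders, not real values.

```python
"""Lint WireGuard AllowedIPs for cryptokey-routing pitfalls (added example)."""
import ipaddress
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, peer label, message)

# Constructed sample inputs; keys are placeholders, not real key material.
SERVER_CONF = """
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# Client 1 from the post (iOS device)
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.10.2/32

[Peer]
# Hypothetical second client carrying the mistake the post warns about
PublicKey = CLIENT2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.10.3/32, 0.0.0.0/0
"""

CLIENT_CONF = """
[Interface]
Address = 10.10.10.2/32
PrivateKey = CLIENT1_PRIVATE_KEY_PLACEHOLDER
DNS = 192.168.10.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.com:51820
AllowedIPs = 192.168.10.0/24, 0.0.0.0/0
"""


def parse_wg(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split a wg/wg-quick style config into the Interface dict and a Peer list."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def allowed_networks(peer: Dict[str, str]) -> list:
    """AllowedIPs as ip_network objects; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("allowedips", "").split(",") if p.strip()]


def lint(text: str, role: str = "server") -> List[Finding]:
    """Return findings for a config; role is 'server' or 'client'."""
    interface, peers = parse_wg(text)
    findings: List[Finding] = []
    tunnel = ipaddress.ip_interface(interface["address"]).network
    claimed: List[Tuple[object, int]] = []  # (network, index of owning peer)
    for idx, peer in enumerate(peers):
        label = peer.get("publickey", f"peer{idx}")[:24]
        nets = allowed_networks(peer)
        if not nets:
            findings.append(("error", label, "no AllowedIPs: peer can neither send nor receive"))
        for net in nets:
            if net.prefixlen == 0 and role == "server":
                findings.append(("error", label,
                                 f"{net} on the server makes this peer the firewall's default route"))
            elif net.prefixlen == 0:
                findings.append(("info", label, f"{net}: full-tunnel client, all traffic via this peer"))
            elif role == "server" and net.version == tunnel.version and not net.overlaps(tunnel):
                findings.append(("info", label, f"{net} is outside tunnel {tunnel} (site-to-site route?)"))
            for other, owner in claimed:  # cryptokey routing: one owner per prefix
                if other.version != net.version or not other.overlaps(net):
                    continue
                if owner != idx:
                    findings.append(("error", label,
                                     f"{net} overlaps {other} of peer {owner}; last one configured wins"))
                elif other.subnet_of(net) or net.subnet_of(other):
                    findings.append(("warn", label, f"{net} and {other} overlap in one peer; one is redundant"))
            claimed.append((net, idx))
    return findings


if __name__ == "__main__":
    for name, conf, role in (("server", SERVER_CONF, "server"), ("phone", CLIENT_CONF, "client")):
        for severity, label, message in lint(conf, role):
            print(f"{name}: {severity:5} {label}: {message}")
```

Run as-is it reports the default-route error and the cross-peer conflict for the hypothetical second server peer, and on the phone config it reports only the redundancy of 192.168.10.0/24 under 0.0.0.0/0 (the full tunnel itself is informational there, since that is what a road-warrior client intends). The same default route is an error on the server because with routes enabled it replaces the firewall's own default gateway, which is exactly the "all your firewall traffic to your endpoint" effect described above.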