20.7.1-amd64 wireguard does not start anymore

Started by ednt, August 29, 2020, 09:40:02 PM

Quote from: ednt on August 31, 2020, 06:03:42 PM
Yes, that's the LAN interface.

But in the configuration of wireguard, these addresses are only available as allowed IP addresses at the endpoints.
Not all allowed networks are visible as routes.
And nothing has changed in the configuration.
But I'll now try to change the order of the addresses so that the 10... address is always the first allowed address.
Maybe it helps.

Why should WireGuard set a route to your local LAN via the WireGuard interface? In which documentation did you read to put your local network in the endpoint section?

September 01, 2020, 10:26:25 AM #16 Last Edit: September 01, 2020, 10:54:42 AM by ednt
If I configure wireguard, I have nothing to do with routes. This is done by wireguard (or OPNsense).

As I understood wireguard, you have to add all IPs which should go through the tunnel to 'Allowed IPs'.
Otherwise you only have a connection between the tunnel IPs.

This is also written in the help for 'Allowed IPs':
Quote: List of addresses allowed to pass through the tunnel adapter.

And I already tested this in 20.1.7: if I don't add the LAN IPs to the 'Allowed IPs', I cannot communicate between any home PC and the company LAN.
And since this was working for over half a year, I think and thought that this is correct.

The only thing I did manually was to set outbound NAT rules.


Btw.: I also never created an interface for wireguard. If this is really needed, the configuration of the wireguard plugin should do this.

No, on your phone or PC you set the remote IPs in AllowedIPs; on the server, you configure an endpoint and ONLY the IP/32.
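The split described in the reply above, written out as an added example (it is not configuration from this thread or from the OPNsense project; the addresses, hostnames and key placeholders are assumed). WireGuard's AllowedIPs does two things at once: it is the inbound filter for a peer and the outbound selector for which peer a destination is sent to, and wg-quick installs a route for every AllowedIPs entry. That is why a server's own LAN must never appear in a peer's AllowedIPs on the server side: it would be routed into the tunnel instead of to the LAN interface.

```ini
# Added example, not from the thread or OPNsense. Assumed addressing:
#   server tunnel address 10.10.10.1/24, company LAN 192.168.1.0/24 behind the server
#   home PC tunnel address 10.10.10.2/32
# Two separate files are shown; the comments mark where each one begins.

# ---------- file 1: server side (OPNsense) ----------
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
# Home PC: ONLY its tunnel address. Do NOT list 192.168.1.0/24 here,
# because that is the server's own LAN and would be routed into the tunnel.
PublicKey = <home-pc-public-key>
AllowedIPs = 10.10.10.2/32

# ---------- file 2: client side (home PC or phone) ----------
[Interface]
Address = 10.10.10.2/32
PrivateKey = <home-pc-private-key>

[Peer]
# Remote side: the server's tunnel address plus the company LAN behind it.
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.10.10.1/32, 192.168.1.0/24
PersistentKeepalive = 25
```

With more than one client, each server-side [Peer] gets its own distinct /32 (an address may belong to only one peer); a client that should expose a LAN of its own gets that LAN added to its server-side AllowedIPs, never the server's LAN. Firewall rules on the WireGuard interface (and the outbound NAT mentioned earlier in the thread, if the company LAN has no route back to the tunnel network) are still configured separately.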

September 01, 2020, 02:33:05 PM #18 Last Edit: September 01, 2020, 02:38:02 PM by ednt
Ok, wireguard is back to life.

Thank you for the clarification.

But the help text of 'Allowed IPs' should be changed to reflect what to put in it when the connection is a server or a client.

Multiple addresses should only be allowed if an 'Endpoint address' is given which is not allowed to be an address of the OPNsense itself.

And it should be possible to enter an IP address at 'local' where the stuff is bound to.
Then it would be possible to run it on Master/Slave OPNsense with CARP, if you enter the VIP address.

Currently it's: List of addresses allowed to pass through the tunnel adapter. Please use CIDR notation like 10.0.0.1/24.

Maybe it could be: List of destinations allowed to pass through the tunnel adapter. Please use CIDR notation like 10.0.0.1/32.