WireGuard road warrior, no connection. Two servers.

[tuomas]

I'm trying to setup wireguard access from my phone to my lan. I got it working previously when it was the only wireguard server on opnsense. I followed this tutorial: https://docs.opnsense.org/manual/how-tos/wireguard-client.html.

I then removed to it to setup wireguard connection to Torguard server: https://forum.opnsense.org/index.php?topic=20403.0.

Maybe it's because now there are two wireguard interfaces: wg0 and wg1. wg0 is used by my torguard vpn and wg1 is this new one for my phone. When i check Wireguard --> List cofiguration, there is only wg0, which i use to connect my NAS to Torguard vpn.

Should the wg1 interface be used in firewall rules somehow? 

[tuomas]

And i have assigned and enabled wg1 interface.

[Greelan]

You likely need a firewall rule incoming on wg1 from your phone’s tunnel IP to your LAN

[tuomas]

OK, now i see both wg0 and wg1 instances under Wireguard --> List cofiguration. The trick was to reboot my router.

I have set wg port 51821 for my phone wg settings under wireguard --> local. I have used this port for firewall --> nat --> "port forward" configuration. For both "Destination port range" and "Redirect target port" settings. Otherwise these settings follow this tutorial: https://docs.opnsense.org/manual/how-tos/wireguard-client.html step 2b.

Under Firewall --> Rules --> WireGuard i have followed above tutorial and used "WireGuard net" as source.

There's a hint on that tutorial that says:

Rules defined under Firewall ‣ Rules ‣ WireGuard take precedence over rules individually configured for each tunnel.

So sounds like this should work, even if i'm not using wg1 as the source.

However, i can't connect to my lan.

I have tried fiddling with wg1 interface in different places but haven't got connection working.

[Greelan]

Try manually specifying the tunnel network as the source in the firewall rule, rather than using “WireGuard net”. When I set mine up, I found that alias didn’t work. It may have been because I didn’t bother assigning an interface to the wg device. Or there could be a bug so that it affects you too.

Failing that, suggest you post screenshots of the relevant settings pages, sanitised as necessary. Easier to diagnose any issues.

[tuomas]

Try manually specifying the tunnel network as the source in the firewall rule, rather than using “WireGuard net”. When I set mine up, I found that alias didn’t work. It may have been because I didn’t bother assigning an interface to the wg device. Or there could be a bug so that it affects you too.

Failing that, suggest you post screenshots of the relevant settings pages, sanitised as necessary. Easier to diagnose any issues.

I have already assigned wg1 to interface WG1. So i cannot specify it manually.

Here's my current wg config. I have setup port 51821 for my phone's connection.

Code: [Select]

# wg show
interface: wg0
  public key: bhl3WDz2EdVsuPuT9sEM9Rnh2RDjc+mbzEz9F5AeRXo=
  private key: (hidden)
  listening port: 51820

peer: p+tDrxzGx4R9xG0kw6i4K8wYWE8fqNdqSJvB30MgWRY=
  endpoint: 91.233.116.229:1443
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 13 seconds ago
  transfer: 883.44 KiB received, 930.11 KiB sent
  persistent keepalive: every 25 seconds

interface: wg1
  public key: Bqx05LwlkAgrDVfvcxOGPRDOBxk18iG6wGsr0kDerHg=
  private key: (hidden)
  listening port: 51821

peer: j1l15iWrXORJGdbjLZyInfLbYSHmWUS3mEU6KS5Yai4=
  allowed ips: 10.10.10.2/32
And handshakes:

Code: [Select]

wg0 p+tDrxzGx4R9xG0kw6i4K8wYWE8fqNdqSJvB30MgWRY= 1608057665
wg1 j1l15iWrXORJGdbjLZyInfLbYSHmWUS3mEU6KS5Yai4= 0

[tuomas]

Here are some screenshots.

192.168.1.1 is my router's LAN IP.

[Greelan]

I have already assigned wg1 to interface WG1. So i cannot specify it manually.

Sure you can. Either create an Alias for the VPN network (10.10.10.0/24) and use that as the Source in the firewall rule, or select "Single Host or Network" as the Source and enter the network there.

Also, if you have assigned an interface to wg1 (you've called it WG1?), then you should probably be creating the firewall rule on that interface, rather than on the automatically created "WireGuard" interface. Although as I said, my setup works fine without an interface being manually assigned to the wg device.

You also don't need a Port Forward rule. Although that should still work, all you need instead is a rule on the WAN interface allowing UDP packets from any source destined to the WAN IP on port 51821. Port forwards are when you are trying to send packets on to a host that is behind the firewall.

You haven't given me all the details of the WireGuard config on either OPNsense or your phone, but this is what I would think it should look like:

On OPNsense:

Local:
Public Key: [as generated by OPNsense]
Private Key: [as generated by OPNsense]
Listen Port: 51821
Tunnel Address: 10.10.10.1/24
Peer: [name of phone endpoint]

Endpoint:
Public Key: [from interface config on your phone]
Allowed IPs: 10.10.10.2/32

On your phone:

Interface:
Private key: [as generated on your phone]
Public key: [as generated on your phone]
Addresses: 10.10.10.2/24

Peer:
Public key: [from OPNsense local config]
Endpoint: [public IP of OPNsense]:51821
Allowed IPs: 192.168.1.0/24

[tuomas]

Thank you Greelan, now it seems to be working! 

• created an alias for my phone's VPN network
• created a firewall rule for WG1 interface. There i used this new alias as source
• created a rule on the WAN interface allowing UDP packets from any source destined to the WAN IP on port 51821

Attached are screenshots of these rules.

[Greelan]

Nice