Wireguard connection ok but no handshake

Started by orsomannaro, December 13, 2022, 05:29:39 PM

December 13, 2022, 05:29:39 PM Last Edit: December 13, 2022, 05:38:58 PM by orsomannaro
I'm trying to set up a WireGuard VPN. The connection takes place (the firewall logs say so) but no handshake occurs with either the Ubuntu or the Windows client. I made several tests, also manually setting Outbound rules, but without being able to solve it.

Note:
- WAN is a hiperlan connection and I manage 8 public IPs (configured as Virtual IPs on OPNsense)
- In the firewall rule for WAN port 51820 I had to set as "Destination" the Alias (PubCloud) of the public IP address used for the VPN connection (otherwise it would not work, probably due to the multiple IPs).

OPNsense config:

I took some screenshots ... I tried to follow the official OPNsense documentation (as well as checking some how-tos on the Internet), assigning the wg1 device to a dedicated interface.

VPN:
VPN-WireGuard-local
VPN-WireGuard-endpoint
VPN-WireGuard-status
VPN-WireGuard-handshakes

Interface:
Interfaces-Assignments
Interfaces-WireGuard1
System-Routes-Status

Firewall:
Firewall-Log-port_51820
Firewall-Rules-WAN
Firewall-Rules-WireGuard _Group
Firewall-Rules-WireGuard1

Client config:

[Interface]
Address = 10.10.10.2/32
PrivateKey = YP8<8<8<8<8<8<8<8<8<8<8<8<8<c=

[Peer]
Endpoint = 185.x.x.x:51820
PublicKey = A18<8<8<8<8<8<8<8<8<8<8<8<8<Ww=
AllowedIPs = 10.10.10.0/24, 192.168.0.0/24
PersistentKeepalive = 15

Thanks for any help!

Ok... After many attempts, trying to drop and recreate server and endpoints and also using an android client with mobile Internet connection, I give up.

But I would like to test Wireguard as well, so the question is still open for anyone who wants to help me fix it. Thank you.

Use tcpdump and watch if packets for port 51820 arrive at your WAN interface ... continue from there.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

December 15, 2022, 11:23:55 AM #3 Last Edit: December 15, 2022, 03:02:30 PM by orsomannaro
I found the "problem" ...

Using "Packet Capture" (Interfaces->Diagnostics->Packet Capture) I found an OPNsense response from an "unknown" IP and a light bulb went on in my head ...

The ISP has given us some public IP addresses that we use for our services. But the router that manages the Hiperlan connection antenna dynamically assigns (via PPPoE) another public IP to the WAN interface of OPNsense, which is the one actually used by WireGuard.

Using this address as peer endpoint in the client configuration (and changing the firewall rule for WAN interface port 51820) the VPN started working.

In order to use one of the virtual public IP addresses I think it is necessary not to associate the device to an interface and to manually create an Outbound rule that directs the outgoing traffic from the WireGuard device to the desired virtual public IP (but I haven't tested it yet ... )
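The packet-capture check that exposed this, as an added example that is not from the thread: a small Python script that reads tcpdump-style UDP lines and flags every WireGuard handshake response that leaves from a different source address than the one the client sent its initiation to. It identifies handshake messages by their fixed sizes (148-byte initiation, 92-byte response); the addresses, the capture lines and the plain `tcpdump -n` line format are assumptions constructed for the example.

```python
import re

# tcpdump-style UDP line, e.g.
# "17:10:01.123456 IP 203.0.113.5.41820 > 198.51.100.10.51820: UDP, length 148"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)
WG_INIT_LEN = 148  # size of a WireGuard handshake initiation message
WG_RESP_LEN = 92   # size of a WireGuard handshake response message

# Constructed capture (not from the thread): client 203.0.113.5 sends its
# initiation to the virtual IP 198.51.100.10, but the reply leaves from the
# PPPoE-assigned WAN address 198.51.100.1. A second client (203.0.113.7)
# talks to 198.51.100.1 directly and gets a reply from the address it used.
SAMPLE_CAPTURE = """\
17:10:01.100000 IP 203.0.113.5.41820 > 198.51.100.10.51820: UDP, length 148
17:10:01.100400 IP 198.51.100.1.51820 > 203.0.113.5.41820: UDP, length 92
17:10:02.200000 IP 203.0.113.7.53001 > 198.51.100.1.51820: UDP, length 148
17:10:02.200300 IP 198.51.100.1.51820 > 203.0.113.7.53001: UDP, length 92
""".splitlines()

def parse_line(line):
    """Return (src, sport, dst, dport, length) for one UDP line, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    return (f["src"], int(f["sport"]), f["dst"], int(f["dport"]), int(f["length"]))

def find_source_mismatches(lines, port=51820):
    """List (client, address_sent_to, address_replied_from) for each handshake
    response whose source address differs from the one the client targeted."""
    sent_to = {}      # (client ip, client port) -> server address it targeted
    mismatches = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, length = parsed
        if dport == port and length == WG_INIT_LEN:
            sent_to[(src, sport)] = dst
        elif sport == port and length == WG_RESP_LEN:
            expected = sent_to.get((dst, dport))
            if expected is not None and expected != src:
                mismatches.append((dst, expected, src))
    return mismatches

if __name__ == "__main__":
    for client, target, reply_src in find_source_mismatches(SAMPLE_CAPTURE):
        print(f"{client} sent to {target} but was answered from {reply_src}")
```

A non-empty result is the symptom seen in this thread: the endpoint the client is configured with is not the address OPNsense actually answers from.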