Wireguard Selective Routing!

[chucklessduck]

Ok, so I was following the selective routing guide for Wireguard. I have followed every step but for some reason, I get odd network login errors when the VPN is enabled. I have put all of the info in the attachments. This issue is really pulling my hair out any help would be great.

The Guide: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

I did a traceroute on my ISP modems address and my wireguard address and both came back. But when I do the trace on google I get nothing.

[chucklessduck]

Here are my configs for the other stuff in the guide. Wireguard is working and I have tested it.

[imolaspin]

I have the exact same output from following the exact same guide! My gut is DNS somehow but not sure where its falling down

[Greelan]

Easy to test if it is DNS by doing a traceroute to 8.8.8.8

[imolaspin]

Hi Greelan,
It certainly would appear to be DNS from traceroute but I'm not sure how to troubleshoot the WG configuration/rules to work around it; output below.

#Not in VPN Alias
username:$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8., 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  8.225 ms  1.449 ms  1.417 ms #OPNSense
 2  172.22.0.1 (172.22.0.1)  8.687 ms  8.385 ms  8.262 ms
 3  ISP (IP Address)  10.872 ms  10.697 ms  9.949 ms
 4  ISP (IP Address)  10.341 ms  11.581 ms  10.005 ms
 5  ISP (IP Addres)  10.025 ms  9.979 ms  10.008 ms
 6  74.125.51.92 (74.125.51.92)  12.206 ms  10.523 ms  10.002 ms
 7  * * *
 8  dns.google (8.8.8.  13.176 ms  9.384 ms
    142.250.230.160 (142.250.230.160)  9.966 ms
#VPN Alias
username:$ traceroute to 8.8.8.8 (8.8.8., 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  8.630 ms  2.213 ms  1.968 ms #OPNSense
 2  * * *
 3  * * *
 <> Snip
63  * * *
64  * * *

WG appears up:
 allowed ips: 0.0.0.0/0
  latest handshake: 6 seconds ago
  transfer: 461.95 KiB received, 1.34 MiB sent

Any advice you can offer me?

[Greelan]

Looks like the traceroute is just timing out after OPNsense so seems something more than just DNS

[imolaspin]

The only place my config differs from the linked guide: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html is in the DNS config for the gateway, monitor IP is different to the VPN endpoint (I cant get any traffic so can't test that first hop) and my private networks alias only includes the following, 192.168.0.0/16 as my network is quite small.

There seems to be something commonly misconfigured between the OP and my setup, do you have any guesses as to what it might be?

[imolaspin]

So I tried expanding the RFC to include all private networks, that made no difference.

What is really, really weird here is that whilst I can't browse the web, but I can ping OPNSense and the VPN DNS server.

Signal messenger, manages to get messages out - appears to be the only application, no clue how that is working!

[imolaspin]

bump

[sanshinron]

Try setting MTU and MSS clamping on your wireguard interface to 1420.