WireGuard Road Warrior Setup instructions incomplete?

Started by paranerd, May 30, 2023, 10:19:12 AM

Hi all,

I just entered the world of OPNsense a couple of weeks ago, so there's still plenty to learn and I feel I will be spending a lot of time in these forums ;D

Something I've been struggling with for a couple of days now is properly setting up WireGuard.
I followed the official guide (https://docs.opnsense.org/manual/how-tos/wireguard-client.html) (multiple times^^) and yesterday I FINALLY got it to work.
However, this required adding firewall rules to the "WireGuard Group". I was under the impression that I would ONLY need those if I didn't assign the interface (which I did). Without the rules in the group I can connect (and see a handshake) but can't go anywhere.

Is there something I'm missing / misunderstanding here?

Thanks for any guidance :D

It is working just fine without any rules on that group so you must have made a mistake before.

There must be at least one allow rule for WG to have connectivity. It doesn't matter if the rule is created on the WG group or the interface. However, assigning an interface gives you the possibility to add the rule(s) to a specific tunnel, and you are free to choose where to place them.
Finally, and this is what the guide states: Assigning interfaces frees you from the need to add outbound NAT (v4) [step 5a+b], but not from adding rules that allow WG to do anything [step 6].
Step 6 also clearly states in note:
Quote: "If you didn't assign an interface as suggested in Step 5(a), then the second firewall rule outlined above will need to be configured on the automatically created WireGuard group that appears once the Local configuration is enabled and WireGuard is started."
I am not an expert... just trying to help...

Don't know what to say... Tried this multiple times before without any luck and now it simply just worked. I'm completely baffled^^
Thanks for the support, I guess ;D!

...more likely than not: typo, somewhere... ;-)

VPN is a hell of its own...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Sorry to deliver the bad news, but documentation is the weakest part of OPNsense. So it will always be this forum, where people keep asking the same (or very similar) questions over and over and over and over. Because the docs repository is both outdated and lacks proper explanations. Only some basic screenshots are provided, with some non-real-life example config, and no reasons behind them. (I am talking only about the VPN section, but experience tells that any other section may also be behind the current state.) So you will have to use the unorganized forum topics for the futile effort to find the one single post that answers your question.
There are only 2 commercial books that you can buy for money on the market that are dedicated to OPNsense. Neither covers the entire VPN topic in true great depth, so if you only have problems with the VPN part of OPNsense, it will be a waste of money to buy them.

For this case, WG documentation is fine so far, for me there is nothing to misunderstand.

However, everyone is free to work on the docs :)
I am not an expert... just trying to help...