Wireguard Roadwarrior help needed

Started by TripitakaBC, January 02, 2024, 09:20:30 PM

January 02, 2024, 09:20:30 PM Last Edit: January 02, 2024, 09:22:59 PM by TripitakaBC
OPNsense 23.7.10_1
os_wireguard (kernel)

I have been running Wireguard outbound tunnels for a year or more using the tutorial below. It's had its glitches, for sure, especially as I have two tunnels running with PIA, one of which has port forwarding but @FingerlessGloves has done a great job of maintaining the repository with fixes.
https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

I have spent the time over the holidays trying to add an incoming WG connection (Road Warrior); I followed the tutorial here https://docs.opnsense.org/manual/how-tos/wireguard-client.html to get everything set up, but it didn't work. The Wireguard client on Android gets stuck in handshakes, it seems, but the diagnostics tab on OPNsense shows no traffic. Of course, I've rebooted and even updated the wg-service-control.php script from the GitHub repo here https://github.com/opnsense/core/blob/master/src/opnsense/scripts/Wireguard/wg-service-control.php.

I'm about as far as I can go with the knowledge that I have and I'm not sure what you guys need in terms of logs to help troubleshoot.

Target:
I'm looking for a few devices to be able to connect to a home LAN system which is spread across 192.168.0.0/16 (I know, I know, I should be using VLANs...). There are 3 Android phones and 3 Windows laptops. All connected clients need access to internal LAN devices and the public internet via the firewall.

Tunnel is set up at 10.100.100.1/32 and the test Android device is set up at 10.100.100.2/32.

Firewall logs do not show any blocking.

All help appreciated.

I am no expert, but having set up WG on OPNsense recently I will venture a view.

Try setting the tunnel to 10.100.100.0/24

The address range accepted by the instance (tunnel) must encompass all intended or actual peer addresses. Currently you have two single-device networks, .1/32 and .2/32, so they cannot see each other. At a minimum the tunnel needs to be .0/4, to make .1 and .2 addresses available at the ends. x.x.x.0/24 is usual, and in the documentation.
Deciso DEC697
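As an added illustration of the addressing rule in the reply above (this is editor-supplied example code, not something posted in the thread or shipped by OPNsense), the script below checks whether each peer's tunnel address actually falls inside the instance's network, then renders a client-side config for one road-warrior peer. The instance and peer addresses are the ones from the thread; the endpoint hostname, the keys and the DNS entry are placeholders I assumed, and the 192.168.0.0/16 LAN range comes from the original post.

```python
from ipaddress import ip_interface

# Constructed sample addressing, mirroring the thread: one OPNsense WireGuard
# instance and two road-warrior peers. Peer names are illustrative.
INSTANCE_AS_POSTED = "10.100.100.1/32"    # what the original poster configured
INSTANCE_SUGGESTED = "10.100.100.1/24"    # what the reply recommends
PEERS = {
    "android-1": "10.100.100.2/32",
    "laptop-1":  "10.100.100.3/32",
}


def check_peer_addressing(instance_addr, peers):
    """Return a list of addressing problems (empty when the layout is sound).

    Rules checked:
      * every peer tunnel address must fall inside the instance's network,
        otherwise the firewall has no interface route back to that peer;
      * each peer stays a single-host address (/32 IPv4, /128 IPv6), because
        the instance-side AllowedIPs entry for a peer is exactly that address;
      * no peer reuses the instance address or another peer's address.
    """
    iface = ip_interface(instance_addr)
    net = iface.network
    problems = []
    used = {iface.ip: "instance"}
    for name, addr in peers.items():
        peer = ip_interface(addr)
        if peer.network.prefixlen != peer.network.max_prefixlen:
            problems.append(f"{name}: {addr} should be a single-host address "
                            f"(/{peer.network.max_prefixlen})")
        if peer.ip not in net:
            problems.append(f"{name}: {peer.ip} lies outside the instance "
                            f"network {net}")
        if peer.ip in used:
            problems.append(f"{name}: {peer.ip} already used by {used[peer.ip]}")
        used.setdefault(peer.ip, name)
    return problems


def render_client_config(instance_addr, peer_addr, endpoint, full_tunnel=True,
                         lan_networks=("192.168.0.0/16",)):
    """Build a wg-quick style client config for one road-warrior peer.

    Keys are placeholders and the endpoint is whatever the caller passes
    (assumed values, not from the thread). With full_tunnel=True the client
    sends LAN and internet traffic through the firewall, which is what the
    original post asks for; otherwise only the tunnel and LAN ranges are routed.
    """
    iface = ip_interface(instance_addr)
    peer = ip_interface(peer_addr)
    if full_tunnel:
        allowed = "0.0.0.0/0"
    else:
        allowed = ", ".join([str(iface.network), *lan_networks])
    return "\n".join([
        "[Interface]",
        f"Address = {peer.ip}/{peer.network.max_prefixlen}",
        "PrivateKey = <client-private-key-placeholder>",
        f"DNS = {iface.ip}",
        "",
        "[Peer]",
        "PublicKey = <opnsense-instance-public-key-placeholder>",
        f"AllowedIPs = {allowed}",
        f"Endpoint = {endpoint}",
        "PersistentKeepalive = 25",
        "",
    ])


if __name__ == "__main__":
    for label, inst in (("as posted", INSTANCE_AS_POSTED),
                        ("suggested", INSTANCE_SUGGESTED)):
        found = check_peer_addressing(inst, PEERS)
        print(f"{label} ({inst}): {'OK' if not found else 'problems found'}")
        for p in found:
            print("  -", p)
    # Placeholder endpoint; substitute the firewall's public hostname and port.
    print(render_client_config(INSTANCE_SUGGESTED, PEERS["android-1"],
                               "vpn.example.invalid:51820"))
```

Run as-is, the /32 instance address reports both peers as outside the instance network, while the /24 layout passes and the peers keep their /32 addresses on both sides, which matches the later reply that the client stays /32.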

And then I assume setting the client to 10.100.100.2/24, forcing a 'static' IP on the subnet. That made sense to me too but all the examples and tutorials I could find used /32 as the subnet.

I did manage to get some progress on the initial config once I somehow managed to break the existing WG tunnels so they were both down. Then I started getting traffic from the Android blocked at the firewall. ;D

No, client (peer) remains /32
Deciso DEC697

I think at this stage, I must have some corruption going on as there are some things happening that don't line up with the documentation; for instance the automatically-created outbound NAT rules are not being created.

Time for a rebuild from scratch, I think.

I'm a little unclear as to how you have things configured. Once you've rebuilt, can you post your setup information?