[SOLVED] Unable to set allowed IPs to '0.0.0.0' for wireguard client

[Seimus]

If that should be RA, the Address on the client is wrong, it should be /32 example from my client >

Code: [Select]

[Interface]
Address = 10.8.8.2/32
DNS = 10.0.0.14
MTU = 1390
PrivateKey = SUPERSECRFETPRIVATEKEY

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = IP:51820
PublicKey = SUPERSECRFETPUBLICKEY
https://docs.opnsense.org/manual/how-tos/wireguard-client.html#step-2-configure-the-client-peer
https://docs.opnsense.org/manual/how-tos/wireguard-client.html#appendix-example-configurations

P.S. I loaded this config above into my Arch PC connected via Tether to the phone which was on Cell and I had full access to everything per my Rules on WG Interface specified in OPNsense.

Regards,
S.

[cookiemonster]

thanks, that change to /24 was one done yesterday as another attempt to make it work.
I've changed it back to /32 and it is still giving me the trouble. At least I know that this way it "should work".
Also to remove the phone and cell network out of the equation for diagnostics purposes, I remembered I have another ISP data line in the house, so I've been connecting the laptop (the client in this exercise) to that wifi network. It is not a separate WAN into OPN.
I'm still stumped.

[Seimus]

Cookie, out of curiosity, what Linux distro are you running on that laptop/PC you have the WG problem with?

Regards,
S.

[cookiemonster]

Ubuntu linux desktop 22.04. kernel in use is 6.5.0-41-generic
wg-tools is  v1.0.20210914
thanks Seimus

[Seimus]

Cookie, when you bring up the Wireguard VPN up on your Ubuntu laptop, can you bring the tunnel up by the wg quick-up to see what is being configured?

Example >

Code: [Select]

sudo wg quick-up wg0

I guess you are bringing up the WG using network manager in network settings, this is another way to do it. It should print what is being configured on the network stack. And test the connection.

Regards,
S.

[cookiemonster]

There is no available wg plugin for Network Manager on this Ubuntu version, so all is on command. Easy to show you
A bit of a run down of what is happening, especially with the routes before and after bringing the tunnel up:

Code: [Select]

penguin@saturn:~$ ip route
default via 192.168.5.1 dev wlp58s0 proto dhcp metric 600
169.254.0.0/16 dev wlp58s0 scope link metric 1000
192.168.5.0/24 dev wlp58s0 proto kernel scope link src 192.168.5.186 metric 600

Code: [Select]

penguin@saturn:~$ sudo wg-quick up wg0
[sudo] password for penguin:
wg-quick: `wg0' already exists

Code: [Select]

penguin@saturn:~$ sudo wg-quick down wg0
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] nft -f /dev/fd/63

Code: [Select]

penguin@saturn:~$ ip route
default via 192.168.5.1 dev wlp58s0 proto dhcp metric 600
169.254.0.0/16 dev wlp58s0 scope link metric 1000
192.168.5.0/24 dev wlp58s0 proto kernel scope link src 192.168.5.186 metric 600

Code: [Select]

penguin@saturn:~$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.4/32 dev wg0
[#] ip link set mtu 1390 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63

Code: [Select]

penguin@saturn:~$ ip route
default via 192.168.5.1 dev wlp58s0 proto dhcp metric 600
169.254.0.0/16 dev wlp58s0 scope link metric 1000
192.168.5.0/24 dev wlp58s0 proto kernel scope link src 192.168.5.186 metric 600

Code: [Select]

penguin@saturn:~$ nmcli --overview connection show wg0
connection.id:                          wg0
connection.uuid:                        27491c38-6366-433b-913a-6728cdc79fb0
connection.type:                        wireguard
connection.interface-name:              wg0
connection.autoconnect:                 no
connection.timestamp:                   1719830174
ipv4.method:                            manual
ipv4.addresses:                         10.0.0.4/32
ipv6.method:                            disabled
wireguard.private-key-flags:            0 (none)
wireguard.listen-port:                  47700
GENERAL.NAME:                           wg0
GENERAL.UUID:                           27491c38-6366-433b-913a-6728cdc79fb0
GENERAL.DEVICES:                        wg0
GENERAL.IP-IFACE:                       wg0
GENERAL.STATE:                          activated
GENERAL.DEFAULT:                        no
GENERAL.DEFAULT6:                       no
GENERAL.SPEC-OBJECT:                    --
GENERAL.VPN:                            no
GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/11
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/15
GENERAL.ZONE:                           --
GENERAL.MASTER-PATH:                    --
IP4.ADDRESS[1]:                         10.0.0.4/32
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 0.0.0.0, mt = 0, table=51820

Code: [Select]

penguin@saturn:~$ sudo wg showconf wg0
[Interface]
ListenPort = 47700
FwMark = 0xca6c
PrivateKey = AAAAA

[Peer]
PublicKey = BBBBB
AllowedIPs = 0.0.0.0/0
Endpoint = publicip:51820

[Seimus]

This is extremely weird to me,

The config that is pushed when you bring the tunnel UP is correct, so if the rules & config of WG profiles itself, Addresses, Keys between client and OPN are correct this should just work.

I was asking about the wg-quick, because 22.04 has a BUG in the network manager that causes issue for WG.

https://www.reddit.com/r/Ubuntu/comments/wyjpkt/comment/intjnrs/
https://github.com/max-moser/network-manager-wireguard/issues/62
https://github.com/max-moser/network-manager-wireguard/issues/59

At this point, if the config is really correct my only idea would be try it in another distro if you can just for testing purposes (VM or something). To see if its related to Ubuntu specifically.

In regards of wg-tools I use the same version wg-tools is 1.0.20210914-2 on arch with KDE; I just import the profile via KDE in the system settings and it works.

Regards,
S.

[cookiemonster]

Thanks for the input. It might in the end prompt me to upgrade OS version too.

[cookiemonster]

Apologies for the late closure of the thread. I am away still but when I did try to connect, "it worked".
I am using the same mobile phone I was using in preparation with the difference that now it is actually roaming in another European country, not on its home mobile (cellular) network.
Perhaps for my own self reminder, the working config is as follows:

Code: [Select]

[Interface]
Address = 10.0.0.4/32
PrivateKey = AAAAAA
MTU = 1390

[Peer]
#PublicKey = BBBBBB
#This one below is the server's public key
PublicKey = CCCCC
#AllowedIPs = <Networks to which this client should have access>/<Netmask>
#             // For example "10.11.0.0/24, 192.168.1.0/24"
#             //               |             |
#             //               +--> The network area of the OPNsense WireGuard VPNs
#             //                             |
#             //                             +--> Network behind the firewall
AllowedIPs = 0.0.0.0/0
#Endpoint = <Public IP of the OPNsense firewall>:<WireGuard Port>
Endpoint = endpoint:portThanks to all the helpful souls that got me here.

[Seimus]

Awesome,

Happy to see you got your working state conclusion.

Regards,
S.