Can't connect to my own wireguard server

Started by MikeSouth, August 02, 2024, 10:12:35 AM

August 02, 2024, 10:12:35 AM Last Edit: August 02, 2024, 10:34:51 AM by MikeSouth
Hi all, so I somehow can't connect to my own wireguard server (I also can't connect to other servers but debugging is easiest when I control both endpoints) using OPNSense (24.7_9).
I've reinstalled opnsense, just changed the password, updated everything, added DNS servers, enabled the SSH server.
I know that I am missing something super tiny.
Could someone please point me to what I am doing wrong?

This config works well on clients:

[Interface]
PrivateKey = IJGr<CLIENT_PRIV>wfyMUnQ=
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = 3lpe2<SERVER_PUB>AJY1gWA=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 85.<SERVER_IP>:51820
PersistentKeepalive = 25

Here are my settings via the WebGUI.
Instances https://i.imgur.com/QyvxN5k.png
Peers https://i.imgur.com/xCobOc2.png
Status https://i.imgur.com/s9xJEZA.png

On the opnsense router I get

$ wg
interface: wg0
  public key: /DNH8z<CLIENT_PUB>zYFO9Xs=
  listening port: 42233

peer: 3lpe2<SERVER_PUB>AJY1gWA=
  endpoint: 85.<SERVER_IP>:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 1.01 KiB sent
  persistent keepalive: every 25 seconds

/DNH8z+ld<CLIENT_PUBLIC>YFO9Xs= really is the public key of the IJGrUs<CLIENT_PRIVATE>MUnQ= private key.

tcpdump while enabling wireguard on opnsense, igb0 being my WAN interface.

# tcpdump -u port 51820 -i igb0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
....
<NOTHING>


When I do a tcpdump on the server (85.*.*.*) on port 51820 I do not get any connections. ens18 being the public interface.

$ tcpdump -u port 51820 -i ens18
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
....
<NOTHING>


In the opnsense firewall Log I see this: https://i.imgur.com/Fdo2J1S.png
Should that be the private address or the WAN interface?

Due to the nature of wireguard it doesn't log anything; here is the log:

2024-08-02T07:44:11 Notice  wireguard  wireguard instance wireguard02 (wg0) started
2024-08-02T07:44:11 Notice  wireguard  wireguard instance wireguard02 (wg0) can not reconfigure without stopping it first.


Establishing a wireguard tunnel from behind the opnsense router is working well and tcpdump shows a ton of packets. It's not DNS related, as the wireguard server IP is hardcoded. So reaching the server isn't a problem; the latency is around 11ms with 0% packet loss.

What am I missing?

I was finally able to solve this issue.
You couldn't make this up, but setting AllowedIPs to 0.0.0.0/1 and 128.0.0.0/1 solved this for me.
I couldn't believe it, so I started with a fresh install on another router with 0.0.0.0/0 and was able to reproduce the problem; after switching to 0.0.0.0/1 + 128.0.0.0/1 the problem was gone again.
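Added example (Python, not from this thread or from OPNsense): it uses the standard `ipaddress` module to build AllowedIPs lists and check them before deploying, showing that the /1 halves cover exactly what 0.0.0.0/0 does, and going one step beyond the thread's fix by carving the server endpoint (and optionally a local LAN) out of the list so that no AllowedIPs entry can ever match the endpoint the handshake has to reach over the WAN. The endpoint 203.0.113.10 is a constructed stand-in for 85.<SERVER_IP>; the LAN 192.168.1.0/24 is likewise assumed.

```python
import ipaddress

def split_in_half(base="0.0.0.0/0"):
    """The thread's fix: the two /1 halves that together cover `base`."""
    return [str(n) for n in ipaddress.ip_network(base).subnets()]

def allowed_ips_excluding(excluded, base="0.0.0.0/0"):
    """Cover `base` with the fewest CIDRs that leave out every network in
    `excluded` (e.g. the server endpoint /32, a local LAN); returns them
    sorted, as strings ready to paste into AllowedIPs."""
    remaining = [ipaddress.ip_network(base)]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex)
        kept = []
        for net in remaining:
            if ex_net.subnet_of(net):
                kept.extend(net.address_exclude(ex_net))  # carve it out
            elif not net.subnet_of(ex_net):
                kept.append(net)  # disjoint from the exclusion: keep whole
        remaining = kept
    return [str(n) for n in sorted(remaining)]

def matches_allowed_ips(address, allowed_ips):
    """True if `address` falls inside some AllowedIPs entry, i.e. WireGuard
    would send packets for it into the tunnel instead of out the WAN."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(n) for n in allowed_ips)

def covered_addresses(allowed_ips):
    """Number of addresses covered; raises if two entries overlap, so a
    list can be checked for holes and duplicates before it is deployed."""
    nets = [ipaddress.ip_network(n) for n in allowed_ips]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping entries {a} and {b}")
    return sum(n.num_addresses for n in nets)

# Constructed stand-in for the thread's 85.<SERVER_IP> (TEST-NET-3 range).
SERVER_ENDPOINT = "203.0.113.10"

if __name__ == "__main__":
    halves = split_in_half()
    print("thread's fix:", halves, "->", covered_addresses(halves), "addresses")
    carved = allowed_ips_excluding([SERVER_ENDPOINT + "/32", "192.168.1.0/24"])
    print("endpoint + LAN carved out:", len(carved), "entries")
    for probe in (SERVER_ENDPOINT, "192.168.1.20", "1.1.1.1"):
        print(probe, "-> tunnel" if matches_allowed_ips(probe, carved) else "-> WAN")
```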