Yet another wireguard connection problem

Started by finishthepint, June 01, 2025, 06:55:37 PM

June 01, 2025, 06:55:37 PM Last Edit: June 05, 2025, 11:21:15 PM by finishthepint
Update for anyone finding this thread: Creating a port forward rule finally made this work for me. I don't understand why this is needed or what it does differently, since no guide I can find calls this out.

I've read every thread I can find here and followed countless guides, but I still can't get WireGuard in OPNsense working. I'm trying to set up a simple "Road Warrior" setup so I can access my home network from my phone on the go. I think my problem is the WireGuard traffic isn't getting to the WireGuard instance. If I do 'tcpdump -i igc0 port 51820', I can see traffic when I initiate the connection on my client; however, if I do 'tcpdump -i wg0', I don't see anything.

Additionally, I tried to look at Firewall -> Logs -> Live View by filtering for wg0, and nothing ever shows up. I'm very new to OPNsense, in case it wasn't obvious.

I've tried:
  • Double- and triple-checked my public/private keys and they match
  • With and without the normalization rule from the official guide
  • Using only the auto-generated outbound rules and creating a manual rule from the official guide
  • Turning "block private networks" on and off in WAN settings
  • A variety of private network addresses
  • Creating 'out' rules to mirror the 'in' rules
  • Restarting the WireGuard service
  • Different WireGuard ports

Included below are screenshots of my configuration. For what it's worth, I use the peer generator in OPNsense. I will recreate a new instance with new public/private keys after this post.

Just wanted to add that after finding a similar thread (https://www.reddit.com/r/opnsense/comments/1fdprdn/wireguard_server_only_works_when_i_port_forward/), I was able to get things working by creating a port forwarding rule. Now I wish I could figure out why I need to create the port forwarding rule when none of the guides call that out.

You don't need a port forwarding rule, but you need a WAN firewall rule. And the port forwarding rule probably created a corresponding firewall rule.



Delete the NAT and create a WAN firewall rule.
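An added example to go with the two replies above (it is not code from this thread, from OPNsense or from the WireGuard project). It triages the symptom from the WAN capture alone, because wg0 only ever shows decrypted inner packets and stays silent until a handshake has completed, and then checks whether the pf ruleset actually has a "pass in" rule for UDP 51820 on the WAN interface. The captures and rulesets are constructed and shaped like `tcpdump -nn` and `pfctl -sr` output; the interface names igc0/wg0 come from the thread, the addresses are documentation ranges, and the handshake sizes (148-byte initiation, 92-byte response) are fixed by the WireGuard protocol.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: triage the
# "handshakes reach the WAN NIC but the tunnel never comes up" symptom and
# check the pf ruleset for the WAN pass rule the second reply asks for.
# Captures and rulesets are constructed; on a live box feed it the output of
# `tcpdump -nn -i igc0 udp port 51820` and `pfctl -sr` instead.

WAN_IF="igc0"      # WAN interface name used in the thread
WG_PORT="51820"    # WireGuard listen port used in the thread

# WireGuard handshake messages have fixed sizes, visible as the UDP payload
# length even without decoding: initiation = 148 bytes, response = 92 bytes.
INIT_LEN=148
RESP_LEN=92

# Constructed WAN capture for the broken state: the phone sends two
# initiations and nothing ever goes back.
WAN_CAPTURE_BROKEN='18:55:01.000001 IP 203.0.113.10.41234 > 198.51.100.5.51820: UDP, length 148
18:55:06.000002 IP 203.0.113.10.41234 > 198.51.100.5.51820: UDP, length 148'

# Constructed WAN capture after the fix: initiation in, response out, data.
WAN_CAPTURE_OK='18:57:01.000001 IP 203.0.113.10.41234 > 198.51.100.5.51820: UDP, length 148
18:57:01.000301 IP 198.51.100.5.51820 > 203.0.113.10.41234: UDP, length 92
18:57:01.000600 IP 203.0.113.10.41234 > 198.51.100.5.51820: UDP, length 128'

# count_udp LINES SIDE LEN: count packets whose UDP payload is LEN bytes and
# whose WireGuard port is on the given side ("dst" = inbound, "src" = outbound).
count_udp() {
    printf '%s\n' "$1" | awk -v side="$2" -v port="$WG_PORT" -v len="$3" '
        {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if ($0 !~ ("UDP, length " len "$")) next
            if (side == "dst" && dst ~ ("\\." port "$")) n++
            if (side == "src" && src ~ ("\\." port "$")) n++
        }
        END { print n + 0 }'
}

# diagnose WAN_CAPTURE: classify the state from the WAN side alone.
diagnose() {
    inits=$(count_udp "$1" dst "$INIT_LEN")
    resps=$(count_udp "$1" src "$RESP_LEN")
    if [ "$inits" -eq 0 ]; then
        echo "no-initiation-on-wan"      # client, DNS or endpoint problem, not pf
    elif [ "$resps" -eq 0 ]; then
        echo "initiation-unanswered"     # dropped by pf, or rejected by WireGuard (keys)
    else
        echo "handshake-completed"
    fi
}

# Constructed rulesets in the shape of `pfctl -sr` output. The first only has
# a rule on wg0, which cannot help until the tunnel is up; the second adds
# the WAN rule (the port forward in the thread works by creating one like it).
RULES_WG_ONLY='block drop in log on igc0 all label "Default deny"
pass in quick on wg0 inet from 10.10.10.0/24 to any keep state label "allow wg clients"'
RULES_WITH_WAN='block drop in log on igc0 all label "Default deny"
pass in quick on igc0 inet proto udp from any to (igc0) port = 51820 keep state label "WireGuard"
pass in quick on wg0 inet from 10.10.10.0/24 to any keep state label "allow wg clients"'

# has_wan_pass_rule RULES: succeed if some "pass in" rule on the WAN interface
# matches UDP to the WireGuard port.
has_wan_pass_rule() {
    printf '%s\n' "$1" | awk -v ifc="$WAN_IF" -v port="$WG_PORT" '
        /^pass in/ && $0 ~ (" on " ifc " ") && /proto udp/ && $0 ~ ("port = " port "( |$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# explain WAN_CAPTURE RULES: combine both checks into one actionable verdict.
explain() {
    verdict=$(diagnose "$1")
    if [ "$verdict" = "initiation-unanswered" ]; then
        if has_wan_pass_rule "$2"; then
            echo "$verdict: pf passes UDP $WG_PORT on $WAN_IF, so check keys and endpoint on the instance"
        else
            echo "$verdict: no 'pass in' rule for UDP $WG_PORT on $WAN_IF; add one instead of a port forward"
        fi
    else
        echo "$verdict"
    fi
}

explain "$WAN_CAPTURE_BROKEN" "$RULES_WG_ONLY"
explain "$WAN_CAPTURE_OK" "$RULES_WITH_WAN"
```

The first `explain` call reports the thread's situation (initiations arrive, nothing answers, no WAN pass rule); the second reports a completed handshake. When the WAN rule is present but initiations still go unanswered, the firewall is no longer the suspect and the instance's keys or listen port are the next thing to compare.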