WireGuard Road Warrior Setup

Started by rpn, September 02, 2025, 10:35:35 AM

I saw open questions about the WireGuard handshaking here, so I decided to share my experience.

As a newbie, I did a model of a VPN concept on my laptop under VirtualBox with a Linux client and OPNsense as WireGuard server. I followed the WireGuard Road Warrior Setup instructions 1:1, but I encountered difficulties in the handshaking between the client and the WireGuard server.

After some experimentation, I found out that the obstacle was the interface-specificity of the firewall WAN rule (step 5). After moving the WAN rule to Firewall‣Rules‣Floating, without specifying an interface, the handshaking worked perfectly.

Interestingly, the problem exists only for the first connection attempt: after a successful handshake (by the above change of the rules), the restored original rules also work until the peer is disabled and re-enabled. I suspect an inability of the WireGuard interface to respond to the handshaking due to an incorrectly constructed state, but this is far beyond my knowledge. Interface-specific test rules of type "all enabled" didn't help either.

Please comment. Maybe there is a more appropriate solution to the problem than mine.

I fail to see how a WAN rule might not work when the road warrior device is "outside" the local network on the Internet. Are you trying to establish the tunnel while the device is "inside"? Why?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 02, 2025, 12:45:35 PM
Are you trying to establish the tunnel while the device is "inside"?

Of course not. The configuration is a virtual Suse machine working as client and connecting to the WAN interface of the virtual OPNsense. The device "inside" is the physical host with Suse again. I also fail to see a reason, and this is the reason for my asking...

To be clear: the rule setting in "Step 5 - Create firewall rules" (Firewall ‣ Rules ‣ WAN) prevents the handshaking; the same rule moved to "Floating" works.

OK, so your WAN is an Ethernet and not a point-to-point link like PPPoE? And the OPNsense and the client share that Ethernet with the Internet default gateway?

--> Firewall > Settings > Advanced > Disable reply-to [X]

If you need reply-to for multi-WAN, you can also disable it selectively for your inbound Wireguard rule on WAN.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
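When testing a change like the reply-to setting above, it helps to check the handshake state on the OPNsense side rather than only watching the client. The following script is an added example for this thread, not code from OPNsense or WireGuard: it parses the tab-separated output of `wg show <iface> dump` (interface line first, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp where 0 means never, transfer counters and persistent keepalive) and classifies each peer as never handshaked, stale, or ok. The interface name `wg0`, the 180 s staleness threshold and the sample dump (placeholder keys, documentation addresses) are assumptions made for the example.

```python
"""Report WireGuard handshake state per peer from `wg show <iface> dump` output.

Added example for the forum thread above; not part of OPNsense or WireGuard.
"""
import sys
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a peer with traffic or keepalive rekeys roughly every two minutes,
# so a handshake older than this many seconds is reported as stale.
STALE_AFTER = 180


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]      # None when wg reports "(none)"
    allowed_ips: str
    latest_handshake: int        # Unix timestamp; 0 means no handshake ever
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(text: str) -> List[Peer]:
    """Parse `wg show <iface> dump`. The first non-empty line describes the
    interface itself (private key, public key, listen port, fwmark) and is skipped;
    every following line is one peer with exactly eight tab-separated fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    peers: List[Peer] = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, hs, rx, tx, _keepalive = fields
        peers.append(Peer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=allowed,
            latest_handshake=int(hs),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
        ))
    return peers


def handshake_status(peer: Peer, now: int, stale_after: int = STALE_AFTER) -> str:
    """'never' if the peer has not completed a handshake at all (the symptom
    described in the thread), 'stale' if the last one is older than the
    threshold, otherwise 'ok'."""
    if peer.latest_handshake == 0:
        return "never"
    if now - peer.latest_handshake > stale_after:
        return "stale"
    return "ok"


def handshake_report(peers: List[Peer], now: int,
                     stale_after: int = STALE_AFTER) -> List[Tuple[str, str]]:
    """Return (public_key, status) for every peer."""
    return [(p.public_key, handshake_status(p, now, stale_after)) for p in peers]


# Constructed sample of `wg show wg0 dump` output: placeholder keys, one road
# warrior that handshaked from 203.0.113.10, and one peer that never did.
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t51820\toff\n"
    "ROADWARRIOR_PUBLIC_KEY_PLACEHOLDER=\t(none)\t203.0.113.10:41234\t10.10.10.2/32"
    "\t1756809345\t1234\t5678\t25\n"
    "OTHER_PEER_PUBLIC_KEY_PLACEHOLDER=\t(none)\t(none)\t10.10.10.3/32\t0\t0\t0\toff\n"
)


def main() -> None:
    # `python3 wg_handshake_report.py -` reads a real dump from stdin;
    # with no argument the constructed sample is used.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_DUMP
    now = int(time.time()) if text is not SAMPLE_DUMP else 1756809400
    for peer in parse_wg_dump(text):
        status = handshake_status(peer, now)
        age = "n/a" if peer.latest_handshake == 0 else f"{now - peer.latest_handshake}s ago"
        print(f"{peer.public_key[:16]}... endpoint={peer.endpoint or '(none)'} "
              f"allowed={peer.allowed_ips} handshake={status} ({age})")


if __name__ == "__main__":
    main()
```

Run it on the firewall as `wg show wg0 dump | python3 wg_handshake_report.py -` (substituting the actual WireGuard interface name) once with the rule on WAN and once after disabling reply-to; a peer that stays at "never" while the client keeps sending initiations is the situation described in the first post, while a peer that goes from "never" to "ok" after the change confirms the fix.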