[Solved] Need help with wireguard

Started by csmall, July 19, 2019, 04:32:53 AM

July 19, 2019, 04:32:53 AM Last Edit: July 23, 2019, 04:33:48 AM by csmall
I used the doc here to configure wireguard.

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I am connecting an Android client and it seems to connect to the server fine, but traffic seems to only be sent and not received.

What could be wrong? I cannot get to the Web interface of opnsense when connected to the time or the internet.

I configured the client to use 0.0.0.0/0 for allowed IPs.

On the endpoint config I have allowed IPs set to client_ip/24.

I added the interface wg0 to assignments and enabled it with prevent removal.

I added the NAT rule for outbound NAT

I created the WAN firewall rule

I'm not sure what I could be missing... I expected at the very least to get to the webui of opnsense and maybe have a dns issue but I can't even get to that.

Have you added a rule for the "interface" WireGuard to pass the traffic?
When I first configured the WireGuard connection, I wondered why there were successful handshakes between server and peer but no incoming traffic. So I checked this and found that there was no "pass all" rule. And now it's working.

You need to troubleshoot on OPNsense while you are connected. Check if packets arrive, and try to ping the tunnel address of the firewall while checking the firewall logs.

Quote from: Headologic on July 19, 2019, 09:21:10 AM
Have you added a rule for the "interface" WireGuard to pass the traffic?
When I first configured the WireGuard connection, I wondered why there were successful handshakes between server and peer but no incoming traffic. So I checked this and found that there was no "pass all" rule. And now it's working.

And be sure to label the assigned Interface not WireGuard ;)

The interface is named opt2 for wg0.

I tried pinging the wg0 server address from the Android client, and it looks like it is blocked in the firewall log:

filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,18553,0,DF,1,icmp,84,172.16.5.2,172.16.5.1,datalength=64
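The log entry above can be decoded mechanically. The following is an added example, not code from the thread or from OPNsense; it parses the CSV payload that follows `filterlog:` using the IPv4 field layout of the filterlog format (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then tos, ecn, ttl, id, offset, flags, protocol id, protocol name, length, source, destination, then protocol-specific fields). The second sample line is constructed for illustration, and `diagnose()` is a hypothetical helper that flags exactly the symptom in this post: an inbound packet from the tunnel network being blocked on wg0, which is what a missing pass rule on the assigned interface produces.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Field order of an OPNsense/pfSense filterlog entry. COMMON is shared by
# IPv4 and IPv6; IPV4 follows when the "ipver" field is "4"; anything after
# that is protocol-specific (icmp: datalength=N, tcp/udp: sport, dport, ...).
COMMON = ("rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver")
IPV4 = ("tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst")

# The line from the post (real) and a constructed TCP line for comparison.
SAMPLE_ICMP = ("filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,18553,0,DF,"
               "1,icmp,84,172.16.5.2,172.16.5.1,datalength=64")
SAMPLE_TCP = ("filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,1,0,DF,"
              "6,tcp,60,172.16.5.2,172.16.1.1,51000,443,0,S,1,,65535,,mss")


@dataclass
class FilterEntry:
    rule: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    extra: str  # raw protocol-specific tail, e.g. "datalength=64"


def parse_filterlog(line: str) -> FilterEntry:
    """Parse one IPv4 filterlog line (with or without the syslog prefix)."""
    payload = line.split("filterlog:", 1)[1] if "filterlog:" in line else line
    f = payload.strip().split(",")
    common = dict(zip(COMMON, f[:len(COMMON)]))
    if common["ipver"] != "4":
        raise ValueError("only IPv4 entries are handled in this example")
    v4 = dict(zip(IPV4, f[len(COMMON):len(COMMON) + len(IPV4)]))
    rest = f[len(COMMON) + len(IPV4):]
    # Validate addresses so a truncated or reordered line fails loudly.
    ipaddress.ip_address(v4["src"])
    ipaddress.ip_address(v4["dst"])
    sport = dport = None
    if v4["proto"] in ("tcp", "udp") and len(rest) >= 2:
        sport, dport = int(rest[0]), int(rest[1])
    return FilterEntry(common["rule"], common["iface"], common["action"],
                       common["direction"], v4["proto"], v4["src"], v4["dst"],
                       sport, dport, ",".join(rest))


def diagnose(e: FilterEntry, tunnel_net: str) -> str:
    """Hypothetical check: inbound block on a wg* interface from the tunnel
    network means the assigned interface has no pass rule (or it is too narrow)."""
    net = ipaddress.ip_network(tunnel_net)
    if (e.action == "block" and e.direction == "in"
            and e.iface.startswith("wg") and ipaddress.ip_address(e.src) in net):
        return (f"blocked on tunnel interface {e.iface} by rule {e.rule}: "
                f"add a pass rule on the assigned interface for {tunnel_net}")
    return "not a tunnel-interface block"


if __name__ == "__main__":
    for line in (SAMPLE_ICMP, SAMPLE_TCP):
        entry = parse_filterlog(line)
        print(entry)
        print(diagnose(entry, "172.16.5.0/24"))
```

Run it against `clog`/`tail` output of the filter log while the client is connected; the interesting part is that the block is logged on `wg0` in direction `in`, not on WAN, so the WAN rule that allows UDP to the WireGuard port is irrelevant to this packet.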

Quote from: Headologic on July 19, 2019, 09:21:10 AM
Have you added a rule for the "interface" WireGuard to pass the traffic?
When I first configured the WireGuard connection, I wondered why there were successful handshakes between server and peer but no incoming traffic. So I checked this and found that there was no "pass all" rule. And now it's working.

Where did you add the rule and what are the rule details. I think this is my problem.

Never mind. I found it. I added an any-any permit rule to the opt2 interface and now traffic is flowing. I can ping the OPNsense IP and the WireGuard server IP from the client now.

I can also reach the internet through the tunnel. Thanks!!

Thanks again for all your hard work on this and other plugins

July 20, 2019, 03:32:00 PM #9 Last Edit: July 20, 2019, 05:15:40 PM by csmall
Quote from: csmall on July 19, 2019, 06:00:28 PM
Thanks again for all your hard work on this and other plugins

It all of a sudden just stopped working. I can't understand why. I tried rebooting OPNsense and the Android device. I haven't changed any settings other than adding another endpoint device. I will test that one in a few minutes and see if it works.

I also noticed that when I added the any-any rules to the opt2 interface (wg0), everything started flowing, but there is also now WireGuard listed under firewall rules and it had no rule, so I added an any-any rule there just now and it didn't make a difference.

It worked all day yesterday and stopped sometime late last night

So I just confirmed that the second client I added still works. The first device is an android phone and it worked and then stopped. The second device is a laptop which is tethered to the Android device (without wireguard running of course) and it connects and traffic flows as expected.
So odd.

Quote from: mimugmail on July 20, 2019, 09:11:04 PM
maybe you are affected by this? https://github.com/opnsense/plugins/issues/1419#issuecomment-513491826

Switching the endpoints on the server to /32 seems to have resolved the issue! /32 actually makes more sense to me and I never understood why all the articles I saw used /24.

I didn't change the client to /32 but I will try that anyway I guess because it just sounds right.

But thank you, your link seems to have solved the problem.
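Why /24 breaks as soon as a second endpoint is added (the original config in the first post, and the /32 fix above) follows from WireGuard's cryptokey routing: each interface keeps one table mapping an allowed prefix to exactly one peer, a packet leaving the tunnel is encrypted to the peer that owns the longest matching prefix for its destination, a decrypted packet is accepted only if its source address routes back to the peer it came from, and adding a prefix to a second peer takes it away from the first. The script below is an added model of that rule (not the plugin's or WireGuard's code) using the thread's addresses; the peer names, the public-key placeholders and `wg_quick_peer()` are illustrative assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network
# (peer name, AllowedIPs as configured on the server) -- constructed sample.
PeerSpec = Tuple[str, List[str]]


def cryptokey_table(peers: List[PeerSpec]) -> Dict[Network, str]:
    """Build the per-interface AllowedIPs table in the order peers are added.

    A prefix belongs to one peer only; a later peer that lists the same
    prefix takes it over. WireGuard masks host bits, so "172.16.5.2/24"
    is the same entry as "172.16.5.0/24" (strict=False models that).
    """
    table: Dict[Network, str] = {}
    for name, allowed in peers:
        for cidr in allowed:
            table[ipaddress.ip_network(cidr, strict=False)] = name
    return table


def route(table: Dict[Network, str], dst: str) -> Optional[str]:
    """Longest-prefix match: which peer gets a packet destined to dst?"""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[Network, str]] = None
    for net, peer in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return best[1] if best else None


def inbound_allowed(table: Dict[Network, str], src: str, peer: str) -> bool:
    """A decrypted packet from `peer` is kept only if src routes back to it."""
    return route(table, src) == peer


def wg_quick_peer(name: str, pubkey: str, allowed: List[str]) -> str:
    """Render a [Peer] stanza as wg-quick would read it (assumed helper)."""
    return "\n".join([f"# {name}", "[Peer]", f"PublicKey = {pubkey}",
                      f"AllowedIPs = {', '.join(allowed)}", ""])


# Constructed peers: the phone from the first post, then the laptop added later.
BROKEN: List[PeerSpec] = [("phone", ["172.16.5.2/24"]), ("laptop", ["172.16.5.3/24"])]
FIXED: List[PeerSpec] = [("phone", ["172.16.5.2/32"]), ("laptop", ["172.16.5.3/32"])]
BROKEN_TABLE = cryptokey_table(BROKEN)
FIXED_TABLE = cryptokey_table(FIXED)


if __name__ == "__main__":
    # With /24 the single 172.16.5.0/24 entry ends up owned by the laptop:
    # replies to the phone are encrypted to the laptop's key, and the phone's
    # own packets are dropped on arrival because 172.16.5.2 no longer routes
    # to the phone. That is the "worked yesterday, stopped after adding a
    # second endpoint" symptom from this thread.
    print("/24: reply to phone goes to", route(BROKEN_TABLE, "172.16.5.2"))
    print("/24: phone inbound accepted:", inbound_allowed(BROKEN_TABLE, "172.16.5.2", "phone"))
    print("/32: reply to phone goes to", route(FIXED_TABLE, "172.16.5.2"))
    for name, allowed in FIXED:
        print(wg_quick_peer(name, f"<{name}-public-key>", allowed))
```

The client side keeps `AllowedIPs = 0.0.0.0/0` (it has only one peer, the server), so it needs no change; the exclusivity rule only bites on the side that has several peers in the same subnet.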

I'll recheck our docs tomorrow. Was also not aware of this. Glad it works now