please help on wireguard

[hlyi]

Hi,

New to opnsense firewall. I followed the instruction below to install WireGuard.
https://www.thomas-krenn.com/en/wiki/OPNsense_WireGuard_VPN_for_Road_Warrior_configuration#Prepare_OPNsense_for_Wireguard_VPN

The link seems to be established, but client could not access any host at server side.

• under VPN/Wireguard/List configuration/peer, both the transfer and received bytes keep increasing while ping was send from client to VPN. It seems wireguard interface itself works as expected
  
• Wireshark (on client side) shows UDP packet was sent to opnsense, but opnsense didn't return any packet. (client saw 100% packet loss)

It seems that opnsense blocked wireguard return packets. How to debug this issue (new to freebsd, have iptables experience from linux)?

Thanks a lot!

[Mks]

Try this one:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

The point "Add the WireGuard Interface" was not necessary in my case, cause it was created automatically.

br

[hlyi]

Thanks @Mks. I followed the guideline you provided. I still saw the same problem. Client didn't see return packet

[Mks]

Hi,

please double check:

• Outbound NAT Rule
• Firewall Rules to Access Internal Networks/Devices
• Look at the firewall log (Filter to Wireguard Interface)

br

[hlyi]

The outbound NAT rule matches guideline.

Firewall rule on Wireguard interface is passing all traffic.

Firewall log didn't show traffic on wireguard interface. The only one related to wireguard is an incoming UDP packet on WAN when the client initiated the connection. peer interface under List Configuration of VPN:WireGuard did show increased transfer and received bytes

Thanks!

[Walnut]

Same issue here. Similar/same behavior. Traffic seems to be getting to/from wg client but no handshake?

Where does wg put its logs?

All help appreciated!

[Vlijm]

@hlyi

I had the same problem, but my setup is working now.

OPNsense: 192.168.1.1
WireGuard Local: Tunnel Address 192.168.0.1/24
WireGuard Endpoint1: Allowed IPs 192.168.0.2/32

Firewall > Rules > WAN > Add a rule with protocol UDP, Destination port range 'other' 51820
Firewall > NAT > Outbound > Set to Hybrid > Add a rule: Interface WAN, Source address WireGuard net, Translation / target WAN address
Firewall > Rules > WireGuard > Add a rule: Source = Single host or network > 192.168.0.0/24

I restarted WireGuard service and then it worked.

Hope this helps.

[hlyi]

@Vlijm,

Thanks for sharing your setup. I got it working too by starting from scratch and following https://homenetworkguy.com/how-to/configure-wireguard-opnsense/ step by step instead of the original instruction I posted.

[_jo_ku]

I've the same problem using "OPNsense 21.1.4-amd64" with "os-wireguard v1.5".

I can establish a working connection to wireguard with ease when connecting via LAN but not via WAN coming from the internet (tested with muliple devices). I see the connection initialisation package from the remote client on my WAN Interface when capturing packages. I see something happening on server-side, but internet-clients do not recieve a single package in response and thus there is no handshake - also no traffic on the wireguard interface. I triple-checked the inbound rule on the WAN-interface with the port in use, but I don't find the issue. Debug/logging capabilities on wireguard are somewhere between bad and non-existent.

Has anyone found the root cause of this problem? I don't want to start from scratch without indication to succeed.

EDIT: Problem solved. Outbound traffic was routed through wrong/different WAN interface and couldn't reach target.