Topic: Wireguard Broken after Successful Upgrade (Read 16770 times)

Schubbie « Reply #45 on: January 05, 2021, 08:21:36 pm »
Is this enough information?

chemlud « Reply #46 on: January 05, 2021, 09:55:29 pm »
Local Config: Tunnel IP 10.10.11.1/24
Remote Config: "erlaubte IPs" does not include 10.10.11.1/32
Can't check if your Alias for the WAN port is correct (50315)
Set your WAN rule to logging / do a packet capture and look if any packets arrive at your WAN...
« Last Edit: January 05, 2021, 09:59:33 pm by chemlud »
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Schubbie « Reply #47 on: January 07, 2021, 01:30:14 am »
Local Config: Tunnel IP changed
Remote Config: "erlaubte IPs" added, but this should not be necessary
Alias is correct
I can't see any packets that belong to Wireguard.
Wireguard is listening but I can't get a handshake :-(
It ran straight away when it was set up a few months ago, but now it no longer works ...

chemlud « Reply #48 on: January 07, 2021, 08:51:34 am »
If nothing reaches the sense, the problem must be on the client or ISP-side, I guess...
You do a packet capture on the sense for WAN interface port 50315?

Schubbie « Reply #49 on: January 07, 2021, 09:19:07 am »
I've tried it with Windows and Android Client.
My VM on a Synology NAS works. I've copied the Client Configuration and changed Keys, IP and Port.
Yes, I find no traffic on Port 50315.
I've tried IP 192.168.153.1:50315 and 10.10.11.1:50315 instead of FQDN:50315 from my Network.

chemlud « Reply #50 on: January 07, 2021, 09:37:25 am »
You try from LAN side? Not from mobile network?
Your "Endpunkt" in the client config is the domain name from your dynDNS provider for the WAN IP, correct? And it's updated and a public IP?
If nothing reaches the WAN port, it should not be a problem with the generated keys (don't modify them manually, only the automatically generated key pairs will work).
« Last Edit: January 07, 2021, 09:40:52 am by chemlud »

Schubbie « Reply #51 on: January 07, 2021, 10:31:01 am »
I've tried from Mobile and LAN.
Yes, the Endpoint is my DynDNS, I've set an internal forwarding, so the Traffic should not leave the Sense, if the client is in my Network to avoid loops.
I've reconfigured and reinstalled it several times, but it runs only the first time still to the Update a few months before.

Schubbie « Reply #52 on: January 27, 2021, 11:53:44 pm »
Hello,
I haven't had time for further tests, but I just discovered the widget on the dashboard. Shouldn't something be shown in the widget? The instances in Wireguard are active.
It looks like my assumption is confirmed by the fact that Wireguard is not taking over the settings, right?

Greelan « Reply #53 on: January 28, 2021, 04:22:46 am »
Couple of comments:
It looks like you have put the same public key in both the local config and the endpoint config on OPNsense? And the same key is in the local and endpoint configs on the client? The client public key needs to go in the endpoint on OPNsense, and the OPNsense public key in the endpoint on the client.
On the client, specify the local tunnel IP as 10.10.11.4/24 so that it is part of the same subnet.

Schubbie « Reply #54 on: January 28, 2021, 09:03:09 am »
Hello,
Yes, I checked the Keys several times and have configured it several times.
I had given the Client the /24 IP and tried other IP-Ranges on both Sides.
But shouldn't something be shown in the widget of the Dashboard even if no client is connected? In the Dashboard it seems like the service doesn't start?

Greelan « Reply #55 on: January 28, 2021, 09:14:03 am »
My point was that the key setup shown in your screenshots looks wrong and won’t work.
As for the widget, yes you should see entries for enabled interfaces/endpoints - assuming they are properly configured. I suspect the fact that the key entries are wrong means that WG is refusing to enable them. But the widget is a distraction - better to focus on getting the configuration on OPNsense and the client right.
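
The configuration checks raised in replies #46, #53 and #55 (public keys crossed between the two sides, tunnel addresses in one subnet, each side's allowed IPs covering the other's tunnel IP), as an added example that is not part of the original thread. The dict layout, the key placeholders and the 192.168.153.0/24 network are constructed assumptions, not an OPNsense export format.

```python
import ipaddress

def check_pair(server, client):
    """Return findings for one OPNsense/client WireGuard pairing.

    Each side is a dict (hypothetical layout):
      own_pub     - public key shown in the side's own local config
      peer_pub    - public key entered in its endpoint (peer) entry
      tunnel      - own tunnel address in CIDR form
      allowed_ips - list of CIDRs allowed for the peer
    """
    findings = []
    sides = (("server", server, client), ("client", client, server))
    for name, side, other in sides:
        if side["peer_pub"] == side["own_pub"]:
            findings.append(f"{name}: peer key equals own public key")
        elif side["peer_pub"] != other["own_pub"]:
            findings.append(f"{name}: peer key is not the other side's public key")
    s_if = ipaddress.ip_interface(server["tunnel"])
    c_if = ipaddress.ip_interface(client["tunnel"])
    if s_if.network != c_if.network:
        findings.append("tunnel addresses are not in the same subnet")
    for name, side, peer_if in (("server", server, c_if), ("client", client, s_if)):
        nets = [ipaddress.ip_network(n, strict=False) for n in side["allowed_ips"]]
        if not any(peer_if.ip in n for n in nets):
            findings.append(f"{name}: allowed IPs do not cover {peer_if.ip}")
    return findings

# Constructed placeholders, not real keys.
SERVER_PUB = "SERVER_PUBLIC_KEY_PLACEHOLDER"
CLIENT_PUB = "CLIENT_PUBLIC_KEY_PLACEHOLDER"

# Misconfiguration as described in the thread: same key on both entries,
# client tunnel IP outside the /24, server tunnel IP missing from allowed IPs.
BAD_SERVER = {"own_pub": SERVER_PUB, "peer_pub": SERVER_PUB,
              "tunnel": "10.10.11.1/24", "allowed_ips": ["10.10.11.4/32"]}
BAD_CLIENT = {"own_pub": CLIENT_PUB, "peer_pub": CLIENT_PUB,
              "tunnel": "10.10.11.4/32", "allowed_ips": ["192.168.153.0/24"]}

# Corrected pairing: keys crossed, client on 10.10.11.4/24.
GOOD_SERVER = dict(BAD_SERVER, peer_pub=CLIENT_PUB)
GOOD_CLIENT = dict(BAD_CLIENT, peer_pub=SERVER_PUB, tunnel="10.10.11.4/24",
                   allowed_ips=["10.10.11.1/32", "192.168.153.0/24"])

if __name__ == "__main__":
    for finding in check_pair(BAD_SERVER, BAD_CLIENT):
        print(finding)
```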