WireGuard setup required reboot, Unbound available on WAN

Started by yearski, November 21, 2020, 06:05:11 PM

I struggled to get WireGuard installed, configured and working. It was frustrating because the setup and configuration are so simple, there aren't many places to check for mistakes. I have OPNsense 20.7 on a Shuttle mini PC. I discovered two things that finally got it working for me:

  • I had to reboot the hardware. At first I couldn't get anything to work. After issuing `service wireguard restart` from a shell, I could finally connect a peer but that peer couldn't access any network. After spending way too much time reviewing the interfaces and firewall rules, I rebooted the OPNsense hardware and then everything just worked. I can't tell you what changed (nothing in my config changed here) and now that it's working, I can't reproduce the problem. So unfortunately, I can't offer anything useful to the devs except it might be worth adding a note in the guides.
  • After the "networking" was functional, the remote peer could not access the native Unbound DNS server. My problem was that I had previously removed the WAN interface from the Unbound service network interfaces setting. Enabling Unbound DNS on WAN resolved this issue. In a way it makes sense that the remote peer is coming in through the WAN interface; I think I falsely assumed that the remote peer would appear to come in through the wg0 interface I created (which I had enabled for Unbound).

Hope that helps someone else. The setup is really quite simple and it works great. But geez, I spent a lot of befuddled time to get there. (When in doubt, reboot!)

Most likely your routing tables needed the reboot?

Are you using site-to-site? For DNS (on remote-end clients) I use the IP of the OPNsense on the connected LAN interface net...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

1. This was a misconfig on your side for sure. I set up WireGuard this week for a customer, no reboot required

2. In the WireGuard client you can choose which DNS to use. Best to use the LAN IP, as posted in the other thread. But you have to add an ACL in Unbound.

kind regards
chemlud

November 29, 2020, 05:14:47 PM #4 Last Edit: November 29, 2020, 05:19:01 PM by JasonJoel
Quote from: yearski on November 21, 2020, 06:05:11 PM
Hope that helps someone else. The setup is really quite simple and it works great. But geez, I spent a lot of befuddled time to get there. (When in doubt, reboot!)

I had a heck of a time getting WireGuard to work when I installed it yesterday. In my case I also had to reboot before DNS resolution would work (yes, I had an access rule added in Unbound for the network). Interestingly, the network showed up in the default Unbound access rules after rebooting (it was not in there before the reboot), so I removed my custom access rule.

Out of curiosity, did you end up assigning wg0 as an interface? I did, but I'm not 100% sure I really had to. Still pretty new to OPNsense, so I'm fumbling my way through it.

I'm trying to get a working WireGuard too, and got some of the same problems as the OP.
Currently I can connect my Android client to my OPNsense WireGuard server, and I can ping all the other LANs.
I tried to put my WireGuard server IP as the DNS server (present in the Unbound access list), and did the same with the OPNsense LAN IP (both pingable).
In both cases, I'm not able to get DNS resolution working on the Android device. I can ping my LANs, I can ping IPs across the whole Internet, but no DNS resolution.

Does somebody have an idea?

So currently, for me, it's way faster to set up an OpenVPN service on OPNsense than WireGuard.

I thought about it this morning, but my current firewall rule on the "wireguard" interface allows everything from the wireguard net.
Will check this again tonight.
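Pulling the thread's DNS points together (the OP enabling Unbound on the WAN interface, chemlud's advice to point clients at the LAN IP and add an Unbound ACL, and the later reports of pings working but names not resolving), here is an added example that is not code from the thread, from OPNsense or from Unbound. It parses a resolver config and a client config and checks the three things that have to line up before a tunnel peer can resolve names. The unbound.conf fragment, the wg-quick client config, the WAN address 203.0.113.10 and the tunnel network 10.10.10.0/24 are constructed sample values (assumptions for the example); on a real box the unbound.conf is whatever the OPNsense UI generates, and the addresses are your own.

```python
"""Check a WireGuard client config against an Unbound config for the DNS
pitfalls discussed in the thread: resolver bound to WAN, tunnel network
missing from the Unbound ACL, and a DNS address that AllowedIPs does not
route into the tunnel. Added example; all sample values are constructed."""
import ipaddress
import re

# Constructed unbound.conf fragment (assumed shape, not OPNsense's real output):
# listens on the LAN and wg0 addresses only, ACL covers LAN and tunnel network.
SAMPLE_UNBOUND_CONF = """\
server:
    interface: 192.168.1.1
    interface: 10.10.10.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 10.10.10.0/24 allow
"""

# Constructed wg-quick client config; keys are placeholders, not real material.
SAMPLE_WG_CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.10.10.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.10.10.0/24, 192.168.1.0/24
"""

ALLOW_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}
WILDCARDS = {"0.0.0.0", "::", "::0"}


def parse_unbound(text):
    """Return (listen addresses, [(network, action), ...]) from an unbound.conf fragment."""
    listen, acls = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"interface:\s*(\S+)", line)
        if m:
            listen.append(m.group(1).split("@", 1)[0])  # drop an optional @port suffix
            continue
        m = re.match(r"access-control:\s*(\S+)\s+(\S+)", line)
        if m:
            acls.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return listen, acls


def parse_wg_client(text):
    """Return (DNS server addresses, AllowedIPs networks) from a wg-quick client config."""
    dns, allowed = [], []
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if not sep:
            continue  # section headers and blank lines carry no key = value pair
        key = key.strip().lower()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key == "dns":
            for v in items:
                try:
                    dns.append(ipaddress.ip_address(v))
                except ValueError:
                    pass  # search domains may also appear in DNS=; they are not servers
        elif key == "allowedips":
            allowed += [ipaddress.ip_network(v, strict=False) for v in items]
    return dns, allowed


def unbound_listens_on_wan(listen, wan_ip):
    """True if the resolver is bound to the WAN address or to a wildcard address."""
    return wan_ip in listen or any(w in listen for w in WILDCARDS)


def unbound_allows(acls, network):
    """Unbound picks the most specific matching access-control entry; no match means refuse."""
    matches = [(n, a) for n, a in acls if n.version == network.version and network.subnet_of(n)]
    if not matches:
        return False
    _, action = max(matches, key=lambda m: m[0].prefixlen)
    return action in ALLOW_ACTIONS


def dns_reachable_via_tunnel(dns, allowed):
    """Every DNS server must sit inside some AllowedIPs entry, or queries bypass the tunnel."""
    return bool(dns) and all(any(ip in net for net in allowed) for ip in dns)


def audit(unbound_text, client_text, wan_ip, tunnel_net):
    """Run the three checks and return a dict of findings."""
    listen, acls = parse_unbound(unbound_text)
    dns, allowed = parse_wg_client(client_text)
    net = ipaddress.ip_network(tunnel_net, strict=False)
    wildcard = any(w in listen for w in WILDCARDS)
    return {
        "unbound_exposed_on_wan": unbound_listens_on_wan(listen, wan_ip),
        "tunnel_allowed_by_acl": unbound_allows(acls, net),
        "dns_inside_allowed_ips": dns_reachable_via_tunnel(dns, allowed),
        "client_dns_is_an_unbound_listener": bool(dns) and all(wildcard or str(ip) in listen for ip in dns),
    }


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_UNBOUND_CONF, SAMPLE_WG_CLIENT_CONF, "203.0.113.10", "10.10.10.0/24").items():
        print(f"{name}: {ok}")
```

Unbound refuses queries from any source address that no access-control entry covers, and when several entries match it applies the most specific one, so a tunnel network that is missing from the ACL fails even when the resolver listens on wg0. Binding the resolver to the WAN address (or to 0.0.0.0) is a separate setting from the ACL: it does not by itself grant the tunnel network access, and it makes the resolver reachable from the WAN side unless the firewall blocks port 53 there, which is why the LAN-IP-plus-ACL approach is the one to prefer. On the client, the DNS address must fall inside AllowedIPs, or resolver traffic never enters the tunnel even though pings to the allowed networks succeed.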