WireGuard - adding peer with 0.0.0.0/0 causes loss of WAN

[sos_opnsense]

I have wireguard set up with a local server (10.1.1.1, DNS 1.1.1.1, port 51820). Pretty standard stuff.

When I added a peer with an allowed IP of '0.0.0.0/0', saved and re-enabled the local wg server, I lost all WAN access across the LAN and firewall itself. In other words, the opnSense router could no longer ping out e.g. 1.1.1.1 times out.

As soon as I remove the peer from the WireGuard server's list of peers, or change the allowed IP to "10.1.1.0/24" and restart wg-0, WAN comes back up.

Bizarre.

[Greelan]

Why is it bizarre? You are routing everything down the tunnel

[sos_opnsense]

No, I'm not connecting to or through the wg tunnel, merely adding a remote peer with a 0.0.0.0/0 available IP to the list of potential wg peers using the web GUI.

I'm not even connecting or activating the tunnel or trying to access WAN through the peer, and yet it's taking out the firewall's access to WAN. As soon as I hit 'save' localhost OPNsense can't ping any WAN address from shell.

[stefanpf]

The routes are added immediately after activating the Wireguard service.
This seems to be logical, since a request must also trigger a connection startup.

But at least with my setup:
- If Wireguard is disabled, no routes are added.
- If a peer is disabled, no routes are added for that peer

[sos_opnsense]

Thanks for your replies.

I'll do some more learning so I can try to understand why this is happening when the same values didn't take out my other similar BSD-based firewall running wireguard in an equivalent way.

[mimugmail]

On the Server side when you add endpoint, only enter the remote Tunnel IP with /32 there. On endpoint itself you can add 0.0.0.0/0 as allowed ip

[Aerowinder]

On the Server side when you add endpoint, only enter the remote Tunnel IP with /32 there. On endpoint itself you can add 0.0.0.0/0 as allowed ip

I found this to be super unintuitive with WireGuard. This exact thing caught me at first, too. When shown the correct way to set the configuration, it makes sense. To make things worse, there's a ton of misinformation out there.

[sos_opnsense]

To make things worse, there's a ton of misinformation out there.

Yep, and I think the OPNsense guide for WireGuard has more recently been edited to make the distinction between /24 and /32 endpoints clearer, for example.

Anyway, all up and running now, thanks all.