WireGuard - adding peer with 0.0.0.0/0 causes loss of WAN

Started by sos_opnsense, March 20, 2021, 05:52:12 AM

March 20, 2021, 05:52:12 AM Last Edit: March 20, 2021, 06:14:52 AM by sos_opnsense
I have WireGuard set up with a local server (10.1.1.1, DNS 1.1.1.1, port 51820). Pretty standard stuff.

When I added a peer with an allowed IP of '0.0.0.0/0', saved and re-enabled the local wg server, I lost all WAN access across the LAN and the firewall itself. In other words, the OPNsense router could no longer ping out, e.g. a ping to 1.1.1.1 times out.

As soon as I remove the peer from the WireGuard server's list of peers, or change the allowed IP to "10.1.1.0/24" and restart wg-0, WAN comes back up.

Bizarre.
Alder Lake N100
4 x 2.5GbE Intel NIC
16GB, 500GB nvme
OPNsense 25.1

Why is it bizarre? You are routing everything down the tunnel.

March 20, 2021, 07:42:39 AM #2 Last Edit: March 20, 2021, 07:46:23 AM by sos_opnsense
No, I'm not connecting to or through the wg tunnel, merely adding a remote peer with a 0.0.0.0/0 available IP to the list of potential wg peers using the web GUI.

I'm not even connecting or activating the tunnel or trying to access WAN through the peer, and yet it's taking out the firewall's access to WAN. As soon as I hit 'save' localhost OPNsense can't ping any WAN address from shell.

The routes are added immediately after activating the WireGuard service.
This seems to be logical, since a request must also trigger a connection startup.

But at least with my setup:
- If WireGuard is disabled, no routes are added.
- If a peer is disabled, no routes are added for that peer

Thanks for your replies.

I'll do some more learning so I can try to understand why this is happening when the same values didn't take out my other similar BSD-based firewall running WireGuard in an equivalent way.

On the server side, when you add an endpoint, only enter the remote tunnel IP with /32 there. On the endpoint itself you can add 0.0.0.0/0 as the allowed IP.
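The server-side /32 versus client-side 0.0.0.0/0 split described above, as an added example that is not part of the original thread: two wg-quick style configuration files, one for the OPNsense end and one for a road-warrior client. The addresses, hostname, key placeholders and interface names are assumptions, not values taken from the thread. Because WireGuard's cryptokey routing treats AllowedIPs as "which destinations belong to this peer", and wg-quick (and OPNsense's WireGuard plugin) installs a route for every AllowedIPs prefix of every enabled peer, putting 0.0.0.0/0 on the server side hands the server's default route to a tunnel that may never come up.

```ini
# ==== File 1 (assumed name: /usr/local/etc/wireguard/wg0.conf on OPNsense) ====
# Added example, not from the thread. Keys, addresses and names are placeholders.
[Interface]
Address    = 10.1.1.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

# WRONG (the OP's setting). With this peer enabled, 0.0.0.0/0 is installed
# as a route via wg0, so the firewall's own WAN traffic (e.g. ping 1.1.1.1)
# is sent into the tunnel instead of out the WAN interface.
# [Peer]
# PublicKey  = <laptop-public-key>
# AllowedIPs = 0.0.0.0/0

# RIGHT: the server only needs to know the client's own tunnel address.
# This installs a single host route (10.1.1.2/32 via wg0) and nothing else.
[Peer]
PublicKey  = <laptop-public-key>
AllowedIPs = 10.1.1.2/32

# ==== File 2 (assumed name: laptop.conf on the road-warrior client) ====
[Interface]
Address    = 10.1.1.2/24
PrivateKey = <laptop-private-key>
DNS        = 1.1.1.1

[Peer]
PublicKey  = <server-public-key>
Endpoint   = vpn.example.com:51820      # assumed hostname
# 0.0.0.0/0 belongs HERE: the client wants all of its traffic via the tunnel.
# (Add ::/0 as well if the client should not leak IPv6 outside the tunnel.)
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

To check which side has captured the default route on the OPNsense box, `wg show wg0 allowed-ips` lists the prefixes each peer claims, and `route -n get 1.1.1.1` shows the interface the kernel would use to reach the outside; if the second command reports `wg0` rather than the WAN interface, a peer on the server side still carries 0.0.0.0/0 (or ::/0 for the IPv6 default route).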

Quote from: mimugmail on March 20, 2021, 12:05:11 PM
On the server side, when you add an endpoint, only enter the remote tunnel IP with /32 there. On the endpoint itself you can add 0.0.0.0/0 as the allowed IP.

I found this to be super unintuitive with WireGuard. This exact thing caught me at first, too. When shown the correct way to set the configuration, it makes sense. To make things worse, there's a ton of misinformation out there.

Quote from: Aerowinder on March 25, 2021, 12:12:37 PM
To make things worse, there's a ton of misinformation out there.

Yep, and I think the OPNsense guide for WireGuard has more recently been edited to make the distinction between /24 and /32 endpoints clearer, for example.

Anyway, all up and running now, thanks all.