remote access mode for Wireguard

Started by md0, April 05, 2021, 11:15:56 AM

Hello,

I'm trying to establish a Wireguard tunnel from an OPNsense machine behind a 4G connection that does not allow exposing ports to the Internet. Therefore, I need to trigger the connection to the remote machine using a random port (dynamic endpoint mode) - however, the GUI does not allow me to save the local configuration without a listening port. Is there any way to force Wireguard into initiating a "client" connection with a remote endpoint?

Thank you!

April 05, 2021, 11:47:23 AM #1 Last Edit: April 05, 2021, 11:51:42 AM by Greelan
Just enter a port even if it won't be used (eg 51820, 51821 ...). Not used at least for connections initiated from the outside.

I'm not sure that I understand how this is supposed to work - the remote server will never initiate a connection from the outside, as its peer has no IP address or port. This means that I'll have to start the tunnel from the local machine. How can this happen if Wireguard acts as a server and expects incoming connections on whatever port I declare for the local configuration?

Can I somehow force Wireguard to initiate the tunnel from the local machine?

Thanks

Yes, of course, by specifying the IP/domain and port of the endpoint in its configuration :)

Just because you (have to) specify a port in the Local config doesn't mean that OPNsense will act as a "server". If the remote machine doesn't specify the OPNsense IP and port as an endpoint, then it will never initiate a connection to it. OPNsense will always be the one initiating

I understand, though I find the logic a bit confusing - in my particular scenario only one machine can initiate the tunnel. But if I were to have a public IP address, expose whatever port I declared as local to the Internet and expose that info to the remote machine, wouldn't then both be trying to initiate connections at the same time?

Anyway, I do have the default port entered, and everything is set correctly (IP address/port, keys), yet the tunnel won't come up. Can I find somewhere a log of what Wireguard is actually doing?

Have you read the docs? Particularly https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html

You are probably missing an outbound NAT rule

I do have the outbound NAT rule defined, but at this point I would be content if I could get the other endpoint's address to respond to ping. It's hard to understand what's going on without any logs or feedback from the system.

WG has very little in the way of logging - hence the short codebase lol

Sometimes restarting WG can help

Otherwise post screenshots of your config (local, endpoint, NAT), masking private keys etc

Success!

I've managed to get the tunnel up and running by adding a keepalive interval for the remote endpoint.
I don't understand why this is happening, maybe someone more experienced can explain this to me...

Anyway, thank you Greelan for your input!
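As an added illustration that is not part of this thread, here is the same setup written as wg-quick style configuration for both ends (keys, tunnel addresses and the hostname are placeholders): only the OPNsense side carries an Endpoint, so it is the only one able to start the handshake, and PersistentKeepalive makes it send packets on its own, which is what brings the tunnel up without user traffic and keeps the carrier NAT mapping open.

```ini
# Added example, not from the forum thread. All keys, addresses and the
# hostname are placeholders.

# ---- OPNsense side (behind 4G / carrier NAT, no inbound reachability) ----
[Interface]
PrivateKey = <opnsense-private-key>
Address = 10.10.0.2/24
# The GUI requires a port; nothing from outside can reach it anyway.
ListenPort = 51820

[Peer]
PublicKey = <remote-public-key>
# Only this side knows where to send the first handshake.
Endpoint = vpn.example.com:51820
AllowedIPs = 10.10.0.0/24
# Sends a keepalive every 25 s: triggers the handshake without waiting
# for user traffic and keeps the NAT mapping alive so replies get back.
PersistentKeepalive = 25

# ---- Remote side (public IP, listens on UDP 51820) ----
[Interface]
PrivateKey = <remote-private-key>
Address = 10.10.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <opnsense-public-key>
# Narrow to the single tunnel address the OPNsense box is allowed to use.
AllowedIPs = 10.10.0.2/32
# No Endpoint here: it is learned from the first authenticated handshake
# and updated whenever the 4G address or NAT port changes.
```

On the remote side an Endpoint pointing at the OPNsense box would be useless, since its 4G address cannot be reached; leaving it out is what makes the roaming behaviour work.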