[SOLVED] simple WireGuard setup - it's just not working

Started by tessus, June 13, 2021, 04:54:42 AM

SOLVED: solution and configuration

I'm sorry to bring this up again, but all the articles I found on the Internet and posts here on the forum did not help solve my problem.

I'm not a network noob and I do understand how WG works, but for some reason I can't make the simplest setup work. I am new to OPNsense though.

Please note that I do not want to route all traffic through the WG network. Thus telling me to assign a WG interface is not what I want nor need according to all posts I found. (Unless all articles and the documentation are wrong that is.) Assigning an interface and creating an outbound NAT rule is ONLY necessary in case I want to use the WG network to access the Internet. I don't.

I only want to access hosts on 192.168.0.0/16. Yet, this very simple setup does not work. I followed all documentation and common sense, yet the client can't connect.

Do I have to reboot the firewall machine? Seems off, since starting/stopping a service should be sufficient.

Can someone please explain to me why this does not work, even though I followed the documentation to the letter?

Here is my setup (don't worry about the keys, they match accordingly):

Internal LAN IP of firewall: 192.168.0.1/20
External IP WAN: a.b.c.d

Server (OPNsense):

VPN: WireGuard > Local:

Listen: 51820
Tunnel address: 10.10.10.1/24
DNS: 192.168.0.5
Peers: client1

VPN: WireGuard > Endpoints:

Name: client1
Allowed IPs: 10.10.10.3/32

Client:

Addresses: 10.10.10.3/32
DNS: 192.168.0.5
Allowed IPs: 192.168.0.0/16, 10.10.10.1/32
Endpoint: a.b.c.d:51820

NAT and Rules (OPNsense):

Firewall: NAT: Port Forward

Interface: WAN
Proto: UDP
Source: any
Ports: any
Destination: WAN address
Destination Port: 51820
Redirect IP: 192.168.0.1
Redirect Port: 51820

Firewall: Rules: WireGuard

Protocol: IPv4
Source: 10.10.10.3/32
Port: any
Destination: any
Destination Port: any

June 13, 2021, 07:29:44 AM #1 Last Edit: June 13, 2021, 09:21:12 AM by Greelan
On the client, the addresses should be 10.10.10.3/24. Edit: actually, you can probably leave this as /32 if the client is simply connecting to the server.

And you don't need a port forward, just a rule on the WAN interface allowing in traffic to the WAN address on port 51820 (although your port forward should achieve the same if the filter rule association is enabled).

And yes, in this setup you don't need an interface defined.

June 13, 2021, 07:46:25 PM #2 Last Edit: June 13, 2021, 07:53:29 PM by rman50
I set up a similar configuration (local subnet access only) recently as well and there were a few other steps required to get it working for me:

- Name the Wireguard interface under Interface->Assignments so it shows up under Firewall->Rules. The interface was already there but didn't have a name assigned.
- Under Firewall->Rules->"Name created above" create a rule to allow your VPN client(s) to access your local subnet.

In my case without doing this, OPNsense was dropping the packets coming in from the WireGuard tunnel. I didn't use a port forward either. I just created an inbound WAN rule to allow the WireGuard port.

Thanks for your answers. I think we are getting closer.

If creating an assignment is required, the documentation is wrong and should be updated accordingly (wink, wink, dear OPNsense devs).

What IP do I give the new WGUARD (I called it that since all posts mention NOT to use the name WireGuard) interface? Do I give it the same IP as the Tunnel address (10.10.10.1/24)?

It's also interesting that neither of you created a NAT port forwarding rule, since this was also specifically mentioned in the documentation.

Thank you!!!

After a bit of trial and error, I've been able to get it working.

Here's what I did:

- Interfaces > Assignments: Added a new interface WG0 with IP address of Tunnel address: 10.10.10.1/24
- removed the inbound NAT rule
- moved my previous rule from WireGuard to WG0
- created a new WAN rule to allow UDP from all to WAN address on port 51820

I'll post the working config in a bit.

June 13, 2021, 10:07:30 PM #5 Last Edit: June 13, 2021, 10:15:44 PM by tessus
The documentation is wrong, so are all articles that are out there.

- Assigning an interface is required. (The information that such an interface is only necessary for using the WG connection to access the Internet is wrong.)
- The NAT rule is not required. Opening the WG port on WAN is sufficient.

Here is the configuration that worked:

Internal LAN IP of firewall: 192.168.0.1/20
External IP WAN: a.b.c.d

Server (OPNsense):

VPN: WireGuard > Local:

Listen: 51820
Tunnel address: 10.10.10.1/24
DNS: 192.168.0.5
Peers: client1

VPN: WireGuard > Endpoints:

Name: client1
Allowed IPs: 10.10.10.3/32

Client:

Addresses: 10.10.10.3/32
DNS: 192.168.0.5
Allowed IPs: 192.168.0.0/16, 10.10.10.1/32
Endpoint: a.b.c.d:51820

Interfaces:

Interfaces > Assignments

Name: WG0
Device: wg0
IPv4 address: 10.10.10.1/24 (tunnel address)

Rules (OPNsense):

Firewall: Rules: WAN

Interface: WAN
Proto: UDP
Source: any
Ports: any
Destination: WAN address
Destination Port: 51820

Firewall: Rules: WG0

Interface: WG0 (interface that was created earlier)
Protocol: IPv4
Source: 10.10.10.3/32
Port: any
Destination: any
Destination Port: any

June 13, 2021, 11:23:39 PM #6 Last Edit: June 13, 2021, 11:28:07 PM by Greelan
No, the documentation is not wrong. You don't need an interface in a road warrior setup. I've run it for months without it. Firewall rules can just be placed on the default "WireGuard" group (but don't use the "WireGuard net" alias for source IPs, it doesn't work reliably - define your own alias if needed). I think your port forward was the issue.

If you do assign an interface, no need to give it an IP, it is automatically given the IP of the tunnel as defined in WireGuard. The only advantage of defining an interface is that you then automatically get a "net" alias that can be used in firewall rules.

June 14, 2021, 12:20:38 AM #7 Last Edit: June 14, 2021, 12:22:22 AM by tessus
Quote from: Greelan on June 13, 2021, 11:23:39 PM
If you do assign an interface, no need to give it an IP, it is automatically given the IP of the tunnel as defined in WireGuard.

I had to assign an IP. I did not assign one at first and I could not connect to any of the machines in my network.
After I assigned one, all was good.

You wouldn't believe how many combinations I tried. I also removed the inbound NAT rule in my previous tests, but it did not help. But it should not matter, since wg listens on all interfaces, so this redirect rule is valid. But it's very interesting that it's not needed, since the documentation explicitly mentions it.
So I'm sorry that I have to disagree. The documentation is not correct.

Since you did not post your exact config it is impossible to verify your claims. (No matter, my setup works now and I don't really care.) Either way, in my setup it only started to work when I followed @rman50's advice.

Quote from: tessus on June 14, 2021, 12:20:38 AM
Since you did not post your exact config it is impossible to verify your claims. (No matter, my setup works now and I don't really care.) Either way, in my setup it only started to work when I followed @rman50's advice.
Great that it is working for you, but why would you assume that while trying to help you I would just make stuff up?

I can post screenshots, but given you don't care, why should I bother? The only reason I would do so is to ensure that others that happen onto this thread don't get led astray.

I bet after adding your interface without defining IPs that you didn't stop and start WG, right? Without doing that, yes IPs aren't assigned. But once you do stop and start WG, the IPs are there.

For me, I didn't assign an IP to the wg0 interface but I had to give it a name. Otherwise there was no way I could figure out how to complete this step in the road warrior documentation: "Then create a firewall rule via Firewall ‣ Rules ‣ WireGuard (click +Add in the top right), with the following information (if an item is not specified, leave it set to the default value)". There was no default Wireguard group for me until I assigned the name. I followed the documentation up until this step and then had to adjust to get it to work.

The WireGuard group is created as soon as a wgX device is created and WireGuard enabled

Quote from: Greelan on June 14, 2021, 06:53:31 AM
why would you assume that while trying to help you I would just make stuff up?

No, I'm sorry. I was too imprecise in my writing. No, this was not at all what I meant. I rather meant that I can't verify that you are using the same setup. Your environment could be very different. So it's kind of hard to correlate your info with mine.

Quote from: Greelan on June 14, 2021, 06:53:31 AM
I bet after adding your interface without defining IPs that you didn't stop and start WG, right? Without doing that, yes IPs aren't assigned. But once you do stop and start WG, the IPs are there.

This is a very good question. I did restart the service, I just don't recall at which step. It makes sense that the IP would be auto-assigned, since the IP has been set at the wg0 adapter level during the WG setup already. It also makes less of a mess when using more than one wg adapter to not have to set it explicitly.

I have tried all of those settings, NO LAN2LAN. Nothing works, I think WireGuard is not mature enough. OpenVPN and IPsec TOP. I have had enough of WireGuard! Only testing and hoping that it is working.