Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
Wireguard road warrior (followed default guide) - all work but cant ping clients
« previous
next »
Print
Pages: [
1
]
2
Author
Topic: Wireguard road warrior (followed default guide) - all work but cant ping clients (Read 6434 times)
allebone
Sr. Member
Posts: 402
Karma: 34
Wireguard road warrior (followed default guide) - all work but cant ping clients
«
on:
November 29, 2021, 05:07:31 pm »
Has anyone else ever had an issue where if you follow the guide to the Wireguard Roadwarrior setup everything works except from a LAN client you cant ping a WG client thats connected?
«
Last Edit: November 29, 2021, 05:10:56 pm by allebone
»
Logged
Steve79
Newbie
Posts: 8
Karma: 1
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #1 on:
November 30, 2021, 12:04:04 pm »
Hey,
i have a road warrior setup and can ping my clients, depending on which source net i ping from. I would say, you need to provide more information on your specific setup and where you want to ping your clients from, e.g. ping from opnsense fails or LAN net, did you setup the optional NAT from the guide, what firewall rules in and out WG and so on. The guide does not cover all, its more of point to start with in my opinion, even the proposed outgoing rule makes no choice of the destination:
Code:
[Select]
Specify the IPs that client peers should be able to access, eg “any” or specific IPs/subnets
Can you provide more information?
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #2 on:
November 30, 2021, 12:29:28 pm »
I think it likely comes down to the Allowed IPs in the config on the client. I can also ping fine from local IPs that are within the Allowed IPs - I wouldn’t expect otherwise, as WG on the client should drop packets from sources that are not in Allowed IPs
Alternatively, it is a firewall issue on OPNsense, ie rules aren’t in place to allow the pings
The outbound NAT rule won’t affect this
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #3 on:
November 30, 2021, 02:12:46 pm »
Ok thank you for replying. Its appreciated you took the time to think about it.
With regards to my setup it is as follows. However at this exact moment its a little different as last night I did a load of testing (all made no difference) where I tired adding gateways, disabling automatic routes, adding manual routes, trying different things on outbound nat, removing interfaces adding interfaces etc. However seems like there is zero difference regardless what I do.
When you follow the opnsesne wireguard roadwarrior guide you end up with the auto generated wireguard interface and another one you make that if you look in interfaces - overview has the IP address you set under local- tunnel address.
So for example my LAN is 192.168.2.0/24 and the local tunnel address of WG interface is 192.168.200.1/24.
A client connects and is assigned an IP like 192.168.200.10/32 (ie by wireguard config).
So what is working? So basically everything important. The firewall itself can ping the 192.168.200.10 and the client on 192.168.200.10 can access any lan device and ping any lan device or the firewall on both 192.168.200.x range and 192.168.2.x range (so LAN and WG ranges work from the connecting roadwarrior side essentially).
However the LAN clients cant ping a wg ip. So for example if I am on a pc with 192.168.2.12 as its IP behind the firewall I cant ping 192.168.200.1 (the firewalls wg IP). I also cant ping 192.168.200.10 (A clients IP over the wg tunnel). I believe services cant be accessed either (eg I cant telnet to 192.168.100.10 on port 80).
So the traffic from LAN - a wireguard IP does not work. Im not sure if this is by design or not. Is it possible you are not allowed to try ping these IP's as they are exclusively for only clients on the WG tunnel? I assumed the firewall could or would know how to route a packet around its own interfaces to be able to reply to a ping but maybe I am wrong. I am using the kernel version of WG if that makes a difference. It could be I am expecting something that is not really designed to work.
P
«
Last Edit: November 30, 2021, 02:16:14 pm by allebone
»
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #4 on:
November 30, 2021, 08:18:38 pm »
Post details of your WG configs and firewall rules. As two of us have said, we can access WG clients, so there is no design stopping that and something with your setup is preventing it. You need to provide that information in order to troubleshoot
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #5 on:
November 30, 2021, 09:15:27 pm »
OK!
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #6 on:
November 30, 2021, 09:16:33 pm »
And realize some rules are not needed - I was testing as it does not work.
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #7 on:
November 30, 2021, 09:19:02 pm »
From Opnsense no issue pinging the wg clients or itself. Also the WG clients can access anything and ping anything. I didnt bother getting a ss of that.
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #8 on:
November 30, 2021, 09:20:41 pm »
For clarification:
192.168.2.0/24 - internal LAN
192.168.200.0/24 - Wireguard IP Range.
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #9 on:
November 30, 2021, 09:32:02 pm »
And the WG configs on the clients?
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #10 on:
November 30, 2021, 09:47:29 pm »
Most are on the road but I have my phone here:
The allowed ips are:
192.168.200.0/24, 192.168.2.0/24, 0.0.0.0/0
Have to do 1 ss at a time. I have one more to post after.
P
«
Last Edit: November 30, 2021, 09:49:09 pm by allebone
»
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #11 on:
November 30, 2021, 09:48:25 pm »
Sorry if I made the previous one too small. I can post again if need be.
Here is second.
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #12 on:
November 30, 2021, 10:08:51 pm »
Im really sorry I found my issue. I wish I could delete this post. I found a firewall rule that was blocking it that was created in a semi dynamic way. I have multiple vlans and had created a rule to prevent communication between vlans a while back and it was blocking the traffic. Once I saw this and added an allow rule above it for the WG network it started working fine. Sorry man I dont think I can delete threads but I would as its been a waste of time for you.
Hope its not a big deal.
Pete
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #13 on:
November 30, 2021, 10:12:11 pm »
What’s the fourth screenshot (“FW Rule”)? And what rules do you have on LAN?
BTW, the Allowed IPs on the iPhone is a bit redundant. If you are sending all traffic down the tunnel you don’t need the specific subnets. If you only want the specific subnets, remove 0.0.0.0/0
Edit: lol, just saw your latest post. Yep, that would do it! Hence my original point about FW rules
«
Last Edit: November 30, 2021, 10:14:23 pm by Greelan
»
Logged
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Wireguard road warrior (followed default guide) - all work but cant ping clients
«
Reply #14 on:
November 30, 2021, 10:25:52 pm »
Actually one thing I noticed if I dont add the specific subnets is if I happen to go to a network (eg: coffee shop) that has the same range as my home (192.168.2.0/24 is common unfortunately) then I cant get back to my home network. The 0.0.0.0 is so all traffic is sent down the tunnel.
Luckily if you add the 2 routes they get a lower metric (higher priority) (eg adding 192.168.2.x and 192.168.200.x on the iphone allowed ips) and so long as the firewall or gateway at the coffee shop is not 192.168.2.2 (my opnsense firewall IP on the LAN) then I can still connect back home despite the network overlapping.
Thanks anyway for your help.
Pete
«
Last Edit: November 30, 2021, 10:30:41 pm by allebone
»
Logged
Print
Pages: [
1
]
2
« previous
next »
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
Wireguard road warrior (followed default guide) - all work but cant ping clients