OPNsense Forum » English Forums » Virtual private networks » Wireguard stop the endless suffering
Topic: Wireguard stop the endless suffering (Read 3269 times)
C0ldkut
Newbie
Posts: 9
Karma: 0
Wireguard stop the endless suffering
on: March 22, 2022, 10:44:47 pm
Hi all.
I am desperately trying to set up WireGuard. I read all the documentation, watched all the YT videos, did like 4 setups. Still I fail to set it up, and I refuse to accept it.
What I did to troubleshoot:
Public keys are correct.
Peers are enabled on local.
Allowed IPs on client is 0.0.0.0/0.
Interface is configured on wg01 as WIRE.
Port is set to 5552 and called VPN_PORT.
NAT outbound as on Screenshot 1.
Firewall rules as on Screenshot 2.
Peer config on Screenshot 3.
Local config on Screenshot 4.
I further configured Unbound DNS: DNS over TLS.
AL on Unbound shows my WG network IP 10.0.0.1/24.
Please help. I want to make it work.
Btw.: Be nice, I am new to OPNsense and to firewalls at all, and I am not in IT. Thanks. ;-)
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard stop the endless suffering
Reply #1 on: March 23, 2022, 09:39:03 am
Looks like you are missing firewall rules on your WIRE interface.
Did you look at this how-to?
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
C0ldkut
Newbie
Posts: 9
Karma: 0
Re: Wireguard stop the endless suffering
Reply #2 on: March 23, 2022, 09:28:41 pm
Thanks for reply. Yes I followed it point by point.
I forgot to post the Rule on "WIRE" (wg0). See attached.
C0ldkut
Newbie
Posts: 9
Karma: 0
Re: Wireguard stop the endless suffering
Reply #3 on: March 23, 2022, 09:29:49 pm
WIRE Rule.
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard stop the endless suffering
Reply #4 on: March 23, 2022, 09:32:40 pm
You're only allowing UDP traffic on that rule.
So in fact you didn't follow the how-to point by point.
C0ldkut
Newbie
Posts: 9
Karma: 0
Re: Wireguard stop the endless suffering
Reply #5 on: March 23, 2022, 09:35:56 pm
Ok, maybe I followed it too often then. I corrected that. Still no handshake.
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard stop the endless suffering
Reply #6 on: March 23, 2022, 09:42:17 pm
I'd suggest going over it again to check for any other mistakes
Also you haven't posted configs on the endpoints themselves - the problem could be there
C0ldkut
Newbie
Posts: 9
Karma: 0
Re: Wireguard stop the endless suffering
Reply #7 on: March 23, 2022, 09:48:23 pm
The thing is, I really read all of it too often. Sucks somehow, since it appears to be really easy. What the hell.
Attached the peers screenshot. (G20)
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard stop the endless suffering
Reply #8 on: March 24, 2022, 07:53:21 am
Have you applied changes for the firewall rules and alias? The screenshot of the WIRE rule showed unapplied changes
C0ldkut
Newbie
Posts: 9
Karma: 0
Re: Wireguard stop the endless suffering
Reply #9 on: March 24, 2022, 08:44:53 pm
Thanks for the hint. I applied right after. Still stuck.
C0ldkut
Newbie
Posts: 9
Karma: 0
Re: Wireguard stop the endless suffering
Reply #10 on: March 29, 2022, 09:02:16 pm
Still I am stuck. Anyone any ideas where to look? Is it usual that the defined tunnel port is not visible through a port checker? Thanks for your help!
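On the port-checker question raised in the post above: a UDP port that an external checker reports as closed or filtered is the expected result for WireGuard. The daemon answers nothing that is not a valid handshake initiation from a configured peer's key, so a scanner learns nothing about whether the port is reachable. The signal that actually matters is the per-peer latest-handshake timestamp. The script below is an added example for this thread, not the poster's setup and not OPNsense or WireGuard project code. It parses the machine-readable `wg show <iface> dump` output (which assumes the wg userland tool from the WireGuard plugin is available in the OPNsense shell) and classifies each peer; the dump text and the key fields in it are constructed placeholders.

```python
"""Classify WireGuard peers from `wg show <iface> dump` output.

Added example for this thread, not OPNsense or WireGuard project code.
SAMPLE_DUMP is constructed; the key fields are placeholders, not real keys.
"""
import time
from typing import Dict, List, Optional

# wg rekeys after 120 s and rejects a session after 180 s, so a handshake
# older than that means nothing has flowed since, or re-handshakes are failing.
STALE_AFTER_SECONDS = 180

STATUS_NEVER = "never"   # latest_handshake == 0: no initiation was ever completed
STATUS_STALE = "stale"
STATUS_OK = "ok"

# Layout of `wg show wg0 dump` (tab separated):
#   line 1: private_key  public_key  listen_port  fwmark
#   peers : public_key  preshared_key  endpoint  allowed_ips  latest_handshake  rx  tx  keepalive
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t5552\toff\n"
    "LAPTOP_PUBLIC_KEY_PLACEHOLDER=\t(none)\t203.0.113.7:41820\t10.0.0.2/32\t1648000000\t5120\t7360\t25\n"
    "PHONE_PUBLIC_KEY_PLACEHOLDER=\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\t25\n"
    "TABLET_PUBLIC_KEY_PLACEHOLDER=\t(none)\t198.51.100.9:51820\t10.0.0.4/32\t1647999000\t9000\t1200\toff\n"
)
SAMPLE_NOW = 1648000060  # fixed "current time" so the sample classification is deterministic


def listen_port(dump_text: str) -> int:
    """UDP port the interface really listens on; compare with the port your
    WAN pass rule (and any port forward on the same port) references."""
    first = dump_text.splitlines()[0].split("\t")
    return int(first[2])


def classify_peers(dump_text: str, now: Optional[float] = None) -> List[Dict]:
    """One record per peer line with its handshake state."""
    now = time.time() if now is None else now
    result = []
    for line in dump_text.splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # not a peer line
        pub, _psk, endpoint, allowed, hs, rx, tx, _keepalive = fields
        hs = int(hs)
        if hs == 0:
            status = STATUS_NEVER
        elif now - hs > STALE_AFTER_SECONDS:
            status = STATUS_STALE
        else:
            status = STATUS_OK
        result.append({
            "peer": pub,
            "endpoint": endpoint,
            "allowed_ips": allowed,
            "age": None if hs == 0 else int(now - hs),
            "rx": int(rx),
            "tx": int(tx),
            "status": status,
        })
    return result


def hint(peer: Dict) -> str:
    """What to look at for each state, in the order that resolved this thread."""
    if peer["status"] == STATUS_NEVER and peer["endpoint"] == "(none)":
        return ("no endpoint learned and no handshake ever: check the WAN pass rule for the "
                "listen port, conflicting NAT port forwards on that port, and the client's Endpoint")
    if peer["status"] == STATUS_NEVER:
        return ("endpoint configured but no handshake ever: check that the public key on each "
                "side matches the private key on the other, and that endpoint and port are right")
    if peer["status"] == STATUS_STALE:
        return "handshake happened once but nothing since: check keepalive and the wg interface pass rules"
    return "tunnel is up; if traffic still fails, look at the rules on the wg interface and outbound NAT"


if __name__ == "__main__":
    print("listen port:", listen_port(SAMPLE_DUMP))
    for p in classify_peers(SAMPLE_DUMP, SAMPLE_NOW):
        print(f"{p['peer'][:14]:<14} {p['status']:<6} endpoint={p['endpoint']:<20} {hint(p)}")
```

On a real box, feed it with `wg show wg0 dump > dump.txt` and call `classify_peers(open("dump.txt").read())`; a peer that never handshakes while its endpoint is `(none)` is the state this thread was stuck in, and the cause turned out to be on the WAN/NAT side, not in the tunnel itself.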
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: Wireguard stop the endless suffering
Reply #11 on: March 30, 2022, 09:21:03 am
Re-check that the CORRECT public/private keys are in place on BOTH sides...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
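The check chemlud asks for, done offline: derive the public key from a private key (what `wg pubkey` does) and compare it with what the far side has configured for that peer, in both directions. This is an added example for the thread, not the poster's configuration and not OPNsense or WireGuard project code. It carries its own X25519 written from RFC 7748 so it runs with nothing but the Python standard library; the only keys it is checked against are the RFC 7748 section 6.1 test vectors, not anything from this thread, and the keys printed by its demo are freshly generated placeholders.

```python
"""Verify a WireGuard private/public key pair offline.

Added example for this thread, not OPNsense or WireGuard project code.
X25519 is implemented here from RFC 7748 so nothing beyond the standard
library is needed; on a real box `echo <priv> | wg pubkey` does the same.
"""
import base64
import os

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """RFC 7748 scalar decoding; the same clamping wg applies to its keys."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; u-coordinate of scalar * u."""
    k = _clamp(scalar)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def to_wg_format(raw: bytes) -> str:
    """WireGuard writes keys as base64 of the 32 raw bytes (44 chars, one '=')."""
    if len(raw) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(raw).decode()


def from_wg_format(key_b64: str) -> bytes:
    """Decode a key as pasted from a config; trailing whitespace is tolerated."""
    raw = base64.b64decode(key_b64.strip(), validate=True)
    if len(raw) != 32:
        raise ValueError("not a WireGuard key: decoded length %d" % len(raw))
    return raw


def derive_public_key(private_key_b64: str) -> str:
    """Equivalent of `echo <priv> | wg pubkey`."""
    return to_wg_format(x25519(from_wg_format(private_key_b64), BASEPOINT))


def generate_private_key() -> str:
    """32 random bytes; X25519 clamps at use, so the public key is unaffected."""
    return to_wg_format(os.urandom(32))


def keys_match(local_private_b64: str, remote_configured_public_b64: str) -> bool:
    """True if the public key the far side holds for us is the one our private key produces."""
    return derive_public_key(local_private_b64) == remote_configured_public_b64.strip()


if __name__ == "__main__":
    # Both directions of a tunnel: each side's private key against the public
    # key the other side has configured for it. These keys are freshly generated
    # placeholders for the demo, not anything from the thread.
    client_priv, server_priv = generate_private_key(), generate_private_key()
    print("client pub:", derive_public_key(client_priv))
    print("server pub:", derive_public_key(server_priv))
    print("client pair ok:", keys_match(client_priv, derive_public_key(client_priv)))
    print("keys crossed:  ", keys_match(client_priv, derive_public_key(server_priv)))
```

The common mistake the last line catches is pasting the server's own public key into the server's peer entry (or the client's into the client), which yields exactly the symptom in this thread: packets arrive, no handshake ever completes, and a port checker tells you nothing either way.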
C0ldkut
Newbie
Posts: 9
Karma: 0
Re: Wireguard stop the endless suffering
Reply #12 on: April 02, 2022, 11:50:22 pm
So for anyone interested: it works now.
What I did:
I implemented a rule under Floating and deleted the one on the WAN interface.
What I still wonder: I really followed the manual, but what worked was this:
https://www.youtube.com/watch?v=gNyIACWc60w
Anyway: Thank you all for taking the time!
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard stop the endless suffering
Reply #13 on: April 03, 2022, 12:54:01 am
Couple of comments. Since that video was made, the OPNsense WG docs for road warrior and selective routing setups have been re-written and so are no longer "misleading" - they work. Also, I see no reason why a floating rule applying to WAN would work any differently from an equivalent rule on WAN, unless the user has another block rule that applies in priority to the WAN rule but after the floating rule - in which case it is the user's config that is the issue.
C0ldkut
Newbie
Posts: 9
Karma: 0
Re: Wireguard stop the endless suffering
Reply #14 on: April 03, 2022, 10:22:14 pm
Thanks for your comments. Ever since, it was clear that I had messed up some config, and I didn't want to blame the documentation, but I thought I had found a workaround.
The mistake was not the floating/WAN rule. It was indeed a conflicting NAT port forwarding rule. I configured it as described in the documentation, fixed the conflicting port forwarding rules, and now everything works.
Nevertheless, I hope that, since I have searched and searched, this might point others to a working VPN setup. RTFM.
I think we can close.