WireGuard no internet

Started by norbo80, September 03, 2022, 03:21:04 PM

September 03, 2022, 03:21:04 PM Last Edit: September 03, 2022, 03:46:54 PM by norbo80
Hello,

I have just set up the WireGuard VPN and I can connect to my LAN, but then I lose connection to the internet, although I can ping e.g. 8.8.8.8.
As DNS server I've got AdGuard installed on OPNsense.
In the FW log I can see something like this:

https://i.imgur.com/0xfytfk.png

I have a similar issue, let me know if you fix it.

Is there a WireGuard interface or an outbound NAT rule?

See more details here in this guide:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
Deciso DEC850v2

It is configured as an interface. I think I have a similar configuration as in this manual. DNS is on the firewall itself (AdGuard).

Please show the server's and clients' config, mask the keys but leave the first three characters to see if the keys are in the correct place.
i am not an expert... just trying to help...

Thank you for the help! Screenshots attached.



October 21, 2022, 06:28:54 AM #8 Last Edit: October 21, 2022, 06:34:13 AM by tiermutter
The firewall rules... is this the WG interface? The rules look pretty weird...
1. The "WG allow internet" rule is last match, so "reject private networks" will be hit before it
2. The "allow S21" and "allow surface" rules' source is a host IP, but you're using /24 instead of /32 (but this should not be the problem)
3. There are two DNS rules. Why? 192.168.10.1 is "this firewall" / the sense's LAN IP, correct? Use the sense's WG IP instead (192.168.20.1 I guess)

These are the rules for my WG (Roadwarrior) interface for reference:
i am not an expert... just trying to help...

For the Windows client use allowed IPs (erlaubte IPs) = 0.0.0.0/1, 128.0.0.0/1 as Windows doesn't like to change the default route 0.0.0.0/0
i am not an expert... just trying to help...
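The reply above relies on longest-prefix matching: a route for 0.0.0.0/1 or 128.0.0.0/1 is always more specific than the host's existing 0.0.0.0/0 default, so the tunnel wins for every destination without that default having to be replaced. The following is an added example, not code from the thread, from WireGuard or from OPNsense; the interface names, the client's own LAN 192.168.1.0/24 and the destination addresses are constructed, and the tie-break rule (an earlier entry keeps priority when prefix lengths are equal) is an assumption standing in for the client keeping its original default route.

```python
"""Longest-prefix-match model of a WireGuard client's host routing table.
Shows why AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 steers all traffic into the
tunnel while a plain 0.0.0.0/0 entry would only tie with the existing default.
All routes, interface names and addresses are constructed for illustration."""

import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


def build_routes(allowed_ips: List[str]) -> List[Route]:
    """Constructed host table: the physical NIC keeps its default route and its
    local LAN; the WireGuard client adds one route per AllowedIPs entry via wg0."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "eth0"),       # existing default route
        (ipaddress.ip_network("192.168.1.0/24"), "eth0"),  # client's own LAN (constructed)
    ]
    routes += [(ipaddress.ip_network(p), "wg0") for p in allowed_ips]
    return routes


def select_route(dst: str, routes: List[Route]) -> str:
    """Return the interface of the most specific route containing dst.
    On equal prefix length the earlier entry wins (assumption: the original
    default route keeps priority, as the post says Windows clients prefer)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def covers_all_ipv4(prefixes: List[str]) -> bool:
    """True when the prefixes merge to exactly 0.0.0.0/0, i.e. no destination is left out."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


SPLIT_DEFAULT = ["0.0.0.0/1", "128.0.0.0/1"]   # the AllowedIPs trick from the reply

if __name__ == "__main__":
    split = build_routes(SPLIT_DEFAULT)
    plain = build_routes(["0.0.0.0/0"])
    print("two /1 routes cover all of IPv4:", covers_all_ipv4(SPLIT_DEFAULT))
    for dst in ("8.8.8.8", "200.1.2.3", "192.168.1.20"):
        print(f"{dst:14} split default -> {select_route(dst, split)}, "
              f"plain /0 -> {select_route(dst, plain)}")
```

With the two /1 entries every public destination resolves to wg0 while the client's own /24 LAN still wins by being more specific; with a single /0 entry the tunnel route only ties with the existing default and, under the tie-break assumed here, loses.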

October 21, 2022, 08:13:01 AM #10 Last Edit: October 21, 2022, 08:21:59 AM by norbo80
Quote from: tiermutter on October 21, 2022, 06:28:54 AM
The firewall rules... is this the WG interface? The rules look pretty weird...
1. The "WG allow internet" rule is last match, so "reject private networks" will be hit before it
2. The "allow S21" and "allow surface" rules' source is a host IP, but you're using /24 instead of /32 (but this should not be the problem)
3. There are two DNS rules. Why? 192.168.10.1 is "this firewall" / the sense's LAN IP, correct? Use the sense's WG IP instead (192.168.20.1 I guess)

These are the rules for my WG (Roadwarrior) interface for reference:

1. This is intentional - I followed the manual at https://www.youtube.com/watch?v=kYFNa_zpeII . It is explained at about 14''. It also works in my config on other interfaces. Is it a wrong configuration or only another way to block traffic between interfaces and allow internet?
2. Thank you, I corrected the IP settings.
3. I corrected the rules. I used 192.168.10.1 because when I ping the firewall I can see that 192.168.10.1 is blocked. (Screenshot attached)

Unfortunately it doesn't work, on SURFACE and SAMSUNG the same behavior. The VPN connection works, ping to LAN devices works, but there is no internet.

Rules screenshot attached

Quote from: tiermutter on October 21, 2022, 06:33:26 AM
For the Windows client use allowed IPs (erlaubte IPs) = 0.0.0.0/1, 128.0.0.0/1 as Windows doesn't like to change the default route 0.0.0.0/0
I tried with 0.0.0.0/1, 128.0.0.0/1. Unfortunately it doesn't work, on SURFACE and SAMSUNG (Android) the same behavior.

Quote: Is it a wrong configuration or only another way to block traffic between interfaces and allow internet?
No, it is not really wrong, but you are allowing all traffic explicitly for the two configured WG clients and as last match you're allowing any traffic from any...?! Then, you allow DNS with the sense as destination, but this case is already covered by "allow S21/surface to any", so there are some obsolete rules.

Quote: The VPN connection works, ping to LAN devices works, but there is no internet.
Is it really traffic to the internet that doesn't work, or is it just DNS not working?

I suggest cleaning up the FW rules, maybe start with one rule "allow WG to any" as you are doing nothing else with those rules for the only two clients that can connect to the WG interface. If you need to block something, place those block rules before "allow any", everything first match.
i am not an expert... just trying to help...
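The two replies above turn on how pf-style rules are evaluated on the WG interface: pf walks the whole list and the last matching rule wins, except that a matching "quick" rule (OPNsense's default, i.e. first match) ends evaluation immediately, which is why a last-match "allow internet" loses to an earlier quick "reject private networks" and why block rules belong before a first-match "allow any". The following is an added example, not code from the thread or from OPNsense, that models only those mechanics, not the original poster's complete rule set; the WG tunnel 192.168.20.0/24 with the firewall at 192.168.20.1, the LAN 192.168.10.0/24 with the firewall at 192.168.10.1, the client address and the SSH block rule in the cleaned set are constructed to mirror the thread.

```python
"""Model of pf rule evaluation on a WireGuard interface: last match wins, but a
matching quick rule stops evaluation. Networks, hosts and rule names are
constructed to mirror the thread; this is not OPNsense code."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WG_NET = "192.168.20.0/24"   # constructed WG tunnel network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "pass" or "block"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR, "any" or "rfc1918" (private-network alias)
    proto: str = "any"       # "any", "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    quick: bool = True       # True = first match (OPNsense default), False = last match


def _in(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Does an address match a rule's src/dst specification?"""
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(addr in net for net in RFC1918)
    return addr in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src: str, dst: str, proto: str, dport: Optional[int] = None):
    """pf semantics: the last matching rule wins unless a matching quick rule ends
    the walk. Returns (action, rule name); nothing matching means block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = ("block", "default deny")
    for r in rules:
        matches = (_in(r.src, s) and _in(r.dst, d)
                   and r.proto in ("any", proto)
                   and (r.dport is None or r.dport == dport))
        if matches:
            verdict = (r.action, r.name)
            if r.quick:
                break
    return verdict


def effective_source(spec: str) -> str:
    """Point 2 of the reply: a host address written with /24 matches the whole subnet."""
    return str(ipaddress.ip_network(spec, strict=False))


# Rule order as described in the thread: DNS allowed only towards the LAN address,
# a quick reject of private destinations, and "allow internet" as a last-match rule.
ORIGINAL = [
    Rule("allow DNS", "pass", WG_NET, "192.168.10.1/32", "udp", 53),
    Rule("reject private networks", "block", WG_NET, "rfc1918"),
    Rule("WG allow internet", "pass", WG_NET, "any", quick=False),
]

# The suggested cleanup: one "allow WG to any", with any block placed before it
# so that first match handles it (the SSH block is a constructed placeholder).
CLEANED = [
    Rule("block WG to firewall SSH", "block", WG_NET, "192.168.10.1/32", "tcp", 22),
    Rule("allow WG to any", "pass", WG_NET, "any"),
]

if __name__ == "__main__":
    client = "192.168.20.10"   # constructed WG client address
    for label, rules in (("original", ORIGINAL), ("cleaned", CLEANED)):
        print(f"--- {label} rule order ---")
        print("HTTPS to 1.1.1.1:      ", evaluate(rules, client, "1.1.1.1", "tcp", 443))
        print("DNS to WG IP of sense: ", evaluate(rules, client, "192.168.20.1", "udp", 53))
        print("ping LAN host:         ", evaluate(rules, client, "192.168.10.50", "icmp"))
    print("source 192.168.20.2/24 really means", effective_source("192.168.20.2/24"))
```

In the original order a connection to a public address still passes via the last-match rule, but DNS sent to the firewall's WG address is caught by the quick "reject private networks" rule because the only DNS allow points at the LAN address; that is the split the reply asks about (internet versus DNS). In the cleaned order the single first-match allow covers all three, and only the explicitly placed block before it is ever hit.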

To be honest, it is only HOMELAB infrastructure, so for a short test I can do anything :)

One question: in this manual https://homenetworkguy.com/how-to/configure-wireguard-opnsense/ I read that if I create a WG interface I don't have to create NAT port forwarding, and I don't have to configure IPv4 in the interface settings. Is that right?

Quote: I suggest cleaning up the FW rules, maybe start with one rule "allow WG to any" as you are doing nothing else with those rules for the only two clients that can connect to the WG interface. If you need to block something, place those block rules before "allow any", everything first match.
I've created this rule and deactivated all the others. Now I receive many DNS and ICMP blocks.

Another strange behavior: in the firewall log I can see many blocks, but if I set the filter to WireGuard I can't see the blocks anymore. Maybe there is something wrong with my interface?