Can't access LAN from WireGuard VPN client

[guest36829]

Hi, I've been going through the process of trying to setup a wireguard tunnel so I can access my local network resources from outside my network, i've been trying to use wireguard for this.

While I am able to connect to it and use the internet in it and connect to my opnsense on 10.0.0.1, I'm not able to access any of my local network resources.

This is how I currently have it set up:

OPT1 interface (wireguard) on 10.0.1.1/24

Wireguard client on 10.0.1.2/32

LAN subnet on 10.0.0.1/24

I have added a rule to allow OPT1 to access all, and while looking at my logs for the firewall it DOES seem to let the wireguard client send requests to my LAN, nothing ever seems to be returned from the LAN, and I have no idea why.

What i'm trying to access is my media server on 10.0.0.30:8096, but this doesn't work, it sends the request but nothing ever comes back after it's let through the firewall.

I've been struggling with this for a few days now, is there something i've been missing? I've gone through MULTIPLE different tutorials and they just seem to be able to get LAN access straight away.

[Demusman]

Post wireguard config and firewall rules on both interfaces.

[guest36829]

Here is the wireguard config: https://i.imgur.com/AL1u80w.png

Endpoint: https://i.imgur.com/UZL49uU.png

Client: https://i.imgur.com/0T2RSnb.jpg

OPT1 rules: https://i.imgur.com/WD8U5Mv.png

LAN rules: https://i.imgur.com/ZTokTzw.png

[Demusman]

Your DNS rule isn't doing anything. Move it above the any any rules.

Change the peer interface address to a /24. The /32 goes in the allowed IP filed but you're doing a full tunnel so it won't be needed.
Change the allowed IP's to 0.0.0.0/0

[guest36829]

I've done that but still no luck, no access to my LAN at all.

LAN rules: https://i.imgur.com/aNjDHnZ.png

Client: https://i.imgur.com/BXYnAEg.png

[cookiemonster]

You could try this guide https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

[guest36829]

I did already try everything in this guide, this was one of the ones I looked at to try and get it setup.

[Demusman]

Post your actual config, not snipped pictures of it. Help us help you!

Did you check the routes?
Did you try a packet capture?
Is this only 1 client?

[guest36829]

Not sure how I should actually post the config, especially with regards to security....

I did try a trace route but there it simply can't even find 10.0.1.2 from my LAN or if you mean the actual routes, it seems to be set up correctly? https://i.imgur.com/9yOhoah.png

I did a packet capture and it just tries to keep sending the requests to 10.0.0.30 (the lan client i'm trying to connect to) and a bunch of ARP request to it, but with no response, so I suppose it's not even entering the LAN https://i.imgur.com/7aix65o.png

keep in mind when viewing the log files in the firewall live view it does seem to pass these and lets them through: https://i.imgur.com/7tZqmSd.png

and yes, it's only one client i'm trying to test this with at the moment.

[Patrick M. Hausen]

Just remove the private keys and you are safe posting the configuration.

[guest36829]

Here is my wireguard config:

Code: [Select]

    <wireguard>
      <server version="0.0.4">
        <servers>
          <server uuid="4b5cee75-577f-4f41-8e26-d688f98ccd16">
            <enabled>1</enabled>
            <name>wg1</name>
            <instance>1</instance>
            <pubkey>[REDACTED]</pubkey>
            <privkey>[REDACTED]</privkey>
            <port>51820</port>
            <mtu/>
            <dns>10.0.0.30</dns>
            <tunneladdress>10.0.1.1/24</tunneladdress>
            <disableroutes>0</disableroutes>
            <gateway/>
            <peers>5826191e-13b1-4d53-8540-58b00c2c78d5</peers>
          </server>
        </servers>
      </server>
      <general version="0.0.1">
        <enabled>1</enabled>
      </general>
      <client version="0.0.7">
        <clients>
          <client uuid="5826191e-13b1-4d53-8540-58b00c2c78d5">
            <enabled>1</enabled>
            <name>iOS01</name>
            <pubkey>[REDACTED]</pubkey>
            <psk/>
            <tunneladdress>10.0.1.2/32</tunneladdress>
            <serveraddress/>
            <serverport/>
            <keepalive/>
          </client>
        </clients>
      </client>
    </wireguard>
and all of my firewall rules:

Code: [Select]

<nat>
    <outbound>
      <mode>hybrid</mode>
      <rule/>
    </outbound>
    <rule>
      <protocol>tcp/udp</protocol>
      <interface>lan</interface>
      <category/>
      <ipprotocol>inet</ipprotocol>
      <descr>Allow PiHole to reach external DNS servers</descr>
      <tag/>
      <tagged/>
      <poolopts/>
      <associated-rule-id/>
      <nordr>1</nordr>
      <source>
        <address>10.0.0.30/24</address>
      </source>
      <destination>
        <any>1</any>
        <port>53</port>
      </destination>
      <updated>
        <username>root@10.0.0.107</username>
        <time>1674785066.7003</time>
        <description>/firewall_nat_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.0.0.107</username>
        <time>1674781322.0168</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <protocol>tcp/udp</protocol>
      <interface>lan</interface>
      <category/>
      <ipprotocol>inet</ipprotocol>
      <descr>Intercept any outgoing DNS queries and redirect them to PiHole.</descr>
      <tag/>
      <tagged/>
      <poolopts/>
      <associated-rule-id>nat_63d321d5164c60.99056460</associated-rule-id>
      <target>10.0.0.30</target>
      <local-port>53</local-port>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <address>10.0.0.30/24</address>
        <not>1</not>
        <port>53</port>
      </destination>
      <updated>
        <username>root@10.0.0.107</username>
        <time>1674783657.6567</time>
        <description>/firewall_nat_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.0.0.107</username>
        <time>1674781141.0927</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>
  </nat>
  <filter>
    <rule uuid="71167ca6-d6a2-414c-a1e5-444754a3e404">
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <direction>in</direction>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>wanip</network>
        <port>51820</port>
      </destination>
      <updated>
        <username>root@10.0.0.107</username>
        <time>1675680437.0935</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.0.0.107</username>
        <time>1675680437.0935</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="9e0ebb67-5dd9-441f-a704-2e1396437977">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <direction>in</direction>
      <quick>1</quick>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <network>opt1</network>
      </destination>
      <updated>
        <username>root@10.0.0.107</username>
        <time>1675712245.7933</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.0.0.107</username>
        <time>1675712245.7933</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="a141d439-92d0-4138-8b0e-9192a1f29a08">
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <direction>in</direction>
      <quick>1</quick>
      <source>
        <network>opt1</network>
      </source>
      <destination>
        <network>lan</network>
      </destination>
      <updated>
        <username>root@10.0.0.107</username>
        <time>1675712190.5965</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.0.0.107</username>
        <time>1675712190.5965</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="d9dccc48-2d74-4e07-a560-41bdbed103d6">
      <source>
        <network>lan</network>
      </source>
      <interface>lan</interface>
      <statetype>keep state</statetype>
      <protocol>tcp/udp</protocol>
      <ipprotocol>inet</ipprotocol>
      <destination>
        <address>10.0.0.30</address>
        <port>53</port>
      </destination>
      <descr>Intercept any outgoing DNS queries and redirect them to PiHole.</descr>
      <category/>
      <associated-rule-id>nat_63d321d5164c60.99056460</associated-rule-id>
      <created>
        <username>root@10.0.0.107</username>
        <time>1674781141.0917</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="9c46069a-01d2-493b-8da7-f23a543ad197">
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <descr>Default allow LAN to any rule</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule uuid="ac86a077-2add-43cb-b987-1735d867b6d9">
      <type>pass</type>
      <ipprotocol>inet6</ipprotocol>
      <descr>Default allow LAN IPv6 to any rule</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule uuid="73cabe68-b833-46a0-bcec-524a0a13d0ce">
      <type>pass</type>
      <interface>opt1</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <source>
        <network>opt1</network>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@10.0.0.107</username>
        <time>1675682813.5935</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.0.0.107</username>
        <time>1675680539.5684</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
  </filter>

[Demusman]

All you had to do was post the config from the wireguard interface. I believe it's the status page but don't have access to verify right now.
For rules, post screenshots of the rules page with the interfaces at the top included.

I've seen this on this board a ton, not sure what tutorials you guys are following but you're doing this wrong.
The client interface address should be the correct subnet mask, not a /32. The allowed IP's will be the /32. Specifically 10.0.1.2/32 for you.

Change the peer interface address to a /24.

Post your clients config.
It should look like this:

Code: [Select]

[Interface]
PrivateKey = [REMOVED]
Address = 10.0.1.2/24

[Peer]
PublicKey = [REMOVED]
AllowedIPs = 10.0.0.0/24, 10.0.1.1/32
Endpoint = [REMOVED]:51820


[Greelan]

I've seen this on this board a ton, not sure what tutorials you guys are following but you're doing this wrong.
The client interface address should be the correct subnet mask, not a /32. The allowed IP's will be the /32. Specifically 10.0.1.2/32 for you.

You keep stating this, but it is just not true in the context of a road warrior type setup where the "clients" are not relaying traffic. Sure, changing to /24 will work too, but using /32 is not the cause of any issue in this case. It's just a red herring.

Couple of other references for your information:

- section 3 of https://wiki.archlinux.org/title/WireGuard

- step 4 of https://github.com/pirate/wireguard-docs#QuickStart

[guest36829]

Yeah.... I'd say that's a red herring, and I did try doing that during my troubleshooting, but to no avail. From everything I've looked at, all evidence points to be more likely being a firewall problem since it doesn't even seem to be able to respond back, so maybe it was something I did something wrong there or something that is missing. Which is why I posted in these forums 

[cookiemonster]

Can you try to link the images on this forum without having to go to the hosting when clicking? It would help.
You can connect the peer from out to the firewall and the problem is that you can't get to a resource on the LAN once you're connected, right?
Let's clear things a bit. Full configs aren't too easy to read.
We'll need an image of your relevant firewall rules for the interfaces in play.
What will be good to see is the network segment the peer is in, what segment of your internal network you want it to be able to reach and what rules are in place that might allow or prevent it at present.