wireguard setup

Started by jmcgee, February 21, 2023, 09:41:58 PM

I am trying to set up my Windows laptop to access my home network and route all internet traffic through that connection.
My LAN network is 192.168.1.1.  The OPNsense router is at 192.168.1.1 and all the devices follow that.

I am confused about what network to present to the remote clients. I used this guide.
https://0x2142.com/how-to-set-up-wireguard-on-opnsense/?utm_source=YouTube&utm_campaign=opnwireguard



The Windows laptop WireGuard client stops with this:
2023-02-21 14:24:03.163: [TUN] [WindowsOPensnce] Starting WireGuard/0.5.3 (Windows 10.0.19045; amd64)
2023-02-21 14:24:03.163: [TUN] [WindowsOPensnce] Watching network interfaces
2023-02-21 14:24:03.167: [TUN] [WindowsOPensnce] Resolving DNS names
2023-02-21 14:24:03.456: [TUN] [WindowsOPensnce] Creating network adapter
2023-02-21 14:24:04.181: [TUN] [WindowsOPensnce] Using existing driver 0.10
2023-02-21 14:24:04.192: [TUN] [WindowsOPensnce] Creating adapter
2023-02-21 14:24:04.514: [TUN] [WindowsOPensnce] Using WireGuardNT/0.10
2023-02-21 14:24:04.514: [TUN] [WindowsOPensnce] Enabling firewall rules
2023-02-21 14:24:04.423: [TUN] [WindowsOPensnce] Interface created
2023-02-21 14:24:04.532: [TUN] [WindowsOPensnce] Dropping privileges
2023-02-21 14:24:04.532: [TUN] [WindowsOPensnce] Setting interface configuration
2023-02-21 14:24:04.532: [TUN] [WindowsOPensnce] Peer 1 created
2023-02-21 14:24:04.536: [TUN] [WindowsOPensnce] Monitoring MTU of default v6 routes
2023-02-21 14:24:04.536: [TUN] [WindowsOPensnce] Interface up
2023-02-21 14:24:04.559: [TUN] [WindowsOPensnce] Setting device v6 addresses
2023-02-21 14:24:04.611: [TUN] [WindowsOPensnce] Monitoring MTU of default v4 routes
2023-02-21 14:24:04.611: [TUN] [WindowsOPensnce] Setting device v4 addresses
2023-02-21 14:24:04.682: [TUN] [WindowsOPensnce] Startup complete
2023-02-21 14:24:04.681: [TUN] [WindowsOPensnce] Sending handshake initiation to peer 1 (192.168.12.133:51820)
2023-02-21 14:24:09.687: [TUN] [WindowsOPensnce] Sending handshake initiation to peer 1 (192.168.12.133:51820)
2023-02-21 14:24:14.770: [TUN] [WindowsOPensnce] Handshake for peer 1 (192.168.12.133:51820) did not complete after 5 seconds, retrying (try 2)
2023-02-21 14:24:14.770: [TUN] [WindowsOPensnce] Sending handshake initiation to peer 1 (192.168.12.133:51820)
2023-02-21 14:24:19.928: [TUN] [WindowsOPensnce] Handshake for peer 1 (192.168.12.133:51820) did not complete after 5 seconds, retrying (try 2)
2023-02-21 14:24:19.928: [TUN] [WindowsOPensnce] Sending handshake initiation to peer 1 (192.168.12.133:51820)
2023-02-21 14:24:25.012: [TUN] [WindowsOPensnce] Sending handshake initiation to peer 1 (192.168.12.133:51820)
2023-02-21 14:24:30.025: [TUN] [WindowsOPensnce] Sending handshake initiation to peer 1 (192.168.12.133:51820)
2023-02-21 14:24:35.140: [TUN] [WindowsOPensnce] Handshake for peer 1 (192.168.12.133:51820) did not complete after 5 seconds, retrying (try 2)
2023-02-21 14:24:35.140: [TUN] [WindowsOPensnce] Sending handshake initiation to peer 1 (192.168.12.133:51820)


Tunnel address on router Wireguard local is 10.50.50.1/24
Endpoint allowed address on router is 10.50.50.15/32

On Windows WireGuard client I have Interface Address at 10.50.50.15/32
On Windows WireGuard client I have DNS at 192.168.1.1


I've never used wireguard myself (so I could be completely off base here), but it seems strange that in the logs you have an address of 192.168.12.133 being listed.  That isn't part of your network architecture that you laid out.  Perhaps you mistyped an address in the setup.
Just a hobbyist trying to figure all this out.

Good pickup. Looks like the client is configured to use the wrong endpoint.

I have tried the Roadwarrior setup guide in the past with no luck. So I blew everything out on the router and the Windows WireGuard client. Rebooted OPNsense.  No difference.

Client on Windows machine has Interface set to 10.10.10.2/32
Client on Windows machine has Allowed IPs set to 0.0.0.0/0
Windows machine says it is connected.

WireGuard on OPNsense has 10.10.10.2/32 on Endpoint allowed IPs.
WireGuard on OPNsense Local has tunnel address set to 10.10.10.1/24
WireGuard status for the Windows machine shows peer: XXX(public key)
  allowed ips: 10.10.10.2/32

I have the OPNsense router connected to a Charter internet modem.  The Windows laptop is tethered to my T-Mobile cell phone.


Not a lot of detail to go on there. What about firewall rules for the WAN and WireGuard interfaces? Are you sure the public and private keys have been entered in the right spots? Show all of your WG config, hiding private keys.

Does this help?  Ignore SC in the Windows WireGuard setup.



And WireGuard firewall rules

One immediate thing that jumps out is that the public key on the client config for the peer (i.e. OPNsense) does not match the public key in the local config on OPNsense.

You are absolutely CORRECT!  Thank you!!! I have access through OPNsense to the internet and to my devices inside the network.

I spoke too soon. Somehow I enabled Wi-Fi on the phone and apparently it was going through that, not the VPN. Once I turned that off, no connection.  Here is the log from the Windows machine.

2023-02-23 17:39:12.619247: [TUN] [HomeWireguard] Starting WireGuard/0.5.3 (Windows 10.0.19045; amd64)
2023-02-23 17:39:12.619247: [TUN] [HomeWireguard] Watching network interfaces
2023-02-23 17:39:12.621330: [TUN] [HomeWireguard] Resolving DNS names
2023-02-23 17:39:12.621330: [TUN] [HomeWireguard] Creating network adapter
2023-02-23 17:39:12.889536: [TUN] [HomeWireguard] Using existing driver 0.10
2023-02-23 17:39:12.893324: [TUN] [HomeWireguard] Creating adapter
2023-02-23 17:39:13.117849: [TUN] [HomeWireguard] Using WireGuardNT/0.10
2023-02-23 17:39:13.118353: [TUN] [HomeWireguard] Enabling firewall rules
2023-02-23 17:39:13.062990: [TUN] [HomeWireguard] Interface created
2023-02-23 17:39:13.124101: [TUN] [HomeWireguard] Dropping privileges
2023-02-23 17:39:13.124101: [TUN] [HomeWireguard] Setting interface configuration
2023-02-23 17:39:13.125130: [TUN] [HomeWireguard] Peer 1 created
2023-02-23 17:39:13.128680: [TUN] [HomeWireguard] Monitoring MTU of default v6 routes
2023-02-23 17:39:13.129678: [TUN] [HomeWireguard] Setting device v6 addresses
2023-02-23 17:39:13.128680: [TUN] [HomeWireguard] Interface up
2023-02-23 17:39:13.167642: [TUN] [HomeWireguard] Monitoring MTU of default v4 routes
2023-02-23 17:39:13.167642: [TUN] [HomeWireguard] Setting device v4 addresses
2023-02-23 17:39:13.172146: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:13.196460: [TUN] [HomeWireguard] Startup complete
2023-02-23 17:39:18.313660: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:23.363984: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:28.436557: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:33.448411: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:38.452271: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:43.464684: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:48.472969: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:53.514083: [TUN] [HomeWireguard] Handshake for peer 1 (35.134.114.134:51820) did not complete after 5 seconds, retrying (try 2)
2023-02-23 17:39:53.514083: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
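
Both client logs in this thread show handshake initiations that never get an answer. As an added example (not part of any post above, and not WireGuard's or OPNsense's own code), this Python script reads such a log and names the likely cause; the `Receiving handshake response` success marker, the function names and the hint wording are assumptions.

```python
import ipaddress
import re

# Excerpts from the two client logs quoted in this thread.
LOG_PRIVATE = """\
2023-02-21 14:24:04.681: [TUN] [WindowsOPensnce] Sending handshake initiation to peer 1 (192.168.12.133:51820)
2023-02-21 14:24:09.687: [TUN] [WindowsOPensnce] Sending handshake initiation to peer 1 (192.168.12.133:51820)
2023-02-21 14:24:14.770: [TUN] [WindowsOPensnce] Handshake for peer 1 (192.168.12.133:51820) did not complete after 5 seconds, retrying (try 2)
"""
LOG_PUBLIC = """\
2023-02-23 17:39:13.172146: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:18.313660: [TUN] [HomeWireguard] Sending handshake initiation to peer 1 (35.134.114.134:51820)
2023-02-23 17:39:53.514083: [TUN] [HomeWireguard] Handshake for peer 1 (35.134.114.134:51820) did not complete after 5 seconds, retrying (try 2)
"""

SENT = re.compile(r"Sending handshake initiation to peer (\d+) \(([\d.]+):(\d+)\)")
# Assumption: the client logs this line once the peer answers.
RECV = re.compile(r"Receiving handshake response from peer (\d+)")

def hint(peer):
    """Map one peer's handshake state to the checks raised in the thread."""
    if peer["answered"]:
        return "handshake completed"
    ip = ipaddress.ip_address(peer["endpoint"].rsplit(":", 1)[0])
    if ip.is_private:
        return "endpoint is a private address: not reachable from outside that LAN"
    # WireGuard stays silent on packets it cannot authenticate, so a wrong
    # peer public key looks the same from the client as a dropped packet.
    return "no reply from public endpoint: check WAN rule for the UDP port and the peer public key"

def diagnose(log_text):
    """Return {peer_id: {endpoint, attempts, answered, hint}} for a client log."""
    peers = {}
    for line in log_text.splitlines():
        sent, recv = SENT.search(line), RECV.search(line)
        match = sent or recv
        if not match:
            continue
        peer = peers.setdefault(
            match.group(1), {"endpoint": None, "attempts": 0, "answered": False})
        if sent:
            peer["endpoint"] = f"{sent.group(2)}:{sent.group(3)}"
            peer["attempts"] += 1
        else:
            peer["answered"] = True
    for peer in peers.values():
        peer["hint"] = hint(peer)
    return peers
```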

Do a sniff on the WAN port 51820. Do you see any traffic?

How do I do a sniff on port 51820?  I used Netstat on Android but nothing.

OK, I went through setup again, and I have a connection from the Android phone over the T-Mobile network to my OPNsense router.  I can browse the internet and get to the router at 192.168.1.1.  Where would I look to change it to see the rest of the internal network?