Wireguard Client Issues Passing Traffic

[shrekfx]

I'm going to apologize right off the bat for the long post.  I have been working on this for days now and for the life of me, can't figure out what is wrong.  I have removed the VPN tunnel, rules for it, and started over again using the OPNsense guide https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html.

I'll post my configuration and hoping someone smarter then me can figure out what I'm doing wrong.

First I have the Local and Endpoint set up with the keys in the VPN/Wireguard.

https://filerun.photosandbrew.xyz/wl/?id=vVuBCdi6DjdfxF89D76dfd7DD8aWp9nI

https://filerun.photosandbrew.xyz/wl/?id=OjcufWbascryZFlkGot6SqkbXatTcnbk

I assigned the VPN to an interface and enabled it.

https://filerun.photosandbrew.xyz/wl/?id=EthJSTpN2WDN8mmTdO12389rrx8hUqvk

I then created the gateway.

https://filerun.photosandbrew.xyz/wl/?id=btQam2dAXALq5ikCqPmQOtasvrLnrRPB

I created two aliases.  One for my device to be used on this tunnel and one for the local access as outlines in the guide.

https://filerun.photosandbrew.xyz/wl/?id=xP2mxmoBSrH3Hojb6OJgr7E8zXP1a3jh

https://filerun.photosandbrew.xyz/wl/?id=adsCcbLPmQJ6pDgwwZgwGRYdgqqpJhbx

Next I created the firewall rules.
Lan Rules

https://filerun.photosandbrew.xyz/wl/?id=Du7AJQfide57IuyfeXLlo4zm7x9eSVAw

https://filerun.photosandbrew.xyz/wl/?id=lpTzcJm6YzE4dlYS2PI0xBMjsDrtQc0b

Floating Rules

https://filerun.photosandbrew.xyz/wl/?id=9y85DwAr8qoPbpFmJWScvtHbyGtRzcYi

Outbound NAT rules

https://filerun.photosandbrew.xyz/wl/?id=Tu6KIVQm312djBTktfmmLXb2PPmo1vd1

I did not put in a kill switch yet.  But this is everything I've done with this.  I'm able to connect to my local resources, but cannot get out to the internet.  In the future, I want to start using Adgaurd on my OPNsense and turn of Unbound, i'll have to tackle that later.  What am I missing?

[metacyx]

I follow the document settings, but I can't Passing Traffic. I have tested many settings, but the problem still exists.

[Greelan]

OP, why are you masking the tunnel address and gateway address?

Why is the tunnel address a /16?

Have you include the correct gateway on the OPNsense local config?

[metacyx]

I set up exactly according to this document, and I can access the LAN resources of the server, but the Internet cannot be accessed through the server. I have tested using Openwrt or Windows Wireguard to connect to the server and everything is normal, but there is a problem with OPNsense as a client accessing Internet through the server. This problem plagues me. It's been a long time, can anyone help me? Thanks

[Greelan]

Rather than hijacking someone else's thread, make your own post and get help there. Your issue and setup may be completely different to the OP's and you are only confusing things.

[shrekfx]

OP, why are you masking the tunnel address and gateway address?

Why is the tunnel address a /16?

Have you include the correct gateway on the OPNsense local config?

You know, that's a good question.  I was tired when I was grabbing screen shots and I think i just started masking any IP I saw. 

The tunnel address is a /16 since it called for it on the SurfShark config and it matched the instructions.

For the gateway on the OPNsense local config, I might be confused on what you mean by this. 

This is the gateway of the VPN tunnel

https://filerun.photosandbrew.xyz/wl/?id=zc3XfZ6hHww08cb0vagQmcc2dkYwBzrX

This is what I have set in the gateway section in OPNsense.

https://filerun.photosandbrew.xyz/wl/?id=cdJmySSmHNzb0cNXHaSf3SdrCGvY96bB

It shows online to the endpoint IP.  When I do a traceroute through that gateway, I see it go through the tunnel so I would think the tunnel works... Right??

[shrekfx]

Here is the .conf from surfshark that I am using. I haven't done anything with the DNS IP since I want the VPN to us Adguard for DNS.

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = <insert_your_private_key_here>
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = Smruh1SmMqi7CecjV/+yI4Sy62gpAr+Uddq+9K6iLB0=
AllowedIPs = 0.0.0.0/0
Endpoint = 45.43.19.209:51820

[shrekfx]

So I rebuilt the rules again and this is weird. I can traceroute from the vpn tunnel and it connects and completes. I have my cell phone set to be the only thing to route through it and I can get to google, but I can't get to any other domain. 

https://filerun.photosandbrew.xyz/wl/?id=IOYS7ym9NBNW7oOgLEQw4LuAVH0BKx5C

[Greelan]

A traceroute from the phone would be more useful

[shrekfx]

Here is the traceroute.  It hits my OPNsense but that's as far as it gets.

https://filerun.photosandbrew.xyz/wl/?id=6CdlqvkBEjfsimdwSkepu30tA6OcnSwL

Do want to add, when I disable this rule, my connection goes over my normal ISP connection and my traceroute goes all the way through.

https://filerun.photosandbrew.xyz/wl/?id=zLf8ljlHIo1ddxQvdBXMy0oQ7QLMHTjg

[zan]

I assigned the VPN to an interface and enabled it.

https://filerun.photosandbrew.xyz/wl/?id=EthJSTpN2WDN8mmTdO12389rrx8hUqvk

You need to assign IPv4 address (10.14.0.2) to the interface.
Also might need to tick the "This interface does not require an intermediate system to act as a gateway".

[Greelan]

You actually don't. It will be auto-assigned.

OP, I will do a closer review of your config and let you know any further thoughts I have.

Do you know the tunnel IP at the SurfShark endpoint?

[shrekfx]

Would this be the endpoint at the end of this config.

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = <insert_your_private_key_here>
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = Smruh1SmMqi7CecjV/+yI4Sy62gpAr+Uddq+9K6iLB0=
AllowedIPs = 0.0.0.0/0
Endpoint = 45.43.19.209:51820

[Greelan]

So I've gone through your configs and nothing seems immediately wrong.

A few questions:

- when the tunnel is up, do you see handshake and traffic up and down in the status tab for WG on OPNsense?

- can you try a gateway IP that instead of one below the tunnel address, try one above (10.14.0.3). I have a sense that 10.14.0.1 might be the tunnel endpoint IP at SurfShark. While that should still work, be good to try a unique one

- this looks like your second WG interface. No conflicts with the first one?

- to rule out DNS issues, try a traceroute from your phone to 8.8.8.8 or 1.1.1.1

- what DNS is the phone actually using? Can it reach it when the tunnel is up?

[shrekfx]

Yes, when the tunnel is up I see the handshake and there is the small amount of keep alive traffic.

I'll try changing the gateway and see if that does anything.

It's my 2nd one yes.  The first one is a road warrior setup to connect to my network from outside.  No conflicts there, all on a different subnet.  When I am connected to that VPN, I am able to get into my network and get out to the internet just fine over my ISP connection.  Havent even tried over the VPN out to surfshark yet. lol
 
I'll double check pinging those IP addresses, but I'm sure i was able to before, but will do it again.

When not on the tunnel, my phone is set to use the DNS handed off by OPNsense which is set for Adguard Home, which is installed on the OPNsense.  I have took that off and ran it through Unbound DNS and have tried running it only through 1.1.1.1 and 8.8.8.8 and still no connection out to the internet via the VPN.