Wireguard Client Issues Passing Traffic

Started by shrekfx, March 25, 2023, 11:36:36 PM

I'm going to apologize right off the bat for the long post.  I have been working on this for days now and for the life of me, can't figure out what is wrong.  I have removed the VPN tunnel, rules for it, and started over again using the OPNsense guide https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html.

I'll post my configuration and hope someone smarter than me can figure out what I'm doing wrong.

First I have the Local and Endpoint set up with the keys in the VPN/Wireguard.

https://filerun.photosandbrew.xyz/wl/?id=vVuBCdi6DjdfxF89D76dfd7DD8aWp9nI

https://filerun.photosandbrew.xyz/wl/?id=OjcufWbascryZFlkGot6SqkbXatTcnbk

I assigned the VPN to an interface and enabled it.

https://filerun.photosandbrew.xyz/wl/?id=EthJSTpN2WDN8mmTdO12389rrx8hUqvk

I then created the gateway.

https://filerun.photosandbrew.xyz/wl/?id=btQam2dAXALq5ikCqPmQOtasvrLnrRPB

I created two aliases.  One for my device to be used on this tunnel and one for the local access as outlined in the guide.

https://filerun.photosandbrew.xyz/wl/?id=xP2mxmoBSrH3Hojb6OJgr7E8zXP1a3jh

https://filerun.photosandbrew.xyz/wl/?id=adsCcbLPmQJ6pDgwwZgwGRYdgqqpJhbx

Next I created the firewall rules.
LAN Rules

https://filerun.photosandbrew.xyz/wl/?id=Du7AJQfide57IuyfeXLlo4zm7x9eSVAw

https://filerun.photosandbrew.xyz/wl/?id=lpTzcJm6YzE4dlYS2PI0xBMjsDrtQc0b

Floating Rules

https://filerun.photosandbrew.xyz/wl/?id=9y85DwAr8qoPbpFmJWScvtHbyGtRzcYi

Outbound NAT rules

https://filerun.photosandbrew.xyz/wl/?id=Tu6KIVQm312djBTktfmmLXb2PPmo1vd1

I did not put in a kill switch yet.  But this is everything I've done with this.  I'm able to connect to my local resources, but cannot get out to the internet.  In the future, I want to start using AdGuard on my OPNsense and turn off Unbound; I'll have to tackle that later.  What am I missing?

I followed the document settings, but I can't pass traffic. I have tested many settings, but the problem still exists.

OP, why are you masking the tunnel address and gateway address?

Why is the tunnel address a /16?

Have you included the correct gateway on the OPNsense local config?

I set up exactly according to this document, and I can access the LAN resources of the server, but the Internet cannot be accessed through the server. I have tested using OpenWrt or Windows WireGuard to connect to the server and everything is normal, but there is a problem with OPNsense as a client accessing the Internet through the server. This problem has plagued me for a long time. Can anyone help me? Thanks

Rather than hijacking someone else's thread, make your own post and get help there. Your issue and setup may be completely different to the OP's and you are only confusing things.

Quote from: Greelan on March 27, 2023, 03:54:46 PM
OP, why are you masking the tunnel address and gateway address?

Why is the tunnel address a /16?

Have you included the correct gateway on the OPNsense local config?

You know, that's a good question.  I was tired when I was grabbing screen shots and I think I just started masking any IP I saw.

The tunnel address is a /16 since it called for it on the SurfShark config and it matched the instructions.

For the gateway on the OPNsense local config, I might be confused on what you mean by this.

This is the gateway of the VPN tunnel

https://filerun.photosandbrew.xyz/wl/?id=zc3XfZ6hHww08cb0vagQmcc2dkYwBzrX

This is what I have set in the gateway section in OPNsense.

https://filerun.photosandbrew.xyz/wl/?id=cdJmySSmHNzb0cNXHaSf3SdrCGvY96bB

It shows online to the endpoint IP.  When I do a traceroute through that gateway, I see it go through the tunnel so I would think the tunnel works... Right??

Here is the .conf from SurfShark that I am using. I haven't done anything with the DNS IP since I want the VPN to use AdGuard for DNS.

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = <insert_your_private_key_here>
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = Smruh1SmMqi7CecjV/+yI4Sy62gpAr+Uddq+9K6iLB0=
AllowedIPs = 0.0.0.0/0
Endpoint = 45.43.19.209:51820

So I rebuilt the rules again and this is weird. I can traceroute from the VPN tunnel and it connects and completes. I have my cell phone set to be the only thing to route through it and I can get to Google, but I can't get to any other domain.

https://filerun.photosandbrew.xyz/wl/?id=IOYS7ym9NBNW7oOgLEQw4LuAVH0BKx5C

A traceroute from the phone would be more useful.

Here is the traceroute.  It hits my OPNsense but that's as far as it gets.

https://filerun.photosandbrew.xyz/wl/?id=6CdlqvkBEjfsimdwSkepu30tA6OcnSwL

I do want to add, when I disable this rule, my connection goes over my normal ISP connection and my traceroute goes all the way through.

https://filerun.photosandbrew.xyz/wl/?id=zLf8ljlHIo1ddxQvdBXMy0oQ7QLMHTjg

Quote from: shrekfx on March 25, 2023, 11:36:36 PM

I assigned the VPN to an interface and enabled it.

https://filerun.photosandbrew.xyz/wl/?id=EthJSTpN2WDN8mmTdO12389rrx8hUqvk

You need to assign an IPv4 address (10.14.0.2) to the interface.
You also might need to tick "This interface does not require an intermediate system to act as a gateway".

You actually don't. It will be auto-assigned.

OP, I will do a closer review of your config and let you know any further thoughts I have.

Do you know the tunnel IP at the SurfShark endpoint?

Would this be the endpoint at the end of this config?

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = <insert_your_private_key_here>
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = Smruh1SmMqi7CecjV/+yI4Sy62gpAr+Uddq+9K6iLB0=
AllowedIPs = 0.0.0.0/0
Endpoint = 45.43.19.209:51820

So I've gone through your configs and nothing seems immediately wrong.

A few questions:

- when the tunnel is up, do you see handshake and traffic up and down in the status tab for WG on OPNsense?

- can you try a gateway IP above the tunnel address (10.14.0.3) instead of one below it? I have a sense that 10.14.0.1 might be the tunnel endpoint IP at SurfShark. While that should still work, it would be good to try a unique one.

- this looks like your second WG interface. No conflicts with the first one?

- to rule out DNS issues, try a traceroute from your phone to 8.8.8.8 or 1.1.1.1

- what DNS is the phone actually using? Can it reach it when the tunnel is up?
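One way to turn Greelan's first question (handshake and traffic up and down in the WG status tab) into a repeatable check, as an added example for this thread and not code from OPNsense, WireGuard or any of the posters: it parses `wg show <iface> dump` output and classifies each peer. The dump below is constructed (only the peer public key and endpoint come from the posted SurfShark config), and the 180 s and 64 KiB thresholds are assumptions.

```python
"""Triage `wg show <iface> dump`: live handshake? traffic both ways?"""

STALE_AFTER = 180       # assumption: WireGuard rekeys ~every 2 min; older = no live session
KEEPALIVE_ONLY = 65536  # assumption: under 64 KiB each way is just keepalives/handshakes

# Constructed sample of `wg show wg1 dump` (tab-separated). Line 1 is the
# interface: private_key public_key listen_port fwmark. Each later line is a
# peer: public_key preshared_key endpoint allowed_ips latest_handshake rx tx keepalive.
NOW = 1679800000  # fixed "current" epoch so the sample is deterministic
SAMPLE_DUMP = "\n".join([
    "\t".join(["<private-key-redacted>", "<local-public-key>", "51820", "off"]),
    "\t".join(["Smruh1SmMqi7CecjV/+yI4Sy62gpAr+Uddq+9K6iLB0=", "(none)",
               "45.43.19.209:51820", "0.0.0.0/0", str(NOW - 40), "2132", "2356", "25"]),
])


def parse_peers(dump):
    """Return one dict per peer line of a `wg show dump`."""
    peers = []
    for line in dump.splitlines()[1:]:
        f = line.split("\t")
        peers.append({"public_key": f[0], "endpoint": f[2], "allowed_ips": f[3],
                      "latest_handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6])})
    return peers


def diagnose(peer, now=NOW):
    """Classify a peer as down, stale, idle, one-way or passing."""
    if peer["latest_handshake"] == 0:
        return "down"      # never handshook: endpoint, keys or UDP reachability
    if now - peer["latest_handshake"] > STALE_AFTER:
        return "stale"     # session lapsed; the peer stopped answering
    if peer["rx"] < KEEPALIVE_ONLY and peer["tx"] < KEEPALIVE_ONLY:
        return "idle"      # tunnel is up but no client traffic is routed into it (the OP's case)
    if peer["tx"] > KEEPALIVE_ONLY and peer["tx"] > 10 * peer["rx"]:
        return "one-way"   # traffic enters the tunnel, replies don't return (NAT/firewall)
    return "passing"


def triage(dump, now=NOW):
    """Map each peer endpoint to its diagnosis."""
    return {p["endpoint"]: diagnose(p, now) for p in parse_peers(dump)}


if __name__ == "__main__":
    for endpoint, state in triage(SAMPLE_DUMP).items():
        print(endpoint, state)
```

On OPNsense the same dump comes from `wg show wg1 dump` in a root shell; an "idle" result with a fresh handshake points at the policy-routing rules or outbound NAT rather than at the tunnel itself.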

Yes, when the tunnel is up I see the handshake and there is the small amount of keep alive traffic.

I'll try changing the gateway and see if that does anything.

It's my 2nd one, yes.  The first one is a road warrior setup to connect to my network from outside.  No conflicts there, all on a different subnet.  When I am connected to that VPN, I am able to get into my network and get out to the internet just fine over my ISP connection.  Haven't even tried over the VPN out to SurfShark yet. lol
 
I'll double check pinging those IP addresses. I'm sure I was able to before, but I will do it again.

When not on the tunnel, my phone is set to use the DNS handed out by OPNsense, which is set for AdGuard Home, which is installed on the OPNsense.  I have taken that off and run it through Unbound DNS, and have tried running it only through 1.1.1.1 and 8.8.8.8, and still no connection out to the internet via the VPN.