Roadwarrior and WireGuard - How to get it working?

[knebb]

Hi guys,

I am new to OPNSense and Wireguard and trying to get it up and running with a road warrior as client. I am used to pfSense for years with OpenVPN and it worked fine.

However, I do not get it running with OPNSense/ Wireguard.

I configured the Wireguard on OPNSense based on the documentation and the help of this article.

To configure my Debian11 client I used this link.

Currently my configuration looks like this:
On Debian11:

Code: [Select]

root@www:~# cat /etc/wireguard/wg0.conf
# define the local WireGuard interface (client)
[Interface]

# contents of file wg-private.key that was recently created
PrivateKey = 8OnGEbyl8sJG3456795wVWfGurmyFjIRqkjL16ix0k0=

ListenPort = 39026
# define the remote WireGuard interface (server)
[Peer]

# contents of wg-public.key on the WireGuard server
PublicKey  = 27Pu1yyz2qw7DNF4m+mVn5gD/yS/9BBYp9Yqo+HqVTU=

# the IP address of the server on the WireGuard network
AllowedIPs = 10.160.0.1/32

# public IP address and port of the WireGuard server
Endpoint = dns.name.com:11950

The "local" part on my OPNSense looks like this:

Code: [Select]

root@opnsense2:~ # cat /usr/local/etc/wireguard/wg1.conf
[Interface]
PrivateKey = GCeK43mnQwtekhnG1dgN3eUes8+qYCmA=
Address = 10.160.0.1/24
ListenPort = 11950

[Peer]
# friendly_name = RW-VPN
PublicKey = 27Pu1yy7DNF4m+mVn5g9BBYp9Yqo+HqVTU=
Endpoint = ip.of.rw.client:39026
AllowedIPs = 10.160.0.2/24

I have additional firewall rules to allow the 11950 port as well as all traffic within the tunnel. And I have configured the wg1 interface in the Network section (not sure if needed, though).

Once setup and configured the "wg" command tells me the tunnel is up and running on both sides:

Code: [Select]

root@www:~# wg show wg0
interface: wg0
  public key: 27Pu1yyz2qw7DNF4m+mVn5gD/yS/9BBYp9Yqo+HqVTU=
  private key: (hidden)
  listening port: 39026

And on the server side:

Code: [Select]

root@opnsense2:~ # wg show wg1
interface: wg1
  public key: aNgUGpyjamqFPxbwK0Niy+HyesugijGTm1U=
  private key: (hidden)
  listening port: 11950

peer: 27Pu1yyz2qw7DNFm+mVn5gD/yS/9BBYp9Yqo+HqVTU=
  endpoint: ip.of.client.rw:39026
  allowed ips: 10.160.0.0/24
  transfer: 0 B received, 148 B sent

A "ping" from server to client just give not readable output.
And from client to server tells me something about a key:

Code: [Select]

root@www:~# ping 10.160.0.1
PING 10.160.0.1 (10.160.0.1) 56(84) bytes of data.
From 10.160.0.2 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Der notwendige Schlüssel ist nicht verfügbar
From 10.160.0.2 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Der notwendige Schlüssel ist nicht verfügbar
^C
--- 10.160.0.1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms

Can anyone of you cool guys bring me on track? Thanks a lot!

/KNEBB

[CJ]

Was there a reason you didn't use the official docs?

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

[knebb]

Hi,

you are right- somehow I did not see the correct docs and mixed it up with net-2-net.

However, I now tried again and followed the official documentation you mentioned.

Still no luck

My client is running Debian 11.7 with wireguard v1.0.20210223-1. To be upgraded once Wireshark up and running.

I did add the file /etc/network/interfaces.d/wg0:

Code: [Select]

# indicate that wg0 should be created when the system boots, and on ifup -a
auto wg0

# describe wg0 as an IPv4 interface with static address
iface wg0 inet static

        # the IP address of this client on the WireGuard network
        address 10.10.10.2/32

        # before ifup, create the device with this ip link command
        pre-up ip link add $IFACE type wireguard

        # before ifup, set the WireGuard config from earlier
        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf

        # after ifdown, destroy the wg0 interface
        post-down ip link del $IFACE

I did create the the file /etc/wireguard/wg0.conf:

Code: [Select]

# define the local WireGuard interface (client)
[Interface]
#Address = 10.10.10.2/32
# contents of file wg-private.key that was recently created
PrivateKey = 8On*ix0k0=

#ListenPort = 39026
# define the remote WireGuard interface (server)
[Peer]

# contents of wg-public.key on the WireGuard server
PublicKey  = ZA6*ipXg=

# the IP address of the remote network(s)
AllowedIPs = 192.168.8.0/24

# public IP address and port of the WireGuard server
Endpoint = [public ip of server]:51280
There is one issue with the documentation on step 7:
When adding the "address" statement to thew wg0.conf  as written I am getting a parsing error:

Code: [Select]

root@client:/etc# ifup wg0
Line unrecognized: `Address=10.10.10.2/32'
Configuration parsing error
ifup: failed to bring up wg0

So I uncommented it in wg0.conf and added it to /etc/network/interfaces.d/wg0 as shown above.

I created the interface and the rules according to documentation.

But still no luck

On my client I see:

Code: [Select]

root@netcup:/etc# wg
interface: wg0
  public key: 27Pu1yyz*p9Yqo+HqVTU=
  private key: (hidden)
  listening port: 51838

peer: ZA6BNlmf7z*jj32rKDDh5l6WipXg=
  endpoint: publicsrvip:51280
  allowed ips: 192.168.8.0/24
Anyone having hints how to get it up and running?
Thanks!

/KNEBB

[MoonbeamFrame]

On my Debian derivatives (Mint/Cinnamon) I installed wireguard-tools.

Generated the keys using:

$ umask 077
$ wg genkey | tee private.key | wg pubkey > public.key

(I also generate a shared secret)

These were stored in /etc/wireguard/

The fields I set in the conf file are:

[Interface]
Address = x.x.x.x/32
DNS =
PrivateKey =
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey =
PreSharedKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint =

I also use a Wirguard toolbar Applet to start/stop the tunnel.

HTH

[knebb]

Hi,

thanks for replying. Interesting to see your configuration as there is nowhere written down the IP address of the server to connect to.

Anyways. I already mentioned in the [Interface] section my wireguard complains about bad syntax. The "Address="" statement will not work here. I guess it is a version issue. But so far I can not upgrade to up-to-date Debian and I am stuck at v11.


Any other ideas when checking my configuration?

thanks!
/KNEBB

[knebb]

Update:

I had the wron "local" address on my Wireguard server- I entered the network address (10.10.10.0/24) instead of host address (10.10.10.1/24).

Fixed this and now I can ping my wireguard IP from my client.

First success. Now I have to check how I can tell my client to set the additional routes to my local networks when connected. Any hints?

/KNEBB