Can't connect to Ubuntu server via Wireguard

Started by MikeLock, August 28, 2023, 09:09:11 PM

Hello all,

I have just moved away from my old Fortigate FG100D to an OPNsense based rack server. Loving it so far! Had some issues, but they were all user-errors (this one too probably ;D)

The issue that I have is very strange. When I set up an 'allow all' rule from my 'Internet VLAN', I can SSH to my Ubuntu server on my 'Server VLAN'. When I use Wireguard (the package from OPNsense), I cannot SSH to the Ubuntu server. The 'State' mentioned in 'Diagnostics' stays on 'CLOSED:SYN_SENT'. Wg1 is mapped to the 'Wireguard VLAN' interface.

The closed state seems to say that the Wireguard VLAN can't reach the server, even though it should be reachable according to the allow all rule from the Wireguard VLAN. Everything else is working as expected, I can even SSH in to the OPNsense box.

Did I miss something?

I am still having the issue. I was hoping that some update would fix this eventually.
I have attached the Wireshark logging from my laptop to this post, as well as the Wireguard VLAN rule.

Today I gave it another thought: it could be my laptop that is causing the problem. But after a traceroute, I could see it reaching the Wireguard 'gateway' at 192.168.40.1. So the problem must be in the OPNsense system (or in my configuration of course).

Anyone have a tip on where to look?

September 24, 2023, 10:03:05 PM #2 Last Edit: September 24, 2023, 10:04:36 PM by Monviech
Probably MSS issue? Here's the fix:
Check the part about MTU and normalization rules (highlighted green)

https://github.com/opnsense/docs/pull/498/files#diff-ea8f32b1d3a75a756d1daaf6a9aefbdf601428e7ac7f21ba480f4d2ef1696f20
Hardware:
DEC740

Quote from: Monviech on September 24, 2023, 10:03:05 PM
Probably MSS issue? Here's the fix:
Check the part about MTU and normalization rules (highlighted green)

https://github.com/opnsense/docs/pull/498/files#diff-ea8f32b1d3a75a756d1daaf6a9aefbdf601428e7ac7f21ba480f4d2ef1696f20

Thanks, I have implemented it. I was very hopeful, but it didn't fix my issue :(

Should have done this before, never did, but I am also not able to ping the server while on Wireguard. Stopping my VPN connection makes pinging the server work again. The strange thing is that I can ping everything on my network via my temporary 'Allow all' rule specifically for my laptop. But using the same rule for Wireguard doesn't work for the server, everything else works. The logging of OPNsense shows that the ping/ssh is allowed, but still I am getting a timeout.

Basically, I can do everything I want on my home network via Wireguard. Except connecting to my home server.


September 25, 2023, 06:22:19 AM #4 Last Edit: September 25, 2023, 07:58:48 AM by Monviech
- Does your ubuntu home server have ufw enabled with firewall rules not allowing the wireguard IP range?

ufw status

- Also install tcpdump on your ubuntu server and run:

tcpdump -i any proto ICMP

And then ping from your laptop while it's in wireguard and see if any packet gets there.

- Does your ubuntu server use the opnsense as default gateway?

- Also, is your server in a different subnet (vlan) than your other devices? Check the allowed IPs of Wireguard on your laptop to see if it's either 0.0.0.0/0 or all IP ranges that you have at home. For example 192.168.1.0/24 172.16.1.0/24 etc... otherwise the packet isn't allowed through wireguard.
Hardware:
DEC740

Quote from: Monviech on September 25, 2023, 06:22:19 AM
- Does your ubuntu home server have ufw enabled with firewall rules not allowing the wireguard IP range?

ufw status

- Also install tcpdump on your ubuntu server and run:

tcpdump -i any proto ICMP

And then ping from your laptop while it's in wireguard and see if any packet gets there.

- Does your ubuntu server use the opnsense as default gateway?

- Also, is your server in a different subnet (vlan) than your other devices? Check the allowed IPs of Wireguard on your laptop to see if it's either 0.0.0.0/0 or all IP ranges that you have at home. For example 192.168.1.0/24 172.16.1.0/24 etc... otherwise the packet isn't allowed through wireguard.

Thanks, you have pushed me in the right direction!

ufw is inactive
Server is in another VLAN
Server uses OPNsense as the gateway
Wireguard allows all IPs

But your TCP dump tip was glorious. See the attachment. It received everything correctly, but the reply was sent to a loopback interface. And that changed my big question mark to an exclamation mark.
I migrated Wireguard from the server to OPNsense, but I forgot to delete the VLAN interface (VLAN40) on my ubuntu server which has the same IP range. That VLAN also wasn't passed to the server anymore.

Removing the VLAN from my server fixed the issue.

Many many many thanks!
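The root cause found above (a stale local interface on the server still carrying an address in the WireGuard client range, so replies are routed to that interface instead of back to OPNsense) can be checked for automatically. This is an added example, not code from the thread or from OPNsense; it parses `ip -j addr show` output, assumes the WireGuard range is 192.168.40.0/24, and ships with a constructed sample of that output so it runs offline.

```python
import ipaddress
import json
import shutil
import subprocess

# Constructed sample of `ip -j addr show` output, modelled on the thread's setup:
# a leftover vlan40 interface still carries an address in the WireGuard range.
SAMPLE_IP_ADDR_JSON = json.dumps([
    {"ifname": "lo", "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "addr_info": [{"family": "inet", "local": "192.168.20.10", "prefixlen": 24}]},
    {"ifname": "vlan40", "addr_info": [{"family": "inet", "local": "192.168.40.2", "prefixlen": 24}]},
])

# Assumed WireGuard client range (the thread only names the gateway 192.168.40.1).
VPN_CIDR = "192.168.40.0/24"


def local_networks(ip_addr_json: str):
    """Yield (ifname, network) for every IPv4 address in `ip -j addr show` output."""
    for iface in json.loads(ip_addr_json):
        for info in iface.get("addr_info", []):
            if info.get("family") != "inet":
                continue
            net = ipaddress.ip_network(f"{info['local']}/{info['prefixlen']}", strict=False)
            yield iface["ifname"], net


def conflicting_interfaces(ip_addr_json: str, vpn_cidr: str):
    """Return the names of local interfaces whose subnet overlaps the VPN client range.

    Any hit means the kernel treats VPN client addresses as directly connected and
    answers on that interface instead of sending replies to the default gateway,
    which is the symptom seen in the tcpdump capture in this thread.
    """
    vpn = ipaddress.ip_network(vpn_cidr, strict=False)
    return sorted(name for name, net in local_networks(ip_addr_json) if net.overlaps(vpn))


if __name__ == "__main__":
    # On a real host read the live address table; otherwise use the constructed sample.
    if shutil.which("ip"):
        data = subprocess.run(["ip", "-j", "addr", "show"],
                              capture_output=True, text=True, check=True).stdout
    else:
        data = SAMPLE_IP_ADDR_JSON
    hits = conflicting_interfaces(data, VPN_CIDR)
    print("interfaces overlapping the VPN range:", hits or "none")
```

Run it on the server with the VPN range you actually use; any interface it lists (vlan40 in this thread) should be removed or renumbered before blaming the firewall rules.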

Awesome, it's great when things finally work. :)
Hardware:
DEC740

Yeah! This was the only thing that didn't work out of the box when migrating from the fortigate and that was my own fault ;D