WireGuard client connects but can't access internet

Started by alto, September 10, 2023, 11:02:02 AM

I've followed the Wireguard Road Warrior setup guide and HomeNetworkGuy's guide for the same thing to set up my Wireguard server and clients. I have my client able to connect to the server, but I can't reach the internet.

What I have so far is:

  • Wireguard interface with assignment
  • Client / server Wireguard configuration working, client is able to connect
  • Firewall rule for the Wireguard network set to allow access to port 53 on the Wireguard address
  • Firewall rule for the Wireguard network set to allow access to all non-RFC1918 networks
  • Firewall rule for the Wireguard network set to allow access to my "Trusted" network
What I want to end up with is that my connected WG clients should be able to access clients on the "Trusted" network and the internet. I'm currently able to ping hosts on the Trusted network, so this seems to be working okay for now.

My WG client isn't able to ping 192.168.1.1 for DNS (I'm looking to use the Unbound DNS server with query forwarding to the AdGuard Home plugin for ad filtering). I'm not sure if I'm supposed to be able to, or if this should go through 192.168.100.1 (192.168.100.0/24 is my WG network). I'm also not able to ping 1.1.1.1 from the WG client, which I don't quite understand since I have a rule that allows traffic to all non-private networks and both guides state that NAT egress rules should be automatically created?

Currently I have all firewall rules set up on the Wireguard interface, nothing on the "Wireguard (Group)" entry in the firewall rules list; this is empty and I'm not sure what to do with it as it's not mentioned in any of the guides.

Do you have a matching outbound NAT rule on your WAN interface?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 10, 2023, 12:09:22 PM
Do you have a matching outbound NAT rule on your WAN interface?

Yes, there is an auto-created outbound NAT rule for all networks, including the WireGuard one.

Use tcpdump on all relevant interfaces to observe where packets start to fail.

Quote from: Patrick M. Hausen on September 10, 2023, 01:09:32 PM
Use tcpdump on all relevant interfaces to observe where packets start to fail.

I tried packet capture between two sets of interfaces.

First from WireGuard to Trusted, here I can successfully ping an IP in the Trusted network and packet capture shows me the packets as expected.

Then I tried WireGuard to WAN interface and netcatting 1.0.0.1 port 53, in this case netcat fails to reach the destination and packet capture doesn't catch anything either.

I'm not sure what else I can look at. What path are the packets expected to take from the WireGuard interface?

Quote from: alto on September 11, 2023, 08:35:37 AM
Quote from: Patrick M. Hausen on September 10, 2023, 01:09:32 PM
Use tcpdump on all relevant interfaces to observe where packets start to fail.
Then I tried WireGuard to WAN interface and netcatting 1.0.0.1 port 53, in this case netcat fails to reach the destination and packet capture doesn't catch anything either.
Do the packets come down the WG tunnel and then fail to leave through WAN or do they not arrive at the OPNsense at all? If the latter, what is your "allowed networks" on the client set to?

I think I found the issue. I had accidentally set the egress rule from the Wireguard network to the internet to invert the source, i.e. it said "! Wireguard net -> allow egress to internet", which of course didn't work.
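To make the failure mode in this thread concrete, here is a small first-match rule evaluator written for this page (it is not OPNsense or pf code). It models only the pf behaviour that matters here: a rule matches when the packet's source and destination fall inside the listed networks, and the "invert" checkbox flips that test for the field. The three rules from the opening post are reproduced, with a flag that turns on the accidental "! Wireguard net" source inversion; the addresses (192.168.100.0/24 as the tunnel net, 192.168.100.1 as the firewall's tunnel address, 192.168.1.0/24 assumed for "Trusted") and the rule names are assumptions mirroring the thread. The last helper covers Patrick's first question: whether the outbound NAT source list on WAN actually contains the tunnel net.

```python
"""Toy first-match evaluator for OPNsense-style interface rules.

Added example, not OPNsense/pf code.  It models just enough of pf's
"source / destination, optionally inverted" matching to show why
"! WireGuard net -> ! RFC1918" never matches a tunnel client, while the
same rule without the inversion does.  Networks and names are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = ipaddress.IPv4Network

RFC1918: Tuple[Net, ...] = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)
# Assumed values mirroring the thread.
WG_NET = ipaddress.ip_network("192.168.100.0/24")     # "Wireguard net"
WG_ADDR = ipaddress.ip_network("192.168.100.1/32")    # "Wireguard address" (firewall end)
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed size of "Trusted net"


@dataclass(frozen=True)
class Rule:
    name: str
    src: Tuple[Net, ...]
    dst: Tuple[Net, ...]
    src_invert: bool = False      # the "Invert" checkbox on the source field
    dst_invert: bool = False      # same on destination ("anything but RFC1918")
    dport: Optional[int] = None   # None = any port


def _field_matches(nets: Tuple[Net, ...], invert: bool, addr) -> bool:
    """pf semantics: field matches if addr is in any listed net; '!' flips it."""
    in_set = any(addr in n for n in nets)
    return in_set != invert


def first_match(rules, src: str, dst: str, dport: int) -> Optional[str]:
    """Name of the first matching rule, or None (interface rules default-deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (_field_matches(r.src, r.src_invert, s)
                and _field_matches(r.dst, r.dst_invert, d)
                and (r.dport is None or r.dport == dport)):
            return r.name
    return None


def wireguard_rules(invert_egress_source: bool):
    """The three rules from the opening post; the flag reproduces the mistake."""
    return (
        Rule("wg-dns", (WG_NET,), (WG_ADDR,), dport=53),
        Rule("wg-egress", (WG_NET,), RFC1918,
             src_invert=invert_egress_source, dst_invert=True),
        Rule("wg-to-trusted", (WG_NET,), (TRUSTED_NET,)),
    )


def nat_covers(nat_sources: Tuple[Net, ...], src: str) -> bool:
    """Outbound NAT on WAN must list a source net containing the tunnel client,
    otherwise packets leave unmasqueraded and replies never come back."""
    return any(ipaddress.ip_address(src) in n for n in nat_sources)


if __name__ == "__main__":
    client = "192.168.100.10"   # assumed tunnel client address
    for label, inverted in (("inverted source (broken)", True), ("corrected", False)):
        rules = wireguard_rules(inverted)
        print(f"{label:26}: {client} -> 1.1.1.1 : {first_match(rules, client, '1.1.1.1', 443)}")
        print(f"{label:26}: {client} -> 192.168.1.50 : {first_match(rules, client, '192.168.1.50', 22)}")
    print("NAT covers tunnel client:", nat_covers((ipaddress.ip_network('192.168.0.0/16'),), client))
```

With the inversion on, the egress rule only ever matches sources *outside* the tunnel net, so the client's packet to 1.1.1.1 falls through to the default deny and never shows up in a capture on WAN, which is exactly the symptom in the thread. The Trusted rule is unaffected, which is why pings into Trusted kept working.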