WireGuard VPN not functioning despite following guide precisely

Started by strongthany, October 27, 2023, 05:11:11 PM

Thank you. I followed your steps and can confirm, I am not getting a handshake. So likely there is something wrong with my key pairs. I'll double check what I have set for where and made adjustments if needed.

Just so I'm clear, the pub key in the local config would go into the PublicKey entry under the [Peer] section on the client(laptop) config, correct?

I went back through and confirmed the keys are correct, following the road warrior guide. I can confirm the keys are correct, but still no dice when trying to get the handshake.

~$ WG-UP
Warning: `/etc/wireguard/wg0.conf' is world accessible
  • ip link add wg0 type wireguard
  • wg setconf wg0 /dev/fd/63
  • ip -4 address add 10.0.2.2/24 dev wg0
  • ip link set mtu 1420 up dev wg0
    interface: wg0
      public key: cpp(this is the key generated on my client by running sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key. This is also the key on VPN --> WireGuard --> Endpoint --> Public Key)
      private key: (hidden)
      listening port: 34309

    peer: z1v(confirmed to be same as what's on VPN --> WireGuard --> Local --> Public Key)
      endpoint: PUBLIC.IP.ADDRESS:51820
      allowed ips: 10.0.2.0/24
    ~$ ping 10.0.2.1
    PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
    ^C
    --- 10.0.2.1 ping statistics ---
    6 packets transmitted, 0 received, 100% packet loss, time 5084ms

    ~$ sudo wg
    interface: wg0
      public key: cpp1aArw8UcKd6FU09IQ7i/bQCtdfzTz1DBHSsi+QBY=
      private key: (hidden)
      listening port: 34309

    peer: z1vcnYO+25OXVTxTDmoBby6n6beXVUDtRhQr0LyEomA=
      endpoint: 162.219.228.99:51820
      allowed ips: 10.0.2.0/24
      transfer: 0 B received, 296 B sent

If the handshake doesn't work, it's really either of these things:
- Key Pairs don't match
- Request Packet doesn't get to the wireguard socket of the OPNsense
- Response Packet doesn't get back to the client.

So check these things again:
1. Is the IP in your resolved FQDN really the same as "WAN address" of your OPNsense? Maybe you have CGNAT or something? Or the FQDN is wrong?
2. Does Wireguard really listen on port 51820? "netstat -an"
3. Is the Firewall Rule on your WAN interface working as expected? Enable log and look for packets. tcpdump on the WAN interface when you send pings from your client. Look for udp 51820 packets.
4. I know it sounds like a pain, but if still nothing works, triple check the public and private key pairs. If they don't match, wireguard won't even respond.

Wireguard isn't a quick and easy protocol; troubleshooting it is way harder than IPsec since it doesn't give you expansive logs to work with. In IPsec you can troubleshoot the IKE key exchange and everything. With Wireguard, it either works or doesn't, and if it doesn't work it's a guessing game.
Hardware:
DEC740

@Monviech I will check the firewall rule on the WAN. I double checked and can confirm the IP I am using for the WAN address is correct (couldn't get duckdns figured out to get a FQDN for connecting, but that's an issue for later). Based on the information I posted last, does the key information look correct to you? I am hoping for some assistance in regards to ensuring the pair looks correct. If you need more information, please let me know.

I don't know if the keys look correct. It's a public/private key pair after all. But maybe you should try to set up wireguard between two linux peers first to get a feeling for it. If you get some hands-on experience with a working setup, I'm sure you can solve your problems with the OPNsense. I've been running complex wireguard scenarios on it for years, but starting out with wireguard can be tough.

https://www.wireguard.com/quickstart/

It's extremely helpful to read this too:
https://www.wireguard.com/#conceptual-overview
Hardware:
DEC740