Problem with Wireguard RoadWarrior Setup

Started by mw88, January 06, 2024, 11:25:22 PM

Hi. I'm quite new to networking with opnsense and I'm trying to set up wireguard to access my home network remotely while working abroad.

As far as I'm concerned, this seems to be the official guide to follow.

However, after going through all the steps in the way detailed below, I cannot ping any of the services in my home network.

Can you help me debug this setup or point me to what is going wrong here?

Setup
Home location
opnsense 23.7.11-amd64 is running in a VM on proxmox with interfaces into different VLANs, e.g.
VLAN2: home, 10.0.2.0/24
VLAN9: WAN (I have to run everything on one physical NIC, so my cable modem is just on a tagged port of the main switch, while the opnsense VM is on a trunk port)
The WAN interface is assigned the public ipv4 a.b.c.d and ipv6 aa:bb:cc::dd from my /60 subnet.
A Firewall rule is in place (temporarily), such that I can ping my opnsense router from the remote location.

Remote location
Sadly, only ipv4 in remote location: 192.168.10.0/24.
I have little influence about this.

Wireguard
Following the guide, I have the following settings:

Step 1
os-wireguard 2.6

Step 2 - Instance

Name             : HomeWireGuard
Public key       : public-key-server=
Private key      : private-key-server=
Listen port      : 51820
Tunnel address   : 10.10.10.1/24
Peers            : mw88Test

* later I want to work with ipv6 as well, after ipv4 works

Step 3 - peer

Name        : mw88Test
Public key  : public-key-client=
Allowed IPs : 10.10.10.3/32

* no DNS server for now, I want to get it working based on IPs first

Step 4 - restart
done, is self-explanatory

Step 5 - interface
(a) I assigned interface opt4 to device wg2 as [HomeWireGuard], no IP assignment is possible.
(b) I didn't create an outbound NAT rule.

Step 6 - firewall rules
I created the rules as described, as well as temporary floating ICMP rules from any source to any destination for protocol icmp (I verified these rules work).
(a) I created one normalization rule for ipv4+ipv6.

Step 7 - Client
I'm on Windows 11, using the official WG app on version 0.5.3.
My config looks like this:

Name: mw88Test
Public key: public-key-client=

[Interface]
PrivateKey = private-key-client=
Address = 10.10.10.3/24

[Peer]
PublicKey = public-key-server=
AllowedIPs = 10.10.10.1/32, 10.0.2.1/24
Endpoint = a.b.c.d:51820


Problem

  • I can activate the tunnel on the client, and when starting a ping, I see Bytes sent, but do not receive any. How do I verify that the connection was successful?
  • Ping to the VLAN2 interface of opnsense, 10.0.2.1, just times out.

I'd be glad to receive any pointers.

Caveat: I do not use Windows. However, I see no particular reason why IP addressing structure should be different.

Your WG setup on Opnsense looks normal.

On my computer / phone / pad things, Interface has address /32, not /24 as you have it.
Peers has allowed IPs 0.0.0.0/0, not your address groups.
I put 9.9.9.9 into Interface DNS so there would be no glitches on testing.

All else is the same or equivalent.

Try those changes.
Deciso DEC697
+crowdsec +wireguard

Thank you for your suggestions, I tried that:


# client wg config
++ DNS = 9.9.9.9

-- Address = 10.10.10.3/24
++ Address = 10.10.10.3/32

-- AllowedIPs = 10.10.10.1/32, 10.0.2.1/24
++ AllowedIPs = 0.0.0.0/0


Afterwards, I connected the tunnel and issued

ping 10.0.2.1 -t

ping 10.10.10.1 -t

which again only produced timeouts.

Temporarily, setting the allowed IPs to "all" would be an acceptable solution; however, when doing so I lose the ability to connect via TeamViewer to a machine in my home network and therefore I lose access to the web interface of opnsense while the wg tunnel is up.

I think I need more advice; in particular, I need help to debug whether the WG connection is established at all.

In your setup, are you able to ping interfaces in the same subnet as your wg interface?
Do I perhaps need to tag the incoming traffic from the wg interface with a VLAN tag, and how can I do this?

Update: After I read through this thread, I deleted all my configurations and started from scratch. In particular, I also deleted all disabled instances of wireguard, and made generous use of wireguard service restarts after each step (not that I hadn't restarted numerous times earlier).

In my opinion, everything is as before, with one key difference: it suddenly works.

I have no clue, why it didn't work before. I will keep my eyes open while continuing to configure.
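As an added example (not from any post in this thread, nor from OPNsense or WireGuard), the two checks the thread circles around in one script: cross-checking the addressing from the original post's Step 2, Step 3 and Step 7 against the changes suggested in the reply, and parsing `wg show wg2 dump` output to answer whether a handshake ever completed. The dump text, the `public-key-other=` peer and the `now` timestamp are constructed.

```python
"""Consistency and handshake checks for a WireGuard road-warrior setup.
Added example: addresses are the thread's, the `wg show wg2 dump` text is constructed."""
import ipaddress

def check_roadwarrior(server_tunnel, peer_allowed, client_address, client_allowed, lan):
    """Cross-check server instance, server-side peer and client [Interface]/[Peer] config.
    Returns a list of findings; an empty list means the addressing is consistent."""
    findings = []
    srv = ipaddress.ip_interface(server_tunnel)    # server Tunnel address, e.g. 10.10.10.1/24
    cli = ipaddress.ip_interface(client_address)   # client [Interface] Address
    if cli.ip not in srv.network:
        findings.append(f"client {cli.ip} is outside server tunnel network {srv.network}")
    # Cryptokey routing: the server drops packets whose source is not in the peer's AllowedIPs
    if not any(cli.ip in ipaddress.ip_network(a) for a in peer_allowed):
        findings.append(f"server peer AllowedIPs {peer_allowed} do not cover client {cli.ip}")
    cli_nets = []
    for a in client_allowed:
        net = ipaddress.ip_network(a, strict=False)
        if str(net) != a:  # e.g. 10.0.2.1/24: host bits set, the prefix is really 10.0.2.0/24
            findings.append(f"client AllowedIPs entry {a} has host bits set (network is {net})")
        cli_nets.append(net)
    # The client only routes into the tunnel what its own AllowedIPs cover
    if not any(srv.ip in n for n in cli_nets):
        findings.append(f"client AllowedIPs do not include server tunnel address {srv.ip}")
    if not any(ipaddress.ip_network(lan).subnet_of(n) for n in cli_nets):
        findings.append(f"client AllowedIPs do not cover home LAN {lan}")
    return findings

def handshake_status(dump_text, now, max_age=180):
    """Parse `wg show <iface> dump` output (tab-separated; first line is the interface itself)
    and classify each peer. latest-handshake 0 means no handshake ever completed, which is
    the state behind 'bytes sent, nothing received'."""
    status = {}
    for line in dump_text.strip().splitlines()[1:]:
        pubkey, _psk, _endpoint, _allowed, hs, rx, tx, _keepalive = line.split("\t")
        hs, rx, tx = int(hs), int(rx), int(tx)
        if hs == 0:
            state = "no handshake"
        elif now - hs > max_age:
            state = "stale"
        else:
            state = "established"
        status[pubkey] = {"state": state, "rx": rx, "tx": tx}
    return status

SAMPLE_DUMP = (  # constructed: the thread's peer plus a second peer that never handshook
    "private-key-server=\tpublic-key-server=\t51820\toff\n"
    "public-key-client=\t(none)\t203.0.113.7:41641\t10.10.10.3/32\t1704579900\t2876\t4120\toff\n"
    "public-key-other=\t(none)\t(none)\t10.10.10.4/32\t0\t0\t0\toff\n"
)
```

Run `check_roadwarrior("10.10.10.1/24", ["10.10.10.3/32"], "10.10.10.3/24", ["10.10.10.1/32", "10.0.2.1/24"], "10.0.2.0/24")` for the original post's values and with `["0.0.0.0/0"]` for the reply's; on the router, `wg show wg2 dump` feeds `handshake_status`.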