Wireguard connects - but no connectivity

Started by this.is.tom, March 19, 2024, 09:29:05 AM

March 19, 2024, 09:29:05 AM Last Edit: March 19, 2024, 09:33:18 AM by this.is.tom
Hello everyone,
I am trying to get Wireguard up and running for days and I am lost now.

The Wireguard setup has been configured according to: https://docs.opnsense.org/manual/how-tos/wireguard-client.html#
The tunnel address of the instance is 192.168.1.0/24
For the peer I added 192.168.1.10/32 (the same IP I use on my client) and I add 0.0.0.0/0 (because I don't want split tunneling but everything to go through the tunnel).

I added the NAT and Firewall rules as well.

When I connect via the official WireGuard client on my MacBook it appears to be working. However, I am unable to access any resources, neither internal ones (10.0.1.0/24) nor any public ones like 9.9.9.9 for DNS or any URLs.

The client configuration is:
[Interface]
PrivateKey = SECRET=
Address = 192.168.1.10/32
DNS = 10.0.1.20

[Peer]
PublicKey = PUBKEY=
AllowedIPs = 0.0.0.0/0
Endpoint = My-public-IP-of-OPNsense:51820


Anyone any idea what could be the issue here or where to look for more infos?

Thanks in advance!
Tom

PS: It seems like some automatic NAT rules or something similar is causing even more issues. As soon as I connect one client for a test via WireGuard, disconnect the client and try to access the internet, everything fails. And not only for this client, but for all devices on my network.
The only solution is to disable the Wireguard interface on the opnsense.

I'll be happy to jump in on this topic. I just did the same today in my home network.

I read this guide: https://www.zenarmor.com/docs/network-security-tutorials/how-to-setup-wireguard-on-opnsense#8-enabling-wireguard-server-on-opnsense
and of course the official OPNsense documentation, which I found of limited use as it's 90% the same as the configuration pages with a bit more text to it: https://docs.opnsense.org/manual/vpnet.html#id4

Things I don't understand:

* Inside the instance in OPNsense and WireGuard, I'm supposed to enter a tunnel address. Is this the network of the VPN? So I shouldn't use the normal LAN network, but a different CIDR range? So my LAN is 192.168.0.0/21, but for the VPN I must use something else, like 10.0.0.1/24 or 192.168.10.0/24? Or can it be the same if I'm not depending on network isolation?

* In the peers, I must configure a PSK, but neither in the Android app nor in the Windows app is there anywhere I should have to enter such a key. I understand that the pub/priv key is kind of PKI-like, so why add a PSK as well?

* Why do peers need an allowed IP? Is this because I can set the IP address in the WireGuard client, too, and they must be in the same network? What is the endpoint address and the endpoint port that I need to set in the peer? "Set public IP address the endpoint listens to" - why would the endpoint/client listen on a public address? It should be the one it connects to, not "listen"?

* I configured a firewall rule that allows simply every traffic coming from the WireGuard group/net. (see screenshot). According to internet resources, the WireGuard (Group) interface applies simply to all WireGuard instances.

* When I do an nmap scan on OPNsense port 51820, nothing appears, or at least it says "open|filtered", but does not show any service (nmap -p 51820 192.168.0.1 -sUV - yes, I did a service scan because it's UDP). It also does not work when I scan the VPN IP 10.0.0.1 of OPNsense. That seems odd. I don't see anywhere in OPNsense where I would configure that the VPN should *not* be accessible from the LAN, so it should show, I think?

Quote from: this.is.tom on March 19, 2024, 09:29:05 AM
When I connect via the official WireGuard client on my MacBook it appears to be working. However, I am unable to access any resources, neither internal ones (10.0.1.0/24) nor any public ones like 9.9.9.9 for DNS or any URLs.

Hi Tom,

I found that this might be a false positive. My Windows app always shows "connected" even when I enter completely wrong IPs and credentials. Have a try at that, too, to see if something changes when you enter wrong credentials.
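Both Tom's server-side peer (tunnel /32 plus 0.0.0.0/0, and the whole LAN losing internet access once a client has connected) and Mombro's question about what a peer's allowed IPs are for come down to the same mechanism: WireGuard's cryptokey routing table. Each interface keeps one table mapping prefixes to peers; an outbound packet goes to the peer holding the longest matching prefix, and an inbound packet is dropped after decryption unless its source address maps back to the peer it arrived from. The following is an added example (not code from the thread, the OPNsense project or WireGuard itself) that models that lookup in Python. The peer names, the table contents and the client addresses are constructed to match the values posted in the thread; how OPNsense turns AllowedIPs into kernel routes is an OPNsense setting and is not modelled.

```python
"""Model of WireGuard cryptokey routing (one table per interface).

Rules implemented, as described in the WireGuard whitepaper:
  - outbound: destination IP -> peer owning the longest matching AllowedIPs prefix
  - inbound: a decrypted packet is accepted only if its source IP maps to the
    peer it came from (anti-spoofing on the tunnel)
  - a prefix can belong to only one peer at a time
Added example for this thread; all addresses and peer names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Peer:
    name: str
    allowed_ips: Tuple[ipaddress._BaseNetwork, ...]


def make_peer(name: str, *allowed: str) -> Peer:
    """Build a peer from AllowedIPs strings exactly as they appear in a wg config."""
    return Peer(name, tuple(ipaddress.ip_network(a, strict=False) for a in allowed))


class CryptokeyTable:
    def __init__(self, peers: List[Peer]):
        self.routes = []  # (network, peer name)
        owner = {}
        for p in peers:
            for net in p.allowed_ips:
                # wg(8) silently moves a duplicated prefix to the peer added last;
                # rejecting it here makes the misconfiguration visible instead.
                if net in owner:
                    raise ValueError(f"{net} claimed by both {owner[net]} and {p.name}")
                owner[net] = p.name
                self.routes.append((net, p.name))

    def select_peer(self, dst: str) -> Optional[str]:
        """Outbound lookup. None means no peer owns dst and WireGuard drops it."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, name in self.routes:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, name)
        return best[1] if best else None

    def accept_inbound(self, from_peer: str, src: str) -> bool:
        """Inbound check: the source must route back to the peer that sent it."""
        return self.select_peer(src) == from_peer


# Server-side table as described in the first post: the peer holds its own
# tunnel /32 *and* 0.0.0.0/0. Every destination now "belongs" to the laptop.
SERVER_AS_DESCRIBED = CryptokeyTable([make_peer("macbook", "192.168.1.10/32", "0.0.0.0/0")])

# Server-side table with only the client's tunnel address (the road-warrior shape
# the OPNsense how-to uses): the server only ever sends the laptop its own traffic.
SERVER_FIXED = CryptokeyTable([make_peer("macbook", "192.168.1.10/32")])

# Client-side tables: full tunnel (as in the posted client config) and split tunnel.
CLIENT_FULL = CryptokeyTable([make_peer("opnsense", "0.0.0.0/0")])
CLIENT_SPLIT = CryptokeyTable([make_peer("opnsense", "10.0.1.0/24", "192.168.1.0/24")])


def check_client_config(address: str, tunnel: str, dns: str, allowed: Tuple[str, ...]) -> List[str]:
    """Static sanity checks on a client [Interface]/[Peer] pair. Returns findings."""
    findings = []
    host = ipaddress.ip_interface(address).ip
    if host not in ipaddress.ip_network(tunnel, strict=False):
        findings.append(f"Address {host} is outside the tunnel network {tunnel}")
    if CryptokeyTable([make_peer("server", *allowed)]).select_peer(dns) is None:
        findings.append(f"DNS server {dns} is not covered by AllowedIPs; queries never enter the tunnel")
    return findings


if __name__ == "__main__":
    for label, table in [("as described", SERVER_AS_DESCRIBED), ("fixed", SERVER_FIXED)]:
        for dst in ("9.9.9.9", "192.168.1.10"):
            print(f"server ({label}): {dst} -> {table.select_peer(dst)}")
        print(f"server ({label}): accepts spoofed 10.0.1.99 from macbook? "
              f"{table.accept_inbound('macbook', '10.0.1.99')}")
    print("client findings:", check_client_config("192.168.1.10/32", "192.168.1.0/24",
                                                  "10.0.1.20", ("0.0.0.0/0",)))
```

Running it shows the two sides of the AllowedIPs setting: on the client, 0.0.0.0/0 is what makes "everything through the tunnel" work (and it is also what lets the 10.0.1.20 DNS server be reached); on the server, the same 0.0.0.0/0 on a peer makes WireGuard hand every destination to that one laptop and accept any source address from it, whereas a bare /32 restricts the peer to its own tunnel address in both directions.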

Hi Mombro,
glad I am not the only one being confused.

I am also struggling with the unclear terms and how they are supposed to be configured.

I found the same references as you did, but nothing worked so far. If I have made some progress I will keep you posted!

For WG troubleshooting, best is to provide screenshots from server and client config. Keys must be identifiable, so leave the first 3 chars visible.
I am not an expert... just trying to help...

Hi There

I think I'm trying to do the same thing, but with a WireGuard connection directly to Surfshark. Did you ever get to the bottom of this?

I have posted my setup and struggles trying to do the same thing in OPNsense here:

https://forum.opnsense.org/index.php?topic=39783.