[SOLVED] Unable to set allowed IPs to '0.0.0.0' for wireguard client

Started by cookiemonster, June 26, 2024, 12:04:01 AM

I wonder if someone can give me a hand with this.

I am on OPNsense 23.7.12_5-amd64
Errors take the form of:
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '192.168.5.0/24' -interface 'wg1'' returned exit code '1', the output was ''

or

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0' -interface 'wg1'' returned exit code '1', the output was ''

I have tried stopping the wireguard service first before modifying it but it is the same behaviour.

Those are the errors when changing or adding those networks to an already configured peer. Currently this peer has allowed ips of: 10.0.0.4/32 and works fine but I want to allow it to also reach my LAN which is 192.168.5.0/24. Also there are VLANs on it.
Clearly I have a setting somewhere that creates a bigger problem because when I change the allowed ips to 0.0.0.0/0, all my LAN clients start failing DNS queries. I'm nowhere near getting a handle on the problem.


You are an experienced user; what's your educated guess for the chances that the next post reads: "Update to latest and then try again"?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

thanks for the input chemlud. I am due to travel abroad for over a week in the next few days so I would like to fix this instead of dealing with more and bigger changes with a new OS version. Actually this is the reason I want to be able to reach my LAN for when I am away in case of need.

I reach my remote nets via WG, without any 0.0.0.0 involved... ;-)
kind regards
chemlud

And I also have another client without the 0.0.0.0 that can reach the LAN. Hence I fail to see why the other doesn't, nor why I can't make this change. For anyone thinking of helping, here is my OPN wg config:
/usr/local/etc/wireguard/wg1.conf
####################################################
# Interface settings, not used by `wg`             #
# Only used for reference and detection of changes #
# in the configuration                             #
####################################################
# Address =  10.0.0.1/24
# DNS = 192.168.5.1
# MTU =
# disableroutes = 0
# gateway =

[Interface]
PrivateKey = {privatekey}
ListenPort = 51820

[Peer]
# friendly_name = mobile-8T-MN
PublicKey = {publickey1}

AllowedIPs = 10.0.0.2/32

[Peer]
# friendly_name = pluto
PublicKey = {publickey2}

AllowedIPs = 10.0.0.3/32

[Peer]
# friendly_name = saturn
PublicKey = {publickey3}

AllowedIPs = 10.0.0.4/32

The peer mobile-8T-MN can connect to OPN via wg and reach the LAN on 192.168.5.0/24 but the peer saturn can't and is the one I've been trying to add or change to 0.0.0.0/0 as a way to fix but I get that error.

Anyone with a thought of what I could try or where to look for a misconfiguration?

Did you add 0.0.0.0/0 in OPNsense peer config (allowed IPs)?
This must go into client config (allowed IPs) since on server side this is the IP assigned to the client.
i am not an expert... just trying to help...

In other words...

SERVER SIDE:
[Peer]
AllowedIPs = IP assigned to VPN client

CLIENT SIDE:
[Peer]
AllowedIPs = IPs to be routed via VPN


For some OS you should not use 0.0.0.0/0 but 0.0.0.0/1, 128.0.0.0/1

Quote from: tiermutter on June 27, 2024, 12:32:41 PM
Did you add 0.0.0.0/0 in OPNsense peer config (allowed IPs) ?
This must go into client config (allowed IPs) since on server side this is the IP assigned to the client.
Well, I did it again a little while ago, about 2 hrs ago. No errors in the wg log, but when I came back to my next work call, the laptop was unable to get online. I had to stop wg and all was good again.
First how they're configured, then when changed to 0.0.0.0. This breaks my DNS on LAN it seems. No idea why. Happy for any ideas what to look for.

You must not put 0.0.0.0/0 into the peer's allowed IPs on the OPNsense side. That installs a route for 0.0.0.0/0 down the wireguard interface.

On the OPNsense side put only the tunnel address of the "client" with /32 in the allowed IPs field.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ok, so that's how it is set, Patrick. How do I then make this client/peer able to reach the LAN?

On the client you configure 0.0.0.0/0 in allowed IPs.

That means the client will send everything through the tunnel.

Or, if you only want to reach the LAN while keeping Internet access local to wherever the client is, just add your LAN network and appropriate prefix length (/24?) in allowed IPs in the client.

Then all you need is a firewall rule on the wireguard interface or group permitting the client in.
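The server-side versus client-side AllowedIPs point made in the two replies above, as an added example that is not part of this thread: a small Python model of WireGuard's cryptokey routing (longest prefix match over each peer's AllowedIPs) run against the wg1 peers posted earlier, against the 0.0.0.0/0 change that produced the route error, and against a client that routes only the LAN. Peer names and the client-side entries are taken from the thread; the destination addresses and the lint helper are constructed for illustration.

```python
import ipaddress

# Constructed model of WireGuard cryptokey routing: a packet goes to the peer
# whose AllowedIPs most specifically contain its destination. On OPNsense each
# server-side AllowedIPs entry also becomes a kernel route via wg1, which is why
# 0.0.0.0/0 on a server-side peer claims every destination, not just the peer.

def select_peer(peers, dst):
    """Return the peer whose AllowedIPs best match dst (longest prefix), or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, allowed in peers.items():
        for net in (ipaddress.ip_network(n) for n in allowed):
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def lint_server_peers(peers, tunnel_net):
    """Flag server-side AllowedIPs that are not a single /32 tunnel address."""
    tunnel_net = ipaddress.ip_network(tunnel_net)
    problems = []
    for name, allowed in peers.items():
        for n in allowed:
            net = ipaddress.ip_network(n)
            if net.prefixlen != 32 or net.network_address not in tunnel_net:
                problems.append(f"{name}: {n} is not a /32 inside {tunnel_net}")
    return problems

def split_default_route():
    """The 0.0.0.0/1 + 128.0.0.0/1 pair some clients need instead of 0.0.0.0/0."""
    return [str(n) for n in ipaddress.ip_network("0.0.0.0/0").subnets(prefixlen_diff=1)]

# Server side (OPNsense wg1) as posted: one /32 tunnel address per peer.
SERVER_OK = {"mobile-8T-MN": ["10.0.0.2/32"], "pluto": ["10.0.0.3/32"], "saturn": ["10.0.0.4/32"]}
# The change that produced the route error: 0.0.0.0/0 on a server-side peer.
SERVER_BAD = {"mobile-8T-MN": ["10.0.0.2/32"], "pluto": ["10.0.0.3/32"], "saturn": ["0.0.0.0/0"]}
# Client side for saturn: only the LAN via the tunnel, Internet stays local.
CLIENT_LAN_ONLY = {"opnsense": ["10.0.0.1/32", "192.168.5.0/24"]}

if __name__ == "__main__":
    print(select_peer(SERVER_OK, "10.0.0.4"))            # saturn
    print(select_peer(SERVER_OK, "203.0.113.9"))         # None: never enters wg1
    print(select_peer(SERVER_BAD, "203.0.113.9"))        # saturn: everything pulled into the tunnel
    print(lint_server_peers(SERVER_BAD, "10.0.0.0/24"))  # flags saturn's 0.0.0.0/0
    print(select_peer(CLIENT_LAN_ONLY, "192.168.5.10"))  # opnsense
    print(select_peer(CLIENT_LAN_ONLY, "203.0.113.9"))   # None: stays on the local uplink
    print(split_default_route())                         # ['0.0.0.0/1', '128.0.0.0/1']
```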

> On the client you configure 0.0.0.0/0 in allowed IPs.
that's been set already client side.

> Then all you need is a firewall rule on the wireguard interface or group permitting the client in.
This is what might be missing but I have a blanket one for the whole wg net (please see pic):
Do I still need to create a per-client rule?


Looks good. For "WG net" to work - what is the tunnel address on the server/OPNsense side and what is the peer allowed IP (with /32) set to? The peer allowed IP matches the tunnel address on the client, right?