OPNSense behind router - cannot establish wireguard connection

[relief-melone]

Hey I am currently testing out some things with opnsense because I want to replace most of/all of my router with it. But for testing this is my current setup

https://imgur.com/a/SEaUkgX


I forwarded the 51820 udp port of my router to the 192.168.100.20 which is the opnsense wan interface. Now I have been reading through the docs and watched some wireguard tutorials. But I cannot get a connection. This is my configuration

I have set up wireguard with one instance.

listen port: 51820
tunnel address: 10.100.200.1/24
peers:
- name: mobile test
  allowedIPs: 10.100.200.205/32
  publicKey: <my-mobile-clients-pub-key>

On my mobile device I

interface
addresses:
- 10.100.200.205/32
peers:
- pubKey: <servers-pub-key>
  allowedIPs: 192.168.100.0/24
  Enpoint: <routers-pub-ip>:51820

However I do not see a handshake or any incoming traffic. The WireGuard app on Android tell me its connected but I guess that is bogus because even if I change around the port it still tells me it was connected without the port even being open on the router. Is there anything I can check that would narrow down where I went wrong?

[meyergru]

I forwarded the 51820 udp port of my router to the 192.168.100.20 which is the opnsense wan interface.

...

listen port: 51820
tunnel address: 10.100.200.1/24

How could that work? From the perspective of your OpnSense, it is itself the Wireguard endpoint.

And beside that:

peers:
- name: mobile test
  allowedIPs: 10.100.200.205/32
  publicKey: <my-mobile-clients-pub-key>

On my mobile device I

interface
addresses:
- 10.100.200.205/32
peers:
- pubKey: <servers-pub-key>
  allowedIPs: 192.168.100.0/24
  Enpoint: <routers-pub-ip>:51820

You configure the wireguard transfer network to be the same as your internal network? How do you expect routing to work between two identical IP ranges?

[relief-melone]

I intend opnsense to be the endpoint so. The purpose of this test is to access my local network from my mobile phone from outside. I guess there is something here that I'm not getting correctly though :/

The transport network and allowedIPs do not overlap though. Transport is 10.100.0.0/17 so it ends at 10.100.127.255

[Bob.Dig]

Transport is 10.100.0.0/17

Why do you use 17. Is it your age?

[relief-melone]

because it leaves room in the 10.100.x.x for other stuff like the vpn subnets for example

[relief-melone]

Turns out the solution was pretty simple. While I had the correct in and out rules on the wireguard group I was missing the incoming udp rule on the WAN interface. After that one was added in everything worked like it was supposed to.