OPNSense behind router - cannot establish wireguard connection

Started by relief-melone, July 10, 2024, 02:38:59 PM

Hey, I am currently testing out some things with OPNsense because I want to replace most of/all of my router with it. But for testing, this is my current setup:

https://imgur.com/a/SEaUkgX


I forwarded UDP port 51820 on my router to 192.168.100.20, which is the OPNsense WAN interface. Now I have been reading through the docs and watched some WireGuard tutorials, but I cannot get a connection. This is my configuration:

I have set up WireGuard with one instance.

listen port: 51820
tunnel address: 10.100.200.1/24
peers:
- name: mobile test
  allowedIPs: 10.100.200.205/32
  publicKey: <my-mobile-clients-pub-key>

On my mobile device I

interface
addresses:
- 10.100.200.205/32
peers:
- pubKey: <servers-pub-key>
  allowedIPs: 192.168.100.0/24
  Endpoint: <routers-pub-ip>:51820

However, I do not see a handshake or any incoming traffic. The WireGuard app on Android tells me it's connected, but I guess that is bogus because even if I change around the port it still tells me it was connected without the port even being open on the router. Is there anything I can check that would narrow down where I went wrong?

Quote from: relief-melone on July 10, 2024, 02:38:59 PM
I forwarded UDP port 51820 on my router to 192.168.100.20, which is the OPNsense WAN interface.

...

listen port: 51820
tunnel address: 10.100.200.1/24


How could that work? From the perspective of your OPNsense, it is itself the WireGuard endpoint.

And besides that:

Quote from: relief-melone on July 10, 2024, 02:38:59 PM
peers:
- name: mobile test
  allowedIPs: 10.100.200.205/32
  publicKey: <my-mobile-clients-pub-key>

On my mobile device I

interface
addresses:
- 10.100.200.205/32
peers:
- pubKey: <servers-pub-key>
  allowedIPs: 192.168.100.0/24
  Endpoint: <routers-pub-ip>:51820


You configure the WireGuard transfer network to be the same as your internal network? How do you expect routing to work between two identical IP ranges?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

I do intend OPNsense to be the endpoint. The purpose of this test is to access my local network from my mobile phone from outside. I guess there is something here that I'm not getting correctly though :/

The transport network and allowedIPs do not overlap though. Transport is 10.100.0.0/17, so it ends at 10.100.127.255.


Because it leaves room in 10.100.x.x for other stuff, like the VPN subnets for example.

Turns out the solution was pretty simple. While I had the correct in and out rules on the WireGuard group, I was missing the incoming UDP rule on the WAN interface. After that one was added, everything worked like it was supposed to.
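As an added example (not from this thread or from OPNsense itself), the following checks model the consistency questions raised above: the tunnel address against the peer entries, the transfer network against the LAN, the endpoint port against the listen port, and finally the WAN pass rule that turned out to be missing. The dictionary layout and the rule fields are assumptions for the example; the public IP is a documentation placeholder.

```python
import ipaddress

# Constructed from the configs posted in this thread; the dict keys are an
# assumed model for the example, not OPNsense's own configuration format.
SERVER = {
    "listen_port": 51820,
    "tunnel": "10.100.200.1/24",
    "peers": [{"name": "mobile test", "allowed_ips": ["10.100.200.205/32"]}],
}
CLIENT = {
    "address": "10.100.200.205/32",
    "peer": {"allowed_ips": ["192.168.100.0/24"], "endpoint": "203.0.113.10:51820"},
}
LAN = "192.168.100.0/24"  # network the phone should reach through the tunnel

# Assumed firewall-rule model: interface, action, protocol, destination port.
WAN_RULE = {"iface": "WAN", "action": "pass", "proto": "udp", "dport": 51820}


def check_wireguard(server, client, lan, rules):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    tunnel = ipaddress.ip_interface(server["tunnel"]).network
    client_ip = ipaddress.ip_interface(client["address"]).ip
    lan_net = ipaddress.ip_network(lan)

    # The phone's tunnel address has to sit inside the instance's tunnel network.
    if client_ip not in tunnel:
        problems.append(f"client {client_ip} is outside tunnel {tunnel}")
    # The server-side peer entry must allow that address, or replies are dropped.
    server_allowed = [ipaddress.ip_network(a) for p in server["peers"] for a in p["allowed_ips"]]
    if not any(client_ip in n for n in server_allowed):
        problems.append(f"no server peer allows {client_ip}")
    # The second poster's concern: tunnel and LAN must be distinct ranges.
    if tunnel.overlaps(lan_net):
        problems.append(f"tunnel {tunnel} overlaps LAN {lan_net}")
    # The phone only routes the LAN into the tunnel if its AllowedIPs cover it.
    client_allowed = [ipaddress.ip_network(a) for a in client["peer"]["allowed_ips"]]
    if not any(lan_net.subnet_of(n) for n in client_allowed):
        problems.append(f"client AllowedIPs do not cover {lan_net}")
    # Endpoint port must match the listen port that the router forwards to.
    port = int(client["peer"]["endpoint"].rsplit(":", 1)[1])
    if port != server["listen_port"]:
        problems.append(f"endpoint port {port} != listen port {server['listen_port']}")
    # The fix from the thread: a pass rule for the UDP listen port on WAN.
    if not any(r["iface"] == "WAN" and r["action"] == "pass" and r["proto"] == "udp"
               and r["dport"] == server["listen_port"] for r in rules):
        problems.append(f"no WAN pass rule for udp/{server['listen_port']}")
    return problems
```

Running `check_wireguard(SERVER, CLIENT, LAN, [])` reproduces the original failing state with only the missing WAN rule reported, and passing `[WAN_RULE]` returns an empty list.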