[SOLVED] Wireguard Handshake timeout - Roadwarrior setup

Started by Terminal, July 12, 2024, 09:29:52 PM

July 12, 2024, 09:29:52 PM Last Edit: July 18, 2024, 01:41:00 AM by Terminal
I had the road warrior instructions working for my first Internet provider, but after I switched, I cannot get the phone to connect.  I have torn down and rebuilt numerous times with no luck.  I tried re-connecting the first Internet provider and re-configuring WireGuard to match the original config, but that is no longer working.  I have attached my current settings.  I have used the WG0 net for the source and, as shown in the attachments, I have tried using the actual WireGuard subnet.  The status page for WireGuard never shows the handshake, and looking at the WG0 traffic, it doesn't look like there is anything happening there either.

Side note, edrop has been merged with drop.


The config looks fine.

What IP do you have on the WAN and how do you access the WAN?

If you have a public IP on the WAN then try changing the port WG is listening on.

It is a public IP.  OPNsense is the router directly connected to the ONT.  I have tried 51820 and 51821.  Is there a different port range that I should try?

I'm thinking something is defunct with the WAN side firewall.  I tried creating an ICMP rule for incoming pings that would ping the WAN IP with Source set to any, and could not ping.  I also could not see the ping requests coming in using tcpdump, but I have never tried using it on a firewall.  It would make sense that the traffic would hit the firewall first before making it to the scanner. Is there some way to flush and rebuild the firewall portion? Maybe there is some bad db entry causing it to hang up on the incoming connections?

The answer heavily depends on whatever the ISP is filtering or not.

Check the IP of the phone on ipchicken.com or ifconfig.co, then go to FW Live view and filter for wan traffic on the port you're testing.

BTW, changing the port needs to be done on the phone and on the firewall -- both in the WAN rules and WG config.

Looks to me like your ISP is filtering the traffic.

When you ping your WAN IP (public IP) or use a port scanner from the Internet, you should see it hit the FW and get blocked (if not explicitly allowed). This is visible in Live view.

Additionally, a lot of Internet providers and other actors constantly scan the Internet for open ports; those should be visible as well on the WAN ingress as blocked.

If you don't see anything blocked on the WAN ingress, most likely your ISP is filtering the traffic. You should contact them and ask about this.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Do you have something in your WireGuard logs on the OPNsense side?

Since the upgrade to 24.1.10, I can no longer connect to WireGuard - fortunately, I have a ZeroTier VPN as an alternative.



2024-07-11T21:37:52 Notice wireguard wireguard instance CabinetRoadWg (wg0) started
2024-07-11T21:37:52 Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt2'
2024-07-11T21:37:51 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '192.168.7.0/24' -interface 'wg0'' returned exit code '1', the output was ''
2024-07-11T21:37:51 Notice wireguard wireguard instance CabinetRoadWg (wg0) can not reconfigure without stopping it first.


Do you also have it?

Newsense, Yes I changed the port on the wan firewall rule, the instance, and phone app.

Seimus, according to their online FAQ they do not block ports, but I have not reached out to ask.  The reason being that I tried my original ISP, which was known working before I switched, and I am having the same results.  The phone IP never makes it to the live logs when I filter against its IP or against incoming connections. I have not tried filtering against blocked connections.  I will give that a shot.
"Additionally, a lot of Internet providers and other actors constantly scan Internet for Open ports, those should be visible as well on Ingress of WAN as blocked." So even though the ISP would be blocking that traffic, I would still see it show up in live view as blocked? or do I need to see that in a different part of OPNsense? I could run NTOP from another IP and see if the port is open but I have a good feeling on what I would see since ping isn't working. I will try connecting a laptop directly to the ONT and see if ping works.

nsteinmetz - the WireGuard logs are only reporting that the instance is up, but no connection logs. I have not tried ZeroTier or OpenVPN on OPNsense.  I really like the way WireGuard worked.  It connects fast, maintains a solid connection and is much faster than OpenVPN.  Haven't tried ZeroTier to compare it against.

After further investigation, my case seems more focused on one device than with wireguard - I tested on another device and it works well. So no relation with your case - sorry for the noise

Those lying dogs.  They tell me that they do not block ports, just to find out they use CGNAT.  I'm not really familiar with how CGNAT works.  I see people talking about having to use a VPS to make it work, but I'm wondering at this point, is having to deal with CGNAT worth it over keeping my cable?  I was switching because they are currently oversubscribed, but with the new fiber folks in town, that likely will not be a problem for long. Fiber has synchronous speeds that are nice as well. Can I get around this issue without having to pay for another service?

Quote: "Additionally, a lot of Internet providers and other actors constantly scan the Internet for open ports; those should be visible as well on the WAN ingress as blocked."
"So even though the ISP would be blocking that traffic, I would still see it show up in live view as blocked? Or do I need to see that in a different part of OPNsense?"

No, you would not. If somebody is blocking or filtering in front of you, it will not hit your device/FW.

Quote: "Those lying dogs.  They tell me that they do not block ports, just to find out they use CGNAT.  I'm not really familiar with how CGNAT works.  I see people talking about having to use a VPS to make it work, but I'm wondering at this point, is having to deal with CGNAT worth it over keeping my cable?  I was switching because they are currently oversubscribed, but with the new fiber folks in town, that likely will not be a problem for long. Fiber has synchronous speeds that are nice as well. Can I get around this issue without having to pay for another service?"

There is your answer indeed: CGNAT ;)
CGNAT is a bother, a pain in the ass if I may say so.

If you want to keep your current ISP and have WG, there are 3 possibilities you may try:
1. VPS
2. Ask your ISP if they are able to provide public static IP
3. Check if your ISP can give you an IPv6 address and create the WG on IPv6

You can also, as you already did, search the forum for topics about VPN and CGNAT to see how people approached it differently. But CGNAT is a bother.

Regards,
S.

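Two of the checks in this thread can be scripted so they are repeatable: Seimus's advice above to confirm whether anything from the Internet reaches the WAN at all, and the later finding that the "public" WAN address was in fact behind CGNAT. The helpers below are an added example written for this page; they are not code from the thread or from OPNsense. They classify a WAN address against the RFC 6598 CGNAT range (100.64.0.0/10) and the RFC 1918 private ranges, compare it with the address the Internet sees (the ipchicken/ifconfig.co check), and parse `wg show <if> latest-handshakes` output to tell "never handshaked" from "tunnel was up once". The interface name `igc0`, the peer key names and the sample values are placeholders constructed for the demo, and the address/handshake data is fed in explicitly so the script runs offline.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread, not OPNsense code).
# Two offline checks for the situation discussed above:
#   1. is the WAN address really public, or is the ISP doing CGNAT (RFC 6598,
#      100.64.0.0/10) / upstream NAT, so inbound UDP never reaches OPNsense;
#   2. did any WireGuard peer ever complete a handshake, from the output of
#      `wg show <if> latest-handshakes` (one "<peer-pubkey><tab><epoch>" per
#      line, 0 meaning never).
# Interface names, addresses and peer keys below are placeholders.

# Dotted quad -> integer, using only POSIX sh arithmetic.
ip_to_int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/BITS -> exit 0 if ADDR lies inside NET/BITS.
in_cidr() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    # 32-bit mask with the top BITS bits set, built without hex literals
    _mask=$(( 4294967295 - ( (1 << (32 - _bits)) - 1 ) ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# classify_addr ADDR -> prints cgnat | private | public
classify_addr() {
    if in_cidr "$1" 100.64.0.0/10; then
        echo cgnat
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then
        echo private
    else
        echo public
    fi
}

# wan_verdict WAN_ADDR INTERNET_SEEN_ADDR
# WAN_ADDR is what OPNsense holds on its WAN interface, e.g. (igc0 assumed):
#   ifconfig igc0 | awk '/inet /{print $2}'
# INTERNET_SEEN_ADDR is what ifconfig.co reports when queried from behind that WAN.
# Exit 0 only when inbound traffic can actually reach the box.
wan_verdict() {
    case $(classify_addr "$1") in
        cgnat)
            echo "CGNAT: WAN holds RFC 6598 address $1; no inbound UDP will arrive, a port change won't help"
            return 1 ;;
        private)
            echo "upstream NAT: WAN holds RFC 1918 address $1; another router sits in front of OPNsense"
            return 1 ;;
    esac
    if [ "$1" != "$2" ]; then
        # Some ISPs NAT from public-looking ranges, so a mismatch still means NAT in front of you.
        echo "upstream NAT: WAN is $1 but the Internet sees $2"
        return 1
    fi
    echo "public: WAN $1 is the Internet-visible address; if WG still fails, watch the WAN with tcpdump"
    return 0
}

# handshake_report NOW_EPOCH  (reads `wg show <if> latest-handshakes` on stdin)
# Prints one line per peer and exits 1 if any peer never handshaked.
# A handshake older than 3 minutes means no traffic has flowed since
# (WireGuard re-handshakes roughly every 2 minutes while data is moving).
handshake_report() {
    _now=$1
    _never=0
    while read -r _peer _ts; do
        [ -z "$_peer" ] && continue
        if [ "$_ts" -eq 0 ]; then
            _state="never (initiator packets are not reaching this host)"
            _never=$(( _never + 1 ))
        elif [ $(( _now - _ts )) -gt 180 ]; then
            _state="stale, $(( _now - _ts ))s ago (tunnel was up once, then lost)"
        else
            _state="ok, $(( _now - _ts ))s ago"
        fi
        echo "$_peer $_state"
    done
    [ "$_never" -eq 0 ]
}

# Demo on constructed values; on OPNsense, swap in the live commands noted above.
wan_verdict 100.64.3.9 203.0.113.7 || :
printf 'PEER_PUBKEY_A=\t0\nPEER_PUBKEY_B=\t1719999900\n' | handshake_report 1720000000 || :
```

On the box itself the two inputs come from `ifconfig <wanif>` and `wg show <wgif> latest-handshakes`, and the Internet-side address from the ifconfig.co check mentioned earlier. When the verdict is "public" but the handshake report still says "never", run `tcpdump -ni <wanif> udp port 51820` (or whatever port you moved WG to) on the WAN while the phone tries to connect: packets showing up there but no handshake points at keys or allowed IPs, nothing showing up at all points at filtering or NAT upstream, which is exactly the case the thread ended on.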

There's one more option actually:

4) ZeroTier/Tailscale

True, in my mind ZeroTier/Tailscale falls kinda under VPS (even if that's not fully true).

Regards,
S.

Thanks for all the suggestions.  Getting them to give me a static is turning out to be more difficult than I imagined.  They want me to sign up for a biz account and pay 3x the price of residential.  That's out.  I can't even get them to talk to me about IPv6.  I'm really surprised how fluent people here are with it.  It is hardly mentioned in my neck of the woods. I know when I went tube surfing on the subject, the details always seemed to be missing.  Anyone know of a good tutorial on it?  I have done a bit more digging on how the VPS would work. It is certainly a possibility if I can find one for a decent price.  How does ZeroTier get around NAT?

ZeroTier/Tailscale work like this, in very simple terms. You as a client establish a session, that session is over WG, towards their network hypervisor/controller. This hypervisor/controller gives each connected node a unique specific ID. Basically it's like you get a public IP from this provider, but routing is done based on internal IDs.

You can read in more detail >
https://docs.zerotier.com/protocol

Regards,
S.