Wireguard RW setup - Handshake not completed

Started by ThomasE, July 24, 2024, 03:28:17 PM

We're using an OPNsense 24.4.1_3-amd64 and are trying to set up a WireGuard instance for road warrior use based on the documentation found here:

https://docs.opnsense.org/manual/vpnet.html#wireguard

Our instance configuration is as follows:

Name: WireguardTest
Public Key: *****
Private Key: *****
Listening Port: 51820
MTU: (empty)
DNS Servers: (empty)
Tunnel Address: 192.168.3.254/24
Disable routes: (not set)
Gateway: (empty)

This is my peer configuration:

Active: Yes
Name: test
Public Key: *****
Pre-shared key: (empty)
Allowed IPs: 192.168.3.2/24
Endpoint address: (empty)
Endpoint port: (empty)
Instances: WireguardTest

Peers are created using the peer generator.

An interface was assigned as described in Step 4(a).

An outbound NAT rule as described in Step 4(b) already exists.

There is an inbound firewall rule to allow traffic coming in on the WAN interface (UDP port 51820) to one of our external IPs on that interface. (We have a whole class C network there.) Logging is enabled.

We also created a rule on the interface created in step 4(a) allowing any traffic from the "WireguardTest net" to any.

Finally, there's the normalisation rule as described in Step 5a.

When trying to create the tunnel from the client, I get the following messages there:

07-24 15:10:47.935 23386 23422 D WireGuard/GoBackend/Test: peer(EaEn...+T2k) - Sending handshake initiation
07-24 15:10:47.941 23386 23965 D WireGuard/GoBackend/Test: peer(EaEn...+T2k) - Handshake did not complete after 5 seconds, retrying (try 2)
07-24 15:10:49.558 23386 23386 I wm_on_restart_called: [71172480,com.wireguard.android.activity.LogViewerActivity,performRestart,0]
07-24 15:10:49.558 23386 23386 I wm_on_start_called: [71172480,com.wireguard.android.activity.LogViewerActivity,handleStartActivity,1]
07-24 15:10:49.559 23386 23386 I wm_on_resume_called: [71172480,com.wireguard.android.activity.LogViewerActivity,RESUME_ACTIVITY,0]
07-24 15:10:49.559 23386 23386 I wm_on_top_resumed_gained_called: [71172480,com.wireguard.android.activity.LogViewerActivity,topWhenResuming]
07-24 15:10:49.587 23386 23386 I viewroot_draw_event: [VRI[LogViewerActivity],Start draw after previous draw not visible]
07-24 15:10:49.596 23386 23386 I viewroot_draw_event: [VRI[LogViewerActivity],reportDrawFinished seqId=0]
07-24 15:10:49.608 23386 23386 I viewroot_draw_event: [VRI[LogViewerActivity],reportDrawFinished seqId=0]
07-24 15:10:53.143 23386 23541 D WireGuard/GoBackend/Test: peer(EaEn...+T2k) - Handshake did not complete after 5 seconds, retrying (try 2)
07-24 15:10:53.143 23386 23541 D WireGuard/GoBackend/Test: peer(EaEn...+T2k) - Sending handshake initiation


I can see one incoming UDP packet (per connection attempt) headed for the external IP on port 51820, which is allowed to pass.

Any suggestions would be appreciated...
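The client log above is the kind of excerpt that turns up in every road-warrior troubleshooting thread, so here is a small Python parser, added as an example and not part of the original post, that pulls the WireGuard peer events out of the Android logcat noise and summarises, per tunnel and peer, how many handshake initiations were sent, the highest retry number reached, and whether a handshake response was ever received. The log lines for the `Test` tunnel are copied from the post; the second peer (`AbCd...+XyZ9` on a tunnel named `Other`) and its "Received handshake response" line are constructed here so that the successful path is exercised too. The message strings matched are the ones wireguard-go emits ("Sending handshake initiation", "Handshake did not complete after N seconds, retrying (try N)", "Received handshake response").

```python
import re

# Sample input: the "Test" tunnel lines are taken from the post above; the
# "Other" tunnel peer and its handshake response are constructed for this
# example so that a completed handshake is also present.
SAMPLE_LOG = """\
07-24 15:10:47.935 23386 23422 D WireGuard/GoBackend/Test: peer(EaEn...+T2k) - Sending handshake initiation
07-24 15:10:47.941 23386 23965 D WireGuard/GoBackend/Test: peer(EaEn...+T2k) - Handshake did not complete after 5 seconds, retrying (try 2)
07-24 15:10:49.558 23386 23386 I wm_on_restart_called: [71172480,com.wireguard.android.activity.LogViewerActivity,performRestart,0]
07-24 15:10:49.587 23386 23386 I viewroot_draw_event: [VRI[LogViewerActivity],Start draw after previous draw not visible]
07-24 15:10:53.143 23386 23541 D WireGuard/GoBackend/Test: peer(EaEn...+T2k) - Handshake did not complete after 5 seconds, retrying (try 2)
07-24 15:10:53.143 23386 23541 D WireGuard/GoBackend/Test: peer(EaEn...+T2k) - Sending handshake initiation
07-24 15:11:02.001 23386 23541 D WireGuard/GoBackend/Other: peer(AbCd...+XyZ9) - Sending handshake initiation
07-24 15:11:02.120 23386 23541 D WireGuard/GoBackend/Other: peer(AbCd...+XyZ9) - Received handshake response
"""

# One logcat line from the WireGuard Android backend: timestamp, pid, tid,
# level, tag "WireGuard/GoBackend/<tunnel>", then "peer(<abbrev key>) - <msg>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) +\d+ +\d+ +\w "
    r"WireGuard/GoBackend/(?P<tunnel>[^:]+): peer\((?P<peer>[^)]+)\) - (?P<msg>.*)$"
)
RETRY_RE = re.compile(
    r"Handshake did not complete after (?P<secs>\d+) seconds, retrying \(try (?P<try>\d+)\)"
)


def parse_wg_events(text):
    """Return the WireGuard peer events in a logcat excerpt, dropping framework noise."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # wm_*, viewroot_* and other Android framework lines are skipped
        events.append(m.groupdict())
    return events


def summarize_handshakes(events):
    """Group events by (tunnel, peer) and report whether a handshake ever completed."""
    summary = {}
    for ev in events:
        key = (ev["tunnel"], ev["peer"])
        s = summary.setdefault(
            key,
            {"initiations": 0, "max_try": 1, "responses": 0,
             "first": ev["ts"], "last": ev["ts"]},
        )
        s["last"] = ev["ts"]
        msg = ev["msg"]
        if msg == "Sending handshake initiation":
            s["initiations"] += 1
        elif msg == "Received handshake response":
            s["responses"] += 1
        else:
            r = RETRY_RE.match(msg)
            if r:
                s["max_try"] = max(s["max_try"], int(r.group("try")))
    for s in summary.values():
        # A peer that only ever sends initiations and never logs a response
        # never got past the first handshake message.
        s["completed"] = s["responses"] > 0
    return summary


def report(summary):
    """Render one line per peer; never-completed peers are listed first."""
    lines = []
    for (tunnel, peer), s in sorted(summary.items(), key=lambda kv: kv[1]["completed"]):
        state = "handshake completed" if s["completed"] else "NO handshake response"
        lines.append(
            f"{tunnel}/{peer}: {state}; {s['initiations']} initiation(s), "
            f"up to try {s['max_try']}, between {s['first']} and {s['last']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(summarize_handshakes(parse_wg_events(SAMPLE_LOG))):
        print(line)
```

The summary only tells you which side to look at, not why. WireGuard deliberately does not answer a handshake initiation it cannot authenticate, so from the client's point of view a wrong peer public key on the server, a mismatched pre-shared key, and a firewall silently dropping the UDP packet all look identical: initiations go out, no response ever comes back, and the retry counter climbs. Pairing the client view with the server side (the firewall's pass log for UDP 51820, which the poster already has, and the instance's handshake state on OPNsense) is what narrows it down.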