WireGuard Road Warrior setup won't work after changing LAN subnet

Started by bwbuhse, December 14, 2024, 01:46:21 AM

Hi, earlier today I changed my LAN subnet from 192.168.1.0/24 to 10.124.15.0/24, ironically, mostly in an attempt to make my road warrior setup work better since 192.168.1.0/24 is fairly common residentially. I also decided to change my VPN from 192.168.100.0/24 to 10.124.16.0/24 just to match. However, now I'm completely unable to connect to the WireGuard instance from either my phone or laptop. I went ahead and fully re-created my setup following the guide but I'm still having the issue. I'd love if someone can help me figure out what's wrong.


I don't know how to provide the rest of the config with the limit on attachments :(

In a second post.

Did you specify the new subnet as "allowed addresses" in the peer settings of the WG client? Are the routes changed?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

> Did you specify the new subnet as "allowed addresses" in the peer settings of the WG client?

Yeah, on the clients I just have 0.0.0.0/0 and ::/0 as the Allowed IPs for the peer.

And my bad, I didn't realize there was an option other than the "Quick reply" so I didn't see you could add more attachments.


The interface shows these routes:

10.124.16.0/24
10.124.16.2
10.124.16.3
2605:a601:a098:xxxx::/64
2605:a601:a098:xxxx::1
2605:a601:a098:xxxx::2

I figured this out! I think it was a combination of two things.

First, at some point since I'd last used the VPN, I guess I'd added a AAAA record to the domain my WireGuard endpoint was CNAMEd to... however the AAAA is the IPv6 address of my server, not my OPNsense box. Creating new A/AAAA records pointing directly to OPNsense instead of the CNAME seems to have fixed it.

I think another issue, which made some of my problems intermittent, was that I was trying to do Outbound NAT on the WireGuard IPv6 network, but I didn't even have an IPv6 address on my OPNsense's WAN interface. Adding that seems to have fixed it (but I don't really need the IPv6 NAT, so I disabled that).
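
A check for the failure described in the last post, added here as an example and not taken from the thread: it lists every A/AAAA address a client could pick for the WireGuard endpoint name (CNAMEs are followed by the resolver) and reports any that do not belong to the firewall. The hostname, the documentation-range addresses, port 51820 and the function names are assumptions made for illustration.

```python
import ipaddress
import socket


def resolve(host, port=51820):
    """Addresses a dual-stack client may choose for host (A and AAAA, CNAME followed).

    Port 51820 is assumed; use the listen port of your own instance.
    """
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)
    return {info[4][0] for info in infos}


def stray_endpoint_addresses(host, firewall_addrs, resolver=resolve):
    """Return (address, record type) for each resolved address not on the firewall.

    firewall_addrs holds the WAN addresses of the box that runs WireGuard.
    An empty result means every address family the name publishes ends at
    the firewall, so a client preferring IPv6 will not land on another host.
    """
    expected = {ipaddress.ip_address(a) for a in firewall_addrs}
    resolved = {ipaddress.ip_address(a) for a in resolver(host)}
    stray = sorted(resolved - expected, key=lambda a: (a.version, int(a)))
    return [(str(a), "A" if a.version == 4 else "AAAA") for a in stray]


# Constructed sample data (documentation ranges), standing in for live DNS:
# the CNAME target has the firewall's IPv4 but another server's IPv6.
FIREWALL_WAN = ["203.0.113.10", "2001:db8::10"]


def sample_resolver(host):
    return {"203.0.113.10", "2001:db8::80"}


if __name__ == "__main__":
    # Swap sample_resolver for resolve to query real DNS for your endpoint name.
    for addr, rtype in stray_endpoint_addresses(
        "vpn.example.net", FIREWALL_WAN, resolver=sample_resolver
    ):
        print(f"{rtype} record points at {addr}, which is not the firewall")
```

An endpoint name that is a CNAME inherits every record type of its target, so the check is worth rerunning whenever records are added to the target name.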