Wireguard - Can't get it to connect

Started by PotatoCarl, December 24, 2024, 12:25:04 PM

Hi
I am trying to get WireGuard running with a few clients (currently I run mostly OpenVPN and IPsec; both work fine, smoothly, and are easy to set up). I followed

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

in multiple attempts, religiously so far, with variations that are due to my setup. However, I always get the message "handshake timed out" at the client after 5 seconds when trying to connect.

On the server side I do not get any messages, so I assume that the client is somehow not reaching the right endpoint.

To make things a bit more spicy, for technical reasons (thank you, DEUTSCHE TELEKOM) I have to run two Fritz!Boxes as endpoints in my network for two DSL lines. Both make the connection but forward everything to the OPNsense firewall on two different ports (input ports).

So, basically:

- The firewall is in two different non-routing networks (192.168.178.0/24 and 192.168.179.0/24), while the Fritz!Boxes have fixed external IP addresses

I have set up, according to the example, an instance on port 51820 with a tunnel address of 192.168.22.0/24.
Then I set up a peer with the same public key as the instance and a pre-shared key. Allowed IP is one single address (192.168.22.100/32). Endpoint is the public IP of one of the Fritz!Boxes, port 51820. The instance to use is the (only) instance I have generated.

I then went to the peer generator and generated a configuration that I imported into a client (S7FE tablet, WireGuard software).

I am now unable to connect from there, and I also have no idea what the problem might be.

I also included in the firewall settings on each of the WANs a route for the UDP port:

    IPv4 UDP    *    *    WAN1DSL address    51820    *    *       WireGuard Inbound WAN1DSL

I am utterly confused and keep running into walls here. What am I doing wrong?

Amazing, as everybody says "WireGuard is the easiest to set up", and I have spent more time trying to get it to work than on a number of IPsec and OpenVPN setups together.

For some reasons I want to be able to use WireGuard in addition to the OpenVPN road warrior configurations for some clients, but I am totally failing at it. Please help!

Merry Christmas!

I can't help you other than to say I am experiencing the same scenario. I am connected to AT&T fiber and have set up WireGuard using multiple how-tos. All my configurations end with a failure to complete the handshake. My OPNsense does not show any firewall rejections. My WireGuard log only shows that the instance started. No indication anywhere of what is failing, as far as I can see.
Also, I am successfully using OpenVPN with the same equipment that is failing to work with WireGuard.
I will be watching this thread.

Quote from: PotatoCarl on December 24, 2024, 12:25:04 PM: "Then I set up a peer with the same public key as the instance"
That is not correct; both peers have to have their own key pairs.

I had a hard time getting it working, until I started using the "peer generator". By using that and letting the clients read the generated QR code, everything works nicely.

Start with a packet capture for UDP port 51820 on the WAN interface of OPNsense when attempting to connect. If you see incoming packets, the problem is in OPNsense somewhere. If you don't, the problem is in your FRITZ!Boxes, or beyond.

BTW, your tunnel address should be a host, not a network address, so you probably want 192.168.22.1/24 there, but I don't think that's your (only) issue...

Public/private keys should be unique to each device communicating using a single WireGuard instance. (You can have multiple instances, aka wg interfaces.)
The public/private key pair is the identifier for a configuration.

The tunnel endpoint (server side) should be a known address; also, .0 (the network address) should not be used as a host address.

After this, start an endpoint and see if traffic arrives on the firewall, and go from there.
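The two replies above (the packet-capture suggestion and "see if traffic arrives on the firewall") boil down to one question: do WireGuard handshake initiations reach the WAN interface, and does OPNsense answer them? The Python below is an added example, not code from any post or from OPNsense, that applies that triage to UDP payloads extracted from a capture. WireGuard message layout is taken from the protocol (type byte, three zero bytes, little-endian indices; initiation 148 bytes, response 92, cookie reply 64, transport at least 32). The packets in the block are constructed to have that layout and are not real captures, and the `diagnose` verdict strings are this example's own naming.

```python
# Added example (not from the thread): classify WireGuard UDP payloads seen on
# the OPNsense WAN and localize where the handshake is failing. The packet
# bytes built by make_initiation/make_response are constructed to have the
# correct WireGuard layout only; they are not real captured traffic.
import struct

# WireGuard message types and the fixed sizes of the handshake messages.
WG_TYPES = {1: "handshake_initiation", 2: "handshake_response",
            3: "cookie_reply", 4: "transport_data"}
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}
WG_MIN_TRANSPORT_LEN = 32  # 4 header + 4 receiver index + 8 counter + 16-byte AEAD tag


def classify(payload: bytes):
    """Return the WireGuard message name, or None if the payload is not WireGuard."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None                      # byte 0 is the type, bytes 1..3 are reserved zeros
    msg_type = payload[0]
    if msg_type not in WG_TYPES:
        return None
    if msg_type in WG_FIXED_LEN and len(payload) != WG_FIXED_LEN[msg_type]:
        return None                      # wrong length for a handshake message
    if msg_type == 4 and len(payload) < WG_MIN_TRANSPORT_LEN:
        return None
    return WG_TYPES[msg_type]


def sender_index(payload: bytes) -> int:
    """Sender index, present in every message at offset 4."""
    return struct.unpack_from("<I", payload, 4)[0]


def receiver_index(payload: bytes) -> int:
    """Receiver index at offset 8 (handshake response and transport data only)."""
    return struct.unpack_from("<I", payload, 8)[0]


def diagnose(packets):
    """packets: list of (direction, udp_payload); direction 'in' = arriving on WAN,
    'out' = leaving WAN. Returns one of three verdicts (names chosen for this example):
      no_initiation_on_wan   -> nothing reached OPNsense: port forward / endpoint / client side
      initiation_unanswered  -> OPNsense saw it but did not reply: instance, peer keys, WAN rule
      handshake_answered     -> at least the first two handshake messages flowed
    """
    initiations = [p for d, p in packets
                   if d == "in" and classify(p) == "handshake_initiation"]
    if not initiations:
        return "no_initiation_on_wan"
    init_ids = {sender_index(p) for p in initiations}
    # A genuine reply echoes the client's sender index as its receiver index.
    responses = [p for d, p in packets
                 if d == "out" and classify(p) == "handshake_response"
                 and receiver_index(p) in init_ids]
    if not responses:
        return "initiation_unanswered"
    return "handshake_answered"


# --- constructed sample packets (correct sizes, zeroed crypto fields) ---------
def make_initiation(sender: int) -> bytes:
    return b"\x01\x00\x00\x00" + struct.pack("<I", sender) + b"\x00" * (148 - 8)


def make_response(sender: int, receiver: int) -> bytes:
    return (b"\x02\x00\x00\x00" + struct.pack("<I", sender)
            + struct.pack("<I", receiver) + b"\x00" * (92 - 12))


if __name__ == "__main__":
    # Client retries its initiation every few seconds; the server never replies.
    stuck = [("in", make_initiation(0x1234)), ("in", make_initiation(0x1234))]
    print(diagnose(stuck))                                   # initiation_unanswered
    working = stuck + [("out", make_response(0xABCD, 0x1234))]
    print(diagnose(working))                                 # handshake_answered
    print(diagnose([("in", b"\x38\x00\x00\x00" + b"\x00" * 40)]))  # not WireGuard: no_initiation_on_wan
```

Feed it the UDP payloads from a capture taken on the WAN interface (Interfaces > Diagnostics > Packet Capture in OPNsense, or `tcpdump -ni <wan_if> udp port 51820` from a shell), tagging each as in or out. An initiation that is never answered points at the instance, the peer's keys, or the WAN rule on OPNsense; no initiation at all points at the FRITZ!Box port forward or the client's endpoint setting.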