WireGuard - Trouble making it work with OPNsense - OK for others

Started by anktarius, March 24, 2025, 05:15:21 PM

Hi folks,

I have been banging my head against this for a while now; I am just trying to connect OPNsense to my WireGuard server (wg-easy) hosted on a VPS.

Using my phone or laptop I can connect directly without any issue. On the phone I am using the generated QR code, on the laptop just downloading and using the .conf file. All good.
I have been trying to configure it on OPNsense for a while and it never works, so obviously I am doing something wrong on the OPNsense side.

Here is the config file:

[Interface]
PrivateKey = 0C0oDOLxvdvIHlnlos1xpgjEPFBofaLIYBsqHYXn2Ew=
Address = 10.8.0.4/24
DNS = 1.1.1.1

[Peer]
PublicKey = wu72D8TBjwjT8m71o4tvIKTxLg8mWTriNcSv11lNYlA=
PresharedKey = dUZ0fOiF1pE+sUbt41Qr2lGCDUEb3LdqrhyKAUyQRdY=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = x.x.x.x:51920

Here is what I did on OPNsense:
[attachments not available]

I have no idea what I am doing wrong, and the logs are not very verbose here.
Does someone have an idea about my issue?

Thank you.
Regards.

Allowed IPs = 0.0.0.0/24? You see the problem?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on March 24, 2025, 05:45:50 PM
    Allowed IPs = 0.0.0.0/24? You see the problem?

Whooo, thank you, that was a big one...

[attachment not available]

After fixing this issue, I still have the same behavior.
Thank you

Is the public key and the listen port of the instance really blank? In which direction do you want the connection to happen?

If inbound: You need a firewall rule to allow access to your endpoint port.

Also, I don't know if a connection is created without an outbound packet if the keepalive interval is not specified. I always set it...

I want OPNsense to act as "a client". The connection should be initiated from the firewall to the VPS.
- Yes, the listen port is blank. I tried setting it manually to 51820 or 51920, but that does not change anything, which I think is normal as the connection is initiated from the firewall itself, so it will pick a random port (like my phone did).
- Yes, the public key field is blank as it was not part of the config file. I think it is auto-generated from the private key, but just in case I copied/pasted the public key generated by my WireGuard Android client (which is the same as in the Windows client); same result.
- I can't generate traffic as the tunnel is not even coming up. Based on your comment I tried to set up gateway monitoring, but that is not possible as I am not receiving an IP because the tunnel is not up.
- On the rules side it should be OK; I assigned the interface wg0 and created a permit-any rule on it.

Thank you
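The three things this post and meyergru's replies turn on (the AllowedIPs typo, whether a keepalive is needed for the firewall to send anything at all, and what the instance public key should be) can all be checked against the .conf file before touching the GUI. The following linter is an added example written for this thread, not code from OPNsense or wg-easy: it parses the client config, flags an AllowedIPs entry such as 0.0.0.0/24 that is clearly a mistyped default route, warns when PersistentKeepalive is 0 or absent (WireGuard then initiates no handshake until some packet is routed into the tunnel, which is why a client-only tunnel looks "down"), checks that an Endpoint with a port is present, and derives the instance public key from PrivateKey with a pure-Python X25519 so it can be compared with what the GUI displays. The sample config is constructed: it mirrors the first config in the thread but uses the RFC 7748 test key pair as the private key and a documentation address as the endpoint; the peer public key is the one from the thread.

```python
"""Lint a WireGuard client .conf for the pitfalls discussed in this thread.
Added example (not OPNsense/wg-easy code): flags a mistyped default route in
AllowedIPs, PersistentKeepalive 0/absent, a missing Endpoint, and derives the
instance public key from PrivateKey (X25519, RFC 7748). Stdlib only, no `wg`."""
import base64
import ipaddress

_P = 2**255 - 19
_A24 = 121665

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Curve25519 scalar multiplication, Montgomery ladder from RFC 7748 s.5."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ((1 << 255) - 1)) | (1 << 254)  # clamp the scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = (da + cb) ** 2 % _P, x1 * (da - cb) ** 2 % _P
        x2, z2 = aa * bb % _P, e * (aa + _A24 * e) % _P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

def public_key_from_private(private_b64: str) -> str:
    """Public key = X25519(private, 9), base64 like the GUI shows it."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("PrivateKey must decode to 32 bytes")
    return base64.b64encode(x25519(priv, (9).to_bytes(32, "little"))).decode()

def parse_wg_conf(text: str) -> list:
    """Minimal INI-style parser that keeps repeated [Peer] sections in order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        key, sep, value = line.partition("=")  # base64 '=' padding stays in value
        if not sep or not sections:
            raise ValueError(f"unexpected line: {raw!r}")
        sections[-1][1][key.strip()] = value.strip()
    return sections

def lint_client_conf(text: str) -> dict:
    sections = parse_wg_conf(text)
    iface = next((kv for name, kv in sections if name == "Interface"), {})
    pub = public_key_from_private(iface["PrivateKey"]) if "PrivateKey" in iface else None
    findings = [] if pub else ["Interface: PrivateKey missing"]
    for n, peer in enumerate([kv for name, kv in sections if name == "Peer"], 1):
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        if not host or not port.isdigit():
            findings.append(f"Peer {n}: Endpoint host:port missing, firewall cannot initiate")
        allowed = [s.strip() for s in peer.get("AllowedIPs", "").split(",") if s.strip()]
        if not allowed:
            findings.append(f"Peer {n}: AllowedIPs empty, nothing is routed into the tunnel")
        for entry in allowed:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"Peer {n}: AllowedIPs entry {entry!r} is not a valid CIDR")
                continue
            if net.network_address.is_unspecified and net.prefixlen != 0:
                findings.append(f"Peer {n}: AllowedIPs {entry} is not a default route; "
                                f"did you mean {net.network_address}/0?")
        if int(peer.get("PersistentKeepalive") or 0) == 0:
            findings.append(f"Peer {n}: PersistentKeepalive 0/absent; no handshake is sent "
                            "until traffic enters the tunnel (25 is the usual value)")
    return {"public_key": pub, "findings": findings}

# RFC 7748 section 6.1 key pair, used as the constructed sample's private key.
ALICE_PRIV_B64 = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
ALICE_PUB_B64 = base64.b64encode(bytes.fromhex(
    "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()

# Constructed sample mirroring the thread's first config (typo and keepalive=0
# kept); endpoint is a documentation address, peer key is the one from the thread.
SAMPLE_CONF = f"""[Interface]
PrivateKey = {ALICE_PRIV_B64}
Address = 10.8.0.4/24

[Peer]
PublicKey = wu72D8TBjwjT8m71o4tvIKTxLg8mWTriNcSv11lNYlA=
AllowedIPs = 0.0.0.0/24, ::/0
PersistentKeepalive = 0
Endpoint = 198.51.100.10:51920
"""
```

Run `lint_client_conf(SAMPLE_CONF)` and the two findings meyergru raised come out directly (the /24 typo and the zero keepalive), while the returned public key is what to type into, or compare against, the instance's public key field. Once AllowedIPs is 0.0.0.0/0 and PersistentKeepalive is 25, the findings list is empty; if the VPS still sees nothing on the endpoint port, the config is no longer the suspect and the firewall's own outbound path is.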

Hello,

So after trying and trying to understand why it is not working on OPNsense, I think I found something.

If I run tcpdump on port 51920 (the configured WG port) on my VPS, I see nothing; even when restarting WireGuard on OPNsense, nothing arrives at the VPS.
If I connect my phone directly, I can see the traffic in tcpdump.

Result:
For some reason no traffic is sent from OPNsense to my VPS.


Status:
Trying to understand why the WireGuard traffic from OPNsense (the firewall itself) is not able to reach the VPS.

Test:
Using Interfaces -> Diagnostics -> Ping
Ping to my VPS is OK.
I can confirm that the default gateway is:
ipv4   default   192.168.1.254   UGS   NaN   1500   igc0   WAN
So the zone to look at is the WAN.
In terms of rules, normally everything is open, but as the traffic comes from the firewall itself I have to say that I don't really know how to troubleshoot this properly.

You can test your OPNsense internet connection via System: Firmware -> Connectivity Audit or via the CLI.

But how can your WAN gateway be a non-routable IP? Is there an ISP router in front of your OPNsense? Even if there is, you either have internet access or you don't. One thing I can imagine is that only IPv6 works from your LAN and IPv4 is broken by the defunct gateway.
