Wireguard VPN - No Internet

Started by gandizzle91, March 09, 2026, 08:23:53 PM

Hello everyone,

I've already followed several tutorials explaining how to set up a VPN in my home network. Unfortunately, none of them have worked so far, and I'm slowly starting to get frustrated. I do have a suspicion about what might be causing the issue.

I'm using a FritzBox as my router/modem and configured OPNsense as an exposed host. As a result, my WAN IP on OPNsense is an internal IP address from the FritzBox.

My OPNsense is an exposed host in my FritzBox.

So I can connect via my iPhone to the OPNsense, but I don't get Internet on my iPhone. I also can see it in the firewall logs. Additionally, here are some screenshots from the configs. Maybe someone can help me.

At the very least, you need "Endpoint" and "Name" filled in with a value. Also, once the peer is created, I think you have to re-enter "Endpoint Address" and "Endpoint Port" on the Peers config name.

On the OPNsense side only the IP address of the system connection goes into "AllowedIPs". On the remote system "0.0.0.0/0" goes into "AllowedIPs" to establish a default route into the tunnel.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@Patrick M. Hausen What do you mean by "only the IP address of the system connection goes into "AllowedIPs""? The address of the firewall itself? So the local IP address? Or do you mean my public IP?

@vimage22 Are you sure? In the tutorial they said that those fields must be blank in the Peer Generator. Only when you create a manual peer should you put this information in.

The tunnel address you assign to the "road warrior" device "dialing in".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

March 10, 2026, 02:51:31 PM #5 Last Edit: March 10, 2026, 02:55:05 PM by vimage22
So under your Peer Generator, "Name" is only a friendly name that will show up under the Peers tab, once created.
And again under Peer Generator, I am not sure about "Endpoint".
First, I did set a value there, but it seems to be removed once the peer is generated. So I had to re-enter it on the peer.
Next, the docs do say to leave it blank, but it did not make sense to me.

A few years ago, before the amazing Generator, I had wg working with many peers. Over the last few days, I found I could really use wg again, starting with my android cell. Here is more info, in case it helps you or others.

for reference, my LAN = 10.1.1.0/24 and DHCPv6 (kea)
Subnet: 2601:xx:xx:xx::/64
Pool: 2601:xx:xx:xx::/120  (256 addresses)

Instance:
Name: WGServer
Tunnel address: 10.10.1.1/24  and  2601:xx:xx:xx::100/120

Peer:
Name: Cell_Phone
Endpoint address and Port: x.mywire.org:51820
Allowed IPs: 10.10.1.3/32  and  2601:xx:xx:xx::102/128
[trying to make this dual stack where only traffic needed to LAN passes.]

Interfaces: [wg0] = true
Firewall: Rules: WAN = WG_FW_Rule (v4+v6)
Firewall: Rules: wg0 = WG0_Router_Rule (v4+v6)
Firewall: Settings: Normalization = Wireguard MSS Clamping IPv6

In Generator, before clicking save, and after confirming the QR is scanned on the cell, right click and save the QR image, in case you need it down the road.
Then, when I tried activation on the cell, nothing happened. Under Firewall: Log Files: Live View, zero activity. After many hours, I finally set a value in "Keepalive interval", and it worked! My guess is it will not establish the tunnel until there is a specific need for it.

Open issues:
Re-enter Endpoint Address and port seems like a bug. I would expect it to transfer from the Generator.
Strange behavior under VPN: WireGuard: Status.
I would think it should be "x.mywire.org:51820", but initially it is resolved to the public IPv6 address, by Unbound I think. Then after the peer connects, it shows the public IPv4 address. Not sure why it needs to do this.

Finally, IPv4 works. Confirmed with 'wg show all' and with 'ping 10.10.1.3'. But cannot seem to get IPv6 to work, at all. Any advice appreciated.


Hi,

I guess I have the same issue here. My Wireguard clients connect fine to my OPNSense VPN. They can easily do everything with the hosts on the remote LAN. So Wireguard --> LAN is fine.

But as soon as those clients (happens on a Mac as well as on an iPad) have established the VPN connection they do not have access to the Internet.

I guess there is a rule missing but I do not know which rule I have to add. I have allowed all traffic in the Wireguard interface to everywhere. But no good.

So which rule on which interface do I have to add? Might this be related to outgoing NAT? I set it to fully automated...

Anyone a hint for me (and the OP I assume)?

Thanks!

/KNEBB

Automated NAT won't work. Set it to hybrid and add a rule on the WAN interface to NAT anything with source "WG net" to "WAN address".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
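Patrick's two points in this thread (the client's AllowedIPs must carry 0.0.0.0/0 to get a default route into the tunnel, and automatic outbound NAT has no rule for the WireGuard net) can be checked mechanically. The script below is an added example, not code from the thread or from OPNsense: it parses constructed client and server WireGuard configs and a constructed model of the outbound NAT rule table (the `interface`/`source`/`target` fields are an assumption for illustration, not OPNsense's real rule format) and reports both pitfalls. Key values are placeholders.

```python
"""Constructed checks for the two 'tunnel up but no Internet' pitfalls discussed
in the thread: (1) the road-warrior client has no default route into the tunnel
because its AllowedIPs lacks 0.0.0.0/0 (and ::/0); (2) outbound NAT on WAN has
no rule translating the WireGuard tunnel subnet. Configs and NAT tables here
are constructed samples; all key values are placeholders."""
import ipaddress


def parse_wg(text):
    """Parse an INI-style WireGuard config into [(section, {key: value}), ...].
    Hand-written because [Peer] may repeat, which configparser rejects."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections


def networks(csv):
    """Turn 'a/24, b/32' into ip_network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in csv.split(",") if p.strip()]


def client_default_routes(client_cfg):
    """Which address families the client routes entirely into the tunnel."""
    found = {4: False, 6: False}
    for section, kv in parse_wg(client_cfg):
        if section == "Peer":
            for net in networks(kv.get("AllowedIPs", "")):
                if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                    found[net.version] = True
    return found


def server_peer_problems(server_cfg):
    """On the OPNsense side a peer's AllowedIPs should hold only that peer's own
    tunnel address(es); anything wider than a host route is reported."""
    problems = []
    for section, kv in parse_wg(server_cfg):
        if section == "Peer":
            for net in networks(kv.get("AllowedIPs", "")):
                if net.num_addresses != 1:
                    problems.append(f"peer {kv.get('PublicKey', '?')}: {net} is not a host route")
    return problems


def nat_covers_tunnel(nat_rules, tunnel_net):
    """True if some WAN rule in the (constructed) NAT model translates the whole
    tunnel subnet to the WAN address, i.e. the hybrid rule Patrick describes."""
    tunnel = ipaddress.ip_network(tunnel_net, strict=False)
    for rule in nat_rules:
        if rule["interface"] != "WAN" or rule["target"] != "WAN address":
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source.version == tunnel.version and tunnel.subnet_of(source):
            return True
    return False


def diagnose(client_cfg, server_cfg, nat_rules, tunnel_net):
    """Collect findings; an empty list means neither pitfall is present.
    A missing ::/0 is not flagged: v6 split tunnel is a legitimate choice."""
    findings = server_peer_problems(server_cfg)
    if not client_default_routes(client_cfg)[4]:
        findings.append("client: no 0.0.0.0/0 in AllowedIPs, IPv4 Internet stays outside the tunnel")
    if not nat_covers_tunnel(nat_rules, tunnel_net):
        findings.append(f"NAT: no outbound rule on WAN for {tunnel_net} -> WAN address")
    return findings


# --- constructed samples, mirroring the addressing used in the thread ---
CLIENT_FULL = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.10.1.3/32
DNS = 10.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = x.mywire.org:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""
# same client, but split tunnel: only LAN and tunnel net are routed through wg
CLIENT_SPLIT = CLIENT_FULL.replace("0.0.0.0/0, ::/0", "10.1.1.0/24, 10.10.1.0/24")

SERVER = """
[Interface]
Address = 10.10.1.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.1.3/32
"""
# constructed model of the outbound NAT table: automatic mode only knows the LAN
NAT_AUTOMATIC = [{"interface": "WAN", "source": "10.1.1.0/24", "target": "WAN address"}]
NAT_HYBRID = NAT_AUTOMATIC + [{"interface": "WAN", "source": "10.10.1.0/24", "target": "WAN address"}]

if __name__ == "__main__":
    for label, nat in (("automatic", NAT_AUTOMATIC), ("hybrid", NAT_HYBRID)):
        print(label, diagnose(CLIENT_FULL, SERVER, nat, "10.10.1.1/24") or "ok")
    print("split tunnel", diagnose(CLIENT_SPLIT, SERVER, NAT_HYBRID, "10.10.1.1/24"))
```

Run it as-is and the automatic NAT table yields exactly one finding (the missing WAN rule), the hybrid table yields none, and the split-tunnel client is reported as having no IPv4 default route, which is the same symptom the OP sees but by design.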

I finally got this to work and so happy. Dual stack on IPv4 and IPv6 work. I think the major change was, instead of using the dynamic IPv6 provided by the ISP, I broke down and used a:
Unique Local IPv6 Generator

It returned:
fdxx:xxxx:xxxx::/48  ( x= masked, but if this is ULA, do I need to mask it? )

For "Instance", set Tunnel address =
10.10.1.1/24  (different than LAN)
fdxx:xxxx:xxxx::1/64  (unique to LAN/WAN)

In config on Peer GENERATOR:

Allowed IPs:
x.x.x.x/24 (LAN)
10.10.1.1/24 (WG)
fdxx:xxxx:xxxx::/64
2601:x:x:x::/64 (dynamic prefix from ISP)

Address
10.10.1.3/32
fdxx:xxxx:xxxx::2/128

DNS:
[IPv4 LAN DNS address], fdxx:xxxx:xxxx::1

NOTE:
On edit "Peer", not "Peer GENERATOR", change label name from "Allowed IPs" to "Address", or "Allowed Peer Address". It is hard to imagine that no one else has noticed this.

Performance, as expected, speed is amazing over IPv6:
ping v4 - max = 309 ms
     v6 - max = 109 ms
3x faster... using "Ping & Net" (android)

Open question:
If the ISP changes my ip, what file could I modify via a bash script to update 2601:x:x:x::?
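The fdxx:xxxx:xxxx::/48 prefix the "Unique Local IPv6 Generator" handed back in the post above is built per RFC 4193: fd00::/8 followed by a 40-bit pseudo-random global ID, with the 16 bits after that as the subnet ID. RFC 4193 prefixes are not routed on the public Internet, which is why they suit a tunnel that must not depend on the ISP-delegated prefix. The script below is an added example, not from the thread or OPNsense: it implements the RFC 4193 section 3.2.2 derivation and then lays out the tunnel addresses the way the post does (::1/64 on the instance, ::2/128 on the peer). The MAC address and timestamp are constructed values.

```python
"""RFC 4193 Unique Local Address (ULA) prefix generation plus the tunnel
addressing plan used in the post (::1/64 instance, ::2/128 peer).
Added example; the MAC address and timestamp below are constructed."""
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)


def ula_prefix(mac, now=None):
    """RFC 4193 section 3.2.2: global ID = low 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64 of a local interface)."""
    if len(mac) != 6:
        raise ValueError("need a 48-bit MAC address")
    # EUI-64: flip the universal/local bit of the first octet, insert ff:fe
    eui64 = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]
    now = time.time() if now is None else now
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((now - int(now)) * 2**32) & 0xFFFFFFFF
    digest = hashlib.sha1(struct.pack("!II", secs, frac) + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    prefix = (0xFD << 120) | (global_id << 80)      # fd00::/8 + 40-bit global ID
    return ipaddress.IPv6Network((prefix, 48))


def tunnel_plan(prefix48, subnet_id, peer_names):
    """Carve one /64 out of the /48 (16-bit subnet ID); hand ::1/64 to the
    WireGuard instance and ::2/128, ::3/128, ... to the peers, as in the post."""
    if not 0 <= subnet_id < 2**16:
        raise ValueError("subnet ID is 16 bits")
    base = int(prefix48.network_address) | (subnet_id << 64)
    subnet = ipaddress.IPv6Network((base, 64))
    instance = ipaddress.IPv6Interface((base + 1, 64))
    peers = {name: ipaddress.IPv6Interface((base + 2 + i, 128))
             for i, name in enumerate(peer_names)}
    return subnet, instance, peers


if __name__ == "__main__":
    # constructed MAC and fixed timestamp so the run is reproducible
    p = ula_prefix(bytes.fromhex("021122334455"), now=1700000000.0)
    subnet, instance, peers = tunnel_plan(p, 1, ["Cell_Phone"])
    print("ULA /48:", p)
    print("tunnel /64:", subnet, "instance:", instance)
    for name, addr in peers.items():
        print(name, addr)
```

Because the /48 is derived from a local MAC and the current time, two networks generating their own prefix are very unlikely to collide, which is the point of the 40-bit random field; pass a real `time.time()` (the default) rather than the fixed timestamp when generating a prefix for actual use.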