Wireguard in opnsense

[mimugmail]

Have you applied the single patch after installing the plugin?
It looks good, no idea why the packets get blocked ...

[rantwolf]

Yes, patch is applied.

[mimugmail]

Hm, I can only offer to have a look via Teamviewer since WireGuard is very new technology I'm not very experienced with it.

[MrB]

Took a stab at testing this tonight with somewhat mixed results, it looks like I get the tunnel up but can't get to the outside from LAN

My normal setup is a OpenVPN (client) connection to a VPN provider and all LAN traffic is routed through this (Outbound NAT rules). So I disabled the OpenVPN client & outbound NAT rules and added Google's DNS server instead of the VPN provider one. Also tested that everything still works at this point.

Installed Wireguard & the patch and proceeded with the Server/Endpoint setup -> Enable. I'm guessing this is the point when wg0.conf is created in /usr/local/etc/wireguard. I can generate a config file with the needed keypairs on the VPN providers website so went ahead and did that. Tested that the config works on my laptop before I copied the contents and pasted them into the .conf file. 

Code: [Select]

[Interface]
PrivateKey = ########################################
Address = ip-supplied-by-vpn-provider/32,aaaa:bbbb:cccc:dddd::1234/128
DNS = vpn-provider-dns-address

[Peer]
PublicKey = ########################################
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = vpn-providers-server:51820

Added a firewall rule for port 51820 and restarted the Wireguard service, the interface came up and saw some outbound packets on the wg0 interface as well so I assume the tunnel is working, but couldn't reach any sites from the LAN side. Ping requests and trace routes all time out, ie. stop at the OPNsense box, but looking at the firewall log live view nothing is blocked. From what I read AllowedIPs = 0.0.0.0/0,::0/0 should allow any address, also tried with my local subnet but the result was the same.

In a desperate attempt to get it working I tried assigning wg0 to a new interface (although I read on the previous page it shouldn't be done) and replicated the outging NAT rules from my OpenVPN setup, but alas to no avail.

Any pointers what I should be looking at next in order to get it working?
 

[mimugmail]

I havent tested default route via WireGuad yet, I'll try to reproduce.
Assigning tun interfaces is a bit complicated but there is some progress in core right now.

[nfugal]

I'm trying to test out WireGuard too.

I can't seem to get my setup to generate the keys. After saving I still get the results in the attached screenshot.

Any ideas what I'm missing?

[mimugmail]

Can you delete the instance and create a new one? This shouldn't happen at all ..

[nfugal]

I've tried delete and recreate several times with no success.

Are there any logs or anything that might help?

[mimugmail]

Via console

clog /var/log/system.log
clog /var/log/configd.log


You can also PM me and I'll have a short look via Teamviewer

[mimugmail]

Uhm .. you are the guy with the broken configd daemon? I think your system has some more bigger problems and that's why it doesn't work

[nfugal]

I am indeed that guy.

Getting the configd service to work seems to have fixed the WireGuard issue. I am getting keys generated just fine now.

[mimugmail]

Hi.
Here are the screenshots:

Site-A:
https://ibb.co/kPWzv9
https://ibb.co/hizKv9
firewall-rules:
Interface: https://ibb.co/n1tONp
WAN: https://ibb.co/iKf3Np


Site-B:
https://ibb.co/jGrchp
https://ibb.co/kv76a9
firewall-rules:
Interface: https://ibb.co/nuxiNp
WAN: https://ibb.co/cAv3Np

If I ping from Site-B to Site-A
I get this in firewall-logs on Site-A:
https://ibb.co/fo1A2p

Ok, found the error, try to fix it the next days.

[mimugmail]

On Thursday hopefully we got also 0.3 devel where everything is fixed, also pushing default gateway via WireGuard works pretty fine.

[abalsam]

Sounds great as I am also having issues connecting to the wireguard.com test connection and the azirev configurations.  Also, please update the howto to include instructions on how to connect to VPN servers/providers.

Thanks

[csmall]

I have a connection to the Wireguard instance from Android.

No traffic is flowing and I also do not see a new interface in firewall rules for wireguard.

How can I get the traffic to flow and allow for access to my LAN over wireguard?