Closed enoch85 closed 7 months ago
Perhaps a config error? I tried to enable WireGuard on OPNsense. Initially, I had the same issue.
After troubleshooting a bit, enabling WireGuard itself doesn't cause the issue; it was the peer config that allowed 0.0.0.0/0 that caused the issue. Check out https://homenetworkguy.com/how-to/configure-wireguard-opnsense/#optional-add-firewall-rules-to-access-internal-networksdevices and the official docs for more guidance.
@chaijunkin Thanks, but I can't find anything on that subject in the post you linked. Do you mean this?
Because I actually do want to route all traffic through WG, as I want to use my own Unbound DNS with DoT and so on.
So I'm using 10.0.0.1/24 for the Tunnel (on the instance), and that's a single VLAN that doesn't collide with any other VLAN. And I'm using 0.0.0.0/0 on the client side for the above reasons. Is that wrong?
I have the exact same setup with Unbound DoT.
Try disabling the peer, the instance and WireGuard one by one, and see whether your network is working or not.
For a client (mobile device or others), 0.0.0.0/0 is fine. It will allow all traffic.
If you put 0.0.0.0/0 in the peer's allowed IPs (you should put the client IP there), you might get some issues with routing.
Whuut, it works. Don't know what I've done differently now, but it finally works!
For someone else coming here looking for answers, this is my laptop setup:
[Interface]
PrivateKey = XYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYX=
Address = 10.0.0.3/32
DNS = 192.168.1.1
[Peer]
PublicKey = XYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYX=
PresharedKey = XYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYX=
Endpoint = ddns.dedyn.io:51820
AllowedIPs = 0.0.0.0/0
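The distinction made in the replies above (0.0.0.0/0 is fine in the laptop's own AllowedIPs, but the firewall's peer entry for that laptop should carry only the client's tunnel address) can be checked mechanically. This is an added example, not code from the thread or from OPNsense: it parses a constructed wg-quick style server config with placeholder keys and flags peer AllowedIPs that would pull the firewall's default route into the tunnel, the failure mode described in this issue.

```python
import ipaddress

# Constructed server-side config for this example; keys are placeholders.
SERVER_CFG = """
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = LAPTOPKEYPLACEHOLDER=
AllowedIPs = 0.0.0.0/0  # wrong here: this is the server's entry for the laptop
[Peer]
PublicKey = PHONEKEYPLACEHOLDER=
AllowedIPs = 10.0.0.4/32
"""

def parse_wg(text):
    """Parse wg-quick style text into (interface_dict, [peer_dict, ...])."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        else:  # base64 keys end in '=', so split on the first '=' only
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def check_server_peers(text):
    """Return findings for peer AllowedIPs that break routing on the server side."""
    iface, peers = parse_wg(text)
    tunnel = ipaddress.ip_interface(iface["Address"]).network
    claimed, findings = {}, []
    for n, peer in enumerate(peers, 1):
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip())
            if net.prefixlen == 0:  # cryptokey routing would match every destination
                findings.append(f"peer {n}: {net} matches every destination, so its route displaces the default route; use the client's /32")
            elif net.overlaps(tunnel) and net.prefixlen != net.max_prefixlen:
                findings.append(f"peer {n}: {net} spans the tunnel subnet {tunnel}; give each client one address")
            if net in claimed:  # two peers cannot own the same allowed prefix
                findings.append(f"peer {n}: {net} is already claimed by peer {claimed[net]}")
            claimed.setdefault(net, n)
    return findings

if __name__ == "__main__":
    print("\n".join(check_server_peers(SERVER_CFG)) or "no routing problems found")
```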
Describe the bug
To Reproduce
Expected behavior
I should be able to ping 8.8.8.8 or browse the internet while on the WG connection.
Describe alternatives you considered
I've tried everything I can think of: adding Hybrid Outbound NAT, opening all ports, using public DNS, adding a separate Gateway and so on...
Screenshots
Tba, on mobile phone now.
Relevant log files
Tba, on mobile phone now
Additional context
Internet dies for the whole firewall the instant I activate WireGuard. I can't even use the diagnostics (Interface menu) and ping. All my other VPSs die and lose their internet connection until I disable WireGuard; then it instantly works again.
I tried deleting the whole setup with the latest FW yesterday and redoing it to get the latest tweaks, but it doesn't work.
I use Unbound, and have tried setting both 192.168.1.1 (Firewall) and 10.0.0.1 (WG interface) for DNS, but it fails anyway.
I know there have been a lot of posts similar to this, but at least those guys had internet, I can't even ping anything.
Looking at the Unbound logs, I can see that it successfully negotiates DNS and resolves it, but it doesn't come through the Firewall to the client. I can also see that the Firewall log lights up green, and it seems like the sites I visit are allowed and working, but again, nothing happens on the client, and internet is dead on the whole firewall!
Been on this for at least 6 hours now.
Environment
OPNsense 24.1.6 (amd64). Supermicro 1U server (new 2020)