opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Please assist with WireGuard configuration for client to access internal network #7554

Open cookiemonsteruk opened 1 week ago

cookiemonsteruk commented 1 week ago

I am on OPNsense 23.7.12_5-amd64

Hello. I have a wg server running on OPN accepting connections from a couple of my devices for when I'm away from home. One is a mobile phone and another is a laptop. I can connect with them fine, but they are set to allowed IPs of only their /32 IP address on the tunnel. I want to add the ability to reach my LAN to another of these devices, but I get an error message in the wg log, and if I add 0.0.0.0/0, DNS resolution on my LAN devices starts to fail. Errors take the form of:

```
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '192.168.5.0/24' -interface 'wg1'' returned exit code '1', the output was ''
```

or

```
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0' -interface 'wg1'' returned exit code '1', the output was ''
```

I have tried stopping the WireGuard service first before modifying it, but it is the same behaviour. My WireGuard config appears as this:

```
$ cat /usr/local/etc/wireguard/wg1.conf

####################################################
# Interface settings, not used by `wg`             #
# Only used for reference and detection of changes #
# in the configuration                             #
####################################################
# Address =  10.0.0.1/24
# DNS = 192.168.5.1
# MTU =
# disableroutes = 0
# gateway =

[Interface]
PrivateKey = XXXXXX
ListenPort = 51820

[Peer]
# friendly_name = mobile-8T-MN
PublicKey = YYYY

AllowedIPs = 10.0.0.2/32

[Peer]
# friendly_name = pluto
PublicKey = ZZZZ

AllowedIPs = 10.0.0.3/32

[Peer]
# friendly_name = saturn
PublicKey = AAAAA

AllowedIPs = 10.0.0.4/32
```

What I have been trying to do is modify the config using the UI to replace, for saturn, 10.0.0.4/32 with 0.0.0.0/0, or to add 192.168.5.0/24 to it, which is my LAN network. Strangely, with the mobile-8T-MN peer I can access my LAN with its current configuration. I fail to see what my error is. Any advice will be gratefully appreciated. Additionally, if it helps, these are my rules:

```
scrub on igc1_vlan200 all fragment reassemble
scrub on igc1_vlan100 all fragment reassemble
scrub on igc2 all fragment reassemble
scrub on igc0 all fragment reassemble
scrub on wg1 all fragment reassemble
block drop in on ! igc1_vlan200 inet from 192.168.200.0/24 to any
block drop in inet from 192.168.200.1 to any
block drop in on ! igc1_vlan100 inet from 192.168.5.0/24 to any
block drop in inet from 192.168.5.1 to any
block drop in on ! igc0 inet from {publicip}/20 to any
block drop in inet from {publicip}63 to any
block drop in on ! wg1 inet from 10.0.0.0/24 to any
block drop in inet from 10.0.0.1 to any
pass in quick on lo0 inet6 all flags S/SA keep state label "8ea047906c1d4b4979cecf618861df7e"
block drop in quick inet6 all label "1e3b28187f5c3ff11d5f26da22fa4f4d"
block drop in inet all label "8164f82fd0b4f3b0e0c494228a454c17"
block drop in inet6 all label "8164f82fd0b4f3b0e0c494228a454c17"
pass in quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "9dff917e83b570f19343d5e2941a545e"
pass in quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "9dff917e83b570f19343d5e2941a545e"
pass in quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "9dff917e83b570f19343d5e2941a545e"
pass in quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "9dff917e83b570f19343d5e2941a545e"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass out quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "fb0cc70ad35caa7bea0138f49c30623d"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "d147534c4012c8dd65eda59292c0ab90"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "df042096359aa49094a20b3ac111f4b7"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "df042096359aa49094a20b3ac111f4b7"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "df042096359aa49094a20b3ac111f4b7"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "df042096359aa49094a20b3ac111f4b7"
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "df042096359aa49094a20b3ac111f4b7"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "d8fdc41aeac05a86adfb74e6052317d8"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "d8fdc41aeac05a86adfb74e6052317d8"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "d8fdc41aeac05a86adfb74e6052317d8"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "d8fdc41aeac05a86adfb74e6052317d8"
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "d8fdc41aeac05a86adfb74e6052317d8"
block drop in quick inet proto tcp from any port = 0 to any label "055888faf366f8a2c7f1750d10972bd8"
block drop in quick inet proto udp from any port = 0 to any label "055888faf366f8a2c7f1750d10972bd8"
block drop in quick inet6 proto tcp from any port = 0 to any label "055888faf366f8a2c7f1750d10972bd8"
block drop in quick inet6 proto udp from any port = 0 to any label "055888faf366f8a2c7f1750d10972bd8"
block drop in quick inet proto tcp from any to any port = 0 label "7a8b700e4eb5aee74ba3bb8c84ab144e"
block drop in quick inet proto udp from any to any port = 0 label "7a8b700e4eb5aee74ba3bb8c84ab144e"
block drop in quick inet6 proto tcp from any to any port = 0 label "7a8b700e4eb5aee74ba3bb8c84ab144e"
block drop in quick inet6 proto udp from any to any port = 0 label "7a8b700e4eb5aee74ba3bb8c84ab144e"
pass quick inet6 proto carp from any to ff02::12 keep state label "5ddcbf1f0688962629f1a2166ba2ab0c"
pass quick inet proto carp from any to 224.0.0.18 keep state label "846c09139ef5484c01967052b15e454a"
block drop in quick proto tcp from <sshlockout> to (self) port = ssh label "e4ddd6926820aea1dd5627b7f4af97e7"
block drop in quick proto tcp from <sshlockout> to (self) port = 55443 label "58da85c6dee20173a419bcd1edf9279d"
block drop in quick from <virusprot> to any label "ee12eb4ed372a1de1d91c2c2264a6c6d"
pass in quick on igc1_vlan200 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "007455eaf562a023ae9495b7d3a18b58"
pass in quick on igc1_vlan200 proto udp from any port = bootpc to (self) port = bootps keep state label "d3d0cb39dbfef6aa4be51735f8b6ba4c"
pass out quick on igc1_vlan200 proto udp from (self) port = bootps to any port = bootpc keep state label "4d687503fd41c48e2614b34f2620d1dd"
pass in quick on igc1_vlan100 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "1df7b65b293bf138df10f236a7889eee"
pass in quick on igc1_vlan100 proto udp from any port = bootpc to (self) port = bootps keep state label "385edc3329288e020aa9bbe9f9914de5"
pass out quick on igc1_vlan100 proto udp from (self) port = bootps to any port = bootpc keep state label "58ca7742b2c97951641023f18e2dd59d"
pass in quick on igc2 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "4db3295e7047cf30b38a8bd19b6afce9"
pass in quick on igc2 proto udp from any port = bootpc to (self) port = bootps keep state label "a0895b11d5fdf07c530f097ce0e489c5"
pass out quick on igc2 proto udp from (self) port = bootps to any port = bootpc keep state label "a5d9128a5eac4049942d7c8e415a9d48"
pass in quick on igc0 proto udp from any port = bootps to any port = bootpc keep state label "be8be5a43b73daab06e3338a1946114e"
pass out quick on igc0 proto udp from any port = bootpc to any port = bootps keep state label "e5b7d76c120fe25d3a8ef50a99d5d46c"
block drop in quick inet from <crowdsec_blacklists> to any label "da69be3be6ae749c12c43758d773b3e2" tag crowdsec-matched-packet
block drop in quick inet6 from <crowdsec6_blacklists> to any label "59b9e6ddc4baf7e8efea5579324dcee4" tag crowdsec-matched-packet
block drop in quick on igc0 inet from <bogons> to any label "3c2cd03c70091e3732710e44c3b97506"
block drop in quick on igc0 inet from 10.0.0.0/8 to any label "1072878c6245b52440bc89c6107a9d0a"
block drop in quick on igc0 inet from 127.0.0.0/8 to any label "1072878c6245b52440bc89c6107a9d0a"
block drop in quick on igc0 inet from 100.64.0.0/10 to any label "1072878c6245b52440bc89c6107a9d0a"
block drop in quick on igc0 inet from 172.16.0.0/12 to any label "1072878c6245b52440bc89c6107a9d0a"
block drop in quick on igc0 inet from 192.168.0.0/16 to any label "1072878c6245b52440bc89c6107a9d0a"
block drop in quick on igc0 inet6 from fc00::/7 to any label "dcde0621a9f0daa594b014e15f65c076"
pass in quick on lo0 all no state label "7535c94082e72e2207679aadb26afd92"
pass out all flags S/SA keep state allow-opts label "fcc89aee950e474ad952872fb6c678aa"
pass in quick on igc1_vlan100 proto tcp from any to (self) port = ssh flags S/SA keep state label "ef0228173148eed293341650bf2def1a"
pass in quick on igc1_vlan100 proto tcp from any to (self) port = 55443 flags S/SA keep state label "ef0228173148eed293341650bf2def1a"
pass out route-to (igc0 {publicip}) inet from (igc0) to ! (igc0:network) flags S/SA keep state allow-opts label "94eacf0fb5b58424fd146c31c563276a"
block drop in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from ! <GeoProtect_Allow> to (igc0) port = ssh label "afd38a0a19317774aa081574fd132e7a"
block drop in log quick on igc1_vlan100 inet from any to <crowdsec_blacklists> label "4f7661276e746a829506556a0b564947"
pass in on openvpn inet from (openvpn:network) to any flags S/SA keep state label "0ad30a7c47aa06d9b5a0fc98349a31a5"
pass in quick on igc0 reply-to (igc0 {publicip}) inet proto udp from any to (igc0) port = 1193 keep state label "71dccc62046c6cbfcc611239ae4398dc"
block drop in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from ! <GeoProtect_Allow> to (igc1_vlan100:network) port = ssh label "597fafe795342cb5d243fe269f5a9213"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from any to 192.168.5.186 port = 49152 flags S/SA keep state label "4bb141607bc4d65ebbb9d894ee51794f"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from any to 192.168.5.3 port = 49153 flags S/SA keep state label "60ec932a1277cb127ac25a5b1d9635e4"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from any to (igc0) port = domain-s flags S/SA keep state label "04101efe878c6a7f44d7c636145d53e8"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from any to (igc0) port = 5000 flags S/SA keep state label "04101efe878c6a7f44d7c636145d53e8"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from any to (igc0) port = 8000 flags S/SA keep state label "04101efe878c6a7f44d7c636145d53e8"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from any to (igc0) port = https flags S/SA keep state label "04101efe878c6a7f44d7c636145d53e8"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from any to (igc0) port 0 <> 65535 flags S/SA keep state label "5bf506e712ef59b1c81eaba3ffb6ebdd"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto udp from any to (igc0) port 0 <> 65535 keep state label "5bf506e712ef59b1c81eaba3ffb6ebdd"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto udp from any to (igc0) port = 51820 keep state label "2e787753ad4f25f1e519d5d716563f80"
pass in log quick on igc0 reply-to (igc0 {publicip}) inet proto tcp from <GeoProtect_Allow> to 192.168.5.3 port = ssh flags S/SA keep state label "1469fe25de364cdf21732440a00c2d71"
pass in log quick on igc1_vlan100 inet proto tcp from 192.168.5.157 to any port = domain flags S/SA keep state label "a4413eececbd93a6fb15f77427e29aae"
pass in log quick on igc1_vlan100 inet proto udp from 192.168.5.157 to any port = domain keep state label "a4413eececbd93a6fb15f77427e29aae"
pass in log quick on igc1_vlan100 inet proto tcp from any to 192.168.5.1 port = domain flags S/SA keep state label "40269132f223777a0bbbe357c61f16e6"
pass in log quick on igc1_vlan100 inet proto udp from any to 192.168.5.1 port = domain keep state label "40269132f223777a0bbbe357c61f16e6"
block return in log quick on igc1_vlan100 inet from <EpsonPrinter> to ! (igc1_vlan100:network) label "a354b5b74cf95f620deac14392cc79f4"
pass in quick on igc1_vlan100 inet from 10.8.0.0/24 to any flags S/SA keep state label "f0ce945c44f1f0a1ab9ef4d79efa6b6e"
pass in quick on igc1_vlan100 inet proto tcp from any to <DoHserverExceptionsIPv4> flags S/SA keep state label "f19137f5d9e58323f48e3bc373e0c1dc"
pass in quick on igc1_vlan100 inet proto udp from any to <DoHserverExceptionsIPv4> keep state label "f19137f5d9e58323f48e3bc373e0c1dc"
pass in log quick on igc1_vlan100 inet from (igc1_vlan100:network) to any flags S/SA keep state label "1ba0a09973b96e6d0f85fca7c282ccc3"
pass in log quick on igc2 inet from (igc2:network) to any flags S/SA keep state label "634a861bc8dc5edd3f12b10090a3a673"
pass in log quick on igc1_vlan200 inet proto tcp from any to 192.168.5.1 port = domain flags S/SA keep state label "19d8d7393b015f2374dc56fba96fe385"
pass in log quick on igc1_vlan200 inet proto udp from any to 192.168.5.1 port = domain keep state label "19d8d7393b015f2374dc56fba96fe385"
block return in log quick on igc1_vlan200 inet proto tcp from (igc1_vlan200:network) to any port = 7443 label "f0c24223d491ca836fd4dd191f8ffbb7"
block return in log quick on igc1_vlan200 inet proto udp from (igc1_vlan200:network) to any port = 7443 label "f0c24223d491ca836fd4dd191f8ffbb7"
pass in log quick on igc1_vlan200 inet from (igc1_vlan200:network) to any flags S/SA keep state label "ff0104fe3e54e76a7c1e0c96c26b49db"
pass in on igc1_vlan200 inet from (igc1_vlan100:network) to (igc1_vlan200:network) flags S/SA keep state label "85826be0c1674e960845ade125ce0590"
pass in log quick on wg1 inet proto tcp from (wg1:network) to any flags S/SA keep state label "1c3e523539e139b6c59d46a53f1fc4b5"
pass in log quick on wg1 inet proto udp from (wg1:network) to any keep state label "1c3e523539e139b6c59d46a53f1fc4b5"
anchor "acme-client/*" all
anchor "iperf" all
```

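
An added configuration check, not part of the issue or of OPNsense's own code: it parses a `wg1.conf` in the layout shown above (sample reconstructed from the post, with placeholder keys) and flags server-side peer `AllowedIPs` entries that either overlap a directly connected firewall network or are a `/0`, the two prefixes the failing `route add` commands in the log were trying to install on `wg1`. `LOCAL_NETS` is an assumption taken from the pf rules in the post; on the server, a peer's `AllowedIPs` is the set of source addresses accepted from that peer and routed back to it, so a client's reachability of the LAN is configured in the client's own `AllowedIPs`, not in the server's entry for that peer.

```python
import ipaddress
import re

# Constructed sample in the wg1.conf layout from the issue; keys are placeholders.
SAMPLE_CONF = """\
# Address =  10.0.0.1/24
# disableroutes = 0
[Interface]
PrivateKey = XXXXXX
ListenPort = 51820
[Peer]
# friendly_name = mobile-8T-MN
PublicKey = YYYY
AllowedIPs = 10.0.0.2/32
[Peer]
# friendly_name = saturn
PublicKey = AAAAA
AllowedIPs = 10.0.0.4/32, 192.168.5.0/24, 0.0.0.0/0
"""
# Directly connected firewall networks (assumed from the pf rules in the issue).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.5.0/24", "192.168.200.0/24")]


def parse_conf(conf):
    """Return (tunnel_network, peers); each peer is {"name": str, "allowed": [networks]}."""
    tunnel, peers, cur = None, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if m := re.match(r"#\s*Address\s*=\s*(\S+)", line):
            tunnel = ipaddress.ip_network(m.group(1), strict=False)
        elif line == "[Peer]":
            cur = {"name": "?", "allowed": []}
            peers.append(cur)
        elif cur is not None and (m := re.match(r"#\s*friendly_name\s*=\s*(\S+)", line)):
            cur["name"] = m.group(1)
        elif cur is not None and (m := re.match(r"AllowedIPs\s*=\s*(.+)", line)):
            cur["allowed"] += [ipaddress.ip_network(p.strip(), strict=False)
                               for p in m.group(1).split(",")]
    return tunnel, peers


def check_allowed_ips(conf, local_nets=LOCAL_NETS):
    """Flag entries that collide with the route table when routes are installed for
    AllowedIPs (disableroutes = 0): a /0 is a default route via the tunnel, and a
    connected LAN prefix cannot be re-added via wg1. Tunnel-network prefixes are expected."""
    tunnel, peers = parse_conf(conf)
    findings = []
    for peer in peers:
        for net in peer["allowed"]:
            if net.prefixlen == 0:
                findings.append((peer["name"], str(net), "default route via tunnel"))
            elif tunnel and net.version == tunnel.version and net.subnet_of(tunnel):
                continue  # /32 inside the tunnel network: the normal per-peer entry
            elif any(net.version == lan.version and net.overlaps(lan) for lan in local_nets):
                findings.append((peer["name"], str(net), "overlaps connected LAN"))
    return findings
```

Running `check_allowed_ips(SAMPLE_CONF)` reports nothing for `mobile-8T-MN` and two findings for `saturn`, matching the two prefixes in the logged errors.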
OPNsense-bot commented 1 week ago

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.