@chudak

I have the same problem. pfsense WG slow than ubuntu system WG

@dcgibby said in Cannot connect from tun_wg0 to LAN:

@dkeller
The current WG package doesn’t setup any routes.
So for the peers you create in pfsense, the allowed ips need static routes created.
Also you are going to have to check outbound NAT and set to manual and remove any NATing on your WG gateway.

Create the tun_wg0 interface
static ipv4
10.1.1.1/24
none for gateway

Then go to system -> routing
create a new gateway
using the assigned opt interface for the tun_wg0 (or whatever you name it)
set gateway to 10.1.1.2

Now goto system->routing->static routes
create a new static route
10.1.1.2/32
using the gateway you created above

Then you need to goto firewall->nat->outbound
set to manual
remove any of the assigned opt interface
remove any NATing of 10.1.1.1/24 on the assigned opt interface

also if you need to access pfsense dns you have to setup that on your client. you can use the opt interface address and just make sure it’s enabled in dns resolver

give that a try and see if connections work.

for the 0.0.0.0/0 access
you have to do the above but create a second gateway with address the one of client 10.1.1.3
then add static route to that ip

then you need to setup outbound NAT
Use WAN
source 10.1.1.3/32 (or 10.1.1.0/24 if you want all clients to route through wan)
NAT address set to WAN address

again make sure you have DNS setup on client to resolve things. either point to your pfsense box or some other DNS server

I'll give it a go and see. Is it me or the primary purpose of vpn is to go from client to server anyway, would you focus on that part first with a package?

@bigsy

FYI https://redmine.pfsense.org/issues/12175 - needs clean up

@brookheather said in WireGuard Package documentation:

Then you need to assign this interface a static IPv4 address range (your peers will be using an IP within this range).

I registered just to post here. This was it. This fixed my WireGuard issue. I could get connections and handshakes to the tunnel, but I couldn't get LAN or WAN access.

I do not remember if I had the configured in 2.5.1 or not, but since the change to 2.5.2 I couldn't get the WG tunnel to pass traffic. I didn't even need to create a gateway for the tunnel as mentioned above.

Adding the IP address fixed it all. Thank you!

@dma_pf

Alright... I figured out my issue. I never added allowable IP's to 0.0.0.0 /0.
That problem is fixed but I still cannot get my lan traffic or my openvpn tunnel client to use those tunnels for internet. Road block after road block. I guess if this was easy everyone would do it.

@digitalcomposer outstanding. Glad things are working as expected. Enjoy!

@_igor_ Sorry it didn't work out - it definitely does on Windows...

@departy No, still same issue.

@propercactus with how stable Wireguard and pfsense has been, I'll stick with it and if what I saw in the bug report is right (if I interpreted it right) I'm just going to stick with Wireguard. Its at most a minor inconvenience if I have to login on the off chance I have a crash or have to reboot my system.

Hmm... Solved by changing the Wireguard subnet from a 172.x.x.x range to a 10.x.x.x range. The machine in question is a VM running docker alone and pretty sure it has some strange firewall rules in place regarding 172 subnets. Docker is just weird.

Thanks to Tigger2014 on github, I dicovered some how a directory for the package was a file on my system. After renaming the file, I was able to successfully install the package. Issue resolve on my end. Thank you!

@theonemcdonald I too have been trying to get a road warrior WG setup on 2.5.2. and also would love a simple config guide or video on the road warrior setup.

So far I am hoping to be able to piece together what is needed to get a basic config up and working with from your mulvad video and also from the screenshots you posted in another thread.

https://forum.netgate.com/topic/163133/wireguard-lives/66

I am subscribed to your YouTube channel and do thank you for all the work you have done for the community at large it is beyond awesome. :-)

@johnpoz said in I am lost....:

As to ease of setup - I thought, maybe I mistaken but at some point there is/was suppose to be a QR code you could just point your phone at to set it up? If that was true than yeah it would be slick ;)

The Android app had this capability but pfsense does not yet seem to generate these codes, at least not through the GUI. I tried downloading the config and importing this but this did not work. This was in the early tries when I did not understand what I was doing. Maybe it would work now.

I gave it a go and I feel like I'm nearly set up - but I'm still not able to get my remote peer connected to the tunnel... I reckon I've got a simple config mistake I'm missing.

Feel free to see my post on the other topic you posted!

@jimbohello yup I've switched to IPsec I can't lose connectivity to the stuff behind the tunnel for any given reboot.