Netgate Discussion Forum

WireGuard site-to-site pfsense-to-pfsense no handshake?

42 Posts 7 Posters 11.0k Views
  • B
    bassopt
    last edited by Aug 11, 2021, 3:10 AM

    This was working fine on version 0.1.3. Updated to 0.1.5 and now I cannot access any of my peers subnet defined in static routing. I can ping from pfsense but pinging from any address on the lan subnet doesn’t work. Site one can’t ping site 2 and vice versa.

    T 1 Reply Last reply Aug 14, 2021, 5:53 PM Reply Quote 0
    • T
      titansilber @bassopt
      last edited by Aug 14, 2021, 5:53 PM

      With hybrid nat the automatic nat rules for the WG interface look like a hot mess, especially if you have multiple interfaces. Anyone have examples of what it should look like?

      M 1 Reply Last reply Aug 18, 2021, 9:36 AM Reply Quote 0
      • M
        Mikki-10 @titansilber
        last edited by Aug 18, 2021, 9:36 AM

        @titansilber

        What is your goal with the Outbound NAT change? It is not required for site-to-site.

        If the goal is to change all traffic to the interface IP you can do that by setting two rules:

        Interface: WG interface
        Source: 127.0.0.0/8
        Source port: *
        Destination: * or what you need
        Destination port: *
        NAT Address: WG address
        NAT port: *
        Static port: false

        Interface: WG interface
        Source: <Your LAN IP>
        Source port: *
        Destination: * or what you need
        Destination port: *
        NAT Address: WG address
        NAT port: *
        Static port: false

        Not sure if this is what you are looking for?

        B 1 Reply Last reply Aug 18, 2021, 5:49 PM Reply Quote 0
        • B
          bassopt @Mikki-10
          last edited by Aug 18, 2021, 5:49 PM

          After much hair pulling I finally made this work and stable.

          You need to specify / create and assign the gateway to the WG interface when you create it, else you'll have all sorts of routing issues.
          You also need to create static routes to the gateway with the subnets you want to access on the other side of the tunnel.

          Oh, and the instructions above are wrong: the Gateway IP needs to be the IP of the tunnel on your side and not on the opposite side, or it won't work.

          Unfortunately the entire WireGuard project seems to be quite secondary at this point for Netgate (they didn't even bother updating the documents)... I know it's still experimental, but ok...
          The developer is also never available and never replies to anything on any of the platforms he mentions in his videos. He just ignores 99% of the problems people are having (I hope they are not expecting us to start opening pointless stuff on Redmine).

          M 1 Reply Last reply Aug 25, 2021, 12:40 PM Reply Quote 0
          • M
            Mikki-10 @bassopt
            last edited by Aug 25, 2021, 12:40 PM

            @bassopt

            Hi, the use of the Gateway IP from the other side is not wrong; you do that with OpenVPN site-to-site as well when using layer 2 (TAP interface), and it gives you the correct ping to the other side and helps keep the connection/session alive.

            You do not need to do any NAT config if you follow the above.

            Just remember to set the
            MTU: 1420 and
            MSS: 1420
            That fixes most problems.

            1 Reply Last reply Reply Quote 0
            • B
              bbrendon
              last edited by Oct 18, 2021, 6:32 PM

              There is also a bug here that causes no handshake.
              https://forum.netgate.com/topic/167279/wireguard-won-t-handshake-package-bug?_=1634581891833

              C 1 Reply Last reply Nov 10, 2021, 10:07 PM Reply Quote 0
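As an added example (not from the thread or the pfSense package), a Python checker over the output of `wg show <iface> dump` from wireguard-tools, assuming that tool is available on the firewall; the dump text below is constructed sample data. It flags the two failure modes discussed in this thread: a peer that never completes a handshake, and a peer whose AllowedIPs do not cover the remote LAN, which handshakes fine but drops LAN-to-LAN traffic.

```python
# Added example (not from the thread or the pfSense package): parse the output
# of `wg show <iface> dump` and flag peers that never completed a handshake,
# whose last handshake is stale, or whose AllowedIPs do not cover the remote
# LAN (the usual cause of "handshake ok, but LAN-to-LAN ping fails").
import ipaddress

# Constructed sample dump. Line 1 = interface (privkey, pubkey, port, fwmark);
# each later line = peer: pubkey, psk, endpoint, allowed-ips, latest-handshake
# (unix epoch, 0 = never), rx bytes, tx bytes, persistent-keepalive.
NOW = 1_700_000_000  # fixed "current time" so the sample is reproducible
SAMPLE_DUMP = (
    "PRIVKEY_REDACTED\tSITEA_PUBKEY\t51820\toff\n"
    f"SITEB_PUBKEY\t(none)\t203.0.113.2:51820\t10.99.0.2/32,192.168.2.0/24\t{NOW-30}\t12345\t67890\t25\n"
    f"SITEC_PUBKEY\t(none)\t203.0.113.3:51820\t10.99.0.3/32\t0\t0\t4420\toff\n"
)

# WireGuard re-handshakes every 120 s while traffic flows; a peer silent
# for longer than this is effectively down.
STALE_AFTER = 180

def parse_dump(text):
    """Return the list of peer dicts from `wg show <iface> dump` output."""
    lines = [l for l in text.splitlines() if l.strip()]
    peers = []
    for line in lines[1:]:  # skip the interface line
        f = line.split("\t")
        peers.append({
            "public_key": f[0], "endpoint": f[2],
            "allowed_ips": [ipaddress.ip_network(a) for a in f[3].split(",") if a != "(none)"],
            "latest_handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6]),
        })
    return peers

def peer_status(peer, now, remote_lan=None):
    """Classify a peer as 'never', 'stale' or 'ok' and list config problems."""
    problems = []
    hs = peer["latest_handshake"]
    state = "never" if hs == 0 else ("stale" if now - hs > STALE_AFTER else "ok")
    if state == "never" and peer["tx"] > 0 and peer["rx"] == 0:
        problems.append("initiations sent, nothing received: check endpoint, port, keys, WAN rule")
    if remote_lan is not None:
        lan = ipaddress.ip_network(remote_lan)
        if not any(lan.subnet_of(a) for a in peer["allowed_ips"]):
            problems.append(f"AllowedIPs does not cover {remote_lan}; LAN traffic will be dropped")
    return state, problems

def check_all(text, now, remote_lans):
    """remote_lans maps peer pubkey -> the LAN subnet expected behind that peer."""
    return {p["public_key"]: peer_status(p, now, remote_lans.get(p["public_key"]))
            for p in parse_dump(text)}
```

On a live box, feed it `wg show wg0 dump` and the current epoch instead of the sample; a "never" peer with tx but no rx points at the endpoint, port, keys or WAN rule rather than at routing.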
              • C
                cmcdonald Netgate Developer @bbrendon
                last edited by Nov 10, 2021, 10:07 PM

                This bug should be resolved in the latest version (0.1.5_2 and above). This package is available for CE 2.5.2/2.6.0 and Plus 21.05.2/22.01. Give it a shot :)

                Need help fast? https://www.netgate.com/support

                B 1 Reply Last reply Nov 10, 2021, 10:20 PM Reply Quote 0
                • B
                  bassopt @cmcdonald
                  last edited by Nov 10, 2021, 10:20 PM

                  @cmcdonald I don’t see any 0.1.5_2 update on my end

                  C 2 Replies Last reply Nov 10, 2021, 11:13 PM Reply Quote 0
                  • C
                    cmcdonald Netgate Developer @bassopt
                    last edited by Nov 10, 2021, 11:13 PM

                    @bassopt hmmm, will check the builds. Thanks for checking

                    Need help fast? https://www.netgate.com/support

                    1 Reply Last reply Reply Quote 0
                    • C
                      cmcdonald Netgate Developer @bassopt
                      last edited by Nov 15, 2021, 6:04 PM

                      @bassopt Take another peek now; the updated package should be available.

                      https://files01.netgate.com/pfSense_v2_5_2_amd64-pfSense_v2_5_2/All/pfSense-pkg-WireGuard-0.1.5_3.txz

                      Need help fast? https://www.netgate.com/support

                      1 Reply Last reply Reply Quote 1