Netgate Discussion Forum
    One tunnel for remote access

    30 Posts 4 Posters 2.7k Views
korr2221 @thebabufrik

@thebabufrik I'm using the 192.168.1.x range for my main network.
korr2221 @thebabufrik

@thebabufrik Got it to connect, but now I can't reach my other devices. [Screenshot 2022-02-12 104441.jpg]
thebabufrik @korr2221

@korr2221 Change allowed-ips to 0.0.0.0/0; can you reach your other devices then?
mcury @thebabufrik

I followed this guide: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html

It's working perfectly; I can access all the networks I have in my .conf file.
Using the split tunnel method.

Note that only full tunnel needs outbound NAT and 0.0.0.0/0 in allowed-ips.

dead on arrival, nowhere to be found.
korr2221 @thebabufrik

@thebabufrik Tried, no luck.
korr2221 @thebabufrik

@thebabufrik Yeah, I tried both split and full tunnel :( and I followed the same thing. I have no idea where I could have gone wrong. I just upgraded WireGuard on it and now that interface with the handshake is no longer there.
mcury @korr2221

@korr2221 said in One tunnel for remote access:

    @thebabufrik Yeah, I tried both split and full tunnel :( and I followed the same thing. I have no idea where I could have gone wrong. I just upgraded WireGuard on it and now that interface with the handshake is no longer there.

Double-check the keys in pfSense and in the client... maybe regenerate them and reapply?

dead on arrival, nowhere to be found.
korr2221 @mcury

@mcury I did. I mean, it's green and the handshake is successful for a reason, I think? Going to retry, but I think it's something with the firewall or routing. Do I need to create static routing so I can see my LAN on the other subnet?
mcury @korr2221

@korr2221 said in One tunnel for remote access:

    @mcury I did. I mean, it's green and the handshake is successful for a reason, I think? Going to retry, but I think it's something with the firewall or routing. Do I need to create static routing so I can see my LAN on the other subnet?

No, no static route required.

My configuration follows:

Firewall WAN rule: [screenshot]

WireGuard allow rule: [screenshot]

Tunnel setup: [screenshot]

Peer setup: [screenshot]

WireGuard app on my phone: [screenshot]

dead on arrival, nowhere to be found.
korr2221 @korr2221

@korr2221 The weirdest thing ever. So I reinstalled WG twice, and all I did was change the order of the allowed IPs, where I would put 0.0.0.0/0 in the middle. Suddenly it works now.
mcury @korr2221

@korr2221 said in One tunnel for remote access:

    @korr2221 The weirdest thing ever. So I reinstalled WG twice, and all I did was change the order of the allowed IPs, where I would put 0.0.0.0/0 in the middle. Suddenly it works now.

Weird indeed... is full tunnel what you want? If so, you need an outbound NAT as well.
Only 0.0.0.0/0 won't work.

dead on arrival, nowhere to be found.
korr2221 @mcury

@mcury I didn't really need full tunnel, but for whatever reason adding the 0.0.0.0/0 scope made it work. Can someone explain? LOL.

I know I needed to adjust the NAT if I want full tunnel. But at this point it works and I am happy.

Just checked my NAT settings: ZERO NAT rules. No idea what's going on.
mcury @korr2221

@korr2221 said in One tunnel for remote access:

    @mcury I didn't really need full tunnel, but for whatever reason adding the 0.0.0.0/0 scope made it work. Can someone explain? LOL

0.0.0.0/0 will route everything that is connected to WireGuard through the tunnel, including internet access, but you would also need an outbound NAT created.

Split tunnel (0.0.0.0/0 not included in allowed-ips): you will only gain access to the networks included in allowed-ips.
Full tunnel (0.0.0.0/0 included in allowed-ips): WireGuard connections will be routed to the internet as well.

dead on arrival, nowhere to be found.
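The split/full tunnel distinction above comes down to how the client's AllowedIPs list is evaluated. The following script is an added example, not code from the thread or from pfSense: it parses the [Peer] AllowedIPs of a WireGuard client .conf, reports whether the profile is a split or full tunnel (and therefore whether pfSense needs an outbound NAT rule for the tunnel subnet), and resolves which prefix a destination is routed through. The tunnel subnet 10.0.10.0/24 and the placeholder keys are constructed; only 192.168.1.0/24 comes from the thread. It also shows that AllowedIPs is matched by longest prefix, so the position of 0.0.0.0/0 in the list does not change the result.

```python
import ipaddress

# Constructed client profiles (keys are placeholders, not real material).
# The second profile puts 0.0.0.0/0 "in the middle", as the poster did.
SPLIT_CONF = """[Interface]
PrivateKey = <redacted>
Address = 10.0.10.2/32
[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.1.0/24, 10.0.10.0/24
"""

FULL_CONF = """[Interface]
PrivateKey = <redacted>
Address = 10.0.10.2/32
[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.1.0/24, 0.0.0.0/0, 10.0.10.0/24
"""


def parse_allowed_ips(conf_text):
    """Collect every AllowedIPs prefix from the [Peer] sections of a wg .conf."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets.extend(ipaddress.ip_network(c.strip(), strict=False)
                        for c in value.split(",") if c.strip())
    return nets


def tunnel_mode(nets):
    """Full tunnel if any default route (0.0.0.0/0 or ::/0) is allowed."""
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"


def route_for(nets, dest):
    """Longest-prefix match, as WireGuard's cryptokey routing does; order is irrelevant."""
    addr = ipaddress.ip_address(dest)
    matches = [n for n in nets if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def describe(conf_text):
    nets = parse_allowed_ips(conf_text)
    mode = tunnel_mode(nets)
    # Internet-bound traffic from the tunnel subnet only leaves pfSense if it is NATed.
    return {"mode": mode, "needs_outbound_nat": mode == "full",
            "allowed": sorted(str(n) for n in nets)}
```

Running `describe(FULL_CONF)` flags the profile as a full tunnel needing outbound NAT, while `route_for(parse_allowed_ips(SPLIT_CONF), "1.1.1.1")` returns None, i.e. internet traffic bypasses the tunnel in split mode.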
korr2221 @mcury

@mcury Just realized my LAN works but I can't access public sites. It works without the 0.0.0.0/0; I'm guessing adding it in the middle did something and now it works like it's supposed to. But still having trouble with public sites. Odd...
korr2221 @korr2221

@korr2221 Never mind. Changed my DNS from Comcast to 1.1.1.1 and now all is working normally. WHAT? :3
mcury @korr2221

@korr2221 said in One tunnel for remote access:

    @mcury Just realized my LAN works but I can't access public sites. It works without the 0.0.0.0/0; I'm guessing adding it in the middle did something and now it works like it's supposed to. But still having trouble with public sites. Odd...

Do you want to use the Internet from pfSense while connected to WireGuard?
Or the phone's Internet?

dead on arrival, nowhere to be found.
korr2221 @mcury

@mcury It doesn't matter. I know if I want to use the internet from pfSense it is full tunnel, and if I want it from my phone it's split tunnel. But after changing my DNS my split tunnel works correctly now. Odd!
mcury @korr2221

@korr2221 It doesn't matter? Really? Ok then.

dead on arrival, nowhere to be found.
korr2221 @mcury

@mcury Well, I mean for some people it would, but for me, I just wanted to have remote access. Haha.
mcury @korr2221

@korr2221 said in One tunnel for remote access:

    @mcury Well, I mean for some people it would, but for me, I just wanted to have remote access. Haha.

So, you just want to access local resources? That's all?
Remove 0.0.0.0/0 from the allowed IPs in the configuration file, and leave the configuration in pfSense exactly as I posted above.

dead on arrival, nowhere to be found.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.