Wireguard is not routing any traffic
-
I have set up a Wireguard connection to Surfshark in pfsense and assigned an interface to it. The status page says that the handshaks had happened and the Gateway is green in the status page. I also added NAT rules for the new interface and a firewall rule to send the traffic through the gateway. But my clients can't sent any traffic out.
Do I need to add allow rules to the Wireguard firewall tab? Do I need to add some static routes?
-
@thisisme according to the pfsense documentation I have to add a firewall to the Wireguard tab that pass any traffic (any destination, any source) but wouldn't this mean that all incoming traffic from the Internet can access my lan? Including unwanted malicious connections?
-
@thisisme no that rule is for your network through the interface to the world. You gotta ask yourself, would Netgate really provide configuration guidance that would hurt its customers and reputation as a security-minded company? You’ll never pass any traffic if you don’t have an allow rule.
-
If it makes you feel better you could specify your lan subnet as the originator. The config guides are meant to cover the basics. You then can tighten things up to your heart’s content with the understanding that mucking around without understanding what you’re doing can result in bad things.
-
@thisisme said in Wireguard is not routing any traffic:
I have set up a Wireguard connection to Surfshark in pfsense
How?
-
That's my setup
and this is the config provided by surfshark
[Interface] Address = 10.14.0.2/16 PrivateKey = <insert_your_private_key_here> DNS = 162.252.172.57, 149.154.159.92 [Peer] PublicKey = fJD*********** AllowedIPs = 0.0.0.0/0 Endpoint = de-fra.prod.surfshark.com:51820I also added a Firewall-Rule to my LAN interface targeting the Gateway NORDVPN1_VPNV4 which is assigned to the interface NORDVPN1 (don't mind the name, I moved from nordvpn last week)
-
I wonder if it's correct to use '10.14.0.2' as the ip address of my interface, but the pfsense documentation says I should put an IP there and it's the only one I have. (DHCP is not working)
I can ping server on the internet from my own clients, but higher traffic is not passing
-
@thisisme I will be looking into this for myself shortly.
-
@gabacho4 said in Wireguard is not routing any traffic:
no that rule is for your network through the interface to the world
I'm still confused. I thought that rules are evaluated when they enter the interface. Traffic from LAN should not enter the Wireguard interface, but traffic from outside. Right?
-
@thisisme said in Wireguard is not routing any traffic:
Right?
Right, don't put any rule on that interface.
-
@bob-dig I found the problem I had to set the MSS on the wireguard interface, but I remain with another problem:
I can't route DNS through wireguard
If I select the the old OpenVPN interface the DNS resolver is working, but with the new Wireguard interface I can't resolve anything. Any idea? DNS is 9.9.9.9 -
@thisisme I am trying right now and for me it is also not working. It is new for them too, maybe they have problems on their side.
Will report here if this changes for me. -
Just to point it out: I don't had to add firewall rules to the Wireguard tab. This advice is WRONG and DANGEROUS
-
@thisisme Ping and DNS seem to be working for me. I didn't tested DNS within pfSense but just in a Windows VM. But I can't surf anything.
-
@bob-dig have you set the MSS on the Wireguard interface?
-
@thisisme No, I don't think it is a must anyways.
-
@bob-dig for me it don't work without it
-
@thisisme So which size should it be?
-
@bob-dig 1412 seems to work. Maybe you have to play a bit
-
Solved my DNS problem. Looks like wireguard is not adding any routes. I had to add a manual one for the DNS-Address and the gateway
