WG peers won't connect
-
@jarhead It's all set accordingly.
Port forwarding is enabled on the router as well otherwise the tunnel there wouldn't work.
So I'm still looking for an angle to figure out where the handshake goes wrong and I feel it's the return side from the host but overall troubleshooting is difficult.
-
@arjay Post pics of the config.
-
Here is what I do with WG, see links below:
https://twitter.com/FlynnInfoSec1/status/1618707989090955264?s=20&t=bZB57yltIUhxq615tNBOgA
https://sflynn.substack.com/p/wireguard-and-tailscale-ftw-p2?utm_campaign=post&utm_medium=web
-
@saf2030 You need to post pics of YOUR config if you want help.
You can mask the keys but leave the first 5 or 6 characters shown.
What makes you think the tunnel is working?
If you're going by the green up arrow in status, don't. That doesn't mean the tunnel is working, it just means that end of the tunnel is up, not that it's going anywhere. Don't believe me? Create a new tunnel on a port that isn't open through the firewall, you'll still get a green arrow on it.
Post pics.
-
@jarhead Here's the config right now. If you're missing anything let me know. DDNS is not configured in pfsense.
Here is the Tunnel and peers
No interface selected for the tunnel
WAN rules left wide open. I know the third rule is covered by the second, but once it's working I can put it back in place.
Rules for Wireguard
And here is the NAT
-
@arjay said in WG peers won't connect:
And here is the NAT
Portforward is wrong here and not needed at all. Wireguard is a service listening on every interface, like the WAN-address.
-
@arjay First, the second rule on your WAN allows everything IN. Just delete it. It has nothing to do with Wireguard and I have no idea what the return channel would be, Wireguard uses the 1 port only.
Delete the NAT. You aren't port forwarding, just need it open on the WAN.
As you can see by the WAN rules, nothing is hitting those rules so chances are the other router is not configured correctly.
Do this: take the laptop with the WG client and connect it to the other router's LAN, so it will be on the same subnet as the WAN of pfSense. In the client config on the laptop change the endpoint to the WAN IP of pfSense.
See if you can connect. If you can, pfSense is configured correctly.
Then you have to start looking at the other router. What make/model is it?
Can you just put it in bridge mode so pfSense gets the public IP?
Also, I said leave the first few characters of the public keys visible for a reason. If the connection I suggested above does not work, show the client config on the laptop with the first few characters of all keys visible.
-
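An added check, not code from any post in this thread, that makes the point of the two posts above concrete: `wg show <iface> dump` reports a per-peer latest-handshake timestamp, and a peer whose value is 0 has never completed a handshake no matter what the interface status arrow shows. The dump sample, keys and addresses below are constructed placeholders.

```shell
#!/bin/sh
# Added example: parse `wg show <iface> dump` and classify each peer by its
# latest-handshake time. A latest-handshake of 0 means the peer has never
# handshaken, regardless of the interface being "up".
# All keys and addresses are constructed placeholders, not real values.

# Constructed sample of `wg show wg0 dump` (tab-separated).
# Line 1:  private-key  public-key  listen-port  fwmark
# Line 2+: public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
SAMPLE_DUMP="$(printf 'PRIVKEYPLACEHOLDER=\tSERVERPUBPLACEHOLDER=\t51820\toff\n'
printf 'PEER1PUBPLACEHOLDER=\t(none)\t203.0.113.10:51820\t10.0.8.2/32\t1700000000\t4096\t2048\t25\n'
printf 'PEER2PUBPLACEHOLDER=\t(none)\t(none)\t10.0.8.3/32\t0\t0\t0\toff\n')"

# Classify peers: OK (handshake within 180 s of $1), STALE (older), NEVER (0).
# $1 = current epoch seconds; the dump text is read from stdin.
wg_peer_status() {
  awk -F'\t' -v now="$1" 'NR > 1 {
    if ($5 == 0)              state = "NEVER"
    else if (now - $5 > 180)  state = "STALE"
    else                      state = "OK"
    # print only the first 6 characters of the key, as the thread advises
    print substr($1, 1, 6) "...", state, "endpoint=" $3, "rx=" $6, "tx=" $7
  }'
}

# Number of peers in the sample that have never completed a handshake.
count_never() {
  printf '%s\n' "$SAMPLE_DUMP" | wg_peer_status "$1" | grep -c ' NEVER '
}

# Stand-alone run against the constructed sample with the real clock.
printf '%s\n' "$SAMPLE_DUMP" | wg_peer_status "$(date +%s)"
```

On a live box, replace the sample with `wg show wg0 dump` piped into `wg_peer_status "$(date +%s)"`; a peer that stays at NEVER while you send traffic to it has not reached the listener, whatever the status page shows.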
@jarhead Hi, my WG configurations work perfectly. I was responding to Arjay. Thanks, Stephen
File too big to upload, however you can download here if you like (PD005): https://sflynn.substack.com/i/85683721/pd-wireguard-and-tailscale-ftw-p-wireguard-on-pfsense
-
@jarhead My general test is to disconnect from pfSense and go from WLAN, same with the phone. So I was doing that all along.
Again, the NAT is what Lawrence Systems recommended when not using an interface. And since, as you say, the rules permit anything, it doesn't hurt and this would be the indication of any traffic here too.
So, still searching for a proper way to debug this and stop changing configs by chance.
So of course I can delete all the permit rules but that will not be the root cause.
In general I also use the phone so I don't have to switch network adapters for testing. I even duplicated the WireGuard and put down the WG on my VM. Didn't help. I can show you the first couple of letters of the keys, but I can definitely exclude this as the issue. Also I should see traffic on the interface in either case.
-
@arjay Not NAT, but outbound NAT.
Did you add that?
-
@jarhead I will not have access for the next 5 days. I will take a look again afterwards.