Unable to connect to wireguard

droidus

I am running wireguard on my pfsense box. pfsense v2.6.0-release. wg (wireguard) v0.1.6_2. I have the following fw rule enabled on wan to allow the traffic through:

I am not able to connect from my client, nor can I telnet via 51820 to my IP address. I just get a "connection timed out" error message. From the pfsense dashboard, wg is running.

pst

@droidus Make sure you have NAT configured as well. Port 51820 needs to be forwarded, something like this

droidus

@pst Maybe that's what I am missing. I don't have one for wg. What is port 51825? Is something listening there? How do I know which port to put there?

EDIT:
Sorry, actually I do. Under the Outbound tab:

pst

@droidus when I read your original question I assumed you had problems connecting from outside the firewall to your local network (via a phone for example). For this scenario you need a port mapping as I suggested. In my case port 51825 is the listening port for the configured WG tunnel used for incoming / remote access. If you have outgoing WG tunnels you need to use a different port number for the incoming / remote access (WG might already reject any attempt to use the same ports though).

If you are having problems with outgoing WG tunnels you don't need the port mapping I suggested. But the outgoing mapping should specify your WG interface, not the WAN as your picture shows.

droidus

@pst I followed the following, and it fixed it for me: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html#firewall-rules.

pst

@droidus glad you got it sorted out :)

Bob.Dig

@pst said in Unable to connect to wireguard:

Make sure you have NAT configured as well. Port 51820 needs to be forwarded, something like this

Why? This is not needed at all.

@droidus Don't use manual outbound NAT, use hybrid instead. For WireGuard alone even automatic will do.

pst

@Bob-Dig said in Unable to connect to wireguard:

Why? This is not needed at all.

No? The port forwarding has been there since I set up WG a long time ago so I haven't really considered its validity. But if I disable the port forwarding I can't browse on the phone, so I think I'll keep it. Glad you can manage without it.

droidus

@Bob-Dig Why shouldn't I use Manual? I tried Hybrid and Automatic, and (Internal) sites no longer load for me.

Bob.Dig

@droidus said in Unable to connect to wireguard:

@Bob-Dig Why shouldn't I use Manual? I tried Hybrid and Automatic, and (Internal) sites no longer load for me.

If you know what you are doing, do it. But if something is not working...

droidus

@Bob-Dig So I reverted to manual (did a restore) since hybrid and automatic were not working, and it is broken now.