Netgate Discussion Forum

Cannot connect from tun_wg0 to LAN

11 Posts 4 Posters 1.6k Views
    tanjix
    last edited by Jul 18, 2021, 7:36 PM

    Hi Guys!

    Apologies, if this has been asked previously, however, I could not find a solution here.

    I have the following scenario.

    PFsense server with 2 NICs

    1x WAN: 192.168.178.0/24
    1x LAN: 10.20.30.0/23
    an HP ProCurve 2524 switch with some more clients connected to it, which all come in via the LAN connection to pfSense

    On pfSense I set up a Wireguard tunnel with one peer.
    The Wireguard network is 10.1.1.0/24

    Connecting to that tunnel works fine, as well as being able to ping (once connected) the following:

    10.1.1.1 (pfsense server, tun_wg0 device)
    10.1.1.2 (my client)
    10.20.30.1 (pfsense server on the LAN interface).

    However, I cannot access other LAN clients, that are coming in via the LAN network.
    I have two other clients (10.20.30.5 and 10.20.30.10) but cannot reach any of them.
    To be sure it's not a firewall-related issue, I created an "accept all" rule on LAN and OPT1 (which is the tun_wg0 device).

    When trying to ping these clients (10.20.30.5 and 10.20.30.10) from either the ping tool in pfSense or from SSH directly, both clients respond fine.

    What did I miss to be able to reach my clients, when being connected via WireGuard?

    I attached a bunch of screenshots of my relevant config, in case they are needed.

    Wireguard App Config (screenshot)
    Wireguard Tunnel Configuration (screenshot)
    Wireguard Peer Configuration (screenshot)
    Firewall Rules OPT1 (screenshot)
    Firewall Rules LAN (screenshot)
    Firewall Rules Wireguard (screenshot)
    Firewall Rules WAN (screenshot)
    Interface-Setup tun_wg0 (screenshot)
    Interface-Setup LAN (screenshot)
    Interface-Setup WAN (screenshot)
    Interface Assignments (screenshot)

    Any help would be appreciated!

    Thanks a lot and best regards,

    tanjix

      _igor_ @tanjix
      last edited by _igor_ Jul 20, 2021, 6:35 PM

      @tanjix
      Try deleting the rule on Interface OPT1. It's not necessary.
      Next enter 1420 in MTU and
      1380 in MSS for interface OPT1 (tun_wg0).
      Rest should be ok.
      Maybe that helps.

        tanjix @_igor_
        last edited by Jul 20, 2021, 7:00 PM

        @_igor_ said in Cannot connect from tun_wg0 to LAN:

        @tanjix
        Try deleting the rule on Interface OPT1. It's not necessary.
        Next enter 1420 in MTU and
        1380 in MSS for interface OPT1 (tun_wg0).
        Rest should be ok.
        Maybe that helps.

        Thanks for your input; I applied the changes you suggested, but I still do not have success in reaching clients on the 10.20.30.0/23 network through WireGuard, once I am connected. :-(

          _igor_ @tanjix
          last edited by Jul 20, 2021, 7:40 PM

          @tanjix
          I built my tunnel with help from here: Look at the Client part with the pub-key, which has to be entered at pfsense peer.
          Pub-key from pfsense has to be entered at client-side.
          Does your client appear on the status page of Wireguard on pfsense? Is it shown green?
          Your second screenshot shows missing Interface-keys...

            tanjix @_igor_
            last edited by Jul 20, 2021, 7:44 PM

            @_igor_ said in Cannot connect from tun_wg0 to LAN:

            @tanjix
            I built my tunnel with help from here: Look at the Client part with the pub-key, which has to be entered at pfsense peer.
            Pub-key from pfsense has to be entered at client-side.
            Does your client appear on the status page of Wireguard on pfsense? Is it shown green?
            Your second screenshot shows missing Interface-keys...

            Hi igor,

            yes, on the status page I am shown as green.
            Correct, the keys aren't on the screenshot as I removed them before screenshotting, but they are there.
            Like I said, once I am connected, I can ping the devices themselves:

            10.1.1.1 (pfsense server, tun_wg0 device)
            10.1.1.2 (my client)
            10.20.30.1 (pfsense server on the LAN interface).

            However, I cannot reach clients behind the LAN interface, like 10.20.30.5, 10.20.30.10 or 10.20.30.20.

            Thanks, tanjix

              tanjix @_igor_
              last edited by Jul 20, 2021, 7:46 PM

              @_igor_

              Just for the records:

              (screenshot)

                _igor_ @tanjix
                last edited by Jul 20, 2021, 8:32 PM

                @tanjix

                Sorry, forgot the link: https://itigic.com/how-to-configure-wireguard-vpn-server-in-pfsense/

                One other thing: I miss a rule from LAN, which allows traffic from the WG to LAN.
                Try an any to any rule for LAN. Change Source LAN-NET to any.

                  tanjix @_igor_
                  last edited by Jul 21, 2021, 7:33 AM

                  @_igor_ said in Cannot connect from tun_wg0 to LAN:

                  @tanjix

                  Sorry, forgot the link: https://itigic.com/how-to-configure-wireguard-vpn-server-in-pfsense/

                  One other thing: I miss a rule from LAN, which allows traffic from the WG to LAN.
                  Try an any to any rule for LAN. Change Source LAN-NET to any.

                  Hi,

                  do you mean a rule like that?

                  (screenshot)

                  If so, it does not work either, still unable to ping clients behind the LAN interface.

                    dkeller @tanjix
                    last edited by Aug 2, 2021, 4:34 AM

                    @tanjix said in Cannot connect from tun_wg0 to LAN:

                    @_igor_ said in Cannot connect from tun_wg0 to LAN:

                    @tanjix

                    Sorry, forgot the link: https://itigic.com/how-to-configure-wireguard-vpn-server-in-pfsense/

                    One other thing: I miss a rule from LAN, which allows traffic from the WG to LAN.
                    Try an any to any rule for LAN. Change Source LAN-NET to any.

                    Hi,

                    do you mean a rule like that?

                    (screenshot)

                    If so, it does not work either, still unable to ping clients behind the LAN interface.

                    Bump! Did you get this working? I am in the same boat: I tried assigning WireGuard to an interface and allowing that interface to LAN net, same issue, and also tried without. Also tried 0.0.0.0/0 or the LAN address on the client peer on the phone, same issue.

                      dcgibby @dkeller
                      last edited by Aug 2, 2021, 11:36 PM

                      @dkeller
                      The current WG package doesn't set up any routes.
                      So for the peers you create in pfsense, the allowed ips need static routes created.
                      Also you are going to have to check outbound NAT and set to manual and remove any NATing on your WG gateway.

                      Create the tun_wg0 interface
                      static ipv4
                      10.1.1.1/24
                      none for gateway

                      Then go to system -> routing
                      create a new gateway
                      using the assigned opt interface for the tun_wg0 (or whatever you name it)
                      set gateway to 10.1.1.2

                      Now go to system->routing->static routes
                      create a new static route
                      10.1.1.2/32
                      using the gateway you created above

                      Then you need to go to firewall->nat->outbound
                      set to manual
                      remove any of the assigned opt interface
                      remove any NATing of 10.1.1.1/24 on the assigned opt interface

                      also if you need to access pfsense dns you have to set that up on your client. you can use the opt interface address and just make sure it's enabled in dns resolver

                      give that a try and see if connections work.

                      for the 0.0.0.0/0 access
                      you have to do the above, but create a second gateway whose address is that of the client, 10.1.1.3,
                      then add a static route to that IP

                      then you need to set up outbound NAT
                      Use WAN
                      source 10.1.1.3/32 (or 10.1.1.0/24 if you want all clients to route through wan)
                      NAT address set to WAN address

                      again make sure you have DNS setup on client to resolve things. either point to your pfsense box or some other DNS server

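A worked model of the routing checks behind dcgibby's recipe, added here and not part of the thread or of the pfSense package: it follows a ping from the WireGuard client to a LAN host through the client's AllowedIPs, the pfSense peer's AllowedIPs and the pfSense routing table, and shows why the reply needs a route for the peer pointing into tun_wg0. The interface names, route tables and the "before" state without any tunnel route are constructed assumptions, and firewall rules are assumed to pass.

```python
import ipaddress

def covered(prefixes, addr):
    """True if addr lies inside any prefix (how WireGuard AllowedIPs are matched)."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p) for p in prefixes)

def next_hop(routes, addr):
    """Longest-prefix match over (prefix, via) entries; None when nothing matches."""
    a = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), via) for p, via in routes if a in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def ping_path(client_allowed, pf_peer_allowed, pf_routes, src, dst):
    """Follow an ICMP echo from the WG client (src) to a LAN host (dst) and its reply.
    Returns 'ok' or names the first point where the packet is dropped or misrouted.
    Assumes firewall rules pass the traffic and the LAN host's default gateway is pfSense."""
    # Client side: wg-quick only routes into the tunnel what the pfSense peer's AllowedIPs lists.
    if not covered(client_allowed, dst):
        return "client: LAN prefix missing from AllowedIPs"
    # pfSense ingress: WireGuard drops a packet whose source is outside the peer's AllowedIPs.
    if not covered(pf_peer_allowed, src):
        return "pfSense: client address missing from peer AllowedIPs"
    if next_hop(pf_routes, dst) != "LAN":
        return "pfSense: no route to LAN host"
    # Reply: the pfSense kernel needs a route for the client pointing into tun_wg0
    # (the static route dcgibby's post adds); otherwise the default route sends it to WAN.
    via = next_hop(pf_routes, src)
    if via != "tun_wg0":
        return "pfSense: reply for client leaves via %s" % via
    return "ok"

# Constructed sample using the thread's addressing; not taken from the screenshots.
CLIENT_ALLOWED = ["10.1.1.0/24", "10.20.30.0/23"]      # on the client, for the pfSense peer
PF_PEER_ALLOWED = ["10.1.1.2/32"]                      # on pfSense, for the client peer
PF_ROUTES_BEFORE = [("0.0.0.0/0", "WAN"), ("10.20.30.0/23", "LAN")]
PF_ROUTES_AFTER = PF_ROUTES_BEFORE + [("10.1.1.2/32", "tun_wg0")]  # static route added

def demo():
    """Same ping (10.1.1.2 -> 10.20.30.5) before and after the static route."""
    before = ping_path(CLIENT_ALLOWED, PF_PEER_ALLOWED, PF_ROUTES_BEFORE, "10.1.1.2", "10.20.30.5")
    after = ping_path(CLIENT_ALLOWED, PF_PEER_ALLOWED, PF_ROUTES_AFTER, "10.1.1.2", "10.20.30.5")
    return before, after

if __name__ == "__main__":
    print(demo())
```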
                        dkeller @dcgibby
                        last edited by Aug 4, 2021, 8:29 AM

                        @dcgibby said in Cannot connect from tun_wg0 to LAN:

                        @dkeller
                        The current WG package doesn't set up any routes.
                        So for the peers you create in pfsense, the allowed ips need static routes created.
                        Also you are going to have to check outbound NAT and set to manual and remove any NATing on your WG gateway.

                        Create the tun_wg0 interface
                        static ipv4
                        10.1.1.1/24
                        none for gateway

                        Then go to system -> routing
                        create a new gateway
                        using the assigned opt interface for the tun_wg0 (or whatever you name it)
                        set gateway to 10.1.1.2

                        Now go to system->routing->static routes
                        create a new static route
                        10.1.1.2/32
                        using the gateway you created above

                        Then you need to go to firewall->nat->outbound
                        set to manual
                        remove any of the assigned opt interface
                        remove any NATing of 10.1.1.1/24 on the assigned opt interface

                        also if you need to access pfsense dns you have to set that up on your client. you can use the opt interface address and just make sure it's enabled in dns resolver

                        give that a try and see if connections work.

                        for the 0.0.0.0/0 access
                        you have to do the above, but create a second gateway whose address is that of the client, 10.1.1.3,
                        then add a static route to that IP

                        then you need to set up outbound NAT
                        Use WAN
                        source 10.1.1.3/32 (or 10.1.1.0/24 if you want all clients to route through wan)
                        NAT address set to WAN address

                        again make sure you have DNS setup on client to resolve things. either point to your pfsense box or some other DNS server

                        I'll give it a go and see. Is it me, or is the primary purpose of a VPN to go from client to server anyway? Would you focus on that part first with a package?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.