Netgate Discussion Forum

Basic Remote LAN Access Setup

    senseCanuck
    last edited by Feb 16, 2021, 11:47 PM

    I tried too many configs and haven't got it working yet so I thought I'd ask. Trying to access my home LAN (192.168.5.0/24) from my phone when away.

    pfsense:
    Firewall Rule: WAN open port 51820 UDP
    WG Tunnel Address: 10.0.0.1/24
    WG Peer Address: 10.0.0.2/32

    Android:
    Tunnel Address: 10.0.0.2/24
    Peer Allowed IPs: 10.0.0.1/32, 192.168.5.0/24

    Clearly I'm missing something fundamental?

      senseCanuck
      last edited by senseCanuck Feb 17, 2021, 3:16 AM Feb 17, 2021, 3:14 AM

      Also tried the OPN YouTube tutorial, no luck. With this setup I see a state pop up on the firewall rule stats but that's about it. Android client always has 0 for rx packets.

      pfsense:
      Firewall Rule: Floating WAN open port 51820 UDP
      WG Tunnel Address: 10.0.0.0/24
      WG Peer Address: 10.0.0.2/32

      Android:
      Tunnel Address: 10.0.0.2/32
      Peer Allowed IPs: 192.168.5.0/24

        AB5G @senseCanuck
        last edited by Feb 18, 2021, 12:56 AM

        @sensecanuck Assuming you have the basic setup completed like here - https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html

        Then you should

        • Assign a wireguard interface (recommended) (detailed here) - https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/assign.html
        • Create an outbound NAT rule to NAT local LAN to the tunnel IP

        Your Android client should be able to connect. Look for logs in the Android client - in iOS there is a way to see the logs.

        P.S.

        Android:
        Tunnel Address: 10.0.0.2/32 <this is correct>
        Peer Allowed IPs: 192.168.5.0/24 <you need an additional 10.0.0.1/32 here. It's better you have a 0.0.0.0/0 here; look at the 1st link above for the recipe.>

          senseCanuck @AB5G
          last edited by senseCanuck Feb 18, 2021, 2:01 AM Feb 18, 2021, 1:40 AM

          @ab5g I found that URL earlier today and set up the system that way.

          When I try to connect with Android I can see state/bytes on the pfsense WAN rule but I cannot access the 192.168.0.X devices.
          The connection status shows packets being sent but none received. I'm new to WG so not sure what to look for in the log, seems to be connecting.

          I added the WireGuard gateway rule per wireguard-ra.html (it never gets any states/bytes) but I don't have an outbound NAT rule. Can you provide the details of what it should be? I just added one but still not having any luck. I'm also a little confused why under interfaces in firewall rules there's "WireGuard" as well as the WG interface I assigned.

            AB5G @senseCanuck
            last edited by Feb 18, 2021, 3:18 AM

            @sensecanuck WireGuard is the group, so if you have more than 1 interface you can apply rules to the group. WG is the interface you assigned to the tunnel. So you could have another tunnel, say, going to a VPN service provider, and assign that the WG1 interface. On this tunnel you only want outbound rules, for instance for LAN hosts to access the WG1 interface and then on to the VPN provider, while you don't want the VPN service provider to initiate a connection to you. So these interfaces come in handy.

            Some more details are here - https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/rules.html

            Note: Rules on the WireGuard group tab are matched first, so ensure rules on the group tab are removed, disabled, or do not match traffic which requires reply-to. So make sure your allow rules are on the WG interface and not on the WireGuard group.

            If the connection is up, then all that is needed is for you to assign the WG interface and the NAT rule. Also set your Default gateway IPv4 in System/Routing to the WAN_DHCP (don't leave on auto).

            As far as NAT is concerned, you need to go to NAT/Outbound/Select Hybrid outbound, then Add a new rule > Interface WG, source <your LAN subnet that you are trying to access>, dest any, NAT address WG address.

            If this doesn't work, post some screenshots of the configs for

            1. WireGuard
            2. WireGuard Peer
            3. Android configuration
            4. Firewall rule for WAN, firewall rule for WG interface
            5. NAT rules
              senseCanuck @AB5G
              last edited by Feb 18, 2021, 12:31 PM

              @ab5g I went through all the rules again and found an incorrect interface specified. All is working now, thanks a lot for the help.

              Now that it's working, I played around a bit and noticed I don't actually need the NAT rule to talk to my LAN (just the WireGuard firewall rule seems to be enough). Is there some additional reason for me to add the NAT as well?

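An added example, not part of the thread or of pfSense: a Python check of the addressing plans posted above against how WireGuard uses Allowed IPs on each side of the tunnel. The function name, its argument names and the dict layout are assumptions made for this example, and it does not look at firewall or NAT rules, which is where the thread's fix turned out to be.

```python
from ipaddress import ip_interface, ip_network

def check_remote_access(server_addr, server_peer_allowed, client_addr, client_allowed, lan):
    """Return findings for a WireGuard remote-access addressing plan (hypothetical helper)."""
    srv, cli, lan_net = ip_interface(server_addr), ip_interface(client_addr), ip_network(lan)
    srv_allowed = [ip_network(n, strict=False) for n in server_peer_allowed]
    cli_allowed = [ip_network(n, strict=False) for n in client_allowed]
    findings = []
    # The tunnel interface needs a host address, not the subnet's network address.
    if srv.network.prefixlen < 31 and srv.ip == srv.network.network_address:
        findings.append(f"server tunnel address {srv} is a network address, not a host address")
    # The server accepts packets from this peer only if their source is in its Allowed IPs.
    if not any(cli.ip in net for net in srv_allowed):
        findings.append(f"client address {cli.ip} is outside the server-side peer Allowed IPs")
    # The client sends only destinations covered by its Allowed IPs into the tunnel.
    if not any(n.version == lan_net.version and lan_net.subnet_of(n) for n in cli_allowed):
        findings.append(f"client Allowed IPs do not cover the LAN {lan_net}")
    if not any(srv.ip in net for net in cli_allowed):
        findings.append(f"client Allowed IPs do not cover the server tunnel IP {srv.ip}")
    # 0.0.0.0/0 is a full tunnel: every IPv4 destination goes through the peer.
    if any(n.prefixlen == 0 for n in cli_allowed):
        findings.append("note: 0.0.0.0/0 routes all client IPv4 traffic through the tunnel")
    return findings

LAN = "192.168.5.0/24"
# Values copied from the thread's posts; the dict layout is constructed for this example.
FIRST_POST = dict(server_addr="10.0.0.1/24", server_peer_allowed=["10.0.0.2/32"],
                  client_addr="10.0.0.2/24", client_allowed=["10.0.0.1/32", LAN], lan=LAN)
SECOND_POST = dict(server_addr="10.0.0.0/24", server_peer_allowed=["10.0.0.2/32"],
                   client_addr="10.0.0.2/32", client_allowed=[LAN], lan=LAN)
FULL_TUNNEL = dict(SECOND_POST, server_addr="10.0.0.1/24", client_allowed=["0.0.0.0/0"])

if __name__ == "__main__":
    cases = [("first post", FIRST_POST), ("second post", SECOND_POST), ("0.0.0.0/0", FULL_TUNNEL)]
    for name, cfg in cases:
        print(name, check_remote_access(**cfg) or "addressing is consistent")
```

An empty result for the first post's values means the addressing itself was consistent, so the firewall rule interfaces are the next place to look.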