Netgate Discussion Forum

    Basic Remote LAN Access Setup

    senseCanuck:

      I tried too many configs and haven't got it working yet so I thought I'd ask. Trying to access my home LAN (192.168.5.0/24) from my phone when away.

      pfsense:
      Firewall Rule: WAN open port 51820 UDP
      WG Tunnel Address: 10.0.0.1/24
      WG Peer Address: 10.0.0.2/32

      Android:
      Tunnel Address: 10.0.0.2/24
      Peer Allowed IPs: 10.0.0.1/32, 192.168.5.0/24

      Clearly I'm missing something fundamental?

      senseCanuck:

        Also tried the OPN YouTube tutorial, no luck. With this setup I see a state popup on the firewall rule stats but that's about it. Android client always has 0 for rx packets.

        pfsense:
        Firewall Rule: Floating WAN open port 51820 UDP
        WG Tunnel Address: 10.0.0.0/24
        WG Peer Address: 10.0.0.2/32

        Android:
        Tunnel Address: 10.0.0.2/32
        Peer Allowed IPs: 192.168.5.0/24

        AB5G @senseCanuck:

          @sensecanuck Assuming you have the basic setup completed like here - https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html

          Then you should

          • Assign a wireguard interface (recommended) (detailed here) - https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/assign.html
          • Create an outbound NAT rule to NAT local LAN to the tunnel IP

          Your Android client should be able to connect. Look for logs in the Android client - in iOS there is a way to see the logs.

          P.S.

          Android:
          Tunnel Address: 10.0.0.2/32 <this is correct>
          Peer Allowed IPs: 192.168.5.0/24 <you need an additional 10.0.0.1/32 here. It's better you have 0.0.0.0/0 here; look at the 1st link above for the recipe.>

          senseCanuck @AB5G:
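Added illustration, not part of any post in this thread: a small Python model of WireGuard's cryptokey routing (longest-prefix match over every peer's AllowedIPs) applied to the phone-side configurations described above, showing which destinations never enter the tunnel at all. The peer name, destination addresses and the three sample configs are constructed from the values quoted in the posts.

```python
import ipaddress


def build_cryptokey_table(peers):
    """peers: {peer_name: [AllowedIPs CIDR strings]} -> [(network, peer_name)]."""
    table = []
    for name, cidrs in peers.items():
        for cidr in cidrs:
            table.append((ipaddress.ip_network(cidr, strict=False), name))
    return table


def peer_for(dest, peers):
    """Return the peer that WireGuard would send a packet for `dest` to.

    WireGuard picks the peer whose AllowedIPs entry is the longest prefix
    covering the destination; if no entry covers it, the packet is not
    sent into the tunnel at all (None here).
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for net, name in build_cryptokey_table(peers):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def unreachable(destinations, peers):
    """Destinations that no AllowedIPs entry covers, i.e. never enter the tunnel."""
    return [d for d in destinations if peer_for(d, peers) is None]


# Constructed from the first post: tunnel endpoint and home LAN both listed.
FIRST_ATTEMPT = {"pfsense": ["10.0.0.1/32", "192.168.5.0/24"]}
# Constructed from the second attempt: only the LAN is listed, so traffic to
# the pfSense tunnel address 10.0.0.1 itself is never routed into the tunnel.
SECOND_ATTEMPT = {"pfsense": ["192.168.5.0/24"]}
# Full-tunnel variant suggested in the reply: everything goes via pfSense.
FULL_TUNNEL = {"pfsense": ["0.0.0.0/0"]}

# Constructed sample destinations: tunnel endpoint, a LAN host, an Internet host.
SAMPLE_DESTS = ["10.0.0.1", "192.168.5.20", "1.1.1.1"]

if __name__ == "__main__":
    for label, cfg in [("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT),
                       ("full", FULL_TUNNEL)]:
        print(label, "not tunnelled:", unreachable(SAMPLE_DESTS, cfg))
```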

            @ab5g I found that url earlier today and set up the system that way.

            When I try to connect with Android I can see state/bytes on the pfsense WAN rule but I cannot access the 192.168.0.X devices.
            The connection status shows packets being sent but none received. I'm new to WG so not sure what to look for in the log, seems to be connecting.

            I added the WireGuard gateway rule per wireguard-ra.html (it never gets any states/bytes) but I don't have an outbound NAT rule. Can you provide the details of what it should be? I just added one but still not having any luck. I'm also a little confused why under interfaces in firewall rules there's "WireGuard" as well as the WG interface I assigned.

            AB5G @senseCanuck:

              @sensecanuck WireGuard is the group, so if you have more than 1 interface you can apply rules to the group. WG is the interface you assigned to the tunnel. So you could have another tunnel, say going to a VPN service provider, and assign that WG1 interface. On this tunnel you only want outbound rules, for instance LAN hosts to access the WG1 interface and then onto the VPN provider, while you don't want the VPN service provider to initiate a connection to you. So these interfaces come in handy.

              Some more details are here - https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/rules.html

              Note: Rules on the WireGuard group tab are matched first, so ensure rules on the group tab are removed, disabled, or do not match traffic which requires reply-to. So make sure your allow rules are on the WG interface and not on the Wireguard group.

              If the connection is up, then all that is needed is for you to assign the WG interface and the NAT rule. Also set your Default gateway IPv4 in System/Routing to the WAN_DHCP (don't leave on auto).

              As far as NAT is concerned you need to go to NAT/Outbound/Select Hybrid outbound then Add a new rule > Interface WG, source <your LAN subnet that you are trying to access>, dest any, NAT address WG address.

              If this doesn't work post some screenshots of the configs for

              1. Wireguard
              2. Wireguard Peer
              3. Android configuration
              4. Firewall rule for WAN, firewall rule for WG interface
              5. NAT rules
              senseCanuck @AB5G:

                @ab5g I went through all the rules again and found an incorrect interface specified. All is working now, thanks a lot for the help.

                Now that it's working, I played around a bit and noticed I don't actually need the NAT rule to talk to my LAN (just the WireGuard firewall rule seems to be enough). Is there some additional reason for me to add the NAT as well?
