    Wireguard Remote Access configuration. No access to Internet

    • UniverseX

      I have followed the instruction from here, however I cannot access the Internet, though the local network is accessible. I'm able to ping from/to LAN<->WireGuard networks. Looking at the rule states, it looks like DNS requests are not going through, and I am also not able to open the Transmission interface.

      I have tried to switch off DNS rebind check and static route filtering, but none of this resolves the issue. I would appreciate any hint on how to resolve this. Thanks.

      (screenshots: rule states, firewall rules and WireGuard tunnel/peer configuration)

      • AB5G @UniverseX

        @universex nice name !

        You need a few things -

        • First, assign an interface as per here (let's call it WG): https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/assign.html

        • Move rules from your existing WireGuard group to this new interface, WG. It's important not to have any rules in the WireGuard group: https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/rules.html. Rules on the WireGuard group tab are matched first, so ensure rules on the group tab are removed, disabled, or do not match traffic which requires reply-to.

        • Go to System > Routing > Gateways // Select Default IPv4 GW as WAN_DHCP > don't leave it on auto

        • Lastly set a NAT rule to NAT pfsense LAN to the WG interface IP.

        (screenshot: outbound NAT rule)

        • UniverseX @AB5G

          @ab5g thanks for the reply.

          I've done everything as advised, however still not working. Getting the same errors.

          (screenshots: updated interface assignment, firewall rules, gateway and NAT settings)

          • MikeV7896

            Your settings look good to me... and I didn't add a NAT rule and it's working fine for me. I don't believe outbound NAT is necessary on the WG interface for a simple remote access VPN. I think NAT becomes an issue if you're trying to connect two networks to each other, or if you're using a VPN provider for internet access, since you have multiple devices whose traffic is going over the VPN as if it were a WAN connection.

            I did assign an interface, but had gotten it working before I assigned the interface. It worked fine before and after doing it though.

            My setting screenshots are below (I used a smaller /28 rather than /24 for IPv4). I didn't include firewall rules for the WG interface... the only one I have is an "Allow All", as well as the rule on WAN for port 51820.

            Also, you might want to restart Unbound if you're using that for DNS... I found that needed to be done in order for it to recognize DNS requests from my remote device. Or check your Unbound settings if you limit the interfaces that Unbound can accept connections from.

            (screenshots: wg-tunnel, wg-peer, wg-ios)

            • AB5G @UniverseX

              @universex Your settings look ok.

              Please restart the WireGuard tunnel by going to VPN > WireGuard > Tunnel, edit and then save. If that doesn't work, try a tcpdump on:

              • the WireGuard interface, like tcpdump -i wg0 host <destination you are pinging>
              • next, run the same tcpdump on the WAN interface to see whether packets are going out the WAN interface.

              • UniverseX @MikeV7896

                Thanks @virgiliomi, setting DNS to 10.6.210.1 has resolved the issue. Though I'm still seeing CLOSED:SYN_SENT against Transmission, I guess this is something else.

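The fix that closed the thread was pointing the client's DNS at the pfSense WG interface address, and MikeV7896's post adds that Unbound must actually accept queries on that interface. As an added example (not code from the thread or from Netgate), this small checker parses a WireGuard client config and flags the two client-side causes of "LAN works but no Internet/DNS" discussed above: a missing full-tunnel AllowedIPs and a DNS server that is not on the tunnel subnet. The sample config, the 10.6.210.0/24 tunnel and the key placeholders are constructed for the example.

```python
import configparser
import ipaddress

# Constructed sample client config (not from the thread); keys are placeholders.
# DNS deliberately points at an off-tunnel resolver so the check has something to find.
CLIENT_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.6.210.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <pfsense-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_wg_conf(text):
    """Parse the INI-style [Interface]/[Peer] sections into a dict of dicts."""
    cp = configparser.ConfigParser(strict=False)
    cp.optionxform = str  # keep key case (PrivateKey, AllowedIPs, ...)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_remote_access(conf):
    """Return a list of findings; an empty list means the client side looks right."""
    findings = []
    iface = conf.get("Interface", {})
    peer = conf.get("Peer", {})
    tunnel = ipaddress.ip_interface(iface["Address"].split(",")[0].strip())
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    # Full tunnel needs a default route; otherwise only listed subnets go via WG.
    if not any(n.version == 4 and n.prefixlen == 0 for n in allowed):
        findings.append("AllowedIPs lacks 0.0.0.0/0: Internet traffic bypasses the tunnel")
    dns_raw = iface.get("DNS", "")
    if not dns_raw:
        findings.append("no DNS set: the client keeps using its local resolver")
        return findings
    for entry in dns_raw.split(","):
        try:
            dns_ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            continue  # a search domain, not a server address
        if dns_ip not in tunnel.network:
            findings.append(f"DNS {dns_ip} is outside tunnel subnet {tunnel.network}; "
                            "the working setup in the thread used the pfSense WG interface IP")
    return findings
```

Even with the client config clean, DNS still fails if Unbound on pfSense is restricted to interfaces that do not include WG, or has not been restarted since the tunnel came up; that has to be checked on the firewall itself.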