Netgate Discussion Forum

Wireguard Remote Access configuration. No access to Internet

WireGuard
6 Posts 3 Posters 3.6k Views
    UniverseX
    last edited by Feb 21, 2021, 1:12 PM

    I have followed the instructions from here; however, I cannot access the Internet, though the local network is accessible. I'm able to ping from/to the LAN <-> WireGuard networks. Looking at the rule's states, it looks like DNS requests are not going through, and I am also not able to open the Transmission interface.

    I have tried switching off the DNS rebind check and static route filtering, but none of this resolves the issue. I would appreciate any hint on how to resolve this. Thanks.

    38924ca8-78aa-4ab0-88bf-bee0fa6a9239-image.png

    0d74e32c-ac11-47ef-8157-e3daa187eddb-image.png

    Firewall rules:
    ccf21016-d835-421f-880b-b155509b4ae7-image.png

    9453ce42-4a7c-4583-92a8-1dc593261258-image.png

    Wireguard config:
    e291c1b4-5773-498e-ad5a-45ff4aae05f6-image.png

    9188cec2-7aa6-496a-81ed-a6d6d72a1876-image.png

    4099758b-c63f-4a41-a8e6-f0148017e4ac-image.png

      AB5G @UniverseX
      last edited by Feb 21, 2021, 1:33 PM

      @universex nice name!

      You need a few things:

      • First, assign an interface as described here; let's call it WG: https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/assign.html

      • Move the rules from your existing WireGuard group to this new interface, WG. It's important not to have any rules in the WireGuard group: https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/rules.html. Rules on the WireGuard group tab are matched first, so ensure rules on the group tab are removed, disabled, or do not match traffic which requires reply-to.

      • Go to System > Routing > Gateways and select WAN_DHCP as the default IPv4 gateway; don't leave it on Automatic.

      • Lastly, set a NAT rule to NAT the pfSense LAN to the WG interface IP.

      d6eb22aa-17d4-41ad-b03f-05dc5dc66866-image.png

        UniverseX @AB5G
        last edited by UniverseX Feb 21, 2021, 5:52 PM (posted Feb 21, 2021, 5:48 PM)

        @ab5g thanks for the reply.

        I've done everything as advised, however still not working. Getting the same errors.

        3cec9932-f6db-4ef1-ae3c-ea8dd6c6aee1-image.png

        dc0e07cb-4e0b-4ccb-b6db-fe1bea31a0da-image.png

        02a7718d-5a05-4527-b6e3-b198b1984e43-image.png

        e2c9dbf6-69d0-42dd-9595-7383144a7ff9-image.png

          MikeV7896
          last edited by MikeV7896 Feb 21, 2021, 8:14 PM (posted Feb 21, 2021, 7:56 PM)

          Your settings look good to me... and I didn't add a NAT rule and it's working fine for me. I don't believe outbound NAT is necessary on the WG interface for a simple remote access VPN. I think NAT becomes an issue if you're trying to connect two networks to each other, or if you're using a VPN provider for internet access, since you have multiple devices whose traffic is going over the VPN as if it were a WAN connection.

          I did assign an interface, but had gotten it working before I assigned the interface. It worked fine before and after doing it though.

          My setting screenshots are below (I used a smaller /28 rather than /24 for IPv4). I didn't include firewall rules for the WG interface... the only one I have is an "Allow All", as well as the rule on WAN for port 51820.

          Also, you might want to restart Unbound if you're using that for DNS... I found that needed to be done in order for it to recognize DNS requests from my remote device. Or check your Unbound settings if you limit the interfaces that Unbound can accept connections from.

          wg-tunnel.png
          wg-peer.png
          wg-ios.JPG

          The S in IOT stands for Security

            AB5G @UniverseX
            last edited by Feb 22, 2021, 1:07 AM

            @universex Your settings look OK.

            Please restart the WireGuard tunnel by going to VPN > WireGuard > Tunnel, then edit and save. If that doesn't work, try a tcpdump on:

            • the WireGuard interface, like: tcpdump -i wg0 host <destination you are pinging>
            • Next, run the same tcpdump on the WAN interface to see whether the packets are going out the WAN interface.
              UniverseX @MikeV7896
              last edited by Feb 23, 2021, 10:12 AM

              Thanks @virgiliomi, setting DNS to 10.6.210.1 has resolved the issue. Though I'm still seeing CLOSED:SYN_SENT against Transmission, I guess this is something else.

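The fix that closed this thread was pointing the client's DNS at the pfSense end of the tunnel. The following is an added example, not code from the thread, from pfSense or from the WireGuard project: a small linter for a wg-quick style client config that flags the remote-access pitfalls discussed above (no 0.0.0.0/0 in AllowedIPs, no Endpoint, and DNS missing or left on a private resolver that is unreachable once all traffic is routed into the tunnel). The tunnel network 10.6.210.0/24, the pfSense tunnel address 10.6.210.1, the endpoint hostname and the key placeholders in the sample config are assumptions constructed for illustration.

```python
"""Lint a wg-quick style WireGuard client config for remote-access pitfalls.

Added example, not code from the thread, from pfSense or from WireGuard. The
tunnel network 10.6.210.0/24, the address 10.6.210.1, the endpoint hostname
and the key placeholders below are constructed assumptions.
"""
import ipaddress

# Constructed sample: what a client config exported for a pfSense peer looks like.
SAMPLE_CONFIG = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.6.210.2/24
DNS = 10.6.210.1          # the fix from the thread: resolve via pfSense over the tunnel

[Peer]
PublicKey = <pfsense-public-key-placeholder>
AllowedIPs = 0.0.0.0/0    # full tunnel: all client traffic, DNS included, goes to pfSense
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 25
"""


def parse_wg_config(text):
    """Parse a wg/wg-quick INI config into a list of {"__name__": section, key: [values]}.

    Hand-rolled instead of configparser because one config may hold several
    [Peer] sections, and keys such as AllowedIPs take comma-separated lists.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment; base64 keys never contain it
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"__name__": line[1:-1].strip()}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))   # first '=' only: base64 keys end in '='
        current.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
    return sections


def lint_remote_access(text, tunnel_net="10.6.210.0/24", remote_lans=()):
    """Return a list of problem strings; an empty list means the config passes.

    remote_lans: networks behind pfSense whose resolvers are fine to use (e.g. the LAN).
    """
    tunnel = ipaddress.ip_network(tunnel_net)
    reachable_private = [tunnel] + [ipaddress.ip_network(n) for n in remote_lans]
    sections = parse_wg_config(text)
    ifaces = [s for s in sections if s["__name__"] == "Interface"]
    peers = [s for s in sections if s["__name__"] == "Peer"]
    if len(ifaces) != 1:
        return [f"expected one [Interface] section, found {len(ifaces)}"]
    if not peers:
        return ["no [Peer] section"]
    iface, problems = ifaces[0], []

    # The client's tunnel address must sit inside the tunnel network pfSense serves.
    addrs = [ipaddress.ip_interface(a) for a in iface.get("Address", [])]
    if not any(a.ip in tunnel for a in addrs):
        problems.append(f"Interface Address {[str(a) for a in addrs]} is not inside {tunnel}")

    # Internet access through the VPN needs a default route into the tunnel.
    allowed = [ipaddress.ip_network(n, strict=False) for p in peers for n in p.get("AllowedIPs", [])]
    if not any(n.prefixlen == 0 for n in allowed):
        problems.append("no peer has AllowedIPs 0.0.0.0/0 (or ::/0): internet traffic stays on the local uplink")

    # A road-warrior client must know where pfSense listens.
    for i, p in enumerate(peers):
        if not p.get("Endpoint"):
            problems.append(f"[Peer] #{i + 1} has no Endpoint; the client cannot initiate the tunnel")

    # DNS: with a full tunnel the client's home/office resolver is routed into the
    # tunnel and never answers. Resolution must go to pfSense (or a host behind it).
    dns = []
    for d in iface.get("DNS", []):
        try:
            dns.append(ipaddress.ip_address(d))
        except ValueError:
            pass    # wg-quick also accepts search domains in DNS=; they are not resolvers
    if not dns:
        problems.append("no DNS set: the client keeps its local resolver, which is unreachable through a full tunnel")
    for d in dns:
        if d.is_private and not any(d in n for n in reachable_private):
            problems.append(f"DNS {d} is a private address outside the tunnel/remote LANs; "
                            "it is probably the client's local resolver and will not answer over the tunnel")
    return problems


if __name__ == "__main__":
    for label, cfg in [("as shipped", SAMPLE_CONFIG),
                       ("local resolver", SAMPLE_CONFIG.replace("DNS = 10.6.210.1", "DNS = 192.168.1.1"))]:
        print(label, "->", lint_remote_access(cfg) or "OK")
```

The linter only covers the client side; it cannot see whether Unbound on pfSense is listening on the WG interface, which is the server-side half of the same DNS problem mentioned earlier in the thread.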
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.