Testing WG correctness

chudak

Finally I setup wg server on 2.5.0 pfSense

And connected my iPhone to it.
Spent some time opening wg port.

However when I connect, my iPhone does not get the IP assigned as my pfsense external IP

What am I missing?

Thx

Slugger

• Is the AllowedIPs on your phone set to 0.0.0.0/0? This will force all your internet traffic thru the wg interface
• Is there a firewall rule on pfSense to allow the traffic in your wg interface and out your internet connection?

chudak

@slugger said in Testing WG correctness:

• Is the AllowedIPs on your phone set to 0.0.0.0/0? This will force all your internet traffic thru the wg interface

No it was not.
Did that and now do see the correct IP :)

• Is there a firewall rule on pfSense to allow the traffic in your wg interface and out your internet connection?

Here is what I have in rules see attached

Some boxes still not ping-able, need to test more

Thx !

chudak

@slugger

I am hoping you can help me resolving one remaining issue with WG.

In general it seems all working fine, I can connect from my iPhone and access all my resources. Except one - ubuntu box, it's a bit unusual as it's my buz laptop and usually is connected to 2 VPNs. I have no issues accessing it via OpenVPN client from the same iPhone.

WG interface IP X.X.X.1/24
I use Allowed IP on WG/pfsense. Such as X.X.X.2/32

On my iPhone I use:
Address: X.X.X.2/32
DNS servers: <pfsense IP>
Allowed IPs: 0.0.0.0/0 (as was suggested)

Note:
I can ping X.X.X.1/24 from any box, but the laptop in question.

Any clues appreciated !

Slugger

@chudak Too many variables and unknowns in this situation. Basic network troubleshooting is going to be required. If it's just the one box then I'd probably start on that box and do a tcpdump to see if the traffic is even reaching the laptop. If it is, then next step is to figure out why replies aren't making it back to the router, etc. If you're not seeing any traffic hit the laptop then continue up the chain to figure out where the traffic is getting lost then troubleshoot from there.

chudak

@slugger

I verified via tcpdump that traffic is reaching the laptop and I see actually in the FW logs that the traffic was passed for ICMP, TCP:S and UDP

I used ping and VNC client for testing, but ping comes back with time-out and VNC does not connect!

unsuccessful VNC via WG

XXX.50010 > <host:port>: Flags [S], cksum 0xcd44 (correct), seq 154163631, win 65535, options [mss 1220,nop,wscale 6,nop,nop,TS val 932818297 ecr 0,sackOK,eol], length 0

successful VNC via OpneVPN

YYY.50014 > <host:port>: Flags [.], cksum 0x5ea6 (correct), ack 2763002, win 3978, options [nop,nop,TS val 932853858 ecr 516576482], length 0

No clue what those flags mean ...

chudak

@slugger

So I know exactly whats going on.
As I said this laptop connects to two VPNs and creates two tunnels: tun0 and tun1

When it connects to tun1 it starts having issues letting WG access it.

I guess it's interesting why it's going on and how to control it, but I am happy it's clear what's going on.

I thought that by using on ubuntu option "Use this connection only for resources on its network" takes care of this issue, but maybe not (maybe a bug in WG or Ubuntu VPN :) ).

Definitely some difference between OpenVPN and WG

Thanks for your help !