One tunnel for remote access
-
Need assistance with getting wireguard to work on my pfsense. Where did I go wrong? I have my tunnel, peers, WAN rules, Wireguard rules, and general wireguard settings. Any ideas?
-
@korr2221 On the WAN rules, leave the source port range as default (any), not 51820. Destination port is 51820.
-
@bigsy Good eye. So I changed the source port to any and destination port to 51820. Same thing, no handshake in the status.
-
@korr2221 I think you can't assign allowed-ips to the same network as the interface address on your tunnel.
-
@thebabufrik I'm using the 192.168.1.x range for my main network.
-
@thebabufrik Got it to connect, but now I can't reach my other devices.
-
@korr2221 Change allowed-ips to 0.0.0.0/0; can you reach your other devices then?
-
I followed this guide: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html
It's working perfectly; I can access all the networks I have in my .conf file.
Using the split tunnel method. Note that only full tunnel needs outbound NAT and 0.0.0.0/0 in allowed-ips.
-
@thebabufrik tried, no luck.
-
@thebabufrik yeah I tried both split and full tunnel :( and I followed the same thing. I have no idea where I could have gone wrong. I just upgraded wireguard on it and now that interface with the handshake is no longer there.
-
@korr2221 said in One tunnel for remote access:
@thebabufrik yeah I tried both split and full tunnel :( and I followed the same thing. I have no idea where I could have gone wrong. I just upgraded wireguard on it and now that interface with the handshake is no longer there.
Double-check the keys in pfSense and in the client. Maybe regenerate them and reapply?
-
@mcury I did. I mean it's green and the handshake is successful for a reason I think? Going to retry but I think it's something with the firewall or routing. Do I need to create static routing so I can see my LAN on the other subnet for me to see it?
-
@korr2221 said in One tunnel for remote access:
@mcury I did. I mean it's green and the handshake is successful for a reason I think? Going to retry but I think it's something with the firewall or routing. Do I need to create static routing so I can see my LAN on the other subnet for me to see it?
No, no static route required.
Here is my configuration:
Firewall WAN rule:
Wireguard allow rule:
Tunnel setup:
Peer setup:
Wireguard app in my phone:
-
@korr2221 The weirdest thing ever. So I reinstalled WG twice, and all I did was change the order of the allowed IPs, where I would put 0.0.0.0/0 in the middle. Suddenly it works now.
-
@korr2221 said in One tunnel for remote access:
@korr2221 The weirdest thing ever. So I reinstalled WG twice, and all I did was change the order of the allowed IPs, where I would put 0.0.0.0/0 in the middle. Suddenly it works now.
Weird indeed. Is full tunnel what you want? If so, you need an outbound NAT as well.
0.0.0.0/0 alone won't work.
-
@mcury I didn't really need full tunnel, but for whatever reason adding the 0.0.0.0/0 scope made it work. Can someone explain? LOL.
I know I needed to adjust the NAT if I want full tunnel. But at this point it works and I am happy.
Just checked my NAT settings, ZERO NAT rules. No idea what's going on.
-
@korr2221 said in One tunnel for remote access:
@mcury I didn't really need full tunnel, but for whatever reason adding the 0.0.0.0/0 scope made it work. Can someone explain? LOL
0.0.0.0/0 will route everything that is connected to wireguard through the tunnel, including internet access, but you would also need an outbound NAT created.
Split tunnel (0.0.0.0/0 not included in allowed-ips): you only gain access to the networks included in allowed-ips.
Full tunnel (0.0.0.0/0 included in allowed-ips): wireguard connections will be routed to the internet as well.
-
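An added example (not from the thread or from the Netgate recipe) that parses a WireGuard client .conf and applies the AllowedIPs semantics described above: a destination enters the tunnel only if some AllowedIPs prefix covers it, the longest matching prefix wins regardless of entry order, and a 0.0.0.0/0 entry is what turns a split tunnel into a full tunnel (which then needs outbound NAT on pfSense). The two configs, the endpoint name and the key placeholders are constructed for the example.

```python
import ipaddress

# Constructed sample client config (split tunnel); keys and endpoint are placeholders.
SPLIT_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.0.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <pfsense-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
"""

# Same config with 0.0.0.0/0 added "in the middle" of AllowedIPs (full tunnel).
FULL_CONF = SPLIT_CONF.replace("AllowedIPs = 10.0.0.0/24, 192.168.1.0/24",
                               "AllowedIPs = 192.168.1.0/24, 0.0.0.0/0, 10.0.0.0/24")


def parse_allowed_ips(conf_text):
    """Collect every AllowedIPs prefix from all [Peer] sections of a wg .conf."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(",") if v.strip())
    return nets


def is_full_tunnel(nets):
    """A default route (0.0.0.0/0 or ::/0) in AllowedIPs means all internet traffic
    is sent through pfSense, which is why an outbound NAT rule becomes necessary."""
    return any(n.prefixlen == 0 for n in nets)


def tunnel_route_for(nets, dest):
    """Cryptokey routing: return the most specific AllowedIPs prefix covering dest,
    or None if the client sends it outside the tunnel. Entry order is irrelevant."""
    addr = ipaddress.ip_address(dest)
    matches = [n for n in nets if n.version == addr.version and addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None
```

With the split config, 1.1.1.1 gets no tunnel route (it stays on the phone's own internet), while with the full config it matches 0.0.0.0/0; the LAN address still matches 192.168.1.0/24 in both cases because the /24 is more specific than the /0, wherever it sits in the list.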
@mcury Just realized my LAN works but I can't access public sites. It works without the 0.0.0.0/0; I'm guessing adding it in the middle did something, and now it works like it's supposed to. But still having trouble with public sites. Odd...
-
@korr2221 Never mind. Changed my DNS from Comcast to 1.1.1.1; now all is working normally. WHAT? :3
-
@korr2221 said in One tunnel for remote access:
@mcury Just realized my LAN works but I can't access public sites. It works without the 0.0.0.0/0; I'm guessing adding it in the middle did something, and now it works like it's supposed to. But still having trouble with public sites. Odd...
Do you want to use the Internet from pfsense while connected to wireguard?
Or the phone Internet?