Netgate Discussion Forum

Cannot connect to LAN devices from Wireguard VPN

6 Posts 2 Posters 5.7k Views
  • B
    ben9090
    last edited by Aug 9, 2022, 8:49 PM

    I have been working on this issue for a couple of days and wanted to come here for some help as I am new to pfSense.

    I have set up WireGuard and OpenVPN VPNs and have the same issue on both. I have followed multiple WireGuard walkthroughs but cannot get them to work for me. I have no issue connecting to either VPN but I cannot ping devices on the LAN network (192.168.0.0/24) except for the IP of the pfSense (192.168.0.1).
    I can also ping my client (Windows PC) from a server on the remote network. So it looks like it is only going one way. My rules look to be correct from what I have seen in tutorials.

    I will attach images of most of my configuration.

    Here is my Wireguard client config:

    [Interface]
    PrivateKey = xxxxxxxxxxxxxxxxxxx
    ListenPort = 51820
    Address = 10.200.0.5/24
    DNS = 8.8.8.8

    [Peer]
    PublicKey = xxxxxxx
    AllowedIPs = 10.200.0.0/24, 192.168.0.0/24
    Endpoint = [ddnsdomain]:51820
    [Attached screenshots: wireguardRules.png, WanRules.png, VGA_VPN Interface.png, VGA_VPN Interface Rules.png, Tunnel.png, status.png, routePrint.png, peers.png, LANRules.png]

    • J
      Jarhead @ben9090
      posted Aug 9, 2022, 10:16 PM; last edited by Jarhead Aug 9, 2022, 10:32 PM

      @ben9090 That top rule on your wireguard interface is useless because right below it you allow all on lan.
      Same on the VGA_VPN interface.

      You don't show your WG settings but if you have "Interface Group Membership" set to "Only Unassigned Tunnels" (which I think is default but can't remember for sure) you don't need any rules on the WG interface since you assigned an interface to the tunnel.
      It's only using the actual interface (VGA_VPN) for rules.

      Set the destination as WAN Address for your wireguard port through WAN.
      Set MTU and MSS to 1420 on wg interface.

      Your client Interface address should be a /32 not /24.

      Your bottom LAN rule is not necessary as everything "not allowed" is already blocked.

      In Services/DNS resolver/ ACL, is there a Wireguard ACL created?

      EDIT: Forgot, your routes are all screwy, the interface for that subnet should be the WG interface, not the .5 address, try restarting the tunnel to see if it corrects itself.

      EDIT2: 3 hours sleep since 5am yesterday.... A bit fuzzy to say the least.

      You're doing a remote access wireguard, delete the interface, assign the 10.200.0.1/24 to the wireguard tunnel. Make sure the ACL is there and you'll be good.
      All the rest in my original post still applies.
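A small checker for the client-side points raised in this reply (client Address should be a /32, the LAN subnet must be inside AllowedIPs, MTU if set should be 1420). This is an added example, not code from the thread or from pfSense; the sample config is the one from the original post with the keys left redacted, and the LAN subnet 192.168.0.0/24 is the one the thread discusses.

```python
"""Lint a WireGuard client config for the pitfalls discussed in this thread."""
import configparser
import ipaddress

# Constructed sample: the client config from the original post (keys redacted).
SAMPLE_CONFIG = """
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxx
ListenPort = 51820
Address = 10.200.0.5/24
DNS = 8.8.8.8

[Peer]
PublicKey = xxxxxxx
AllowedIPs = 10.200.0.0/24, 192.168.0.0/24
Endpoint = [ddnsdomain]:51820
"""


def parse_wg(text):
    """WireGuard configs are INI-style; strict=False tolerates repeated sections."""
    cp = configparser.ConfigParser(strict=False)
    cp.read_string(text)
    return cp


def lint_client_config(text, lan_subnet="192.168.0.0/24", expected_mtu=1420):
    """Return a list of findings; an empty list means the config passes all checks."""
    cp = parse_wg(text)
    iface, peer = cp["Interface"], cp["Peer"]
    findings = []

    # Remote-access client: the tunnel address is a single host, not the whole subnet.
    addr = ipaddress.ip_interface(iface["Address"])
    if addr.network.prefixlen != 32:
        findings.append(f"Address {addr} should be a /32 for a remote-access client")

    # MTU is optional in the client config; if present it should match the advice (1420).
    if "MTU" in iface and int(iface["MTU"]) != expected_mtu:
        findings.append(f"MTU {iface['MTU']} should be {expected_mtu}")

    # Traffic for the LAN only enters the tunnel if the LAN is covered by AllowedIPs.
    allowed = [ipaddress.ip_network(a.strip()) for a in peer["AllowedIPs"].split(",")]
    lan = ipaddress.ip_network(lan_subnet)
    if not any(lan.subnet_of(n) for n in allowed):
        findings.append(f"LAN {lan} is not covered by AllowedIPs {allowed}")

    if "Endpoint" not in peer:
        findings.append("Peer has no Endpoint; a client cannot initiate the tunnel")
    return findings
```

Running it on the posted config reports only the /24 client address; changing that line to 10.200.0.5/32 makes it pass.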

      • B
        ben9090 @Jarhead
        last edited by Aug 10, 2022, 12:56 PM

        @jarhead Thanks for the quick reply and sorry for my late one!

        I completed those steps and I can now access the server's file share as well as being able to RDP into RDS servers. One thing that is still slightly weird is that I can't ping anything on that LAN network still. But I have everything else working so I'm at least happy with that.

        Thanks!

        • J
          Jarhead @ben9090
          last edited by Aug 10, 2022, 5:04 PM

          @ben9090 Can't ping anything? Aren't the file servers on that network? Any software firewalls blocking it?

          • B
            ben9090 @Jarhead
            last edited by Aug 10, 2022, 7:49 PM

            @jarhead They have a file server with an IP of 192.168.0.13 as well as a good number of other devices and I cannot ping any of them when on the VPN. If I am connected to the file server, I can ping everything on the network including my VPN client. Not sure if it's a firewall issue or not on the pfSense side. I did turn the Windows firewall off on a couple of devices, file server included, to see if that was blocking it but it wasn't.

            • J
              Jarhead @ben9090
              last edited by Aug 10, 2022, 10:07 PM

              @ben9090 Good that it's working but if you want to troubleshoot the pings, do packet captures on all relevant ports to see where they're getting lost.
