Netgate Discussion Forum

pfSense WireGuard and the Android Client

sigma:

Since 23.05 the WireGuard package is available for download.
I have been trying for a while to configure a setup for accessing the network with the Android client of WireGuard. Until now I have had no success. I tried to combine different setup examples found on the net, but it doesn't work. In the Android app log I get "Handshake did not complete after 5 seconds".

Does anybody have a working config with WireGuard on pfSense and the Android client, and can show a sample config of pfSense and the Android client here? I'll try again, and if I get it to work I'll post an example config here.
Thanks for helping.

Bob.Dig @sigma:

@sigma How about you show your non-working config; it is much more fun this way. 😉

sigma @Bob.Dig:

@Bob-Dig
I'll do this this evening or tomorrow.

I think there's a mismatch with the public keys and/or IP addresses. Maybe I'll try to fix it first. Whether it works or not, I'll provide the screenshots here.

sigma:

It is solved and works now. The problem was a key mismatch, as I guessed. Here are my settings.

pfSense configuration:

General Settings:

[screenshot]

Tunnel Settings:

[screenshot]

Peer Settings:

[screenshot]

WireGuard Rule(s):

[screenshot]

WAN Rule:

[screenshot]

Key1: Public Key from the Tunnel Settings on pfSense
Key2: Public Key from the Client (here Android)
Key3: Preshared Key: optional

Now the Android Client Settings:

[screenshot]

sigma:

The tunnel subnet is:

10.6.210.0/24

The IP address 10.6.210.1 must be entered on the WireGuard interface (here OPT20). This interface must be assigned.

[screenshot]

[screenshot]

All other addresses 10.6.210.2 - 10.6.210.254 are for the peers.

No firewall rules are needed for the interface. Only rules for the WireGuard group (see post before).

Bob.Dig @sigma:

@sigma said in pfSense WireGuard and the Android Client:

WAN Rule:

Better choose "WAN address" instead of "This firewall (self)", especially on WAN. 😉

sigma @Bob.Dig:

@Bob-Dig
Ok, thanks for the hint. I think it's a security reason. But why? What's the difference?

Bob.Dig @sigma:

@sigma said in pfSense WireGuard and the Android Client:

What's the difference?

One is only the WAN address, the other is every interface pfSense has to offer. So there is no need to use the latter in a WAN rule.

sigma @Bob.Dig:

@Bob-Dig
Ok, that makes sense. I changed all "this firewall" entries to the WAN devices for which the rule is needed. I have 3 WAN devices (10Gbit fiber, DSL and 5G backup). On the 2 wired ones I have VPN rules (OpenVPN and WireGuard). And then there are some LAN subnets, some with VLANs, some as direct interfaces on the appliance. In the meantime the whole thing is a bit complex for a home firewall ;). I expect a 25Gbit/s synchronous internet connection this year as well, and so I changed from a virtual pfSense to an appliance which performs much better. With these lines I can do some interesting tests with VPN, so I heard about WireGuard and now I'll test it.

With WireGuard I also found out that it seems to have problems resolving internal DNS names. I provide the internal DNS server in the DNS field of the WireGuard config. But it seems not to work. So local SMB shares could not be connected by their names over the WireGuard VPN. But it works fine with OpenVPN. Connecting SMB shares by IP address works fine. I saw some posts here with the same problem. I'll have a look at those postings later. At the moment it's ok, WireGuard basically works and I can do some speed tests.

Bob.Dig @sigma:

@sigma said in pfSense WireGuard and the Android Client:

With WireGuard I also found out that it seems to have problems resolving internal DNS names. I provide the internal DNS server in the DNS field of the WireGuard config. But it seems not to work.

Working fine here. Try 10.6.210.1 as DNS server.

sigma @Bob.Dig:

@Bob-Dig
The tunnel gateway as DNS? I'll try it.

sigma @Bob.Dig:

@Bob-Dig
Doesn't work. The firewall doesn't know the DNS names, so I normally use the AD server as DNS server, so that all internal hosts can be resolved. But WireGuard does not work this way.
I have now made 2 host overrides in the DNS Forwarder and the hosts are recognized. But I think it should also work the other way round.

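As an added example that is not part of the thread and not pfSense's own code: the settings posts above come down to three things that must agree on both sides. The public key pfSense holds in the peer entry must be the one derived from the client's PrivateKey (the key mismatch that kept the handshake from completing), the client's tunnel address must lie in 10.6.210.0/24 without reusing the gateway 10.6.210.1, and the DNS server suggested later in the thread only answers through the tunnel if the client's AllowedIPs routes that address into it. The Python below checks a client .conf for all three; the names x25519, wg_public_key, parse_conf and check_client are chosen here, the key pairs are the RFC 7748 test vectors used as placeholders, and the third check generalizes beyond the thread to the routing condition any DNS entry in a WireGuard config needs.

```python
"""Sanity-check a WireGuard Android client .conf against the pfSense side.
Added example, not code from the thread or pfSense: derives the client's public key
from its PrivateKey (X25519, RFC 7748), compares it with the pfSense peer entry,
then checks tunnel address and DNS consistency."""
import base64
import ipaddress

P = 2**255 - 19  # Curve25519 field prime
A24 = 121665     # (486662 - 2) / 4, ladder constant from RFC 7748

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Plain Python, not constant-time: fine for
    checking a config file, never for a VPN implementation."""
    k = bytearray(scalar)
    k[0] &= 248  # clamp as decodeScalar25519 does
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_public_key(private_b64: str) -> str:
    """Base64 public key WireGuard shows for a base64 private key."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return base64.b64encode(x25519(priv, (9).to_bytes(32, "little"))).decode()

def parse_conf(text: str) -> dict:
    """Minimal parser for the INI-style wg-quick/Android format."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_client(conf_text, pfsense_peer_pubkey, tunnel_subnet, tunnel_gateway):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    conf = parse_conf(conf_text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    findings = []
    try:  # 1. the pfSense peer entry must hold the public key of the client's PrivateKey
        if wg_public_key(iface["PrivateKey"]) != pfsense_peer_pubkey:
            findings.append("pfSense peer public key does not match the client PrivateKey")
    except (KeyError, ValueError) as exc:
        findings.append(f"client PrivateKey unusable: {exc}")
    # 2. the client address must lie in the tunnel subnet and not reuse the gateway
    net, gw = ipaddress.ip_network(tunnel_subnet), ipaddress.ip_address(tunnel_gateway)
    addr = ipaddress.ip_interface(iface.get("Address", "0.0.0.0/32")).ip
    if addr not in net:
        findings.append(f"client Address {addr} is outside tunnel subnet {net}")
    elif addr == gw:
        findings.append(f"client Address {addr} collides with the tunnel gateway")
    # 3. DNS queries only cross the tunnel if AllowedIPs routes the DNS server into it
    allowed = [ipaddress.ip_network(a.strip())
               for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    for dns in (d.strip() for d in iface.get("DNS", "").split(",") if d.strip()):
        if not any(ipaddress.ip_address(dns) in a for a in allowed):
            findings.append(f"DNS server {dns} is not covered by AllowedIPs")
    return findings

# Constructed sample: RFC 7748 section 6.1 test keys stand in for the client (Alice)
# and pfSense tunnel (Bob) key pairs, never reuse them for a real tunnel; subnet,
# gateway and peer address are the thread's values, AllowedIPs' LAN is a placeholder.
def _b64(hex_key: str) -> str:
    return base64.b64encode(bytes.fromhex(hex_key)).decode()

CLIENT_PRIV = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
CLIENT_PUB = _b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
PFSENSE_PUB = _b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
CLIENT_CONF = f"""[Interface]
PrivateKey = {CLIENT_PRIV}
Address = 10.6.210.2/32
DNS = 10.6.210.1
[Peer]
PublicKey = {PFSENSE_PUB}
AllowedIPs = 10.6.210.0/24, 192.168.1.0/24
"""
```

check_client(CLIENT_CONF, CLIENT_PUB, "10.6.210.0/24", "10.6.210.1") returns an empty list for this config; passing PFSENSE_PUB as the peer key instead (the tunnel's own key pasted into the peer entry) reproduces the mismatch finding, and changing DNS to an address outside AllowedIPs reproduces the "DNS does not work over the tunnel" symptom as a finding rather than a silent timeout.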
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.