pfSense and Wireguard. Issues..... GRR
-
If this keeps up, I'm gonna be bald soon -- pulling my hair out.
I finally got Wireguard working in pfSense. But it was a fully open VPN. All traffic from the client went through the VPN. I wanted a SPLIT-TUNNEL and I want the VPN traffic to ONLY ACCESS to one of my VLANs (I have 3).
So I made what I thought were the appropriate changes and it didn't work. :( Then when that didn't work, I tried to revert back to the way it was so that I'd at least have a decent starting point. Now it won't even work in fully open mode.
I then started over by deleting the tunnel, interface and peers and can't get it working. Just to be sure, it didn't retain one of the settings that is causing this, I went into the Wireguard Settings and turned off the option to Keep Configuration (With 'Keep Configurations' enabled (default), all tunnel configurations and package settings will persist on install/de-install).
When that didn't work, I deleted it all again and this time uninstalled the Package too. When I went to reinstall the Package, the "available packages" was completely blank. When I tried to search for Wireguard, it found nothing.
After seeing that, I rebooted it thinking maybe they'd appear after rebooting. When it was done rebooting, the Available Packages tab was still blank and searching found nothing. I then restored from backup (this is a VM on proxmox) from before the package was uninstalled and rebooted again. When it rebooted, there was no change.
My head hurts!
-
I ended up running a backup of everything except the installed packages (WG was the only package I had installed) and spinning up a new VM for pfSense. After it was up and running, I restored the backup. It's working fine now -- still can't get WG to function properly though. As of right now, I've got the firewall rule set to allow ALL VPN TRAFFIC to access the entire network unrestricted. I figured that once I get that working, I'd pare it down to be as restrictive as I need.
But even though the phone successfully performs the handshake(s), it won't allow any traffic. I can't browse the internet or access facilities that are behind the VPN. :(
-
@doni49 Are you just venting or do you want some help??
If you want help, maybe you should provide some info?
Post screenshots of your config. -
@doni49
I was going to post screenshots to ask for help but had to deal with a phone call from the boss.Here are all the screenshots that I thought would be useful.
-
As I continue to troubleshoot this, I realized that I had entered 10.1.90.1/32 in the tunnel instead of 10.1.90.1/24. I made that change and unfortunately, it hasn't gotten any better.
-
@doni49 Your client looks good but you need to fix the peer config.
10.1.90.0/32 isn't gonna get anything done.
And add 0.0.0.0/0 to it also. The 10.1.90 is the tunnel, you need the network beyond the tunnel too. -
@doni49 said in pfSense and Wireguard. Issues..... GRR:
As I continue to troubleshoot this, I realized that I had entered 10.1.90.1/32 in the tunnel instead of 10.1.90.1/24. I made that change and unfortunately, it hasn't gotten any better.
You posted as I was typing, not sure where you saw 10.1.90.1/32, I see 10.1.90.0/32. You're still wrong either way, you want 10.1.90.101/32. Plus the 0.0.0.0/0.
-
@Jarhead said in pfSense and Wireguard. Issues..... GRR:
@doni49 said in pfSense and Wireguard. Issues..... GRR:
As I continue to troubleshoot this, I realized that I had entered 10.1.90.1/32 in the tunnel instead of 10.1.90.1/24. I made that change and unfortunately, it hasn't gotten any better.
You posted as I was typing, not sure where you saw 10.1.90.1/32, I see 10.1.90.0/32. You're still wrong either way, you want 10.1.90.101/32. Plus the 0.0.0.0/0.
I saw it under the interface (the simplest way I can think to describe is to tell you I click on Interfaces>Assignment>WG. At the bottom of that page, it had 10.1.90.1/32. I changed that 10.1.90.1/24. I'll try changing the peer to 10.1.90.101/32 & 0.0.0.0/0.I'll post back with the results. Thanks for the assistance.
-
@doni49
OMG! That was it! Now to save a backup and move on to getting split tunnel working and limiting VPN access to the 10.1.20.1/24 network.Thank you!
-
@doni49 You don't have to guess. All of this is very much documented.
I have to say this is one of the weirdest threads I've ever come across. Instead of pulling your hair out, just read. -
@Jarhead
Yeah. I get it. I've read some conflicting info while researching this along with some videos that contradicted some of what I saw. I've gone down so many rabbit holes that I lost track of what I had and had not tried.That and not noticing my typo (32 vs 24) didn't help.
But thanks.
