Netgate Discussion Forum
    pfSense and Wireguard. Issues..... GRR

    • doni49

      If this keeps up, I'm gonna be bald soon -- pulling my hair out.

      I finally got Wireguard working in pfSense. But it was a fully open VPN. All traffic from the client went through the VPN. I wanted a SPLIT-TUNNEL and I want the VPN traffic to ONLY ACCESS to one of my VLANs (I have 3).

      So I made what I thought were the appropriate changes and it didn't work. :( Then when that didn't work, I tried to revert back to the way it was so that I'd at least have a decent starting point. Now it won't even work in fully open mode.

      I then started over by deleting the tunnel, interface and peers and can't get it working. Just to be sure it didn't retain one of the settings that is causing this, I went into the Wireguard Settings and turned off the option to Keep Configuration (With 'Keep Configurations' enabled (default), all tunnel configurations and package settings will persist on install/de-install).

      When that didn't work, I deleted it all again and this time uninstalled the Package too. When I went to reinstall the Package, the "available packages" was completely blank. When I tried to search for Wireguard, it found nothing.

      After seeing that, I rebooted it thinking maybe they'd appear after rebooting. When it was done rebooting, the Available Packages tab was still blank and searching found nothing. I then restored from backup (this is a VM on proxmox) from before the package was uninstalled and rebooted again. When it rebooted, there was no change.

      My head hurts!

      • doni49 @doni49

        @doni49

        I ended up running a backup of everything except the installed packages (WG was the only package I had installed) and spinning up a new VM for pfSense. After it was up and running, I restored the backup. It's working fine now -- still can't get WG to function properly though. As of right now, I've got the firewall rule set to allow ALL VPN TRAFFIC to access the entire network unrestricted. I figured that once I get that working, I'd pare it down to be as restrictive as I need.

        But even though the phone successfully performs the handshake(s), it won't allow any traffic. I can't browse the internet or access facilities that are behind the VPN. :(

        • Jarhead @doni49

          @doni49 Are you just venting or do you want some help?
          If you want help, maybe you should provide some info?
          Post screenshots of your config.

          • doni49 @doni49

            @doni49
            I was going to post screenshots to ask for help but had to deal with a phone call from the boss.

            Here are all the screenshots that I thought would be useful.

            [Screenshots]

            • doni49 @doni49

              As I continue to troubleshoot this, I realized that I had entered 10.1.90.1/32 in the tunnel instead of 10.1.90.1/24. I made that change and unfortunately, it hasn't gotten any better.

              • Jarhead @doni49

                @doni49 Your client looks good but you need to fix the peer config.
                10.1.90.0/32 isn't gonna get anything done.
                And add 0.0.0.0/0 to it also. The 10.1.90 is the tunnel, you need the network beyond the tunnel too.

                • Jarhead @doni49

                  @doni49 said in pfSense and Wireguard. Issues..... GRR:

                  As I continue to troubleshoot this, I realized that I had entered 10.1.90.1/32 in the tunnel instead of 10.1.90.1/24. I made that change and unfortunately, it hasn't gotten any better.

                  You posted as I was typing, not sure where you saw 10.1.90.1/32, I see 10.1.90.0/32. You're still wrong either way, you want 10.1.90.101/32. Plus the 0.0.0.0/0.

                  • doni49 @Jarhead

                    @Jarhead said in pfSense and Wireguard. Issues..... GRR:

                    @doni49 said in pfSense and Wireguard. Issues..... GRR:

                    As I continue to troubleshoot this, I realized that I had entered 10.1.90.1/32 in the tunnel instead of 10.1.90.1/24. I made that change and unfortunately, it hasn't gotten any better.

                    You posted as I was typing, not sure where you saw 10.1.90.1/32, I see 10.1.90.0/32. You're still wrong either way, you want 10.1.90.101/32. Plus the 0.0.0.0/0.
                    I saw it under the interface (the simplest way I can think to describe it is to tell you I click on Interfaces>Assignment>WG). At the bottom of that page, it had 10.1.90.1/32. I changed that to 10.1.90.1/24. I'll try changing the peer to 10.1.90.101/32 & 0.0.0.0/0.

                    I'll post back with the results. Thanks for the assistance.

                      • doni49 @doni49

                      @doni49
                      OMG! That was it! Now to save a backup and move on to getting split tunnel working and limiting VPN access to the 10.1.20.1/24 network.

                      Thank you!

                        • Jarhead @doni49

                        @doni49 You don't have to guess. All of this is very much documented.
                        I have to say this is one of the weirdest threads I've ever come across. Instead of pulling your hair out, just read.

                          • doni49 @Jarhead

                          @Jarhead
                          Yeah. I get it. I've read some conflicting info while researching this along with some videos that contradicted some of what I saw. I've gone down so many rabbit holes that I lost track of what I had and had not tried.

                          That and not noticing my typo (32 vs 24) didn't help.

                          But thanks.

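An added example (not code from this thread, pfSense or WireGuard) that models WireGuard's AllowedIPs cryptokey routing, to show why the 10.1.90.0/32 peer entry discussed above blocks the phone's traffic even after a successful handshake, why 10.1.90.101/32 fixes it, and what a split-tunnel client AllowedIPs limited to the 10.1.20.0/24 VLAN looks like. The peer names and the `suspicious` lint heuristic are assumptions; the addresses are the ones quoted in the thread.

```python
"""Minimal model of WireGuard cryptokey routing (AllowedIPs) for config checks.
Added example: not pfSense or WireGuard code. Peer names are made up."""
import ipaddress


def build_table(peers):
    """peers: {peer_name: [cidr, ...]} -> list of (network, peer_name).
    strict=False mirrors a GUI that accepts '10.1.20.1/24' and stores 10.1.20.0/24."""
    return [(ipaddress.ip_network(c, strict=False), name)
            for name, cidrs in peers.items() for c in cidrs]


def lookup(table, addr):
    """Longest-prefix match: which peer 'owns' addr according to AllowedIPs.
    None means no peer matches, so the interface will not send the packet anywhere."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, name in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def inbound_accepted(table, peer, src):
    """WireGuard drops a decrypted packet from `peer` unless its source address
    maps back to that same peer. The handshake still succeeds, which is exactly
    the 'handshake works, no traffic' symptom from the thread."""
    return lookup(table, src) == peer


def suspicious(cidr):
    """Heuristic lint (assumption) for the typo in the thread: an IPv4 /32 whose
    host octet is 0 is almost always a network address entered as a host."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (net.version == 4 and net.prefixlen == 32
            and int(net.network_address) & 0xFF == 0)


if __name__ == "__main__":
    # pfSense side, as first configured: the peer's AllowedIPs was 10.1.90.0/32.
    wrong = build_table({"phone": ["10.1.90.0/32"]})
    print(inbound_accepted(wrong, "phone", "10.1.90.101"))   # False
    print(suspicious("10.1.90.0/32"))                         # True
    # After the fix: the phone's tunnel address plus 0.0.0.0/0.
    fixed = build_table({"phone": ["10.1.90.101/32", "0.0.0.0/0"]})
    print(inbound_accepted(fixed, "phone", "10.1.90.101"))   # True
    # Phone side, split tunnel that only reaches the 10.1.20.0/24 VLAN:
    # the internet (8.8.8.8) has no matching peer and stays off the tunnel.
    client = build_table({"pfsense": ["10.1.90.0/24", "10.1.20.0/24"]})
    print(lookup(client, "10.1.20.5"), lookup(client, "8.8.8.8"))  # pfsense None
```

On pfSense the server-side peer's AllowedIPs is only the cryptokey ACL; which destinations actually enter the tunnel and which VLAN the client may reach are still decided by the routes and the WireGuard interface firewall rules.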