I am having difficulty getting a WireGuard handshake in pfSense and am not sure what I am doing wrong. Any help is super appreciated.

I am trying to establish a WireGuard tunnel between my phone and my pfSense, primarily for checking on a camera I host on my network but do not grant internet access.

I have double checked that the keys are correct (the Android public key is the same as the peer key in pfSense, and the peer public key in Android is the same as the tunnel key in pfSense).

I use port 51822 in the Android setup because 51820 and 51821 are in use by my 2 Mullvad tunnels, as shown in the pfSense status screenshot below. I have created a failover interface, and it has worked well - the network will switch to whichever one is currently getting lower ping. If I change it to 51820, it still doesn't work.

I can ping xxxxxx.duckdns.org, and it returns the correct address, but if I ping xxxxduckdnsorg:51820, or xxxxduckdnsorg:51822, I get no response. Is this typical, or possibly the source of my problem?

I've chosen 10.200.0.5 as the IP address I want the Android device to use when it connects. I've also tried setting the endpoint to dynamic, but that didn't help.

Outbound NAT is set to hybrid.

Am I missing something silly? I wonder if using a listen port other than 51820 is interfering.

Thank you in advance for any help with this.

It looks like maybe you haven't set up the keys for the handshake to complete. You have received 0 bytes from what I can tell. Check your public key setup for your peer and that you have the right information where it needs to go.

Also don't forget to check your WireGuard firewall rules for an allow.

You can use Nmap to see if the port is open on your public IP, as that is the first place to start:
nmap -sU -p 51820 Your_Public_IP

Thank you for the idea of using Nmap!

Nmap done at Tue Apr 1 15:56:33 2025 – 1 IP address (1 host up) scanned in 0.17 seconds
Nmap 7.94 scan initiated Tue Apr 1 15:57:15 2025 as: /usr/local/bin/nmap -sS -p 51820 -oN /root/nmap.result --append-output xxx.xx.xx.xx
Nmap scan report for GFiberRouter (xxx.xx.xx.xx
Host is up (0.00029s latency).

PORT STATE SERVICE
51820/tcp closed unknown

So, if I'm reading that right, it means port 51820 is closed, but it may be closed on the Google Fiber router between pfSense and the internet. I will see if I can remove the Google Fiber router (so ONT straight to the Netgate device) and see if that works.
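The Nmap suggestion in the reply above and the reading of its result in the last post both concern a UDP service, and WireGuard answers nothing but a valid handshake, so a scan result needs careful interpretation. The following Python script is an added example, not code from any poster: it parses nmap -oN output (the two reports below are constructed samples using documentation addresses, not the thread's real scan) and states what a given result does and does not tell you about a WireGuard listener.

```python
import re

# Constructed sample: a TCP SYN scan of the WireGuard port, as pasted in the thread.
SAMPLE_TCP = """\
# Nmap 7.94 scan initiated Tue Apr  1 15:57:15 2025 as: nmap -sS -p 51820 -oN out.txt 203.0.113.10
Nmap scan report for router.example (203.0.113.10)
Host is up (0.00029s latency).

PORT      STATE  SERVICE
51820/tcp closed unknown
# Nmap done at Tue Apr  1 15:57:16 2025 -- 1 IP address (1 host up) scanned in 0.17 seconds
"""

# Constructed sample: the UDP scan the reply actually recommended (nmap -sU).
SAMPLE_UDP = """\
# Nmap 7.94 scan initiated Tue Apr  1 16:01:02 2025 as: nmap -sU -p 51820 -oN out.txt 203.0.113.10
Nmap scan report for router.example (203.0.113.10)
Host is up (0.00031s latency).

PORT      STATE         SERVICE
51820/udp open|filtered unknown
# Nmap done at Tue Apr  1 16:01:05 2025 -- 1 IP address (1 host up) scanned in 2.90 seconds
"""

# One port line of an -oN report: "<port>/<proto> <state> <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_ports(report):
    """Return {(port, proto): state} for every port line in an nmap -oN report."""
    return {(int(p), proto): state for p, proto, state, _svc in PORT_LINE.findall(report)}


def assess_wireguard(report, port):
    """Explain what the scan does (and does not) say about a WireGuard listener on `port`."""
    ports = parse_ports(report)
    udp_state = ports.get((port, "udp"))
    if udp_state is None:
        if (port, "tcp") in ports:
            # A TCP verdict says nothing about a UDP listener; WireGuard never speaks TCP.
            return "inconclusive: only TCP was scanned; WireGuard listens on UDP, rerun with -sU"
        return "inconclusive: port %d was not scanned" % port
    if udp_state == "closed":
        return "closed: ICMP port-unreachable came back, nothing listens there or a rule rejects it"
    if udp_state == "filtered":
        return "filtered: an ICMP prohibited reply came back, a firewall is dropping the probe"
    if udp_state in ("open|filtered", "open"):
        # WireGuard ignores anything that is not a valid handshake, so silence is the normal result.
        return "consistent with WireGuard: it answers only valid handshakes, so silence is expected"
    return "unexpected UDP state %r" % udp_state
```

A UDP scan therefore cannot prove the tunnel is reachable; it can only rule the port out, and the handshake counters in the pfSense status page remain the real test.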