Newb needs help with Wireguard (remote access)

Mark_K · June 17, 2022, 5:59pm

Hello. I’m new to pfSense and am utterly failing at setting up Wireguard. I’m following the tutorials by Tom (https://youtu.be/8jQ5UE_7xds), Christian McDonald (https://youtu.be/bCNnP8FDSNA) and WunderTech (https://youtu.be/MZf2rOnQ4jc). With occasional deviations, they all seem to provide the same recipe.

Internet comes on an AT&T fiber BGW-320. The public IP is 99.35.xx.yy which the BGW presents to pfSense as 172.16.1.1. The local Network from pfSense is 192.168.1.0/24. The Wireguard Network is 10.15.1.0/24.

I’ve tried Android and Windows peers but the handshake never occurs. I would appreciate it greatly if anyone would look at my configuration and tell me if I have some fatal error in the way I have set it up. Thank you!

tbuyvoets · June 17, 2022, 6:34pm

Is the bgw in bridge mode? Or did you nat the traffic for port 51820 on the bgw to the pfsense address 172.16.1.5?

If the traffic is not natted to te pfsense the port 51820 will be closed on your bgw.

This is a guide how to port forward on a bgw.

Mark_K · June 17, 2022, 7:03pm

Thank you for replying. Yes. I believe I did. This is what the BGW has:

I should have mentioned that I have a vanilla consumer Netgear router (replaced by pfSense). I can still swap it in for testing and it successfully forwards port 51820 to an rPi running piVPN.

Mark_K · June 19, 2022, 5:49pm

I figured it out. Looking at my own quote above, it became apparent to me that I was not properly bridging (technically “IP Passthrough” on the BGW320) the WAN IP to pfSense. pfSense should have been seeing the 99.35.xx.yy address. Turns out that I had an error in the MAC address in the BGW configuration that resulted in NAT.

Once I fixed that, everything worked!