pfSense driving me nuts on WireGuard

I’ve double, triple, quadruple checked all the settings to make a tunnel from my pfSense behind CGNAT to my VPS machine. The cloud machine tunnel is up and running, I checked with nmap and the port is open, but pfSense won’t handshake it. I can’t figure out what’s causing that. Does anyone have any clue what could be the reason, or how to see why pfSense is not doing the handshake?

Edit: I’ve been using the VPS to port forward stuff for over a month, but all of a sudden the machine had an issue, I created a new one with the same settings, and here I am, stuck.

Here are some settings from the VPS:


image
image

pfSense:

No handshake is a wrong-key issue.

1 Like

Yesterday I started working on that issue in the morning and ended up fixing it today at 2 AM :sweat_smile::sweat_smile::sweat_smile:

I found out with tcpdump that my pfSense was sending traffic, and the VPS was also sending traffic, but the handshake wouldn’t happen.

It was when I added this line to the peer on the VPS that things went back to normal:

I’m pretty sure that I wasn’t using that for the past month that I’ve been using WireGuard to port forward behind CGNAT.

I even deleted my VPS machine like 4 times thinking that was the reason. When I added the public IP from my ISP (not the CGNAT one) it made the handshake, so I could either use 0.0.0.0:51820 as the endpoint or a DDNS name so only my “ISP public IP” will be able to connect.

EDIT:

Just an improvement: I spun up an LXC container running this amazing tool.

It updates my public IP behind CGNAT and proxies it with Cloudflare.
image
Then I changed the VPS peer so it would point to the DNS name and it all worked fine!

In `wg show` the endpoint updates to my IP automatically.
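The post above diagnosed the problem with tcpdump by watching both sides send traffic without a handshake completing. As an added example (not code from the thread), here is a small Python helper for making sense of such a capture: WireGuard's first payload byte is the message type (1 = handshake initiation, 2 = handshake response, 3 = cookie reply, 4 = transport data) followed by three reserved zero bytes, and the three handshake messages have fixed lengths. If a capture shows only type-1 packets in both directions and never a type 2, the peers are reaching each other but one side is discarding the initiation, which points at a key, endpoint or AllowedIPs mismatch rather than a blocked port. The packet list is constructed sample data, not real traffic; `pfsense` and `vps` are just labels.

```python
"""Classify captured WireGuard UDP payloads by message type (added example)."""

# Message types from the WireGuard protocol; the first byte of every packet.
MESSAGE_TYPES = {
    1: "handshake-initiation",
    2: "handshake-response",
    3: "cookie-reply",
    4: "transport-data",
}
# Fixed sizes of the handshake messages; transport data is variable (>= 32).
FIXED_SIZES = {1: 148, 2: 92, 3: 64}


def classify(payload: bytes) -> str:
    """Return the WireGuard message kind for one UDP payload, or a reason it isn't one."""
    if len(payload) < 4:
        return "too-short"
    mtype = payload[0]
    # Bytes 1..3 are reserved and must be zero in every WireGuard message.
    if payload[1:4] != b"\x00\x00\x00":
        return "not-wireguard"
    name = MESSAGE_TYPES.get(mtype)
    if name is None:
        return "not-wireguard"
    expected = FIXED_SIZES.get(mtype)
    if expected is not None and len(payload) != expected:
        return f"{name}-bad-length"
    if mtype == 4 and len(payload) < 32:
        return "transport-data-bad-length"
    return name


def summarize(packets):
    """Count (src, dst, kind) triples and give a one-line diagnosis.

    packets: iterable of (src, dst, payload) tuples as you would pull them
    from a tcpdump/pcap of the tunnel port.
    """
    counts = {}
    for src, dst, payload in packets:
        key = (src, dst, classify(payload))
        counts[key] = counts.get(key, 0) + 1
    kinds = {k[2] for k in counts}
    if "handshake-response" in kinds or "transport-data" in kinds:
        diag = "handshake completing"
    elif "handshake-initiation" in kinds:
        diag = ("initiations only: peers hear each other but one side rejects "
                "the handshake (check keys, Endpoint and AllowedIPs)")
    else:
        diag = "no WireGuard traffic seen on this port"
    return counts, diag


def make_packet(mtype: int, length: int) -> bytes:
    """Build a constructed packet: type byte, reserved zeros, zero-filled body."""
    return bytes([mtype, 0, 0, 0]) + b"\x00" * (length - 4)


# Constructed sample capture (not real traffic): both sides keep sending
# initiations and no response ever comes back.
SAMPLE = [
    ("pfsense", "vps", make_packet(1, 148)),
    ("vps", "pfsense", make_packet(1, 148)),
    ("pfsense", "vps", make_packet(1, 148)),
]

if __name__ == "__main__":
    for (src, dst, kind), n in summarize(SAMPLE)[0].items():
        print(f"{src} -> {dst}: {kind} x{n}")
    print(summarize(SAMPLE)[1])
```

To feed it real data, capture with something like `tcpdump -ni any udp port 51820 -w wg.pcap` on both hosts and extract the UDP payloads with your preferred pcap reader; the classifier only needs the bytes. Capturing on both ends matters: a response that leaves the VPS but never arrives at pfSense is a path problem, while an initiation that arrives and gets no response is a configuration problem on the receiver.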

Hello, I saw in your figure “Address = 10.69.69.1/24”; that is wrong, because it must be a valid CIDR.
image

1 Like

What is invalid with this CIDR? It is perfectly fine, I think.

A valid CIDR has zero at the end, 10.69.69.0/24.

Example: the host part of the CIDR must be zeroed.
This is valid: 192.168.0.0/16, and this isn’t: 192.168.2.123/16.

You have to put 10.69.69.1 because that’s the WG tunnel IP address for the VPS machine.

1 Like
The [Interface] expects one IP, the [Peer] expects a network:

```ini
# /etc/wireguard/wg0.conf

[Interface]
# this host's own tunnel address (a single IP)
Address = 10.69.69.1/32
ListenPort = 51821
# placeholder: the private key of this host is required here
PrivateKey = <this-host-private-key>

[Peer]
# placeholder: the remote peer's public key is required here
PublicKey = <remote-peer-public-key>
# the network(s) routed to, and accepted from, this peer
AllowedIPs = 10.69.69.0/24
Endpoint = public-ip:51822
```

1 Like

The interface is the settings for the VPS peer, used to connect from a different device, and in my setup it’s using 10.69.69.1/32 as its address.

The peer is my pfSense, which has the IP address 10.69.69.2/32 because that’s the only IP address I want to accept the connection to my VPS from. I could put the whole subnet, but I’m not going to connect to my VPS WireGuard peer from a different device, so I just put 10.69.69.2/32, which is my pfSense IP.

The whole reason I wasn’t able to connect was the Endpoint line; in Tom’s video tutorial he doesn’t use that, and after I added it the handshake worked fine.
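The replies above argue over two things: whether `Address = 10.69.69.1/24` is a valid CIDR, and what goes in `[Interface]` versus `[Peer]`. As an added example (not code from the thread or from the WireGuard project), here is a small Python linter for a `wg0.conf` that encodes the distinction the thread arrives at. An `[Interface]` `Address` is a host address written with a prefix length, which `ipaddress.ip_interface` accepts (`10.69.69.1/24` is fine there), whereas `[Peer]` `AllowedIPs` entries are networks, and `ipaddress.ip_network` in strict mode rejects `10.69.69.1/24` because host bits are set, which is exactly the “host part must be zeroed” point. The check is deliberately stricter than the `wg` tool itself; it also flags overlapping `AllowedIPs` between peers (cryptokey routing wants one owner per prefix), a missing `PrivateKey`/`PublicKey`, and an `Endpoint` that is not `host:port`. The two sample configs are constructed, with placeholder keys, modelled on the thread's VPS/pfSense layout; `isp-public-ip.example` is a made-up hostname.

```python
"""Lint a minimal WireGuard wg0.conf (added example, not project code)."""
import ipaddress


def parse_wg_conf(text):
    """Split a wg-style config into an [Interface] dict and a list of [Peer] dicts.

    Values are kept as lists because keys such as AllowedIPs may repeat.
    configparser is not used because [Peer] sections repeat.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return interface, peers


def _values(section, key):
    """Flatten comma-separated, possibly repeated, values for a key."""
    out = []
    for v in section.get(key, []):
        out.extend(p.strip() for p in v.split(",") if p.strip())
    return out


def check_wg_conf(text):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    interface, peers = parse_wg_conf(text)
    for addr in _values(interface, "address"):
        try:
            ipaddress.ip_interface(addr)  # host address + prefix length is fine
        except ValueError:
            problems.append(f"Interface Address {addr!r} is not an address/prefix")
    if "privatekey" not in interface:
        problems.append("Interface has no PrivateKey")
    owned = []  # (network, peer index) already claimed, for overlap detection
    for i, peer in enumerate(peers):
        if "publickey" not in peer:
            problems.append(f"peer {i} has no PublicKey")
        for cidr in _values(peer, "allowedips"):
            try:
                net = ipaddress.ip_network(cidr, strict=True)  # host bits must be zero
            except ValueError:
                problems.append(f"peer {i} AllowedIPs {cidr!r} has host bits set; "
                                "use the network address or a /32")
                continue
            for other, j in owned:
                if net.overlaps(other):
                    problems.append(f"peer {i} AllowedIPs {net} overlaps peer {j} {other}")
            owned.append((net, i))
        for ep in _values(peer, "endpoint"):
            host, sep, port = ep.rpartition(":")
            if not (sep and host and port.isdigit() and 1 <= int(port) <= 65535):
                problems.append(f"peer {i} Endpoint {ep!r} must be host:port")
    return problems


# Constructed VPS-side config with placeholder keys, modelled on the thread.
SAMPLE_VPS = """\
[Interface]
Address = 10.69.69.1/24
ListenPort = 51820
PrivateKey = VPS_PRIVATE_KEY_PLACEHOLDER

[Peer]
# the pfSense box behind CGNAT
PublicKey = PFSENSE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.69.69.2/32
Endpoint = isp-public-ip.example:51820
"""

# Constructed config carrying the mistakes discussed in the thread.
SAMPLE_BAD = """\
[Interface]
Address = 10.69.69.1/24
ListenPort = 51820
PrivateKey = VPS_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = PEER_A_PLACEHOLDER
AllowedIPs = 10.69.69.1/24

[Peer]
PublicKey = PEER_B_PLACEHOLDER
AllowedIPs = 10.69.69.0/24

[Peer]
PublicKey = PEER_C_PLACEHOLDER
AllowedIPs = 10.69.69.2/32
Endpoint = public-ip
"""

if __name__ == "__main__":
    for name, conf in (("vps", SAMPLE_VPS), ("bad", SAMPLE_BAD)):
        print(name, check_wg_conf(conf) or "ok")
```

Run it against your own file with `check_wg_conf(open("/etc/wireguard/wg0.conf").read())`. Note that it does not validate the key strings themselves, so a handshake that still fails with a clean lint is, as the first reply said, most likely a wrong key on one side.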