Unable to connect Wireguard from outside

Hi Everyone!

I started to dig into the new Wireguard option in pfSense and I’m running to a strange issue.

I followed both the official Netgate documentation and Tom’s Wireguard Dynamic Peers video. But I’m not able to get a client to connect from the outside. I’m testing with my phone as it’s the only device I can disconnect from my network to test an outside connection trying to come in.

After some additional tinkering I found that the connection worked perfectly when connecting from inside my network; however, any attempt at an external connection all result in these two log messages over and over again:

2021-03-01 20:45:09.441507: [NET] peer([pfSense Pub Key]) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-03-01 20:45:09.442018: [NET] peer([pfSense Pub Key]) - Sending handshake initiation
2021-03-01 20:45:14.608803: [NET] peer([pfSense Pub Key]) - Handshake did not complete after 5 seconds, retrying (try 3)
2021-03-01 20:45:14.609427: [NET] peer([pfSense Pub Key]) - Sending handshake initiation
2021-03-01 20:45:19.897306: [NET] peer([pfSense Pub Key]) - Handshake did not complete after 5 seconds, retrying (try 4)

It seems as if pfSense wasn’t allowing the traffic in for Wireguard’s key validation to occur.

This is my WAN rule to allow Wireguard in:

image1159×67 5.81 KB

And this is the the wg0 rule for the VPN traffic:

image1158×174 14.5 KB

As can be seen, at the moment they’re wide open, so I’m unsure what would be stopping Wireguard from completing the connection.

Has anyone else run into this or know what the issue might be?

Please let me know if there is any additional information I can provide. Thanks for any insight into what the issue could be!

Your WG 51820 port is showing 0/0 which means traffic is not reaching it from what ever device you are trying to connect to it.

Where in the logs would I be able to see if any traffic is being denied to the WAN? I’m afraid my knowledge of pfSense’s logs is somewhat limited.

Got to Status → System Logs → Firewall Logs
https://docs.netgate.com/pfsense/en/latest/monitoring/logs/firewall.html

should be ok with these rules. i have followed the tutorials of Mr. Tom implementing a site to site and also road warrior without any issues, just be careful what you typing. check everything again.

Thanks for the replies!

I ended up figuring it out and it was definitely me! I was using the wrong CIDRs on my IPs in the clients. Something to watch out for!

I got both split-tunnel and all-traffic tunnels working now. So happy to start experimenting!

I’m having exactly the same issue with pfSense 2.5.2 and Wireguard package 0.1.5. You mentioned you solved it by changing the CIRDrs on the IPs in the clients.

I am using 10.1.1.1/24 as the interface for the tunnel, and 10.1.1.2/32 for the iphone peer in the Wireguard package on pfSense. I then set the IP address in the Interface section of the Wireguard app on the iphone to 10.1.1.2/24.

I can activate the tunnel but get the same handshake error you showed in the original post.

Could you explain a little more about the CIDR error you found please and the change you made?

Just in case anyone finds this page through a Google search (as I did) the solution for me was to set up the WAN rule to allow traffic for port 51820 on the Firewall/NAT/Port Forward page on pfSense, not on the Firewall/Rules/WAN page. The resulting rule looks the same either way, but I could not get handshaking to work unless I created the WAN rule on the Firewall/NAT/Port Forward page.

I hope this might help others having the same problem.