I started to dig into the new Wireguard option in pfSense and I'm running into a strange issue.
I followed both the official Netgate documentation and Tom’s Wireguard Dynamic Peers video. But I’m not able to get a client to connect from the outside. I’m testing with my phone as it’s the only device I can disconnect from my network to test an outside connection trying to come in.
After some additional tinkering I found that the connection worked perfectly when connecting from inside my network; however, any attempt at an external connection results in these two log messages over and over again:
2021-03-01 20:45:09.441507: [NET] peer([pfSense Pub Key]) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-03-01 20:45:09.442018: [NET] peer([pfSense Pub Key]) - Sending handshake initiation
2021-03-01 20:45:14.608803: [NET] peer([pfSense Pub Key]) - Handshake did not complete after 5 seconds, retrying (try 3)
2021-03-01 20:45:14.609427: [NET] peer([pfSense Pub Key]) - Sending handshake initiation
2021-03-01 20:45:19.897306: [NET] peer([pfSense Pub Key]) - Handshake did not complete after 5 seconds, retrying (try 4)
It seems as if pfSense wasn’t allowing the traffic in for Wireguard’s key validation to occur.
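The retry loop in the log above is the signature of handshake initiations leaving the client and no response coming back. As an added example (not part of the original post, and not pfSense or WireGuard code), the script below parses lines in the format the WireGuard app printed above, counts initiations and the highest "try" number per peer, and flags peers that never see a "Received handshake response" line. The sample log is constructed from the lines in the post plus one assumed successful peer named LAN_TEST_KEY; the "Received handshake response" message text is an assumption about the app's log format.

```python
import re

# Matches the log line shape shown in the post:
# "<date> <time>: [NET] peer(<key>) - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+): \[NET\] peer\((?P<peer>[^)]*)\) - (?P<msg>.*)$"
)
# Extracts the retry number from "Handshake did not complete ... (try N)"
RETRY_RE = re.compile(
    r"Handshake did not complete after (\d+) seconds, retrying \(try (\d+)\)"
)

# Constructed sample: the five lines from the post plus an assumed peer
# that completes its handshake, so the two outcomes can be compared.
SAMPLE_LOG = """\
2021-03-01 20:45:09.441507: [NET] peer([pfSense Pub Key]) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-03-01 20:45:09.442018: [NET] peer([pfSense Pub Key]) - Sending handshake initiation
2021-03-01 20:45:14.608803: [NET] peer([pfSense Pub Key]) - Handshake did not complete after 5 seconds, retrying (try 3)
2021-03-01 20:45:14.609427: [NET] peer([pfSense Pub Key]) - Sending handshake initiation
2021-03-01 20:45:19.897306: [NET] peer([pfSense Pub Key]) - Handshake did not complete after 5 seconds, retrying (try 4)
2021-03-01 20:46:00.000000: [NET] peer(LAN_TEST_KEY) - Sending handshake initiation
2021-03-01 20:46:00.100000: [NET] peer(LAN_TEST_KEY) - Received handshake response
"""


def parse_line(line):
    """Return a dict with ts, peer and msg, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate per-peer handshake statistics from an iterable of log lines."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats.setdefault(
            rec["peer"],
            {"initiations": 0, "max_try": 0, "completed": False, "last_ts": None},
        )
        msg = rec["msg"]
        if msg.startswith("Sending handshake initiation"):
            s["initiations"] += 1
        rm = RETRY_RE.search(msg)
        if rm:
            s["max_try"] = max(s["max_try"], int(rm.group(2)))
        # Assumed success message; a peer with this line completed the handshake.
        if msg.startswith("Received handshake response"):
            s["completed"] = True
        s["last_ts"] = rec["ts"]
    return stats


def diagnose(stats, retry_threshold=3):
    """Flag peers that retried at least `retry_threshold` times with no response."""
    findings = []
    for peer, s in stats.items():
        if not s["completed"] and s["max_try"] >= retry_threshold:
            findings.append(
                (
                    peer,
                    f"{s['initiations']} initiation(s) seen, retried up to try "
                    f"{s['max_try']}, no handshake response: initiations are "
                    "being sent but nothing comes back, so check that the UDP "
                    "listen port is reachable through the firewall/NAT and that "
                    "the endpoint and keys on both sides match.",
                )
            )
    return findings


if __name__ == "__main__":
    for peer, note in diagnose(summarize(SAMPLE_LOG.splitlines())):
        print(f"{peer}: {note}")
```

Run it against a saved copy of the app log instead of SAMPLE_LOG to get the same per-peer summary; a peer that shows initiations but never a response is an "outbound only" symptom, which is why the thread ends up looking at the WAN side of pfSense rather than at the tunnel configuration itself.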
Should be OK with these rules. I have followed the tutorials of Mr. Tom implementing a site-to-site and also a road warrior without any issues; just be careful what you're typing. Check everything again.
I'm having exactly the same issue with pfSense 2.5.2 and Wireguard package 0.1.5. You mentioned you solved it by changing the CIDRs on the IPs in the clients.
I am using 10.1.1.1/24 as the interface for the tunnel, and 10.1.1.2/32 for the iPhone peer in the Wireguard package on pfSense. I then set the IP address in the Interface section of the Wireguard app on the iPhone to 10.1.1.2/24.
I can activate the tunnel but get the same handshake error you showed in the original post.
Could you explain a little more about the CIDR error you found please and the change you made?
Just in case anyone finds this page through a Google search (as I did) the solution for me was to set up the WAN rule to allow traffic for port 51820 on the Firewall/NAT/Port Forward page on pfSense, not on the Firewall/Rules/WAN page. The resulting rule looks the same either way, but I could not get handshaking to work unless I created the WAN rule on the Firewall/NAT/Port Forward page.
I hope this might help others having the same problem.