Wireguard and pfSense. Firewall Rules issue

I have Wireguard installed in pfSense. When I attempt to access it from outside my home network, it doesn’t do the handshake. WG is configured to use port 51820. The firewall rule on the WAN interface says UDP port 51820 traffic should go to Wireguard.

One time, I forgot to disconnect my phone from WiFi before connecting Wireguard. It connected that time, leading me to believe the peer and tunnel themselves are configured properly and this is a firewall issue. But since the rules seem to allow it, I’m at a loss.

EDIT: I think I may have found the issue. Working on resolving it now. Will post back if problems continue.

Unfortunately, it wasn’t what I thought it was (or possibly that was PART of the issue).

For the past year or so, I’ve been using Home Assistant and it has three add-ons that I was using to allow external access: duckdns, letsencrypt and NGINX.

When I attempted to connect to Home Assistant from outside the network, I realized that it couldn’t connect either. Then I realized: I rebuilt my HA server yesterday and forgot to set up letsencrypt on it. That was telling the letsencrypt cert service to allow traffic for my domain to come to my home router.

Once I realized this, I installed ACME in pfSense and set up letsencrypt for the duckdns domain. Now when I attempt to connect to Home Assistant from outside, it lets me in. So I assume the certificate is being accepted. But when I attempt to connect my phone via Wireguard, it doesn’t do the handshake.

It looks to me as though it’s not even a rules issue. I started a packet capture and then told Wireguard to connect. Attached is the resulting log (blank). And a screenshot showing the Android client that was attempting to connect – it shows that it sent 2.17KiB during its handshake attempts. It’s acting like pfSense never even saw the attempts.

Am I misunderstanding this or should I contact tech support for my ISP?
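To tell whether the phone's handshake attempts reach the WAN at all, a capture filtered on UDP 51820 can be checked for WireGuard handshake-initiation messages (type 1, always 148 bytes): none in the capture means the packets are lost before the firewall, not dropped by a rule. This is an added example in Python, not code from the original post or from pfSense/WireGuard; the addresses, sender index and sample packets are constructed, and the crypto fields are zeroed because only the message layout matters here.

```python
"""Classify WireGuard UDP payloads from a packet capture (constructed sample data)."""
import struct
from typing import Optional

# WireGuard message types; initiation/response/cookie have fixed sizes, data is variable.
WG_TYPES = {1: "handshake_initiation", 2: "handshake_response",
            3: "cookie_reply", 4: "transport_data"}
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}
LISTEN_PORT = 51820  # port from the original post


def classify_wg(payload: bytes) -> Optional[str]:
    """Return the WireGuard message kind for one UDP payload, or None if it is not WireGuard."""
    if len(payload) < 4:
        return None
    msg_type, reserved = payload[0], payload[1:4]
    if msg_type not in WG_TYPES or reserved != b"\x00\x00\x00":
        return None  # wrong type byte or reserved bytes not zero
    if msg_type in WG_FIXED_LEN and len(payload) != WG_FIXED_LEN[msg_type]:
        return None  # handshake/cookie messages have exact sizes
    if msg_type == 4 and len(payload) < 32:
        return None  # 16-byte data header plus 16-byte Poly1305 tag minimum
    return WG_TYPES[msg_type]


def summarize_capture(packets):
    """packets: iterable of (src, sport, dst, dport, payload); count WG messages to the listen port."""
    counts = {kind: 0 for kind in WG_TYPES.values()}
    for _src, _sport, _dst, dport, payload in packets:
        if dport != LISTEN_PORT:
            continue
        kind = classify_wg(payload)
        if kind:
            counts[kind] += 1
    return counts


def build_initiation(sender_index: int) -> bytes:
    """Constructed handshake initiation: type 1, 3 reserved bytes, LE sender index, 140 zeroed bytes."""
    return b"\x01\x00\x00\x00" + struct.pack("<I", sender_index) + b"\x00" * 140


# Constructed sample capture: two initiations from a phone (documentation IPs) and one non-WG blob.
SAMPLE = [
    ("203.0.113.7", 41000, "198.51.100.2", 51820, build_initiation(0xDEADBEEF)),
    ("203.0.113.7", 41000, "198.51.100.2", 51820, build_initiation(0xDEADBEEF)),
    ("203.0.113.9", 53000, "198.51.100.2", 51820, b"\x05\x00\x00\x00" + b"\x00" * 60),
]

if __name__ == "__main__":
    print(summarize_capture(SAMPLE))  # constructed capture: 2 handshake_initiation, nothing else
```

On a real capture, feed the UDP payloads from the pcap into summarize_capture; a zero count for handshake_initiation while the phone reports bytes sent points at something upstream of the WAN (DNS record, ISP) rather than the rule set.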

Have you confirmed the DNS name for duckdns actually points to your IP address?