Wireguard clients issue

Hello

I am not a network engineer by any means.
But I was able to set up an Oracle Cloud account and spin up a VM.
Installed WireGuard and, using wg-quick, got a few clients set up.

wg-server @ oracle cloud (10.66.66.1)
client1 @ pfsense at home (10.66.66.3)
client2 @ iphone (10.66.66.2)
client3 @ laptop

I am able to ping all clients from the server side and vice versa, but client-to-client ping is not working, and I am also unable to access any services on my home network.

I am able to use the Oracle WG as a VPN and access the internet with the Oracle IP as my public address.

My issues -

  • want to access local services on the home network using wg on oracle server

Please let me know how to fix it.

I require this setup because one of the ISPs I have does not give a public IP (behind NAT), and thus I have to keep an outbound connection open so that other devices can connect to the home network on the go.

iptables @ server

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:51821
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
InstanceServices  all  --  anywhere             link-local/16

May very well be a routing issue. If you want to route traffic from one peer (client3) through another peer (wg-server) into a network behind a third peer (client1) and back, there is a bit of config needed.

For a start, the Wireguard configs need the correct AllowedIPs entry. Then, you need to configure the host “client1” to allow incoming connections on the Wireguard interface from the tunnel subnet to the local networks you want to access. You also need to make sure that the routes for the responses are in place.

Could you provide the Wireguard configs (redact the keys) for wg-server, client1 and client3, please?

Paolo is right, this is most likely a routing issue that can be fixed by allowIP on both ends. Make sure your LAN subnets are in the allowIP on the wg-server and the server LAN subnets are in the pfsense allowIP list.

I think in pfsense I may have had to add the remote subnets in as static routes, but that doesn’t seem right now that I think about it. Maybe somebody could correct me if I am wrong?

Also, before you are done with this I would look to tighten up your forwarding rules.

interface config

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 51821
PrivateKey = XXX
PostUp = iptables -I INPUT -p udp --dport 51821 -j ACCEPT
PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

### Client pfsense
[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128

### Client iphone14
[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

### Client ipad
[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 10.66.66.4/32,fd42:42:42::4/128

### Client macbookair
[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 10.66.66.5/32,fd42:42:42::5/128

### Client galaxyS8
[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 10.66.66.6/32,fd42:42:42::6/128

###client - pfsense###

[Interface]
PrivateKey = xxx
Address = 10.66.66.3/32,fd42:42:42::3/128
DNS = 1.1.1.1,1.0.0.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = public_IP:51821
AllowedIPs = 0.0.0.0/0,::/0

###client - phone

[Interface]
PrivateKey = xxx
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1,1.0.0.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = public_IP:51821
AllowedIPs = 0.0.0.0/0,::/0

In the pfSense firewall rules I have allowed all (* * * * *) for the WireGuard interface.

Hello

There are no static routes defined as of now.

The forwarding rules are the stock rules of the Oracle Cloud VM; I have not made any changes…
Please let me know what needs to change…

Ok, this is what I’m getting from this. Let’s say you want to connect from the phone via the server to the network behind pfSense, which is 192.168.1.0/24. The AllowedIPs = 0.0.0.0/0,::/0 on the phone config does two things: It configures the tunnel to allow traffic to anywhere to be sent to the server peer and it configures the OS to actually route the traffic there. Now that the server has received the traffic, it must forward it to the pfSense peer. However, from the config, the server does not seem to have a route for 192.168.1.0/24. At the very least, you need to add this network to the AllowedIPs of the pfSense peer section on the server config. I don’t know if that also automatically creates the appropriate route on the server, if not you have to add that too.

When that traffic reaches a host in the local network of the pfSense, it will have a source address of 10.66.66.2. Assuming the pfSense is the default gateway for this host, verify that there is a route to the source via the server.

Another issue might be that when the server eventually tries to forward the traffic to pfSense, there isn’t a connection established because there is no endpoint to initiate a connection from the server and there is no keepalive on the pfSense.

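A way to sanity-check the routing decision Paolo describes, as an added example and not code from anyone in the thread: the script models the oracle wg-server peer table from the posted config (peer names and the 192.168.1.0/24 home LAN are taken from the thread; the function names and the peer-table layout are hypothetical) and applies WireGuard's longest-prefix cryptokey routing to see which peer, if any, receives a packet for the home LAN, both before and after the pfSense peer's AllowedIPs are widened.

```python
import copy
import ipaddress

# Constructed model of the oracle wg-server peer table from the thread:
# one entry per [Peer] section, keys redacted, only AllowedIPs matter here.
SERVER_PEERS = {
    "pfsense":  ["10.66.66.3/32", "fd42:42:42::3/128"],
    "iphone14": ["10.66.66.2/32", "fd42:42:42::2/128"],
}


def route_peer(peers, dst):
    """Pick the peer whose AllowedIPs best match dst, as WireGuard's
    cryptokey routing does: the longest matching prefix wins.
    Returns (peer name, matching network), or None when no peer claims
    dst, in which case the server has nowhere to send the packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, nets in peers.items():
        for n in nets:
            net = ipaddress.ip_network(n, strict=False)
            if net.version != addr.version or addr not in net:
                continue
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (name, net)
    return best


def with_allowed_ip(peers, peer, cidr):
    """Return a copy of the peer table with cidr added to peer's AllowedIPs.
    A prefix can belong to only one peer at a time, so an identical prefix
    on any other peer is removed, mirroring what wg does on reconfigure."""
    new = copy.deepcopy(peers)
    net = ipaddress.ip_network(cidr, strict=False)
    for name, nets in list(new.items()):
        new[name] = [n for n in nets if ipaddress.ip_network(n, strict=False) != net]
    new.setdefault(peer, []).append(cidr)
    return new


def check_path(peers, src_peer, dst):
    """Describe how the server handles a packet from src_peer to dst."""
    hit = route_peer(peers, dst)
    if hit is None:
        return f"{src_peer} -> {dst}: no AllowedIPs match on any peer, dropped at server"
    return f"{src_peer} -> {dst}: forwarded to peer {hit[0]} via {hit[1]}"


if __name__ == "__main__":
    print(check_path(SERVER_PEERS, "iphone14", "192.168.1.10"))
    fixed = with_allowed_ip(SERVER_PEERS, "pfsense", "192.168.1.0/24")
    print(check_path(fixed, "iphone14", "192.168.1.10"))
    # Widening the pfSense peer to 0.0.0.0/0 would also match, but it would
    # steer every non-tunnel destination from the server to pfSense as well.
    wide = with_allowed_ip(SERVER_PEERS, "pfsense", "0.0.0.0/0")
    print(check_path(wide, "iphone14", "1.1.1.1"))
```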

I vote with paolo again. Looks like you need to set up routing in your wg.conf file via ipallow. For reference my server’s config is below.

AllowedIPs=10.0.222.5, 10.0.39.0/24, 10.0.40.0/24, 10.0.38.0/24, 10.0.30.0/24

On the pfSense side I had to add static routes for my server’s LAN subnets. That was odd and I could be wrong on that one, but I don’t want to mess around with it right now. Just make sure your subnets don’t overlap.

One thing I would suggest is to separate your iptables from your wg config. Before I switched to nftables I liked using iptables-persistent, and then saving my config in a text file. Working with one text file was a lot cleaner than messing around with scripts or configs that added/changed rules in other places. Text file reads like a book, is easy to comment and backup. At least it was easier for me.

@paolo @liquidjoe
Thanks a lot for the detailed analysis…
But as I said, I am not a network engineer… but I can follow instructions regarding setting this up…

So from the above posts, what I understand is:

  1. have to add my home network IP subnet (192.168.1.0/24) to my peer allowedIP list along with 0.0.0.0
  2. add a static route in the wg server config on the Oracle VM
  3. add a static route in the pfSense firewall to direct traffic to the internal network
  4. separate iptables from the wg config

Let me know if my understanding is in the right direction.

The last 3 points I actually don’t know how to get done… step-by-step instructions would be life-saving.

I’ve been where you are at - we all have. I spent a lot of time figuring this stuff out. Good knowledge takes time, don’t skip past the learning process just to get a project done. If you value the end result over the learning process, then hire Tom to get it done. That’s my $0.02 sermon for the morning.

Your oracle vm doesn’t need static routes. I imagine that is ubuntu or something. The AllowIPs you configure are the static routes. By doing that you just need to tell that router (your oracle vm basically) how to route to x.y.z subnets behind your pfsense router. The flip-side for your pfsense box. But with pfsense you also need to setup static routes. I tested that today to confirm it again. This is odd but it does look like it is required in pfsense.

I only forward all my traffic with the 0.0.0.0 config for my phone and laptop. You could do this with a point to point setup, but I don’t.

Separating the iptables config is just my personal preference. There are just as many people who don’t do that. I would encourage you to spend a good amount of time playing with the iptables config (or better yet migrating to nftables). This stuff isn’t rocket science, but it does take some time learning the syntax. And if you don’t know basic networking you got to learn that too. If you don’t enjoy learning this stuff then please hire Tom. You can study what he did and get the gist of it in 20 minutes instead of 10 hours.

Hello,
I definitely want to learn something new in networking…
Just afraid that I may break more things than I make work…

So the first change would be to add the home network subnet in the pfSense peer config.

In pfSense…
I have created a gateway and interface for oracleVM_WG.

The static routing menu has the following options:
destination network = 10.66.66.0/24
gateway = oracle wireguard

I hope these are the correct settings.

[screenshot: Gateway settings for pfSense]

[screenshot: Static route settings for pfSense]

[screenshot: Interface settings for pfSense]

[screenshot: WireGuard peer settings for pfSense]

Hello

So I added 192.168.1.0/24 to both the iPhone and pfSense configs in AllowedIPs… now I am able to ping my phone from my desktop behind the pfSense… but with a few timeouts… don’t know why…

But now, how do I access services behind the pfSense on the iPhone…
I am running a few services like HTTP, Synology NAS, FreePBX and others…

Can you guys please point me in the right direction…

For your information:
I have a wg server running on pfSense and another wg server running on the Oracle VM. pfSense is acting as a client for the Oracle wg server.

I require these two because when the one ISP with a direct public IP is down, I have to rely on the other ISP, which does not give me a public IP, to connect to my home network.

This is indeed the intended behavior. The Wireguard service and other tunnels are, in and of themselves, not related to the routing table of the system they are running on. Some clients may automatically add routes if they have the necessary privileges, either for convenience (e.g. Windows) or because the user wouldn’t have any other way of doing it (e.g. Android). I would imagine that for the pfSense client, maximum control and flexibility were the goals, so it makes sense to leave it up to the admin to set the routes - or not set them.

Another thing to be aware of is that Wireguard encapsulation adds overhead to packets. Therefore you should lower the MTU of the Wireguard interfaces on all peers to 1280.

Adding the 192.168.1.0/24 is superfluous as it is contained in 0.0.0.0/0 already.

The dropped pings sound like a routing issue. Can you ping from a PC through the oracle VM, through pfSense, and the freepbx server? I’d set this up on a laptop first.

On your oracle vm I would not set 0.0.0.0 in the AllowIP. Just include the pfsense subnets and the wireguard subnet.

On the oracle vm & pfsense, can you see all the routes? Run “ip route”. Should see something like,

10.0.30.0/24 dev wg0 scope link
10.0.38.0/24 dev wg0 scope link
10.0.39.0/24 dev wg0 scope link
10.0.40.0/24 dev wg0 scope link
10.0.222.0/24 dev wg0 proto kernel scope link src 10.0.222.1

So my network setup is something like this…

oracle VM------internet-------myISP-------pfsense firewall--------desktopPC/freepbx/synology NAS (192.168.1.0/24)

Even I agree that 0.0.0.0 should also include all other IP ranges, including 192.168.1.0/24, but in real life, if I do not include the LAN subnet, I am not able to do client-to-client pings.

Oracle VM ip route

ubuntu@webhost:~$ ip route
default via 10.0.0.1 dev ens3
default via 10.0.0.1 dev ens3 proto dhcp src 10.0.0.224 metric 100
10.0.0.0/24 dev ens3 proto kernel scope link src 10.0.0.224 metric 100
10.0.0.1 dev ens3 proto dhcp scope link src 10.0.0.224 metric 100
10.66.66.0/24 dev wg0 proto kernel scope link src 10.66.66.1
169.254.0.0/16 dev ens3 scope link
169.254.0.0/16 dev ens3 proto dhcp scope link src 10.0.0.224 metric 100
169.254.169.254 via 10.0.0.1 dev ens3 proto dhcp src 10.0.0.224 metric 100

pfSense route list

That is what I thought your route would look like. With 0.0.0.0 you have replaced your default route on your oracle vm to that of the wg interface. That is probably breaking a number of things, especially if you want the oracle vm to be your bridge connecting your remote stuff to your pfsense LAN.

Your ubuntu wg routes should look like this. One big exception, my wg server is not running on my router (for security), so the default route is to a LAN gateway (192.168.4.1). Yours should list your oracle WAN IP.

default via 192.168.4.1 dev host0 proto dhcp src 192.168.4.2 metric 1024
10.0.30.0/24 dev wg0 scope link
10.0.38.0/24 dev wg0 scope link
10.0.39.0/24 dev wg0 scope link
10.0.40.0/24 dev wg0 scope link
10.0.222.0/24 dev wg0 proto kernel scope link src 10.0.222.1

To achieve this you probably only need this on your wg server. Routing from pfsense probably only needs 10.0.0.0/24 given that all remote endpoints are basically in the wg subnet (no remote subnet routes to think about).

AllowedIPs=10.0.0.0/24, 192.168.1.0/24

Once you have done all this test a ping from: laptop-----oracle VM------internet-------myISP-------pfsense firewall--------desktopPC/freepbx/