I’ve hit a wall with a weird Wireguard issue. I’m trying to connect my phone (over cell) to my home router using wireguard and it will not connect.
The router is opnsense, I have a tcpdump session going and when I attempt a connection from the phone I see 0 packets on that port. I am able to ping the router and reach the web server sitting behind it from the phone.
I have a VPS that I configured WG on and the phone connects fine to that. I also tested configuring the VPS to connect to my home router and that also works fine.
I’m really at a loss as to where to go next.
Edit 2: I completely blew out the config on both sides and rebuilt it from scratch, using a different UDP port, and it all appears to be working now. Thanks for everyone’s help in tracking this down.
Edit: It was requested I provide my configs.
####################################################
# Interface settings, not used by `wg` #
# Only used for reference and detection of changes #
# in the configuration #
####################################################
# Address = 172.31.254.1/24
# DNS =
# MTU =
# disableroutes = 0
# gateway =
[Interface]
PrivateKey =
ListenPort = 51821
[Peer]
# friendly_name = note20
PublicKey =
AllowedIPs = 172.31.254.100/32
[Interface]
Address = 172.31.254.100/32
PrivateKey =
[Peer]
AllowedIPs = 0.0.0.0/32
Endpoint = :51821
PublicKey =
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Is wireguard hosted on opnsense, or an internal device that the port is being forwarded to?
If it’s on opnsense, be sure you route outgoing traffic on that port over the correct gateway, possibly even an extra rule to be sure the proper reply-to is set. Opnsense used to do the gateway routing configuration automatically, but once wg got added to the kernel, you’re now required to manually specify the gateway in your rules for it to work properly.
Also, if you see zero packets, then as others mentioned, try a different mtu. Some service providers (mobile, and even hotels) try to block all VPN traffic altogether and they do this by measuring the mtu of the packets. A little tweaking might get it to work, although I’d expect this to have held true for the VPS too, honestly.
I didn’t think about MTU. I’ll do some research and testing on this today.
This is why I’m struggling. Every test I do is successful, by all rights this should be working. Phone to VPS, GOOD. VPS to opnsense, GOOD. Phone to VPS, BAD. Can I see packets from the phone to opnsense, YES, unless it’s wireguard.
I’ll experiment with MTU and see if that bears and fruit. Thanks.