Am I the only one that finds WireGuard far more difficult than OpenVPN to get working?

Edit: It looks like the ISPs have been my pain point:

If your ISP blocks all incoming connections as in the case with CGNAT, you will not be able to directly connect to your home network via WireGuard on OPNsense. You will have to consider using a Virtual Private Server (VPS) to create a VPN tunnel or some other means such as Cloudflare Argo tunnels in order to access services on your home network remotely.

I’m using AT&T Fiber, which implements CGNAT and I would have to rent a static IP from them apparently to get this to work according to what I’ve read.

I even stood up a clean VM in Hetzner which had nothing but WireGuard running on it, natively, and I still can’t even ping my router’s LAN IP (192.168.1.1). It just keeps saying “Destination host unreachable”.

10.10.10.1 is the WG “server” on OPNsense in my LAN; 192.168.1.1 is OPNsense’s LAN IP.

root@wg-test:~# ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=135 ms
...
^C
--- 10.10.10.1 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8011ms
rtt min/avg/max/mdev = 134.700/135.279/136.070/0.424 ms

root@wg-test:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 10.10.10.5 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
....
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2042ms

root@opnsense:~ # ping 10.10.10.5
PING 10.10.10.5 (10.10.10.5): 56 data bytes
64 bytes from 10.10.10.5: icmp_seq=0 ttl=64 time=136.887 ms
64 bytes from 10.10.10.5: icmp_seq=1 ttl=64 time=135.927 ms
^C
--- 10.10.10.5 ping statistics ---
3 packets transmitted, 2 packets received, 33.3% packet loss
round-trip min/avg/max/stddev = 135.927/136.407/136.887/0.480 ms

root@wg-test:~# ip route
default via 172.31.1.1 dev eth0 proto dhcp src <public Hetzner IP> metric 100
10.10.10.0/24 dev wg0 scope link
172.31.1.1 dev eth0 proto dhcp scope link src <public Hetzner IP> metric 100
185.12.64.1 via 172.31.1.1 dev eth0 proto dhcp src <public Hetzner IP> metric 100
185.12.64.2 via 172.31.1.1 dev eth0 proto dhcp src <public Hetzner IP> metric 100
192.168.1.0/24 via 10.10.10.5 dev wg0

Here are the relevant firewall rules from OPNsense:

root@opnsense:~ # pfctl -s rules | grep wg
scrub on wg1 all fragment reassemble
block drop in on ! wg1 inet from 10.10.10.0/24 to any
pass in quick on wg1 inet from (wg1:network) to any flags S/SA keep state label "c17fe93ec844ff0346ab97952fc597d3"

Maybe it’s because I’ve been using OpenVPN for a decade on and off, but I find it significantly easier to get working than WireGuard. I have literally been trying for years to get WireGuard working so that a remote client can access my internal network, and the furthest I’ve ever gotten was getting in but not being able to contact anything outside of the tunnel.

I’m a Linux System Engineer, so I’m no noob when it comes to Linux and networking. I’ve also set up an OpenVPN server from scratch and had it working perfectly. WireGuard on the other hand? It’s like quantum physics to me…

I’ve attempted it natively on bare-metal Linux servers, in Docker on a bare-metal server, running it on OPNsense, and other ways, and I pretty much get nowhere.

I just spent about two hours setting up a client using the wg-easy Docker container, ensuring that the port is open on my router, and I could get my phone (while on the cell network, not Wi-Fi) to connect to the tunnel, but I couldn’t ping anything on my LAN.

WG_ALLOWED_IPS is set to 0.0.0.0./0 (I’ve also tried something like 10.10.10.2/32 and 10.10.10.0/24) [my lan subnet is 192.168.1.0/24]

WG_HOST is set to my public IP

WG_PORT is set to 51280

After creating a container and creating a client, I’d import that client into the WireGuard app on my Android phone and I’d see it connect, but that’s about it. Pinging 192.168.1.1 from my phone on the cell network would give zero responses. I also attempted to set it up on my VM in Hetzner (using the Arch Wiki, even though it’s running Ubuntu) and on OPNsense in my LAN, and that went nowhere either, even though 51280 was open on both firewalls.

Getting fed up, I enabled OpenVPN (which I already had set up previously, from a year or more back when I had last used OPNsense), browsed to the LAN IP on my phone and the Client Export section under OpenVPN, typed in my public IP in the hostname section (my FQDN is still registered to my Hetzner VM ATM), downloaded the config on my phone and imported it into the OpenVPN app on Android, connected, and it worked perfectly. I could hit every LAN IP from the cell network.

I always see everywhere that WireGuard is supposed to be super easy/dead simple to set up, and I’m like “WTF am I doing wrong that it literally never works the way I want it to?”

So, you find it easier to set up some software you already set up previously? Totally agree, but what does that have to do with WireGuard?

Plus you are doing it in hard mode by doing WG in a container instead of native.

I always see everywhere that WireGuard is supposed to be super easy/dead simple to set up

A point-to-point WireGuard link between two systems without any firewalls or anything in the way is really easy to configure. A simple point-to-point link with WireGuard can be far easier than OpenVPN.

I find that running WireGuard in a container as your first use of WireGuard can make things a lot more complicated. Docker networking in some ways makes the routing more complicated. But people often want to use WireGuard there because you get the easy-to-install image, with the web UI and all that. So many people that start using WireGuard this way are basically jumping into a pretty complicated setup, instead of starting with a really simple WireGuard configuration.

Aside from container complications, when you start trying to add more complicated routing, or all the NAT weirdness you can get from a Docker network, you make things more difficult.

Anyway, if you are having problems, you probably need to spend more time with tcpdump, or some other packet capture tool, and spend more time on understanding your routing for all the devices involved.

Yep, you are. I have set up OpenVPN before, and when I discovered WireGuard I was baffled that it’s so easy to set up a VPN. It was 5 minutes and it was up and running.

Did you try to analyze the connection issues?

iptables logging, WireGuard kernel logging, tcpdumps, to mention a few steps to see what and where your issues are.

Because I don’t think it’s WireGuard but a PEBCAK as it would be in most cases.

Here is how to enable WireGuard logs

How are packets from your internal LAN getting routed to the WireGuard container?

WireGuard requires that layer 3 routing is working; it doesn’t do a layer 2 tunnel. Normally in a home environment you would run it on your router to make this a lot simpler.

AllowedIPs is a bad name for that setting. Think of it like a routing table. To send all traffic over the VPN and access the LANs behind the remote WireGuard peer interface, you need all subnets listed, like AllowedIPs = 0.0.0.0/0, 10.10.10.0/24, 192.168.1.0/24

You will also need your firewall rules set up, and if your router/gateway is not the WireGuard host for those LANs, you will need to add a route to the WireGuard subnet and remote LANs on the router/gateway if you want your traffic to get back from outside of the local WireGuard host. You do know how to do this, right, Mr. Engineer?

Why didn’t you read the docs?

Ubuntu Server + PiVPN = I spent more time typing sudo apt update and the rest than simply typing pivpn add…

If you haven’t tried it yet, give PiVPN a try.

I agree. What makes it really worse is that WireGuard shows as “connected” even when it is not, which causes a lot of confusion.

I’ve added more info to the above, still have no idea what the actual issue is.

Completely agree. Take a basic, simple issue that happens all the time: your VPN server’s dynamic DNS IP changes. The OpenVPN client will detect this (`keepalive`) and re-resolve (`resolv-retry`) and keep going. The WireGuard client, without a watchdog, will never reconnect. Really sucks when you need an extremely reliable VPN tunnel to reach back to your remote clients (which themselves may be hidden behind NATs).
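The two complaints above, that the WireGuard UI shows “connected” while the tunnel is dead and that the client never re-resolves a changed dynamic-DNS endpoint, are both symptoms of WireGuard keeping no connection state: the only evidence of a live peer is the age of the last handshake. The watchdog below is an example added here by the editor, not code from the thread or from the WireGuard project; it mirrors the approach of the `reresolve-dns` helper in wireguard-tools’ contrib directory. It reads `wg show <iface> latest-handshakes`, treats a handshake older than 135 seconds (or no handshake at all) as a dead tunnel, re-resolves the configured hostname, and only then issues `wg set <iface> peer <key> endpoint <ip>:<port>`. The interface name, hostname, port and peer key in `main` are constructed placeholders, and the resolver and command runner are injectable so the logic can be exercised without `wg` installed.

```python
"""Handshake-age watchdog that re-resolves a WireGuard peer's endpoint.
Editor-added example; the interface, host, port and public key are
placeholders, not values from the thread."""
import socket
import subprocess
import time
from typing import Callable, Dict, List, Optional

# A healthy peer with PersistentKeepalive re-handshakes well within this window;
# 135 s is the threshold the wireguard-tools contrib reresolve-dns script uses.
STALE_AFTER_SECONDS = 135


def parse_latest_handshakes(output: str) -> Dict[str, int]:
    """Parse `wg show <iface> latest-handshakes`: one 'pubkey<TAB>unixtime' per line.
    A time of 0 means the peer has never completed a handshake."""
    handshakes: Dict[str, int] = {}
    for line in output.strip().splitlines():
        pubkey, timestamp = line.split("\t")
        handshakes[pubkey] = int(timestamp)
    return handshakes


def handshake_is_stale(handshakes: Dict[str, int], pubkey: str, now: int,
                       stale_after: int = STALE_AFTER_SECONDS) -> bool:
    """True when the peer has never handshaken or the last handshake is too old.
    This is the state in which a GUI still says 'connected' but nothing flows."""
    last = handshakes.get(pubkey, 0)
    return last == 0 or now - last > stale_after


def build_wg_set(iface: str, pubkey: str, ip: str, port: int) -> List[str]:
    """Argument vector for `wg set <iface> peer <key> endpoint <ip>:<port>`."""
    return ["wg", "set", iface, "peer", pubkey, "endpoint", f"{ip}:{port}"]


def check_once(iface: str, pubkey: str, host: str, port: int, current_ip: str,
               handshakes: Dict[str, int], now: int,
               resolver: Callable[[str], str] = socket.gethostbyname,
               run: Optional[Callable[[List[str]], object]] = None) -> Optional[List[str]]:
    """One watchdog pass.  Returns the command issued, or None if nothing was done.
    Only a stale tunnel triggers a DNS lookup, and only a changed address
    triggers `wg set`, so a healthy tunnel is never disturbed."""
    if not handshake_is_stale(handshakes, pubkey, now):
        return None
    new_ip = resolver(host)
    if new_ip == current_ip:
        return None
    cmd = build_wg_set(iface, pubkey, new_ip, port)
    if run is not None:
        run(cmd)
    return cmd


def main() -> None:
    """Stand-alone loop; needs `wg` and an existing interface (placeholders below)."""
    iface, host, port = "wg0", "vpn.example.invalid", 51820
    pubkey = "PLACEHOLDER_PEER_PUBLIC_KEY="
    current_ip = ""
    while True:
        out = subprocess.run(["wg", "show", iface, "latest-handshakes"],
                             capture_output=True, text=True, check=True).stdout
        issued = check_once(iface, pubkey, host, port, current_ip,
                            parse_latest_handshakes(out), int(time.time()),
                            run=lambda c: subprocess.run(c, check=True))
        if issued:
            current_ip = issued[-1].rsplit(":", 1)[0]
        time.sleep(30)


if __name__ == "__main__":
    main()
```

Run it from a cron job or a systemd timer alongside the tunnel; the same check is a reasonable health probe even when the endpoint is static, since a stale handshake is the only reliable “not actually connected” signal WireGuard exposes.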

agreed, OpenVPN is for anyone that values their time.

WireGuard is for nerds.

Did you watch the video of “The Network Berg” setting up WG on two MikroTik units?

I found that really helpful. I hosted a CHR on a Hetzner VPN.

PM me if you need some support (free ofc).

I initially had a hard time with it. Once I got my head around the client and server essentially being the same config, it became easier. Also, PiVPN is dead simple. If you have a spare Raspberry Pi around, you should try that.

It sounds like you are trying to route all traffic over WireGuard, but you make no mention of configuring the routing on the Linux host.

It’s probably not completely accurate to call WireGuard a VPN (Virtual Private Network). It may be more accurate to call it a VPT* (Virtual Private Tunnel).

WireGuard creates the virtual network interfaces, and links the two. The WireGuard config only tells the WireGuard interfaces what traffic to pass over the WireGuard link.

Routing outside of the WireGuard tunnel is done with the normal OS routing. You’re making this more complicated by using a Docker container since you also have to route between the WG tunnel ↔ Docker network ↔ the LAN network ↔ WAN network.

Since you mentioned you are running OPNsense, I’d recommend running WireGuard there. Follow this guide: https://docs.opnsense.org/manual/how-tos/wireguard-client.html You need to pay attention to Step 5, specifically Step 5B.

Remember, WireGuard only provides an encrypted tunnel between two virtual network interfaces. If you want any routing beyond that, you need to set up the routing in the way appropriate to the host running WireGuard.

AllowedIPs only determines what goes over the tunnel. It does not control what happens outside the tunnel. It doesn’t do any NAT. It does not do any routing outside of WireGuard.

Below is a link detailing how to set up your iptables in Linux to work with WireGuard:

https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/

*I just made up the acronym VPT. If anyone actually uses it, I’m not aware of it.
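Two comments in this thread make the same point from different angles: AllowedIPs is really a routing table (“think of it like a routing table”), and it decides only what enters the tunnel, not what happens outside it. The OP’s own output shows what happens when the two tables disagree: the VM’s `ip route` sends 192.168.1.0/24 into wg0, but `ping 192.168.1.1` fails with `Required key not available`, which is the ENOKEY error the kernel module returns when no peer’s AllowedIPs covers the destination. The script below is an example added by the editor, not code from the thread, from WireGuard, or from OPNsense. It models the two lookups a packet goes through on the sending host: first the OS routing table (parsed from the thread’s `ip route` output, with the public IP left as the thread’s placeholder), then WireGuard’s cryptokey routing over each peer’s AllowedIPs, both as longest-prefix matches. The peer names `opnsense` and `wg-test` and the two AllowedIPs sets are constructed to match the thread’s addressing (10.10.10.0/24 tunnel, 192.168.1.0/24 LAN); the function names are the editor’s.

```python
"""Two-stage path check for a packet leaving a WireGuard host:
OS routing table first, then WireGuard's AllowedIPs (cryptokey routing).
Editor-added example; addresses follow the thread's layout."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# `ip route` output as posted in the thread; <public Hetzner IP> is the
# thread's own placeholder and is not parsed.
IP_ROUTE_OUTPUT = """
default via 172.31.1.1 dev eth0 proto dhcp src <public Hetzner IP> metric 100
10.10.10.0/24 dev wg0 scope link
172.31.1.1 dev eth0 proto dhcp scope link src <public Hetzner IP> metric 100
185.12.64.1 via 172.31.1.1 dev eth0 proto dhcp src <public Hetzner IP> metric 100
185.12.64.2 via 172.31.1.1 dev eth0 proto dhcp src <public Hetzner IP> metric 100
192.168.1.0/24 via 10.10.10.5 dev wg0
"""

# Constructed peer tables for the VM side.  The first matches what the
# "Required key not available" error implies; the second is the fix.
PEERS_TUNNEL_ONLY: Dict[str, List[str]] = {"opnsense": ["10.10.10.0/24"]}
PEERS_WITH_LAN: Dict[str, List[str]] = {"opnsense": ["10.10.10.0/24", "192.168.1.0/24"]}


def parse_ip_route(text: str) -> List[Tuple[IPNet, str]]:
    """Reduce `ip route` lines to (prefix, egress interface) pairs."""
    routes: List[Tuple[IPNet, str]] = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        iface = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), iface))
    return routes


def longest_prefix(dst: IPAddr, table: List[Tuple[IPNet, str]]) -> Optional[Tuple[IPNet, str]]:
    """Longest-prefix match: the rule both the kernel FIB and AllowedIPs use."""
    best: Optional[Tuple[IPNet, str]] = None
    for net, value in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


def os_route(dst: str, routes: List[Tuple[IPNet, str]]) -> Optional[str]:
    """Stage 1: which interface does the OS hand the packet to?"""
    hit = longest_prefix(ipaddress.ip_address(dst), routes)
    return hit[1] if hit else None


def wg_peer(dst: str, peers: Dict[str, List[str]]) -> Optional[str]:
    """Stage 2: which peer's AllowedIPs claims dst?  None means the kernel
    module drops the packet with ENOKEY ('Required key not available')."""
    table = [(ipaddress.ip_network(net), name)
             for name, allowed in peers.items() for net in allowed]
    hit = longest_prefix(ipaddress.ip_address(dst), table)
    return hit[1] if hit else None


def trace(dst: str, routes: List[Tuple[IPNet, str]], peers: Dict[str, List[str]],
          wg_iface: str = "wg0") -> str:
    """Explain the fate of a packet to dst on the sending host."""
    iface = os_route(dst, routes)
    if iface is None:
        return "no route"
    if iface != wg_iface:
        return f"leaves via {iface}, never touches WireGuard"
    peer = wg_peer(dst, peers)
    if peer is None:
        return f"ENOKEY: routed into {wg_iface} but no peer has AllowedIPs matching {dst}"
    return f"encrypted to peer {peer}"


if __name__ == "__main__":
    routes = parse_ip_route(IP_ROUTE_OUTPUT)
    for dst in ("10.10.10.1", "192.168.1.1", "203.0.113.5"):
        print(dst, "->", trace(dst, routes, PEERS_TUNNEL_ONLY))
    print("after adding the LAN to AllowedIPs:")
    print("192.168.1.1 ->", trace("192.168.1.1", routes, PEERS_WITH_LAN))
```

The same two-table check applies on the OPNsense end for the return path: the reply to 10.10.10.5 must both have a route into the WireGuard interface and fall inside the `wg-test` peer’s AllowedIPs, and hosts on 192.168.1.0/24 need a route for 10.10.10.0/24 pointing at whichever box runs WireGuard, which is exactly the situation the “add a route on the router/gateway” comment describes. Passing the check for 192.168.1.1 still says nothing about the firewall rules on wg1 or about NAT; as the VPT comment says, AllowedIPs stops at the tunnel boundary.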

Yes, you’re the only one that finds WireGuard difficult to set up. There are thousands of blogs and YouTube videos and Reddit replies explaining how to do it. There are wizards in any major recent router and web pages that set up the config for you. Even PiVPN, which started as an OpenVPN facilitator, switched over to WireGuard.

I was an OpenVPN fanboy back in the day. I reluctantly tried WireGuard. Now I use it for everything and I like its simplicity and its speed. Never going back to OpenVPN.

Based on the comments and what I’ve heard from others over the years, I think you just might be one of the very few that finds WireGuard more difficult than OpenVPN.

If OpenVPN works and WireGuard is a hassle for you, then use OpenVPN and forget WireGuard. Just know there are people that think of OpenVPN the way that you do of WireGuard: difficult and can’t get it working.

Not to be insensitive, but that is irrelevant. The performance gains are so huge, it is totally worth any difficulties in upgrading.

The only reason for anyone to still use old tech like OpenVPN is because you are required to use some service that refuses to upgrade to WireGuard. I switched our routers to WireGuard years ago, and shudder at the thought that there are still people out there who haven’t.

Totally agree, but what does that have to do with WireGuard?

OpenVPN requires (a lot) more configuration, but I find it generally easier to use/comprehend. WireGuard takes less configuration (since it’s one config file on each end and you just have to use wg-quick to bring it up), but getting outside of the tunnel is where I always have issues; I shouldn’t have to trace packets and dig through kernel logs to see what the issue is.

Even when it’s in a container I didn’t find it too hard. There is a wg-easy container that just takes some info and then it’s working.

If you want to do special stuff, yes, it will be harder, but not THAT hard from my experience.