I’ve hit a wall with a weird Wireguard issue. I’m trying to connect my phone (over cell) to my home router using wireguard and it will not connect.
- The keys are all correct.
- The IPs are all correct.
- The ports are open on the firewall.
- My router has a public IP, no CGNAT.
The router is opnsense, I have a tcpdump session going and when I attempt a connection from the phone I see 0 packets on that port. I am able to ping the router and reach the web server sitting behind it from the phone.
I have a VPS that I configured WG on and the phone connects fine to that. I also tested configuring the VPS to connect to my home router and that also works fine.
I’m really at a loss as to where to go next.
Edit 2: I completely blew out the config on both sides and rebuilt it from scratch, using a different UDP port, and it all appears to be working now. Thanks for everyone’s help in tracking this down.
Edit: It was requested I provide my configs.
opnsense:
####################################################
# Interface settings, not used by `wg` #
# Only used for reference and detection of changes #
# in the configuration #
####################################################
# Address = 172.31.254.1/24
# DNS =
# MTU =
# disableroutes = 0
# gateway =
[Interface]
PrivateKey =
ListenPort = 51821
[Peer]
# friendly_name = note20
PublicKey =
AllowedIPs = 172.31.254.100/32
Android:
[Interface]
Address = 172.31.254.100/32
PrivateKey =
[Peer]
AllowedIPs = 0.0.0.0/32
Endpoint = :51821
PublicKey =
Have you been down the MTU rabbit hole? The wg-quick helper scripts are supposed to find the best MTU but I’ve found cases (tethering) where I had to adjust. Too big an MTU and you could silently drop packets.
Are you virtualizing opnsense? I am, and the wg plugins and config felt foreign to me it was easier to virtualize a wg endpoint.
Have you been down the MTU rabbit hole?
No. I’m going to look into that and do some testing today. Perhaps there’s something wonky between my mobile and home ISPs in that regard.