this post was submitted on 26 Dec 2023
This is an automated archive.

The original was posted on /r/wireguard by /u/central_marrow on 2023-12-26 10:25:50+00:00.


I've been struggling to make any progress debugging this.

This is my first time setting up a WireGuard tunnel and not getting very far. My use case: I have a pfSense router running at home, and I want to VPN back into my network when away from home.

My server config, on the pfSense box (keys and IPs redacted):

[Interface]
ListenPort = 51820
PrivateKey = ....

[Peer]
PublicKey = ....
AllowedIPs = fd69:xxxx:xxxx::/64

And on the client - macOS Sonoma:

[Interface]
PrivateKey = ....
Address = fd69:xxxx:xxxx::xxxx:xxxx:xxxx/64

[Peer]
PublicKey = ....
AllowedIPs = fd69:xxxx:xxxx::/64, 2a02:xxxx:xxxx::/64
Endpoint = xxx.xxx.xxx.xxxx:51820

Currently I'm only interested in tunnelling v6 over v4 and I don't care about tunnelling the v4.

If I bring the tunnel up via the GUI:

  • The GUI shows the tunnel as Active
  • A tunnel interface is added (currently utun4) with the IP address ending f423 assigned to it
  • Routes to fd69:xxxx:xxxx::/64 and 2a02:xxxx:xxxx::/64 are duly added to the routing table

But, nothing works. By that I mean:

  • I can't ping6 or TCP connect to a known-up host on the 2a02 network
  • I can't ping6 the pfSense box's fd69::x:x::1 address
  • I can't even ping6 my own local fd69...f423 address

I've used Wireshark to investigate what's going on and discovered the following:

  • Capturing on the tunnel interface:
    • Traffic across the tunnel appears to be going into a black hole: the outward pings show up in the capture, but there are no responses
  • Capturing on the primary interface:
    • There are no UDP packets at all on the configured 51820 port
  • Capturing on the pfSense side (with tcpdump):
    • No incoming traffic at all on 51820

My local firewall on macOS is inactive.

The pfSense firewall is allowing UDP on 51820 on the WAN interface.

I've opened the log console in macOS and in the launchd.log I see several entries that look like this:

2023-12-26 10:09:10.651460 (system) : denied lookup: name = com.apple.airportd, flags = 0x8, requestor = WireGuard[5193], error = 159: Sandbox restriction

I am not sure what this sandbox restriction refers to and how to lift that restriction. I installed WireGuard through the App Store and it didn't ask me to grant any additional permissions on install.

I tried uninstalling and reinstalling from the App Store. No change.

Halp! Any ideas before I abandon WireGuard and set up OpenVPN instead?
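The post's two configs have the shape that most often yields a tunnel that looks "Active" (interface and routes exist) but carries nothing, so before chasing the sandbox log it is worth ruling out the config-level causes: a malformed Endpoint, a port mismatch with ListenPort, and cryptokey-routing gaps (an address on one side that the other side's AllowedIPs does not cover, which WireGuard drops silently with no error and no reply). The checker below is an added example written for this thread; it is not the poster's code, nor pfSense's or the WireGuard app's. The config texts, keys (placeholders) and addresses (documentation prefixes) are constructed, and the helper names (`parse_wg_config`, `split_endpoint`, `check_pair`) are this example's own. Because pfSense keeps the server's tunnel address in its GUI rather than in an `[Interface] Address` line, the server's address is passed in separately.

```python
"""Constructed sanity checker for a WireGuard server/client config pair.
Added example for this thread, not pfSense's or the WireGuard app's code."""
import ipaddress
import re


def parse_wg_config(text):
    """Parse an INI-style wg config into {'Interface': {...}, 'Peers': [{...}]}.
    Splits on the first '=' only, so base64 keys ending in '=' survive."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        else:
            if current is None:
                raise ValueError(f"key outside a section: {line!r}")
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return {"Interface": interface, "Peers": peers}


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


# host:port, with IPv6 literals bracketed as WireGuard requires: [fd00::1]:51820
_ENDPOINT = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^\[\]:]+)):(?P<port>\d{1,5})$")


def split_endpoint(endpoint):
    """Return (host, port), or (None, None) if the Endpoint is malformed."""
    m = _ENDPOINT.match(endpoint)
    if not m or not 1 <= int(m["port"]) <= 65535:
        return None, None
    return m["v6"] or m["host"], int(m["port"])


def networks(section):
    return [ipaddress.ip_network(n, strict=False)
            for n in split_list(section.get("AllowedIPs", ""))]


def check_pair(server_text, client_text, server_tunnel_ip=None):
    """Return a list of findings; an empty list means nothing obviously wrong.
    server_tunnel_ip: the server's tunnel address when it is assigned outside
    the config file (pfSense sets it in its GUI, so the file has no Address)."""
    server, client = parse_wg_config(server_text), parse_wg_config(client_text)
    findings = []
    listen_port = int(server["Interface"].get("ListenPort", 51820))

    # 1. Endpoint syntax and port agreement: a bad Endpoint means no handshake
    #    UDP ever leaves the client, matching "no packets on 51820" captures.
    for i, peer in enumerate(client["Peers"]):
        ep = peer.get("Endpoint")
        if not ep:
            findings.append(f"client peer {i}: no Endpoint, cannot initiate a handshake")
            continue
        host, port = split_endpoint(ep)
        if host is None:
            findings.append(f"client peer {i}: Endpoint {ep!r} malformed (IPv6 needs [brackets])")
        elif port != listen_port:
            findings.append(f"client peer {i}: Endpoint port {port} != ListenPort {listen_port}")

    # 2. Cryptokey routing, client -> server: the server drops any packet whose
    #    inner source address is outside that peer's AllowedIPs.
    client_addrs = [ipaddress.ip_interface(a)
                    for a in split_list(client["Interface"].get("Address", ""))]
    if not client_addrs:
        findings.append("client: [Interface] has no Address")
    server_allowed = [n for p in server["Peers"] for n in networks(p)]
    for a in client_addrs:
        if not any(a.ip in n for n in server_allowed):
            findings.append(f"server: no [Peer] AllowedIPs covers client {a.ip}; "
                            "server will silently drop its packets")

    # 3. Cryptokey routing, server -> client: replies sourced from the server's
    #    tunnel address must fall inside the client's AllowedIPs for that peer.
    server_addrs = [ipaddress.ip_interface(a)
                    for a in split_list(server["Interface"].get("Address", ""))]
    if server_tunnel_ip:
        server_addrs.append(ipaddress.ip_interface(server_tunnel_ip))
    if not server_addrs:
        findings.append("server: tunnel address unknown (pass server_tunnel_ip)")
    client_allowed = [n for p in client["Peers"] for n in networks(p)]
    for a in server_addrs:
        if not any(a.ip in n for n in client_allowed):
            findings.append(f"client: no [Peer] AllowedIPs covers server {a.ip}; "
                            "client will silently drop the server's replies")
    return findings


# Constructed configs mirroring the post's layout (placeholder keys, doc prefixes).
SERVER_CONF = """\
[Interface]
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = fd69:1234:5678::/64
"""

CLIENT_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = fd69:1234:5678::abcd:1/64

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = fd69:1234:5678::/64, 2001:db8:1::/64
Endpoint = 203.0.113.10:51820
"""

# Same client with two constructed mistakes: unbracketed IPv6 Endpoint and an
# Address outside the server's AllowedIPs.
BROKEN_CLIENT_CONF = CLIENT_CONF.replace(
    "203.0.113.10:51820", "2001:db8::1:51820").replace(
    "fd69:1234:5678::abcd:1/64", "fd69:1234:9999::1/64")

if __name__ == "__main__":
    for label, conf in (("ok", CLIENT_CONF), ("broken", BROKEN_CLIENT_CONF)):
        print(label, check_pair(SERVER_CONF, conf, "fd69:1234:5678::1") or "clean")
```

If the checker reports nothing for your real pair and the packet captures still show no UDP on 51820 leaving the Mac, the configs are not the problem and attention shifts to the client itself, which is what the launchd sandbox entries in the post point at.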

no comments (yet)