Hey,
I don’t get any connection to my WireGuard server on OPNsense with QubesOS 4.2. I get the connection with my GrapheneOS phone, but not with Qubes.
I suppose the problem is the correct setting of keys in Network Manager.
If I look at the connection in the WireGuard app on Android, I don’t see any private key there, just the public key of the interface and of the peer.
If I compare the keys on OPNsense, the public key of the interface in the WG app is the public key of the Android peer in OPNsense, and the public key of the peer in the WG app is the public key of the WG instance on OPNsense. This way, I get the connection on the phone.
If I try to do the same on QubesOS, I get no handshake. Network Manager shows me the field “private key” under the interface name, and within the peer settings I see the public key setting. So here is the confusion!
Edit:
I recreated the peer on OPNsense and put the private key of the peer into the private key field of the instance within Network Manager. But still no success.
The process is the following: on both WireGuard peers you need to create a private key, which stays on that machine. Each private key has an associated public key, which should be used by the remote peer.
So system A’s public key is used by system B, and system B’s public key is used by system A.
I did not understand what OPNsense is connecting to, but it needs to have a private key and the remote system’s public key.
The public key of the WG OPNsense instance is set as the public key on the peer in Network Manager. That’s correct, as I understand it.
The confusion is with the setting of the interface private key in Network Manager. When I created the peer on OPNsense, I got a private key. This key I set in Network Manager, under the interface name field, as the “private key”.
Or which private key should I set within Network Manager?
You should generate a private key locally for your Network Manager, and generate a public key from it too; then that public key has to be used in OPNsense for this peer.
umask 077
cd /dev/shm (it's a temporary directory in memory)
wg genkey | tee private.key | wg pubkey | tee public.key
Then you can use cat private.key to get your private key (to put in Network Manager) and cat public.key to get the public key (to put in the OPNsense peer public key).
Hmm… ok. So I used the generator for peers within OPNsense, put the private key into the private key section in Network Manager and put the public key into the public key section in the peer settings of OPNsense. Is this way correct?
Ok, I got the handshake. The connection is awful, but it seems to work.
Yes, but ideally you prefer not to move a private key from one system to the other; if the system is not compromised and the private key is really cleared from storage and memory, it is fine.
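The point made in the two replies above (each side keeps its own private key, and only the derived public keys are exchanged, so system A configures A’s private key plus B’s public key and vice versa) can be checked in code. The following is an added example, not code from this thread or from the WireGuard or OPNsense projects: it reimplements the X25519 derivation that `wg pubkey` performs, in pure Python, using the RFC 7748 key pairs as constructed sample input, and then builds the swapped key assignment for two peers. The ladder is written for readability, not constant time, so it is a tool for understanding which key goes where, not a replacement for `wg genkey`/`wg pubkey`.

```python
import base64

# Curve25519 parameters from RFC 7748
P = 2**255 - 19
A24 = 121665                  # (A - 2) / 4 for A = 486662
BASE_POINT_U = (9).to_bytes(32, "little")

# Constructed sample keys: the X25519 test vectors from RFC 7748 section 6.1
ALICE_PRIV_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUB_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PRIV_HEX = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
BOB_PUB_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
SHARED_HEX = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def b64_from_hex(h: str) -> str:
    """WireGuard keys are 32 raw bytes shown as base64, so convert the hex vectors."""
    return base64.b64encode(bytes.fromhex(h)).decode()


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key exactly as RFC 7748 (and WireGuard) does."""
    if len(k) != 32:
        raise ValueError("X25519 private key must be 32 bytes")
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127              # the top bit of a u-coordinate is ignored
    return int.from_bytes(b, "little")


def _ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time; educational)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def x25519(private_key: bytes, u: bytes) -> bytes:
    return _ladder(_decode_scalar(private_key), _decode_u(u)).to_bytes(32, "little")


def public_key_from_private(private_key_b64: str) -> str:
    """What `wg pubkey` does: base64 private key in, base64 public key out."""
    pub = x25519(base64.b64decode(private_key_b64), BASE_POINT_U)
    return base64.b64encode(pub).decode()


def shared_secret(own_private_b64: str, peer_public_b64: str) -> bytes:
    """Both sides reach the same value only with own private + the OTHER side's public key."""
    return x25519(base64.b64decode(own_private_b64), base64.b64decode(peer_public_b64))


def peer_configs(a_private_b64: str, b_private_b64: str) -> dict:
    """The key assignment each peer must configure: own private key, remote public key."""
    a_pub = public_key_from_private(a_private_b64)
    b_pub = public_key_from_private(b_private_b64)
    return {
        "systemA": {"interface_private_key": a_private_b64, "peer_public_key": b_pub},
        "systemB": {"interface_private_key": b_private_b64, "peer_public_key": a_pub},
    }


if __name__ == "__main__":
    cfg = peer_configs(b64_from_hex(ALICE_PRIV_HEX), b64_from_hex(BOB_PRIV_HEX))
    for side, keys in cfg.items():
        print(side, keys)
```

Run it as a script and you get the two `[Interface]`/`[Peer]` key pairings that the OPNsense instance and the Network Manager connection should hold; the private key in each dictionary is the one that never leaves that machine.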