WireGuard Roadwarrior Client Setup

I know this must be very simple. However, it is not working for me. I have created a user in the WUI. I downloaded the file to the client machine (Linux laptop running CachyOS). When I activate the VPN in NM I get this output from the sudo wg show wg0 command.

interface: wg0
public key: lX5PyKm+qa9YvKVvSP5XclfyjMdRyn5w1kuITfG5jTk=
private key: (hidden)
listening port: 34656
fwmark: 0xca91

peer: K/YzW/Si2gxq2kYcNwju17d80YBdLhS3sFMxre0Qf1w=
endpoint: 1.2.3.4:51820
allowed ips: 0.0.0.0/0
transfer: 0 B received, 2.60 KiB sent
persistent keepalive: every 25 seconds

But as you can see there is no received traffic. Nor can I ping any device on Green. The IPFire WUI is unresponsive.

I expect I am missing something very fundamental. Can someone please point me in the right direction?

Thank you in advance.

Can you confirm that all the steps of importing your wireguard configuration file into the laptop NM (Network Manager) were accepted and the whole configuration was successfully saved?

If yes, when you selected the Wireguard VPN connection in the taskbar Network Manager Icon did you get a notification box saying that the connection was successfully made or that it failed?

If notification was that the connection failed to be made then you need to look in the appropriate logs on your laptop to see what messages are there.

Adolf, the connection works and it shows traffic going to IPFire, but there is no return traffic. As far as I can tell there is nothing in the firewall logs that relates to a WireGuard connection.

On the main page of your IPFire WUI, is WireGuard shown in the Network table with the status as Online in green and the client pool subnet that you defined when you set up the WireGuard page?

On https://feta2:444/cgi-bin/index.cgi it shows WireGuard as 10.0.0.0/24 Online. This is the same network as on the setup page.

Possibly some helpful information. I went looking around the iptables on the firewall. They all look fine. The only odd thing I found was that, although referenced, the WGNAT chain did not exist.

IPTable Network Address Translation:

CAPTIVE_PORTAL CUSTOMPOSTROUTING CUSTOMPREROUTING INPUT IPSECNAT NAT_DESTINATION_FIX NAT_DESTINATION NAT_SOURCE OUTPUT OVPNNAT POSTROUTING PREROUTING REDNAT SQUID WGNAT

Chain POSTROUTING (policy ACCEPT 360K packets, 21M bytes)

pkts bytes target prot opt in out source destination
914K 125M CUSTOMPOSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
914K 125M WGNAT all -- * * 0.0.0.0/0 0.0.0.0/0
914K 125M OVPNNAT all -- * * 0.0.0.0/0 0.0.0.0/0
914K 125M IPSECNAT all -- * * 0.0.0.0/0 0.0.0.0/0
914K 125M NAT_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
914K 125M NAT_DESTINATION_FIX all -- * * 0.0.0.0/0 0.0.0.0/0
914K 125M REDNAT all -- * * 0.0.0.0/0 0.0.0.0/0

iptables -L WGNAT -n -v

iptables: No chain/target/match by that name.

From the image provided it looks like the server is listening on port 34656 and the client is exiting from port 51820.

With proper configuration, the server should listen on port 51820 and the client should connect from a random port.
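Added example, not code from the thread or from IPFire: a small POSIX shell/awk helper that reads a `wg show` dump such as the one quoted in this thread. On the client, `listening port` is the client's own local UDP port and `endpoint` is the server's address and port; for each peer the helper reports whether a handshake ever completed (a `latest handshake` line is present), whether any bytes came back, and whether the endpoint port matches the expected server port. The server port 51820 is assumed (the thread's default) and the keys and addresses in the samples are constructed placeholders.

```shell
# Added example, not from the thread: triage a `wg show <iface>` dump from a
# road-warrior client and print one verdict per peer.
# Assumptions: the server listens on UDP 51820 (the thread's default); keys
# and addresses in the samples below are constructed placeholders.
EXPECTED_PORT=51820

# Constructed sample modelled on the output posted above: data goes out,
# nothing comes back, and there is no "latest handshake" line at all.
SAMPLE_NO_HANDSHAKE='interface: wg0
  public key: CLIENT_PUBKEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 34656
  fwmark: 0xca91

peer: SERVER_PUBKEY_PLACEHOLDER=
  endpoint: 192.0.2.10:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 2.60 KiB sent
  persistent keepalive: every 25 seconds'

# Constructed sample of a healthy tunnel for comparison.
SAMPLE_OK='interface: wg0
  listening port: 48928

peer: SERVER_PUBKEY_PLACEHOLDER=
  endpoint: 192.0.2.10:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 12 seconds ago
  transfer: 1.20 MiB received, 350.00 KiB sent'

# wg_triage: read `wg show` text on stdin; per peer print "<pubkey> <verdict>".
wg_triage() {
  awk -v want="$EXPECTED_PORT" '
    function flush() {
      if (peer == "") return
      if (hs == 0)           v = "NO_HANDSHAKE"        # server never replied
      else if (rx == "0 B")  v = "NO_RETURN_TRAFFIC"   # handshake ok, no data back
      else if (port != want) v = "UNEXPECTED_ENDPOINT_PORT " port
      else                   v = "OK"
      print peer " " v
    }
    /^peer: /              { flush(); peer = $2; hs = 0; rx = ""; port = "" }
    /^ *endpoint: /        { n = split($2, ep, ":"); port = ep[n] }
    /^ *latest handshake:/ { hs = 1 }
    /^ *transfer: /        { rx = $2 " " $3 }
    END                    { flush() }
  '
}

printf '%s\n' "$SAMPLE_NO_HANDSHAKE" | wg_triage   # SERVER_PUBKEY_PLACEHOLDER= NO_HANDSHAKE
```

On a live machine, pipe `sudo wg show wg0 | wg_triage` instead of the constructed sample; NO_HANDSHAKE means the server's reply never arrived at all, which points at the endpoint address/port or an upstream forward rather than at routing or firewall rules behind the tunnel.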

You are listing the default filter iptables chains with that command. If you want to check the chain in the nat table you need the command

iptables -t nat -L WGNAT -n -v

which then gives the output

Chain WGNAT (1 references)
 pkts bytes target     prot opt in     out     source               destination 

but you don’t have to use that command line command. You can also look in the WUI in menu - Firewall - iptables.

Go to the "Network Address Translation:" section, select WGNAT and press the Update button, and you then get

When you try to make the WireGuard connection, do you end up with the Status on the WireGuard WUI page showing a green CONNECTED, or does it stay with a red DISCONNECTED?
The status is updated on a 2 minute period so it could take this long to show a change. After 2 minutes refresh the WUI page in the browser.

How did you import the client configuration? Did you use the command line or a graphical tool?

Could you show me the output of the console commands?

ip a

nmcli connection show

Yesterday I installed CachyOS on VirtualBox.
I imported the configuration file from IPFire (using the NetworkManager graphical tool in CachyOS).

I was able to connect to the resources on the GREEN network without any problems.

Tested on:
Core-Update 202 Development Build: master/9f5a8782
cachyos-desktop-linux-260426.iso

Best regards

Adolf, it is showing Disconnected.

Iptom, I used the command line for the import.

[jack@kugelkase ~]$ sudo wg
interface: wg0
  public key: lX5PyKm+qa9YvKVvSP5XclfyjMdRyn5w1kuITfG5jTk=
  private key: (hidden)
  listening port: 48928
  fwmark: 0xca91

peer: K/YzW/Si2gxq2kYcNwju17d80YBdLhS3sFMxre0Qf1w=
  endpoint: 67.85.89.139:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 13.88 KiB sent
  persistent keepalive: every 25 seconds

[jack@kugelkase ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp13s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether d4:93:90:2b:b6:11 brd ff:ff:ff:ff:ff:ff
    altname enxd493902bb611
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c4:3d:1a:e3:e8:56 brd ff:ff:ff:ff:ff:ff
    altname wlxc43d1ae3e856
    inet 10.234.185.60/24 brd 10.234.185.255 scope global dynamic noprefixroute wlp0s20f3
       valid_lft 2893sec preferred_lft 2893sec
    inet6 fe80::a449:101b:686a:f066/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.3/32 scope global noprefixroute wg0
       valid_lft forever preferred_lft forever

nmcli connection show
The following were green
NAME                              UUID                                  TYPE       DEVICE
Auto Jarlsberg                    94300fee-f21f-411d-95cd-3c698cd1b5be  wifi       wlp0s20f3
ipfire-wg                         b0868f6d-020f-497c-99ee-7e0190cf8b36  wireguard  wg0

Adolf, I went back to your comment about the NAT table. Looking at WGNAT in the WUI shows that there are no rules, the same as with the iptables -L WGNAT command.

Let me just check this to be certain.

Do you have a public IP for your internet connection or are you connected via CG-NAT?

If you have a public IP, have you had an OpenVPN or IPsec RW connection working in the past?

Adolf, at one point in the past I tried to get OpenVPN working and gave up. Its subnet was 10.150.223.0/24. OpenVPN shows Stopped. I may have also tried IPsec but I can't remember. It is not enabled.

I do not quite understand your question "Do you have a public IP for your internet connection or are you connected via CG-NAT?" The laptop connects through the Blue network or through a phone hotspot. Neither connection works if I connect the WireGuard VPN.

I decided to give up on my manual NM configuration and did as Iptom did, through the NM GUI. The user is now connected to IPFire. I can ssh into IPFire and another host on Green. A browser can reach the internet. The only issue is that I cannot ping any devices on Green.

:thinking: Do the hosts in the GREEN zone allow pings from the WireGuard subnet?

Edit:
The following examples of commands may be helpful.

For ICMP packets outgoing from the green0 interface
tcpdump -i green0 -n icmp -Q out

For ICMP packets incoming to the green0 interface
tcpdump -i green0 -n icmp -Q in

Both directions are visible
tcpdump -i green0 -n icmp

[root@feta ~]# tcpdump -i green0 -n icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on green0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:29:13.500100 IP 67.85.89.139 > 192.168.11.110: ICMP 67.85.89.139 udp port 45101 unreachable, length 556
12:29:13.700191 IP 67.85.89.139 > 192.168.11.110: ICMP 67.85.89.139 udp port 45101 unreachable, length 556
12:29:13.700298 IP 67.85.89.139 > 192.168.11.110: ICMP 67.85.89.139 udp port 45101 unreachable, length 556
12:29:14.101816 IP 67.85.89.139 > 192.168.11.110: ICMP 67.85.89.139 udp port 45101 unreachable, length 556
12:29:14.101934 IP 67.85.89.139 > 192.168.11.110: ICMP 67.85.89.139 udp port 45101 unreachable, length 556
12:29:14.901640 IP 67.85.89.139 > 192.168.11.110: ICMP 67.85.89.139 udp port 45101 unreachable, length 556
12:29:14.901755 IP 67.85.89.139 > 192.168.11.110: ICMP 67.85.89.139 udp port 45101 unreachable, length 556
12:29:16.502449 IP 67.85.89.139 > 192.168.11.110: ICMP 67.85.89.139 udp port 45101 unreachable, length 556
12:29:16.502558 IP 67.85.89.139 > 192.168.11.110: ICMP 67.85.89.139 udp port 45101 unreachable, length 556
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel

The above was the dump when pinging 192.168.11.110 through the WG VPN.

Do I need two WG VPNs, one for remote and one for when on Blue?

I am not very familiar with tcpdump outputs but this suggests to me that your IPFire red interface has a Private IP address (192.168.11.110).

This would suggest that you have another modem, possibly from your ISP, between your internet connection and your IPFire red interface, and that it is running in modem mode and not bridged mode; otherwise your IPFire red interface would have a public IP.
If you do have another modem between the internet connection and your IPFire, have you created a port forward firewall rule in that modem to ensure that all WireGuard traffic is forwarded to your IPFire red interface?

Also your destination port is shown as 45101.

Can you confirm that you used that port number in the WireGuard WUI page in place of the default 51820?

192.168.11.110 is a server on Green. 67.85.89.139 is my current dynamic IP. The WireGuard port is set to 51820.
When a client (peer) connected to Blue is on the WG VPN it cannot access the internet. It can access the IPFire WUI.
The documentation says that the RED and Green rules are created by IPFire. I would therefore assume that a laptop on Blue with a WG connection should be able to reach the internet, as that is one of the main reasons to have the VPN in the first place.
Thanks for the help.

Your WireGuard Road Warrior connection allows a client that is somewhere out on the internet, say at a coffee bar, to connect to the coffee bar hotspot and then, via a WireGuard tunnel, to the green network, the same as if that client were directly connected to the green network, and therefore also to connect to the internet via the red interface.

If your client is connected to the blue network and wants to connect to a machine on the green network, then a WireGuard tunnel is not required. You just need to create firewall rules to allow that client on blue to access the client(s) on green that you allow.

If you want to have the client on blue connect to somewhere on the internet via a WireGuard tunnel, then you need another WireGuard server at that other internet location, and you would then need to create a net-2-net WireGuard tunnel between the two IPFire locations. As the WireGuard net-2-net tunnel will be from the green interface on your IPFire, you would need a firewall rule to allow traffic from that client on blue to connect to the WireGuard peer connection that is being used for the net-2-net tunnel.

It could be that I am not clear why, where and to what you are trying to connect from the blue client via a WireGuard tunnel.
Maybe a simple diagram to show what connection you are trying to make might help understanding.