Post by: ivm17 on January 26, 2021, 05:54:39 pm
First post here. I am new to OPNsense and seek your help.
I am trying to configure two WireGuard endpoints to be able to route traffic from different hosts on my network through different VPN tunnels. The idea is all traffic to be routed through the main VPN tunnel and few hosts that need region unlock to go through the second tunnel. Also I would like to prevent my ISP's IP from leaking in case the the VPN tunnels are down.
So far I tried:
1. Single local entry with two endpoints. - In this case I see two handshakes and two peers but only one is used. If I disable either one of the endpoints it starts using the other one. I tried to changing the allowed IPs on each endpoint but then it stops working completely. In the "List Configuration" one of the peers comes up with "allowed ips: (none)" and the active one with "allowed ips: 0.0.0.0/0".
2. Two local entries each configured with single endpoint. - This creates two interfaces wg0 and wg1. If both local entries are enabled only wg0 is available. If I disable the first local entry wg1 becomes available and of course the second tunnel is used.
I have both interface assignments and NAT rules.
In both cases I can use either or but not both tunnels at the same time. Is this used case even possible?
Any help would be greatly appreciated.
Post by: Greelan on January 26, 2021, 10:37:25 pm
This thread may help: https://forum.opnsense.org/index.php?topic=20494
Post by: ivm17 on January 27, 2021, 02:26:06 am
Definitely possible. You will need two separate local/endpoint combinations. Also you will need to Disable Routes on each so that you can route the traffic appropriately with firewall rules
This thread may help: https://forum.opnsense.org/index.php?topic=20494
Greelan,
Thank you for the hint. I will try it and will report back.
Post by: ivm17 on January 27, 2021, 06:14:32 am
Definitely possible. You will need two separate local/endpoint combinations. Also you will need to Disable Routes on each so that you can route the traffic appropriately with firewall rules
This thread may help: https://forum.opnsense.org/index.php?topic=20494
Greelan,
Jumping from thread to thread I gathered enough information to make it work. If I find time, I will write a proper step-by-step to help others.
Thanks for pointing me in the right direction! I really appreciate it.
For someone that stumbles upon this thread here are the copy/paste steps that made it work for me:
- Set up Mullvad endpoint (public key, allowed IPs + 1.2.3.4, endpoint address & port)
- Set up local endpoint (private key, tunnel address, DNS, "disable routes", gateway IP 1.2.3.4)
- Assign an interface to wg# (enable, lock, no IP config)
- Restart Wireguard service (or you will get an error when trying to create the gateway)
- Create gateway on the newly created interface (IP 1.2.3.4, check "far gateway", optionally enable monitoring (I'm using cloudflare's 1.1.1.1))
- Create a NAT rule on the Mullvad interface for your LAN network
- Create a firewall rule for your LAN interface directing (selected) traffic to the Mullvad gateway (or the group in my case)
- All done!
I got this from here (posts #23 and #28):
https://forum.opnsense.org/index.php?topic=15105.msg70130#msg70130 (https://forum.opnsense.org/index.php?topic=15105.msg70130#msg70130)
Post by: Greelan on January 27, 2021, 06:22:40 am
The guide I found most useful in all this was Jonny’s imgur guide, which is linked in one of the threads. Particularly helpful where selective routing is being done.
Regarding the gateways, I am not a big fan of using 1.2.3.4 because you can only use it on one gateway. As noted in one of the threads, using an IP of 1 below the local peer tunnel IP avoids that issue.
Post by: ivm17 on January 28, 2021, 03:05:20 am
Post by: Greelan on January 31, 2021, 12:34:27 am
Hope it helps someone
Post by: mimugmail on January 31, 2021, 07:33:57 am
Post by: Greelan on January 31, 2021, 08:38:23 am
