OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: ConnorXXL on March 03, 2020, 02:31:34 pm

Title: OPNSense as a VPN gateway, Wireguard
Post by: ConnorXXL on March 03, 2020, 02:31:34 pm
Dear all,

Been trying to get this working for some time now, however don't know what to do anymore. So I appreciate any help/hints on where to look...

(Long message...)

I'm trying to make OPNsense work as a VPN gateway behind my pfSense, for Wireguard roadwarrior access (later also site-to-site Wireguard VPN).
I'd like to switch to OPNSense completely in a later stage, however will need some time for the change.

Environment/basics
- pfSense 2.4.4p3 as firewall/router (LAN address 10.0.1.1, LAN net 10.0.1.0/24)
- OPNSense 20.1.1 as VPN gateway (LAN address 10.0.1.2/24)
- Wireguard VPN tunnel: 10.0.230.0 (server 10.0.230.1/24, client 10.0.230.2/24)
- Both pfSense and OPNSense running as VMs on Proxmox (connected to same LAN)

pfSense has a DynDNS name (let's call it "x.dyndns.com") and the following config for the OPNSense VPN gateway:
- Static route (Destination network 10.0.230.0/24, Gateway "Wireguard_VPN - 10.0.1.2")
- Gateway "Wireguard_VPN" (Interface LAN, Gateway 10.0.1.2)
- NAT (Interface WAN, Protocol UDP, Destination WAN address, Destination port range 51830 to 51830, Redirect target IP 10.0.1.2, Redirect target port 51830, NAT reflection "Use system default")
- Rules (created by NAT, Interface WAN, Source any, Destination "Single host or alias" 10.0.1.2, Destination port 51830)

Wireguard VPN Gateway configuration
- One interface, LAN, static IPv4 10.0.1.2, IPv4 Upstream Gateway "Auto-detect")
- Firewall rules on "Wireguard": pass all
- Wireguard enabled
- Wireguard config (according to "List Configuration"):

interface: wg0
  public key: (pubkeyS)
  private key: (hidden)
  listening port: 51830

peer: (pubkeyC)
  allowed ips: 10.0.230.2/32


Wireguard client config (Mac OS Catalina, official Wireguard client):

[Interface]
PrivateKey = (privkeyC)
Address = 10.0.230.2/24
DNS = 10.0.1.1

[Peer]
PublicKey = (pubkeyS)
AllowedIPs = 10.0.1.0/24, 10.0.230.0/24
Endpoint = x.dyndns.com:51830

So the client can't connect (it's sending data, but there's no "Latest handshake" or "Data received", just "Data sent"), I can't access any systems on the (pfSense) LAN.

I tried an Outbound NAT rule for Wireguard on OPNSense, not sure if it's needed, however hasn't helped.

Interestingly I got a Debian VM with Wireguard set up, and this one works fine for the client (rules on pfSense set up exactly the same way for Debian Wireguard as for OPNSense Wireguard, except Wireguard server port and IP of course).

Apologies for the long email, I try to provide all information upfront.

Something I missed? Anyone got a hint/tip where I can start looking? Happy to provide more information.

Thanks a lot.
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: keropiko on March 03, 2020, 02:40:01 pm
For a Road Warrior setup, you have to assign the wireguard interface (Interfaces ‣ Assignment) and create rules inside there. (Better to reboot after assignment so the NAT outbound rules get updated with the new interface.)

Also since behind NAT at the client add the option "persistent-keepalive=25".

If you want to redirect all the traffic from the client through wireguard, you will have to change the client configuration to: "AllowedIPs = 0.0.0.0"
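The two client-side points raised in this reply (a keepalive when the client sits behind NAT, and what goes into AllowedIPs for a full tunnel) are easy to get subtly wrong. The following is an added example, not code from the thread or from OPNsense/WireGuard: a small linter for a wg-quick style client config. It embeds the client config posted above with the key placeholders left in, and encodes one assumption that should be stated plainly: WireGuard treats an AllowedIPs entry without a prefix length as a single host, so a bare "0.0.0.0" selects one address rather than all traffic, while "0.0.0.0/0" routes everything into the tunnel.

```python
"""Lint a WireGuard client config for the road-warrior pitfalls discussed above.

Added example; not part of the original thread. Keys are placeholders."""
import ipaddress

# Constructed sample: the client config from the first post, placeholder keys kept.
CLIENT_CONF = """\
[Interface]
PrivateKey = (privkeyC)
Address = 10.0.230.2/24
DNS = 10.0.1.1

[Peer]
PublicKey = (pubkeyS)
AllowedIPs = 10.0.1.0/24, 10.0.230.0/24
Endpoint = x.dyndns.com:51830
"""


def parse_wg_conf(text):
    """Parse wg-quick INI text into {'Interface': {...}, 'Peers': [{...}, ...]}.

    configparser is deliberately not used: a config may hold several [Peer]
    sections with identical keys, which configparser would merge or reject."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            name = line[1:-1].strip().lower()
            if name == 'interface':
                current = interface
            elif name == 'peer':
                current = {}
                peers.append(current)
            else:
                raise ValueError(f'unknown section {line}')
            continue
        if current is None or '=' not in line:
            raise ValueError(f'unexpected line: {raw!r}')
        key, value = (s.strip() for s in line.split('=', 1))
        current[key.lower()] = value
    return {'Interface': interface, 'Peers': peers}


def _split_list(value):
    return [v.strip() for v in value.split(',') if v.strip()]


def lint_client(conf, behind_nat=True):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    findings = []
    addrs = [ipaddress.ip_interface(a) for a in _split_list(conf['Interface'].get('address', ''))]
    if not addrs:
        findings.append('Interface: no Address, the tunnel interface has no IP')

    for i, peer in enumerate(conf['Peers'], 1):
        allowed = _split_list(peer.get('allowedips', ''))
        if not allowed:
            findings.append(f'Peer {i}: no AllowedIPs, nothing is routed into the tunnel')
        nets = []
        for entry in allowed:
            if '/' not in entry:
                # Assumption stated in the lead-in: a bare address is a single host,
                # so "0.0.0.0" does not mean "all traffic"; that needs 0.0.0.0/0.
                findings.append(f'Peer {i}: AllowedIPs entry "{entry}" has no prefix length '
                                'and matches a single host only')
            nets.append(ipaddress.ip_network(entry, strict=False))

        if 'endpoint' not in peer:
            findings.append(f'Peer {i}: no Endpoint, a road-warrior client cannot initiate')

        if behind_nat:
            ka = peer.get('persistentkeepalive', 'off').lower()
            if ka == 'off' or int(ka) <= 0:
                findings.append(f'Peer {i}: no PersistentKeepalive; the NAT mapping at the '
                                'client side can expire between packets')

        # The client's own tunnel network should fall inside some AllowedIPs entry,
        # otherwise other hosts on the tunnel net are never routed via this peer.
        for addr in addrs:
            if not any(n.version == addr.version and addr.network.overlaps(n) for n in nets):
                findings.append(f'Peer {i}: AllowedIPs does not cover the tunnel network '
                                f'{addr.network} of Address {addr}')
    return findings


def lint_text(text, behind_nat=True):
    """Convenience wrapper: parse and lint in one call."""
    return lint_client(parse_wg_conf(text), behind_nat=behind_nat)


if __name__ == '__main__':
    for finding in lint_text(CLIENT_CONF) or ['no findings']:
        print(finding)
```

Run against the posted client config the only finding is the missing PersistentKeepalive; replacing AllowedIPs with a bare 0.0.0.0 produces two findings (no prefix length, and the tunnel network 10.0.230.0/24 no longer covered), whereas 0.0.0.0/0 with a keepalive set produces none.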
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: ConnorXXL on March 03, 2020, 02:50:29 pm
Hello keropiko,

Thanks for your quick response. I just assigned a (new) interface to wg0, and created a pass rule on that interface. I haven't configured the interface (except "enabling" it), do I need that?

Hasn't changed anything unfortunately, after reboot same story.

For site-to-site Wireguard VPNs, do I need the interface too?

Thanks for your help.

Regards,

Chris
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: ConnorXXL on March 03, 2020, 03:00:25 pm
Interestingly, I can't find any automatically created NAT rules in OPNSense after reboot (and assigning an interface to wg0). Should there be one?

Thanks.
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: Maurice on March 03, 2020, 05:38:11 pm
Since OPNsense only has one interface and you configured that statically, you also have to manually add a gateway. Otherwise there is no route to the Internet.

Cheers

Maurice
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: ConnorXXL on March 09, 2020, 04:47:56 pm
Maurice, that was a good one! I created a manual gateway and configured it on LAN.

Unfortunately still not working. :-(

I got another idea: how does Wireguard know what interface to listen to? I only got a LAN interface on OPNSense now...

Thanks for any hints!

Chris
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: ConnorXXL on March 11, 2020, 03:40:49 pm
Solved it. Created a firewall rule on LAN allowing all to all, setting it as first rule.

Now it's way slower than using the Debian Wireguard VM I used up to now. Different topic.

Thanks for all your tips!
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: Spoonman2002 on April 02, 2020, 02:17:55 pm
The difference in down/upload speed between an OPNsense wireguard gateway config and a VM with a wireguard client app is also puzzling me... dramatic difference in speedtest between these two setups.
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: ConnorXXL on April 03, 2020, 10:04:27 am
I did quite a bit of testing. And OPNsense Wireguard with OPNsense Wireguard is as fast/slow as OpenVPN for me. A VM on Ubuntu connected to Ubuntu Wireguard on an APU2 or other barebone is 5-6 times faster. Same HW for both OPNSense and Ubuntu.
Might be the BSD implementation of Wireguard.

I couldn't get the VM scenario stable, so staying on OpenVPN for now unfortunately.
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: banym on April 03, 2020, 10:39:39 am
Please consider that the FreeBSD implementation, to my knowledge, is a userland implementation while the original Wireguard implementation lives inside the Linux kernel. This means it has direct access to the kernel infrastructure and performs better than other userland solutions like OpenVPN.

The implementation of Wireguard on FreeBSD is a Go implementation. Not sure about the impact and potential of performance.
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: mimugmail on April 03, 2020, 10:47:44 am
On Xeon you can get 1,6Gbit while OpenVPN does 900Mbit. I think it's your hardware or testing.
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: banym on April 03, 2020, 11:06:27 am
Well, that should be enough for most use cases.
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: ConnorXXL on April 03, 2020, 11:31:16 am
Thanks for the feedback. I definitely won't pretend that I did perfect testing. However I repeated testing a few times with similar results.
As soon as one endpoint was on OPNsense, it got slow. Will try again in the next days. Same HW/VM settings.
Title: Re: OPNSense as a VPN gateway, Wireguard
Post by: mimugmail on April 03, 2020, 05:04:12 pm
https://www.routerperformance.net/comparing-opnsense-vpn-performance/