OPNsense Forum
English Forums => Virtual private networks => Topic started by: novel on November 25, 2023, 12:58:40 pm
-
There is only one LAN Interface with Internet connection.
There is only one WAN.
I recently installed a OPNsense firewall with default firewall rules, default NAT, default Gateways, no IPV6
I want to setup from scratch everything from LAN going over vpn (wireguard).
CONFIGURATION
I have already setup with success wireguard server on the VPS. On VPS I use Debian bookworm, Now I want to make a configuration with OPNsense firewall as wireguard client , then OPNsense sent all traffic to the VPS.
How can I do that?
-
Ok, let's go :)
First of all, let's prove everything is configured and working as expected to not have any surprises later on...
1a) Ping 8.8.8.8 and google.com from Sense shell. Post the output, I would like to see the latencies.
1b) Ping 8.8.8.8 and google.com from LAN client. Post the output, I would like to see the latencies.
1c) Post screenshots from sense config:
I) System: Gateways: Single
II) Interfaces: Overview (do not extend entries)
III) Firewall: NAT: Outbound
-
Ok, let's go :)
First of all, let's prove everything is configured and working as expected to not have any surprises later on...
1a) Ping 8.8.8.8 and google.com from Sense shell. Post the output, I would like to see the latencies.
1b) Ping 8.8.8.8 and google.com from LAN client. Post the output, I would like to see the latencies.
1c) Post screenshots from sense config:
I) System: Gateways: Single
II) Interfaces: Overview (do not extend entries)
III) Firewall: NAT: Outbound
Ok , I sent all information that you want.
Both sides of ping works perfect
-
Looks fine so far. You missed the ping from a LAN client (eg a computer), but I assume it will work.
Step 2 is configuring WG client on sense.
2a) Configure according to step 1-6 https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
Pay particular attention for step 6 "monitor IP". Please set debians's WG endpoint IP, later we will change it, but for now we use this one to see the gateway / VPN itself is up.
Next we will test WG connection and config.
2b) Post a screenshot of
I) System: Gateways: Single
II) Firewall: NAT: Outbound
=> if there is no entry for WGnet, go to step 10 of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html but put LAN net as source address.
III) Lobby: Dashboard interface section
-
I missed that RasPi interface. You said you do not have further interfaces than WAN and LAN.
Remember: This Raspi Interface will no longer be accessable!
If you need that interface we shall proceed in another way. If you do not need this Interface anymore: remove it.
-
Looks fine so far. You missed the ping from a LAN client (eg a computer), but I assume it will work.
Step 2 is configuring WG client on sense.
2a) Configure according to step 1-6 https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
Pay particular attention for step 6 "monitor IP". Please set debians's WG endpoint IP, later we will change it, but for now we use this one to see the gateway / VPN itself is up.
Next we will test WG connection and config.
2b) Post a screenshot of
I) System: Gateways: Single
II) Firewall: NAT: Outbound
=> if there is no entry for WGnet, go to step 9 of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html but leave source address blank.
III) Lobby: Dashboard interface section
I have good news. The interface raspbberry I need it for other using. Now, It is disabled, without any cable connected.
I have wg up and first time I saw , send and receive packets and handshake, but I am not connected to publick ip of vpn. I still have my ISP ip. So, I have all information you need.
I followed the steps 1-6 . Inside gateway single I created as the example then I put monitor IP 10.217.30.1 and gateway IP 10.217.30.1 . This ip is from wg debian server as you said.
As far from configuration nothing created NAT outbound. I went to step 9 as you said but step 9 say create Firewall ‣ Rules ‣ Floating . I did the same.
I have normal connection from my ISP with wg enabled. Now It need to change the gateway...
I post all screenshots
-
Fine, WG looks good. We will care about routing all over VPN in step 3...
Now we will try routing one IP over VPN and see if it works...
2c) Go to System: Gateways: Single and change WG monitor IP to 8.8.4.4
2d) Traceroute 8.8.4.4 from Sense shell, post the output.
-
Fine, WG looks good. We will care about routing all over VPN in step 3...
Now we will try routing one IP over VPN and see if it works...
2c) Go to System: Gateways: Single and change WG monitor IP to 8.8.4.4
2d) Traceroute 8.8.4.4 from Sense shell, post the output.
Perfect, the blur places on the screenshot show the public IP of VPS then the publick IP from ISP.
I am very happy :) ;) :D
-
Perfect my friend :)
Step 3 is to achieve that LAN clients will use VPN only.
3a) Go to Firewall: Rules: LAN and find the v4 default allow rule. Edit it and set the VPN as gateway.
3b) At Firewall: Rules: LAN find the v6 default allow rule. Disable it to make sure no traffic will go over WAN via v6 overriding your VPN. This is only suitable if IPv6 is activated for LAN/WAN.
3c) Post a screenshot of System: Routes: Status
3d) Traceroute 8.8.8.8 from LAN client (eg PC, not from sense!), post the output.
3e) Traceroute google.com from LAN client (eg PC, not from sense!), post the output.
-
BTW:
For my feelings latency is very high, according to previous screenshots I would expect about 50-60ms.
Maybe there is a need for some tuning later, but no problem for the moment.
-
Perfect my friend :)
Step 3 is to achieve that LAN clients will use VPN only.
3a) Go to Firewall: Rules: LAN and find the v4 default allow rule. Edit it and set the VPN as gateway.
3b) At Firewall: Rules: LAN find the v6 default allow rule. Disable it to make sure no traffic will go over WAN via v6 overriding your VPN. This is only suitable if IPv6 is activated for LAN/WAN.
3c) Post a screenshot of System: Routes: Status
3d) Traceroute 8.8.8.8 from LAN client (eg PC, not from sense!), post the output.
3e) Traceroute google.com from LAN client (eg PC, not from sense!), post the output.
As I said before gateway not change, I change the gateway on default route ipv4 and I disable ipv6.
traceroute google.com shows
google.com: Name or service not known
Cannot handle "host" cmdline arg `google.com' on position 1 (argc 1)
traceroute 8.8.8.8 shows only
1 _gateway (192.168.1.1) 0.471 ms 0.451 ms 0.368 ms
2. * * *
3 * * *
-
II) Firewall: NAT: Outbound
=> if there is no entry for WGnet, go to step 9 of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html but
Here step 9 it is not nat outbound. It is firewal > rules > floating . Did you see it ?
-
As I said before gateway not change
What exactly does that mean? You need to change the gateway in that rule from default / emtpy to the VPN.
Is VPN gateway not shown there in dropdown or what is the problem?
I change the gateway on default route ipv4 and I disable ipv6.
What exactly does that mean? Please post screenshots of your changes.
-
II) Firewall: NAT: Outbound
=> if there is no entry for WGnet, go to step 9 of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html but
Here step 9 it is not nat outbound. It is firewal > rules > floating . Did you see it ?
give me minute...
-
I am sorry... it is step 10...
Now corrected this in original post...
-
I am sorry... it is step 10...
Now corrected this in original post...
So , I have to delete floatinf rules , right?
-
Yes... we do not need this in your case (routing everything* over VPN)
*SenseWAN traffic itself will not be routed over VPN... if you really need this, we will have a look later.
-
Yes... we do not need this in your case (routing everything* over VPN)
*SenseWAN traffic itself will not be routed over VPN... if you really need this, we will have a look later.
It doesn't work. I fix the nat outband but I have no internet connection at all.
-
Source address
Select the Alias for the hosts/networks that are intended to use the tunnel (eg WG_VPN_Hosts )
This choice what I have to put?
-
Nothing / any.
We do not want some clients (in an alias) to be routed over VPN, we want all (any).
-
Nothing / any.
We do not want some clients (in an alias) to be routed over VPN, we want all (any).
I have any. I don't have internet at all :(
-
Sorry... put LAN net there!
-
Sorry... put LAN net there!
The same I have no internet. I change from any to lan net
-
More details are welcome ;)
PLease try a ping from a LAN client / PC to 8.8.8.8 and do the same for google.com
I assume there is (still) just a DNS problem issueing "no internet"...
-
More details are welcome ;)
PLease try a ping from a LAN client / PC to 8.8.8.8 and do the same for google.com
I assume there is (still) just a DNS problem issueing "no internet"...
I can ping 8.8.8.8 with success , I cannot ping with ping google.com
ping: google.com: Name or service not known
-
Fine so far... I don't know how to deal with this DNS issue at the moment, but we will see later...
Now just re-check step 3 and do those tests + screenshots...
Step 3 is to achieve that LAN clients will use VPN only.
3a) Go to Firewall: Rules: LAN and find the v4 default allow rule. Edit it and set the VPN as gateway.
3b) At Firewall: Rules: LAN find the v6 default allow rule. Disable it to make sure no traffic will go over WAN via v6 overriding your VPN. This is only suitable if IPv6 is activated for LAN/WAN.
3c) Post a screenshot of System: Routes: Status
3d) Traceroute 8.8.8.8 from LAN client (eg PC, not from sense!), post the output.
3e) Traceroute google.com from LAN client (eg PC, not from sense!), post the output.
-
PLease also tell what's the OS on your LAN client to test from... Win, Linux, BSD, ...?
-
Fine so far... I don't know how to deal with this DNS issue at the moment, but we will see later...
Now just re-check step 3 and do those tests + screenshots...
Step 3 is to achieve that LAN clients will use VPN only.
3a) Go to Firewall: Rules: LAN and find the v4 default allow rule. Edit it and set the VPN as gateway.
3b) At Firewall: Rules: LAN find the v6 default allow rule. Disable it to make sure no traffic will go over WAN via v6 overriding your VPN. This is only suitable if IPv6 is activated for LAN/WAN.
3c) Post a screenshot of System: Routes: Status
3d) Traceroute 8.8.8.8 from LAN client (eg PC, not from sense!), post the output.
3e) Traceroute google.com from LAN client (eg PC, not from sense!), post the output.
Tiermutter route status is the same....First is wan from ISP not from vpn. I use dns over tls port 853 but I disabled.. I don't have internet.....
IPV6 is disabled ...When I installed opnsense I never enabled...
the ping is very slow respond....ping from 8.8.8.8 looks ok. show the correct gateway then public ip from vpn then the public ip from my ISP....
-
hm, ok... please post a screenshot of your LAN FW rules
-
I know this is hardship for you. I am newbie with opnsense. I have a couple days installed.
I am sorry about that.
-
hm, ok... please post a screenshot of your LAN FW rules
ok
-
I know this is hardship for you. I am newbie with opnsense. I have a couple days installed.
I am sorry about that.
No problem... I am also no expert in networking or OPNsense...
For the moment I have no idea where the problem is located...
VPN is up and running
Routing for 8.8.4.4 (GW monitoring) is working
Routing for LAN clients is not working.... Routing by FW rule is ok... NAT issue?
Please post a screesnhot of your outbound NAT overview.
If this is fine, I am out of ideas, but maybe then we should try routing via alias in next step...
... changing gateway priority is no option for me...
-
Do a tcpdump on the wg interface on the VPS side, and then on the external interface on the VPS side filtering on the source address of the internal LAN system. If the packets pass through the tunnel as intended - that's what we want to check - then possibly outbound NAT on the VPS side is not working as intended.
-
I know this is hardship for you. I am newbie with opnsense. I have a couple days installed.
I am sorry about that.
No problem... I am also no expert in networking or OPNsense...
For the moment I have no idea where the problem is located...
VPN is up and running
Routing for 8.8.4.4 (GW monitoring) is working
Routing for LAN clients is not working.... Routing by FW rule is ok... NAT issue?
Please post a screesnhot of your outbound NAT overview.
If this is fine, I am out of ideas, but maybe then we should try routing via alias in next step...
... changing gateway priority is no option for me...
It is very shame. I feel sad because there are so many users that the don't help, they don't post....
-
Do a tcpdump on the wg interface on the VPS side, and then on the external interface on the VPS side filtering on the source address of the internal LAN system. If the packets pass through the tunnel as intended - that's what we want to check - then possibly outbound NAT on the VPS side is not working as intended.
Patrick I fixed not with correct way. Please help to fix with correct way. No I connected through the vpn, I disabled the WAN_DHCP gateway so there only vpn gateway that is working.
-
I know this is hardship for you. I am newbie with opnsense. I have a couple days installed.
I am sorry about that.
No problem... I am also no expert in networking or OPNsense...
For the moment I have no idea where the problem is located...
VPN is up and running
Routing for 8.8.4.4 (GW monitoring) is working
Routing for LAN clients is not working.... Routing by FW rule is ok... NAT issue?
Please post a screesnhot of your outbound NAT overview.
If this is fine, I am out of ideas, but maybe then we should try routing via alias in next step...
... changing gateway priority is no option for me...
I fixed my friend...I already post to Patrick. I disabled wan_dhcp. We have to correct way to work correctly :) :) :) :) :) :) ;) ;) ;) :D :D
-
If the wireguard interface on your VPS is wg0, then with the VPN active do a ping 8.8.8.8 on some internal client and at the same time as root on the VPS:
tcpdump -n -i wg0 icmp
If the interface is not wg0, then adapt accordingly.
If you see the packets from the internal client, then the VPN tunnel is ok. If you don't it's a problem with the tunnel.
Assuming you see the packets then repeat the procedure but instead of wg0 use the external interface of your VPS (eth0 or similar).
-
There already is an automatic rule for WG in outbound NAT.
I am unsure about the impact it has (I guess none), but I am sure you don' need it...
@Patrick outbound NAT on VPS is working since we can ping 8.8.4.4 (GW monitor IP) from OPNsense.
Am I wrong?
-
oops... I am late, so much happened last 15 minutes...
Changing GW priority (or removing WAN GW) was what I wanted to prevent.
This is a workaround for the routing issues we have, but not a proper way to go.
However... is everything now working so far?
-
If the wireguard interface on your VPS is wg0, then with the VPN active do a ping 8.8.8.8 on some internal client and at the same time as root on the VPS:
tcpdump -n -i wg0 icmp
If the interface is not wg0, then adapt accordingly.
If you see the packets from the internal client, then the VPN tunnel is ok. If you don't it's a problem with the tunnel.
Assuming you see the packets then repeat the procedure but instead of wg0 use the external interface of your VPS (eth0 or similar).
Patrick I did as you said...Please look the screenshot. ping from my laptop is ok but I have high time=80.9 ms
-
So it's working now. Great! What did you expect but something in the 100 ms range? You are tunneling to a different country, aren't you.
-
oops... I am late, so much happened last 15 minutes...
Changing GW priority (or removing WAN GW) was what I wanted to prevent.
This is a workaround for the routing issues we have, but not a proper way to go.
However... is everything now working so far?
Yes , It working, but I disabel wan_dhcp to work. It is not correct way...How to fix it?
-
So it's working now. Great! What did you expect but something in the 100 ms range? You are tunneling to a different country, aren't you.
Yes different country. If is it aceptable this ms that's fine Is it logical ms patrick ?
Yes my friend Patrick. How can I fixed with correct way? Now I disabled wan_dhcp...to work the vpn. The gateway must change automatically when enable the vpn or disable.
-
Yes , It working, but I disabel wan_dhcp to work. It is not correct way...How to fix it?
For me, this is not the proper way. Maybe just a matter of mind, I don't know, never tried / tested this...
Connection to VPN is now still established... but what will happen after connection loss / reboot? Without WAN GW OPNsense WG client will not be able to connect... will it?
Changing priority instead of disabling WAN GW would be better, but -as said maybe a matter of mind- not the righteous way to go...
-
Yes , It working, but I disabel wan_dhcp to work. It is not correct way...How to fix it?
For me, this is not the proper way. Maybe just a matter of mind, I don't know, never tried / tested this...
Connection to VPN is now still established... but what will happen after connection loss / reboot? Without WAN GW OPNsense WG client will not be able to connect... will it?
Changing priority instead of disabling WAN GW would be better, but -as said maybe a matter of mind- not the righteous way to go...
Normally gateway must automatically when enable or disable the vpn, but in my case not happen. So I have to change to 253 the vpn gateway?
-
Yes , It working, but I disabel wan_dhcp to work. It is not correct way...How to fix it?
For me, this is not the proper way. Maybe just a matter of mind, I don't know, never tried / tested this...
Connection to VPN is now still established... but what will happen after connection loss / reboot? Without WAN GW OPNsense WG client will not be able to connect... will it?
Changing priority instead of disabling WAN GW would be better, but -as said maybe a matter of mind- not the righteous way to go...
Normally gateway must automatically when enable or disable the vpn, but in my case not happen. So I have to change to 253 the vpn gateway?
I changed to 253 but it doesn't work. The only correct way is to find the correct way to change automatically.
Can I ask you something? Monitor IP 8.8.4.4 what is it?
Now with vpn enabled Can I use only tcp 443 with ISP wan?
-
Lower value for priority is correct, yes.
But you also need to mark WAN DHCP as upstream GW.
Monitor IP for your VPN GW is a google DNS IP. OPNsense / dpinger will ping trhis IP periodically to determine whether the gateway is up or not. I prefer public IPs for this case since adding VPN endpoint IP here does not mean that connection to WAN over VPN is working. It is just diagnostics, but this IP will also ALWAYS be routed over VPN gateway, regardless of other configurations.
Unsure about your last question... what do you mean?
-
Patrick M. Hausen
Please help......Now I have vpn established. With vpn enabled can I use TCP 443 https to using wan from my ISP ???
How can I do that?
-
I don't understand.
-
I don't understand.
Whole lan works with vpn right? All traffic goes to vpn, not my ISP public IP.
Now I want to make a rule ( I think with nat ) only for TCP 443 https to using public IP from my ISP not from vpn.
Do you understand what I want to do?
-
Rule on LAN, destination port 443, gateway WAN_DHCP.
-
... placed before your existing "default allow" with gateway set to your VPN.
Why do you want that rule? Sure you only want non-443 traffic to go through VPN?
May I ask what your purpose is?
-
Rule on LAN, destination port 443, gateway WAN_DHCP.
Thank you very much. I appreciate your help.
Thank you very much Patrick! :)
-
... placed before your existing "default allow" with gateway set to your VPN.
Why do you want that rule? Sure you only want non-443 traffic to go through VPN?
May I ask what your purpose is?
I want this rule because some sites I can't reach them. They want ip only from my country. Do you understand why it is very important for me this rule?
-
Ok, but... You initial mission was to route everything via VPN due to limitations of your country... Now all https will go through WAN, with only a little part going through VPN...?!
Would ne better to put those "some sites" into an alias and only route them via WAN...
-
Ok, but... You initial mission was to route everything via VPN due to limitations of your country... Now all https will go through WAN, with only a little part going through VPN...?!
Would ne better to put those "some sites" into an alias and only route them via WAN...
Yeah, this choice is better, but I cannot figure out how to do it. What I have to choose in section destination?
-
First create an alias where you put in all sites you want ro reach via WAN.
Then go to last created rule where WAN GW is set and put the alias as destination.
-
First create an alias where you put in all sites you want ro reach via WAN.
Then go to last created rule where WAN GW is set and put the alias as destination.
In section firewall > alias ...I tried to created a list but I didn't make it. Do you have any example?
Then where do i have to go?
-
Lower value for priority is correct, yes.
But you also need to mark WAN DHCP as upstream GW.
Monitor IP for your VPN GW is a google DNS IP. OPNsense / dpinger will ping trhis IP periodically to determine whether the gateway is up or not. I prefer public IPs for this case since adding VPN endpoint IP here does not mean that connection to WAN over VPN is working. It is just diagnostics, but this IP will also ALWAYS be routed over VPN gateway, regardless of other configurations.
Unsure about your last question... what do you mean?
I would like to use dns over tls. I have already configure unbound over tls. So, I want vpn to use my configure NOT dns over google.
How to change that? Can I fill blank the choice monitor IP ??? Or I have to put the same IP . I mean gateway IP 10.217.30.1 and monitor IP 10.217.30.1
-
Monitor IP does not mean that this will be used as DNS server. Simply don't care about this ;)
You can put any public IP here if you want...
-
Monitor IP does not mean that this will be used as DNS server. Simply don't care about this ;)
You can put any public IP here if you want...
I dont have static ip. So I think it is better to put the same IP from gateway 10.217.30.1 . Right?
Please do you have any example from site, because I dont understand how to setup some sites to use different IP
-
Look at this site:
https://docs.opnsense.org/manual/aliases.html
You need alias type host, there is a good example for youtube. Just add all sites you want to reach via WAN there.
Regarding monitor IP you can also put the endpoint IP of your WG server there like we did in the first steps. But, as said, this has the disadvantage that for GW status it will always say "up" just because the connection to your WG server is established. In this case this does not mean that also internet via VPN is working.
Putting a public IP like 8.8.4.4 GW status is "up" when VPN is established AND internet via VPN working.
-
Look at this site:
https://docs.opnsense.org/manual/aliases.html
You need alias type host, there is a good example for youtube. Just add all sites you want to reach via WAN there.
Regarding monitor IP you can also put the endpoint IP of your WG server there like we did in the first steps. But, as said, this has the disadvantage that for GW status it will always say "up" just because the connection to your WG server is established. In this case this does not mean that also internet via VPN is working.
Putting a public IP like 8.8.4.4 GW status is "up" when VPN is established AND internet via VPN working.
Please, Which is the endpoint IP of WG server ?? Documention of opnsesne say:
Insert the endpoint VPN tunnel IP (NOT the public IP) of your VPN provider
Specifying the endpoint VPN tunnel IP is preferable. As an alternative, you could include an external IP such as 1.1.1.1 or 8.8.8.8,
-
Endpoint IP of your WG server is the servers WG IP... We used this IP in step 2 there:
Step 2 is configuring WG client on sense.
2a) Configure according to step 1-6 https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
Pay particular attention for step 6 "monitor IP". Please set debians's WG endpoint IP, later we will change it.
-
But, as said ;) , there is no need for you to care about!
-
Endpoint IP of your WG server is the servers WG IP... We used this IP in step 2 there:
Step 2 is configuring WG client on sense.
2a) Configure according to step 1-6 https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
Pay particular attention for step 6 "monitor IP". Please set debians's WG endpoint IP, later we will change it.
My friend :) :) I read this a lot of time. I don't understand which is endpoint IP. Can you? Is it 10.217.30.1 or not?
I would like to know. Just know
-
Yes it is... See post #5 screenshot...
-
Yes it is... See post #5 screenshot...
Thank you....Later, I will try to figure out the problem with alias web sites.