OPNsense Forum

Hi guys,

I am pretty new to OPNsense but you guys seem very quick at responding.

So my setup is a baremetal server running 20.7 OPNsense.
I am really trying hard to get the Wireguard VPN to work but really having zero luck, even paid pro engineers to help and they couldn't do it.
So here is why I am baffled... the server sees my client which im using the official windows app for as it shows my IP correctly and seems to be sending and receiving. I have attached to images for you to see. But on my laptop I am not receiving anything thus have no connection, i cant ping the server or anything like that. I have used WG on my laptop before without issues. I have followed multiple guides restarted multiple times but still no luck.
Has there been anyone else who may have had a similar experience.
https://ibb.co/71qr7zW
https://ibb.co/0B6fCzg

I am to the point that I have to reconsider OPNsense completely. I flirted with Softether too as you may recall from my post yesterday but even that seemed to have a lot a trouble. But I have simply spent too much time to just give up on it so please any help would be so useful right now.


Thanks again in advance for anyone who can guess what is wrong.

Ok, we need:
- a graphical network plan
and screenshots of:
- outbound NAT
- Firewall rules WAN
- Firewall rules WireGuard
- WireGuard config on OPNsense

What do you see in: Firewall: Logs: Live view

when trying to send data through from the client like ping to OPNsense.

here are the screen shots, ill get the logs in a min

Thank you for this

Under WGRules the source should be the network: 10.0.7.0/24 not 10.0.7.1/24

And you need one more outbound NAT rule.

Like the one attached

Thank you very much, i applied the changes and still not receiving on my client side.

Here is the live log
https://ibb.co/9NRjyGy


and this

https://ibb.co/xz94qLr

Those lines don't say anything about the WireGuard connection.

Are you able to send a ping from the client to the OPNsense? What do the logs say? You can filter i.e. for source IPs from the 10.0.7 subnet.

Or try to ping the other way around:
Interfaces: Diagnostics: Ping
10.0.7.20

What do you see?

And please enable logging for the firewall rule in picture WGRules (press the "i" next to the lightning symbol). This way you should see the traffic in the live log.

Hi,
sorry but I live in SE asia so apologies for the late reply.

i can only ping 10.0.7.20 from my laptop nothing else works.

I really dont know where its going wrong

and here i tried a ping from sense 100% loss
https://ibb.co/L5s70SV

Quote from: Gauss23 on October 19, 2020, 06:47:32 PM
And please enable logging for the firewall rule in picture WGRules (press the "i" next to the lightning symbol). This way you should see the traffic in the live log.

Did you enable logging? You should then see the ICMP requests in the live view. If there a no ICMP requests, the client seems to have a problem. You should be able to ping 10.0.7.1 from the client.

I am doing everything as i have been told so far but no luck

I am getting demoralised, so I have installed softether and trying a different solution. it seems that many people have problems with wireguard on OPNsense even in Reddit.

No i have different problems with Softether which ill open a post for

Quote from: Gauss23 on October 20, 2020, 07:38:45 AM

Hi Gauss22, so this is my first attempt to make a network plan for reference. I hope it helps solve the WG issue I am having.

https://ibb.co/ZLx8Hv8
https://ibb.co/x8Ssg1h
https://ibb.co/cvH01Yt

I am not sure under which label i need to check for ICMP in live view, if you could advise I can double check. But for reference the interface on OPNsense shows my home IP which is dynamic and is correct so dont know how it can figure that out if there is not connection at all.

Thanks again.

Are these screenshots still valid?

I took the a few hours ago. they are the latest

also one area which is dubious in my setup is the Interface, some say you dont need it but some say you do. I have tried both and no luck.

Thanks for looking at the post

and this is the nat port forwarding
https://ibb.co/km02pm9

Quote from: rasfar121 on October 22, 2020, 07:43:47 AM
I took the a few hours ago. they are the latest

Hi,

in this screenshot:
https://ibb.co/x8Ssg1h

You still have 10.0.7.1/24 as source but it should be 10.0.7.0/24 as I wrote earlier already. Also please activate logging which is a checkbox within that rule if you already have it open to edit it. You should then see an ICMP request if you ping the 10.0.7.1 from the client (OpenWRT box?).

Maybe you should tell us what you want to do. As I read in your SoftEther post, you want to connect a PlayStation through an OpenWRT box by WireGuard to your OPNsense. And you want to use UPnP to allow the PlayStation to allow ports on the WAN side of the OPNsense?

Sorry my fault i just didnt save it over the file name https://ibb.co/zSqNcV9


I enabled log on wireguard firewall rules

64 bytes from 1.1.1.1: seq=9 ttl=60 time=1.572 ms
^C
--- 1.1.1.1 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.921/1.527/2.436 ms
root@OpenWrt:~# ping 10.0.7.1
PING 10.0.7.1 (10.0.7.1): 56 data bytes
^C
--- 10.0.7.1 ping statistics ---
60 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~# ping 10.0.7.20
PING 10.0.7.20 (10.0.7.20): 56 data bytes
64 bytes from 10.0.7.20: seq=0 ttl=64 time=0.079 ms
64 bytes from 10.0.7.20: seq=1 ttl=64 time=0.069 ms
64 bytes from 10.0.7.20: seq=2 ttl=64 time=0.077 ms
64 bytes from 10.0.7.20: seq=3 ttl=64 time=0.064 ms
64 bytes from 10.0.7.20: seq=4 ttl=64 time=0.067 ms
^C
--- 10.0.7.20 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.064/0.071/0.079 ms
root@OpenWrt:~# ping 10.0.7.1
PING 10.0.7.1 (10.0.7.1): 56 data bytes
^C
--- 10.0.7.1 ping statistics ---
37 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~#

I had to then try and ping form my phone as I wouldnt be able to get live log on opnsense and again failed. and this is what cam up on OPNsense
Interface      Time   Source   Destination   Proto   Label   
wan      Oct 22 06:34:09   200.57.249.15:13089   103.145.2.81:445   tcp   Default deny rule   
wan      Oct 22 06:34:02   45.141.58.74:50334   103.145.2.81:37810   udp   Default deny rule   
lan      Oct 22 06:33:53   103.145.2.13:138   103.145.2.127:138   udp   Default deny rule   
wan      Oct 22 06:33:53   103.145.2.13:138   103.145.2.127:138   udp   Default deny rule   
lan      Oct 22 06:33:53   103.145.2.13:138   103.145.2.127:138   udp   Default deny rule   
wan      Oct 22 06:33:53   103.145.2.13:138   103.145.2.127:138   udp   Default deny rule   
lan      Oct 22 06:33:53   10.1.54.65:138   10.1.54.95:138   udp   Default deny rule   
wan      Oct 22 06:33:53   10.1.54.65:138   10.1.54.95:138   udp   Default deny rule   
lan      Oct 22 06:33:53   10.1.54.65:138   10.1.54.95:138   udp   Default deny rule   
wan      Oct 22 06:33:53   10.1.54.65:138   10.1.54.95:138   udp   Default deny rule   
wan      Oct 22 06:33:47   115.75.217.167:62348   103.145.2.81:445   tcp   Default deny rule   
HCM_SG      Oct 22 06:33:44   172.16.29.2:123   162.159.200.1:123   udp   let out anything from firewall host itself   
wan      Oct 22 06:33:44   143.110.154.112:49765   103.145.2.81:8088   tcp   Default deny rule   
wan      Oct 22 06:33:32   103.145.2.81:40519   1.1.1.1:53   udp   let out anything from firewall host itself (force gw)   
wan      Oct 22 06:33:32   103.145.2.81:16786   1.1.1.1:53   udp   let out anything from firewall host itself (force gw)   
wan      Oct 22 06:33:32   103.145.2.81:64351   1.1.1.1:53   udp   let out anything from firewall host itself (force gw)   
HCM_SG      Oct 22 06:33:31   172.16.29.2:123   194.0.5.123:123   udp   let out anything from firewall host itself   
wan      Oct 22 06:33:25   14.102.94.122:60068   103.145.2.81:445   tcp   Default deny rule   
wan      Oct 22 06:33:22   103.151.47.209:53403   103.145.2.81:445   tcp   Default deny rule





Yes i am trying to connect the PS4 via openwrt to a WG server which then has a tunnel to site B  to access the internet. It is essential that UPnP works as I would not know all UPnP port for all games that I have and sometimes the gaming companies dont actually tell you all the ports used.

Thats why I was so interested to use L2TP as for my experience it has performed the fastest for me, when set up with a cloud VPC compared to WireGuard.

But I appreciate the WireGuiard security and if this can work it would still do the job.

And good morning to you Gauss

I was just thinking about that uPnP stuff you were telling. As uPnP relies on multicast broadcasts which are usually not traversing subnet borders (with multicast proxies it could be possible), you'll need to bridge everything from the client to the WAN port. Your setup seems really complicated.

Wouldn't it be much easier to connect the OpenWRT where the Playstation is connected directly to the site where the WAN IP is? Then you could do some 1:1 NAT from WAN side to the Playstation.

Even with the SoftEther approach you have this OpenVPN connection standing in the way for a working uPnP solution.

Sorry Gauss I sent you a PM