My first week as an OPNsense user, and it's been such a pleasure. I've finally decided to try to set a VPN client running and routing all traffic using it. iVPN has been super fast and I've been quite happy with them when I still used OpenWRT.
I did follow their guide at https://www.ivpn.net/setup/router/opnsense and got the connection running. I can blast a whopping 700-800 Mbit/s with my new router through the VPN. Ifconfig.co answers and tells me I'm coming from the VPN IP address.
The problem is that many websites just block me or are very slow. At first I thought the big providers just block VPN CIDR spaces, but just a week ago I was still using the same VPN servers with OpenWRT without any trouble with sites.
I contacted iVPN support and they were happy to tell me their MTU recommendation of 1420 might cause trouble, and I've tried lowering it down to 1300 without really getting anything to work.
Did I miss something when reading the guide, or does the latest release, 21.1, have some problems with WireGuard? One thing I'm considering too would be to just let one IP address from the home network go through the VPN bridge while the others could still run from WAN. The problem is that if I set an Outbound NAT from network address 10.0.0.8/32 to go to the WireGuard interface, the whole network just stops working for anything outside the home NAT. Heh, as you can see I'm still learning networking and it's new territory for me, so please don't mind if you see me doing something completely stupid here!
To have one IP only go through the tunnel, you need to Disable Routes in the WG config, and then have a FW rule for that IP that specifies the WG gateway as the one it uses (under Advanced).
Under your current setup, the WG gateway is the default gateway for everything, but only the one IP is being NAT'd outbound.
Is it enough if I just disable the routes and set a free gateway IP from my network in the WireGuard config? And is that FW rule then for the outbound NAT, or in which table should I set it?
Sorry for the stupid questions; my interest has been in software development, and I'm fairly new to networking and all the terms. I'm interested to learn though...
Essentially right. The FW rule goes on the LAN interface.
Check out posts 4 and 8 in this thread: https://forum.opnsense.org/index.php?topic=20413.0
For now I just went with an OpenVPN setup. I talked with IVPN support, who actually installed the latest OPNsense and configured a connection using their own instructions (https://www.ivpn.net/setup/router/opnsense). They also noticed that many websites just don't load when using the VPN connection. If you try to connect from Linux, the connections work fine. They also tried different MTU values (1412, 1300, 500, and many more), and MTU and MSS values on the OPNsense WAN interface directly, with no effect.
I didn't try WireGuard with older OPNsense versions, or any other provider, so I can't really say whether this is a problem in the system or somewhere else.
I was curious about this, so I wanted to try for myself. I got an IVPN subscription and followed their guide. The handshakes are good and I get a connection going, but I experience the exact same issues described here: the speed seems slower (100 Mbps, while I get just over 200 Mbps using the app with WireGuard) and a lot of domains (duckduckgo.com, YouTube.com, iCloud.com) just will not load.
I tried MTU values of 1412, 1380 and 1280. I also tried using their regular DNS and the AntiTracker standard DNS, with the same result: the domains still won't load.
Hardware: Qotom Q575g6
I reached out to IVPN support, and I managed to fix the weird issue with websites not loading. I will quote from the email:
Quote
There might be a solution to the odd website block using a router with a WireGuard connection. It involves changing the MSS value of the LAN adapter in the router.
On your OPNSense, disconnect from the WireGuard server, navigate to `Interfaces` - `LAN`, set the `MSS` value to `1300`, and apply the changes. Once applied, reconnect to the WireGuard server, refresh the DHCP lease on your computer (simply reconnecting it to the router works too) and check if the problem persists.
It might be possible to fine-tune the MSS value by adding multiples of eight to the MSS value (1308, 1316, 1324, etc.), though do not exceed 1412.
Thank you for reaching out to them; they contacted me and gave me these instructions:
Set LAN interface MSS value to 1412. Leave MTU empty, WAN MTU and MSS empty and the local WireGuard connection MTU setting empty. Might need to reboot, but with these settings I'm now getting a whopping 700-900 Mbps through my cable connection, which is not much less than I'd do without VPN.
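The two posts above both arrive at the same fix (clamp MSS on the LAN interface) with different numbers. The following is an added illustration of the arithmetic behind it; it is not code from the thread, from iVPN or from OPNsense. It assumes standard IPv4/IPv6/UDP/TCP header sizes, the 32-byte WireGuard data-message overhead (type, reserved, counter, Poly1305 tag), and that the OPNsense interface `MSS` field clamps TCP MSS to the entered value minus 40, as the OPNsense interface documentation describes; that last point is treated here as an assumption. It shows why a LAN client's default MSS of 1460 does not fit a WireGuard tunnel on a 1500-byte WAN (so the client depends on PMTUD working), and which field values give a segment that fits in every IPv4/IPv6 combination.

```python
# Added example: MTU/MSS arithmetic for a WireGuard tunnel behind OPNsense.
# Header sizes are standard; the OPNsense "MSS field minus 40" rule is an
# assumption based on the interface documentation, not verified against code.

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
TCP_HEADER = 20
# WireGuard transport data message: 4 type + 4 reserved + 8 counter + 16 auth tag
WIREGUARD_OVERHEAD = 32


def wireguard_tunnel_mtu(wan_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest inner packet that fits in one outer WireGuard UDP datagram."""
    outer_ip = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    return wan_mtu - outer_ip - UDP_HEADER - WIREGUARD_OVERHEAD


def max_mss(path_mtu: int, inner_ipv6: bool = False) -> int:
    """Largest TCP payload per segment that fits a given path MTU."""
    inner_ip = IPV6_HEADER if inner_ipv6 else IPV4_HEADER
    return path_mtu - inner_ip - TCP_HEADER


def opnsense_effective_mss(field_value: int) -> int:
    """Assumption: the OPNsense interface 'MSS' field clamps MSS to (value - 40)."""
    return field_value - 40


def segment_fits(mss: int, path_mtu: int, inner_ipv6: bool = False) -> bool:
    """True if a full segment with this MSS never needs fragmentation on the path."""
    return mss <= max_mss(path_mtu, inner_ipv6)


def analyse(field_value: int, wan_mtu: int = 1500, client_mss: int = 1460) -> dict:
    """Compare an unclamped LAN client with the clamp a given OPNsense MSS field gives.

    For every outer/inner IP version combination, report the tunnel MTU, the largest
    MSS that fits it, and whether the client's default MSS and the clamped MSS fit
    without relying on fragmentation or ICMP "packet too big" reaching the client.
    """
    clamped = opnsense_effective_mss(field_value)
    result = {"field_value": field_value, "clamped_mss": clamped, "cases": {}}
    for outer6 in (False, True):
        tunnel = wireguard_tunnel_mtu(wan_mtu, outer6)
        for inner6 in (False, True):
            key = f"outer_ipv{6 if outer6 else 4}_inner_ipv{6 if inner6 else 4}"
            result["cases"][key] = {
                "tunnel_mtu": tunnel,
                "max_mss": max_mss(tunnel, inner6),
                "unclamped_fits": segment_fits(client_mss, tunnel, inner6),
                "clamped_fits": segment_fits(clamped, tunnel, inner6),
            }
    return result


if __name__ == "__main__":
    # The two field values reported in the thread, on a 1500-byte WAN link.
    for value in (1300, 1412):
        report = analyse(value)
        print(f"MSS field {value} -> effective clamp {report['clamped_mss']}")
        for case, info in report["cases"].items():
            print(f"  {case}: tunnel MTU {info['tunnel_mtu']}, max MSS {info['max_mss']}, "
                  f"client 1460 fits={info['unclamped_fits']}, clamped fits={info['clamped_fits']}")
```

With a 1500-byte WAN the tunnel MTU is 1440 over IPv4 and 1420 over IPv6 (the latter is why 1420 is the usual WireGuard default), so an unclamped client sending 1460-byte segments never fits and the connection only survives if PMTUD works end to end. A field value of 1300 (effective 1260) fits every combination; 1412 (effective 1372) fits unless both the outer and inner packets are IPv6, where the limit is 1360.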
Cool. I'm gonna empty the Local Configuration MTU after reading this. 8)
Btw, is IVPN the only provider that has trouble with the default MSS/MTU values? Should there be some defaults set automatically?
I just want to say a f*cking huge thank you for suggesting the MSS value to be changed to 1300.
I've set up a WireGuard server myself, and what was strange is that when I connected to WireGuard with a WG client on Ubuntu or Windows, everything was fine, but when I connected through OPNsense, I couldn't connect to my company's VPN server or to some of the websites. Now everything works as it should, so thank you thank you <333333333333333333333