OPNsense Forum

English Forums => Virtual private networks => Topic started by: yeraycito on May 01, 2021, 07:09:10 pm

Title: Wireguard k-mod without lan access
Post by: yeraycito on May 01, 2021, 07:09:10 pm
Install wireguard:  https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

The connection to the wireguard client is perfect and I have access to the internet via wireguard.

Firewall: Rules: Wireguard    Source: Wireguardnet    allow all

Firewall: Rules: Wg           Source: Wgnet           allow all

Smartphone WireGuard client: WireGuard active + data connection:

 - Internet access: OK
 - Access to shared folder on LAN computer: OK
 - File download to shared folder: error message saying there is no internet.
 - Access to NAS IP on LAN: not connecting

Smartphone WireGuard client: WireGuard active + local Wi-Fi connection:

 - Internet access: OK
 - Access to shared folder on LAN computer: OK
 - File download to shared folder: OK
 - Access to NAS IP on LAN: not connecting

Title: Re: Wireguard k-mod without lan access
Post by: Greelan on May 02, 2021, 12:02:36 am
If you have more than one local WG config (wg0, wg1 etc) or more than one endpoint (peer) on OPNsense, better not to use the default “Wireguard net” in the FW rules but instead create your own alias for the tunnel network and use that instead. See 2b of https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Title: Re: Wireguard k-mod without lan access
Post by: yeraycito on May 02, 2021, 02:00:37 am
Hello, I only have one local WG config and one endpoint (peer).

I have two shared folders, one on a computer and one on a nas all on the same local network. With wireguard deactivated, I can access these two shared folders via the client through shared smb without any problems. If I activate wireguard on the client I can access the shared folder on the computer both via wifi and data connection without problems but I can't access the shared folder on the nas.
Title: Re: Wireguard k-mod without lan access
Post by: Greelan on May 02, 2021, 02:12:31 am
Sounds like an issue on the NAS? E.g. you are restricting IPs through “hosts allow” or “hosts deny” in the Samba conf, or the firewall on the NAS is blocking the tunnel network?
Title: Re: Wireguard k-mod without lan access
Post by: yeraycito on May 02, 2021, 02:28:57 am
The NAS is not the problem. Here is another example. The NAS can be accessed via a browser. From the computer on the same local network I can access the NAS without any problems. With the smartphone connected to the Wi-Fi on the local network I can access the IP of the NAS without problems. If I activate WireGuard I can't access the NAS IP, but I can access the shared folder on the computer.
Title: Re: Wireguard k-mod without lan access
Post by: Greelan on May 02, 2021, 03:04:09 am
OK. Couple of suggestions. For my road warrior setup (ie remote clients connecting into OPNsense WG) I haven’t bothered setting up a separate interface and have just configured the FW rules on the default Wireguard group. BUT I have defined an alias for my tunnel network and have used that in the FW rule and the outbound NAT rule. I can use this setup to access my LAN and to go out to the internet via the tunnel (although the latter is slow, dunno whether it might be better with an interface defined - I pretty much only use this setup to access the LAN).

Alternatively if you have set up an interface I suggest putting your FW rules in that only (not the Wireguard group) BUT still using your own alias for the tunnel network. In your case I expect WGnet does not contain anything as the WG interface you have defined is not configured with any IPs.
Title: Re: Wireguard k-mod without lan access
Post by: yeraycito on May 02, 2021, 03:43:36 am
A suggestion. It is not necessary to create exit rules to access the internet with WireGuard. You can leave the rules in Firewall - NAT - Outbound on automatic. OPNsense creates them automatically. That works if you have created the interface for WireGuard in OPNsense. In my case I have it created. I have created an alias (Networks) with the WireGuard network. In Firewall - Rules - Wg I create a rule with source the created alias. In Firewall - Rules - Wireguard I don't have any rule. It does not work. I access the shared folder on the computer but not the NAS. I have deleted that alias and created another, URL (IPs), with the IP of the WireGuard client. It does not work. I access the shared folder on the computer without problems but not the NAS.

Title: Re: Wireguard k-mod without lan access
Post by: yeraycito on May 02, 2021, 03:53:39 am
Solved. In the end the problem was the NAS firewall. I have deactivated it and it is working.
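The thread's outcome (the NAS's own host firewall only trusted the LAN subnet, so SMB from the tunnel network died on the NAS while the computer's share kept working) and Greelan's earlier warning about an alias that resolves to nothing can both be shown with a small model of the packet path. The following is an added example written for this page, not code from the thread, OPNsense or the NAS vendor; the addresses, the alias contents and the NAS rule set are all constructed assumptions, and the "fixed" case extends the NAS allow list to the tunnel network instead of switching its firewall off, which is the narrower mitigation a defender would prefer to what the original poster did.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed addressing (the posts give none): a /24 tunnel net and a /24 LAN.
TUNNEL_NET = ipaddress.ip_network("10.10.10.0/24")   # the tunnel-network alias
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WG_CLIENT = ipaddress.ip_address("10.10.10.2")       # smartphone over WireGuard
LAN_PC = ipaddress.ip_address("192.168.1.50")        # a PC sitting on the LAN
SHARE_PC = ipaddress.ip_address("192.168.1.20")      # computer with the SMB share
NAS = ipaddress.ip_address("192.168.1.30")           # the NAS


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    # None = any source. An empty list models an alias that resolved to no
    # members: like an empty pf table it matches no packet at all.
    sources: Optional[List[ipaddress.IPv4Network]] = None


@dataclass(frozen=True)
class HostFirewall:
    rules: List[Rule]
    default: str = "block"               # what happens when nothing matched


NO_HOST_FIREWALL = HostFirewall(rules=[], default="pass")


def evaluate(rules: List[Rule], src, default: str) -> str:
    """First-match evaluation (OPNsense GUI rules are 'quick' by default)."""
    for rule in rules:
        if rule.sources is None or any(src in net for net in rule.sources):
            return rule.action
    return default


def reachable(src, dst, fw_rules: List[Rule],
              hosts: Dict[ipaddress.IPv4Address, HostFirewall]) -> bool:
    """Traffic between the tunnel and the LAN crosses the OPNsense interface
    rules; traffic staying inside the LAN never does. Either way the
    destination's own host firewall gets the final say."""
    crosses_opnsense = src not in LAN_NET or dst not in LAN_NET
    if crosses_opnsense and evaluate(fw_rules, src, "block") != "pass":
        return False
    host_fw = hosts.get(dst, NO_HOST_FIREWALL)
    return evaluate(host_fw.rules, src, host_fw.default) == "pass"


# OPNsense interface rule "source <tunnel alias>, allow all", as in the thread.
WG_IFACE_RULES = [Rule("pass", [TUNNEL_NET])]
# The same rule, but with an alias that contains nothing (Greelan's warning).
EMPTY_ALIAS_RULES = [Rule("pass", [])]

# Host firewalls: the computer has none; the NAS trusts only its own LAN.
HOSTS_AS_REPORTED = {NAS: HostFirewall([Rule("pass", [LAN_NET])])}
# Narrower fix: let the NAS also accept the tunnel network, firewall stays on.
HOSTS_FIXED = {NAS: HostFirewall([Rule("pass", [LAN_NET, TUNNEL_NET])])}


def scenario(fw_rules: List[Rule], hosts) -> Dict[str, bool]:
    """Reachability of both shares from the tunnel client and from a LAN PC."""
    return {
        "wg->share_pc": reachable(WG_CLIENT, SHARE_PC, fw_rules, hosts),
        "wg->nas": reachable(WG_CLIENT, NAS, fw_rules, hosts),
        "lan_pc->nas": reachable(LAN_PC, NAS, fw_rules, hosts),
    }


if __name__ == "__main__":
    print("as reported :", scenario(WG_IFACE_RULES, HOSTS_AS_REPORTED))
    print("empty alias :", scenario(EMPTY_ALIAS_RULES, HOSTS_AS_REPORTED))
    print("NAS fixed   :", scenario(WG_IFACE_RULES, HOSTS_FIXED))
```

The "as reported" case reproduces the symptom exactly: the OPNsense rule passes the client to both hosts, the share on the computer answers, and only the NAS drops the tunnel source because it is outside the LAN subnet it trusts, while a LAN PC reaches the NAS fine. The "empty alias" case shows why the alias must actually contain the tunnel network: with no members the rule matches nothing and the client reaches neither host. Adding the tunnel network to the NAS allow list restores access while keeping the NAS firewall in place.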
Title: Re: Wireguard k-mod without lan access
Post by: Greelan on May 02, 2021, 03:54:44 am
Tried restarting WireGuard? Otherwise I am out of suggestions. I can access everything on the LAN/VLANs that I have configured the remote peers to access.
Title: Re: Wireguard k-mod without lan access
Post by: Greelan on May 02, 2021, 03:55:38 am
Quote from: yeraycito on May 02, 2021, 03:53:39 am
Solved. In the end the problem was the NAS firewall. I have deactivated it and it is working.

LOL. I might have mentioned that earlier...
Title: Re: Wireguard k-mod without lan access
Post by: yeraycito on May 02, 2021, 03:57:58 am
It is a very basic firewall with very simple rules. I didn't imagine that's what it was. Thank you very much for your help and your interest.
Title: Re: Wireguard k-mod without lan access
Post by: Greelan on May 02, 2021, 02:40:30 pm
Quote from: yeraycito on May 02, 2021, 03:43:36 am
A suggestion. It is not necessary to create exit rules to access the internet with WireGuard. You can leave the rules in Firewall - NAT - Outbound on automatic. OPNsense creates them automatically. That works if you have created the interface for WireGuard in OPNsense.

I have added an interface to my setup for testing and see that OPNsense does add the tunnel addresses from the WG Local config to that interface, and that those addresses are indeed added to the automatic outbound NAT rule, but only for IPv4. In my case my tunnel also uses IPv6 ULAs and so I need an additional outbound NAT rule for IPv6.
Title: Re: Wireguard k-mod without lan access
Post by: yeraycito on May 02, 2021, 05:51:16 pm
Hi, I don't have IPv6 enabled on any interface, so I don't have that problem.