I've set WG up before, running directly on an Ubuntu server, but I'm a little unclear about how a few things work when doing it on OpnSense.
I'm running OpnSense on an older 4 port Protectli appliance. I'm using it just as a network appliance to run useful network services for me, for instance, as a separate gateway for VPN connectivity. And trying to move my WG peer off of my Ubuntu server onto it.
So, things I'm not clear on:
- When I install wg, and turn it on, I get 2 Interfaces, one I name, and one default called Wireguard. what I've read says you apply firewall rules to the one called Wireguard (and not to name yours Wireguard because of that auto created one- I name the one I can to wg or wg0 usually). I've been running all my services on a single port to this point, am I able to bind wg to the existing nic? It sorta seems like I can't, at least from the GUI, since OpnSense won't let me bind either wg interface to the nic port, since it's already got the LAN interface bound to it? Or do I not need to worry about that, i.e. it'll just be bound against the active port, I'm not seeing a way to specify an actual IP or interface for it to listen on so...?
- In trying to get this working, the binding confusion I had above, made me decide to try putting it on a different NIC port, dedicated just for it, and that NIC port, I'll put attach to a switch port in a different VLAN entirely, just to support WG operations. But of course, as I said earlier, I'm not quite clear if/how I can bind it, or which one of the two interfaces wireguard interfaces I should be binding (through the Assign screen) directly to the NIC port. I've been getting some really weird behaviors when I bind the interface I named (which I usually call wg or wg0) directly to it's own port, but I've been trying enough things to make this work, it could be I had a mis-configuration elsewhere.
- I need to go back and review setups, but I'll ask here again anyway. Assuming I have wg running against the same interface/port as everything else, do I assume I need to allow that port (the 51820, I just use that one) at both the normal interface firewall rules and the Wireguard interface rules for clients to connect, or just the actual interface bound to the nic port?
The guides I've been following to get it running on OpnSense haven't quite fit, since OpnSense isn't running as my edge router/firewall, and I've been trying to fit what's going on into what I had to do to get it setup on Ubuntu, but it doesn't seem to be falling into place for me, so any help is appreciated!
Thanks!
Well, I went through my setup from zero (uninstall WG, re-install, reconfigure everything) and it worked this time. I'm not sure what I did differently, if anything.
It does seem just leaving IP stuff empty on the named interface that's bound to the network device is fine, and I guess the device, wg0, just uses default routes? I might try and figure out how to get it to bind to a different nic later, but I'm not worried about it right this moment.
I did forget I needed a firewall outbound allow rule on the Wireguard ruleset to get traffic to go beyond local; I hadn't gotten as far as even successful handshakes in the past, so I hadn't worried about outbound connections until now. Once I dropped that rule in, the last part started working as I wanted.
Glad you got it working.
This thread (https://forum.opnsense.org/index.php?topic=22778.0) will help explain what the default "Wireguard" is (tldr; it is an interface group, not an interface).
You can't/don't "bind" the wgX interface to a NIC.