Hello,
just a couple of weeks ago I installed opnsense 21.7.1 (on an IPU675) for my home. Thanks to all who contributed - I really love this firewall!
Also with the help of this forum here, I managed to get things running when I was stuck.
A few days ago I started to segment my LAN into several VLANs (home, work, IoT, guest), again mostly without major problems.
In order to access my internal net from outside I installed and configured wireguard following the steps here https://docs.opnsense.org/manual/how-tos/wireguard-client.html. Without any problems I can access my LAN (192.168.178.1/24) from outside.
But I haven't figured out how to additionally access one (or more) of my VLANs, e.g. VLAN10 = 10.10.10.1/24.
From what I read I guess it has something to do with checking "disable route" and implementing the routes by myself (and a gateway?). But I'm not experienced enough to figure this out by myself....
Can anyone point me to the right direction here?
My server and client configs are attached.
Thanks!
You only need to add an appropriate firewall rule on the WG interface/WireGuard group to allow access to the VLAN IPs as destination, and ensure that on your client device the Allowed IPs also include those IPs.
Thank you Greenlan for the quick reply.
My client conf already has the whole internet allowed:
[Interface]
PrivateKey = xxxxxxxxxxxx=
Address = 10.0.3.4/32, fd61:26bf:22e::4/128
DNS = 192.168.178.1
[Peer]
PublicKey = oOYNtnGYoPlwiEkz4yekmKHkcFqcM3psunRaHQ4et00=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = host.domain.tld:51820
I also have a firewall rule (see attachment) including my VLANs (I think..).
Perhaps I'm blind, but I still can't see an error....
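The first thing the reply above asks for is that the client's AllowedIPs cover the VLAN subnets, and the client config posted here answers that with 0.0.0.0/0, ::/0. The following is an added checker, not from the original thread or from the OPNsense tutorial, that parses a wg-quick style client config, reports which target LAN/VLAN subnets are not covered by any peer's AllowedIPs, and flags a tunnel Address that overlaps a subnet you are trying to reach (which breaks routing regardless of firewall rules). The embedded config is a constructed copy of the one posted above with the same placeholder key material; the function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the client config shape posted in the thread.
# Key material is a dummy placeholder and not usable.
CLIENT_CONF = """\
[Interface]
PrivateKey = xxxxxxxxxxxx=
Address = 10.0.3.4/32, fd61:26bf:22e::4/128
DNS = 192.168.178.1

[Peer]
PublicKey = oOYNtnGYoPlwiEkz4yekmKHkcFqcM3psunRaHQ4et00=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = host.domain.tld:51820
"""

# Constructed split-tunnel variant: only the main LAN routed through the tunnel.
SPLIT_CONF = CLIENT_CONF.replace("AllowedIPs = 0.0.0.0/0, ::/0",
                                 "AllowedIPs = 192.168.178.0/24")


def parse_wg_conf(text):
    """Parse a wg-quick INI-style config into [(section, {key: [values]})].
    Keys may repeat within a section (e.g. several AllowedIPs lines), so
    values are kept as lists. Comments after '#' are stripped."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = (m.group(1), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        # split on the first '=' only: base64 keys end with '=' padding
        key, value = (p.strip() for p in line.split("=", 1))
        current[1].setdefault(key, []).append(value)
    return sections


def _networks(sections, section_name, key):
    """Collect comma-separated CIDRs from `key` in every `section_name` section."""
    nets = []
    for name, kv in sections:
        if name != section_name:
            continue
        for value in kv.get(key, []):
            for cidr in value.split(","):
                cidr = cidr.strip()
                if cidr:
                    # strict=False accepts host-style notation like 10.10.10.1/24
                    nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def uncovered_subnets(conf_text, wanted):
    """Return the subnets in `wanted` that no peer's AllowedIPs fully covers.
    Traffic to an uncovered subnet never enters the tunnel, so no firewall
    rule on the OPNsense side can make it work."""
    allowed = _networks(parse_wg_conf(conf_text), "Peer", "AllowedIPs")
    missing = []
    for cidr in wanted:
        target = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if not any(target.version == n.version and target.subnet_of(n)
                   for n in allowed):
            missing.append(cidr)
    return missing


def address_conflicts(conf_text, wanted):
    """Return (tunnel_address, lan_subnet) pairs that overlap. A tunnel
    Address inside a LAN you are trying to reach makes the peer route
    that LAN into the tunnel and confuses return traffic."""
    addrs = _networks(parse_wg_conf(conf_text), "Interface", "Address")
    conflicts = []
    for addr in addrs:
        for cidr in wanted:
            target = ipaddress.ip_network(cidr, strict=False)
            if addr.version == target.version and addr.overlaps(target):
                conflicts.append((str(addr), cidr))
    return conflicts


if __name__ == "__main__":
    lans = ["192.168.178.1/24", "10.10.10.1/24"]
    for label, conf in (("full tunnel", CLIENT_CONF), ("split tunnel", SPLIT_CONF)):
        print(label, "uncovered:", uncovered_subnets(conf, lans),
              "conflicts:", address_conflicts(conf, lans))
```

With the full-tunnel config from the thread both VLANs are covered and nothing overlaps, which is why the next things to check are the rule placement and the interface assignment rather than the client. The split-tunnel variant shows the case where a VLAN is simply missing from AllowedIPs.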
Don't use the default "Wireguard net" as your source in the firewall rule. Manually specify the subnet or create an alias and use that (probably the latter in your case given you are using both IPv4 and IPv6)
Looking at that more closely, did you create your own WG interface called "Wireguard"? If so I think you have put the rule in the wrong place, ie not on that interface but the default WireGuard group?
I think we are getting closer... Yes, I have both Wireguard and WireGuard listed under Firewall -> Rules. Under Interfaces I only have [Wireguard].
I created the Alias and put it in as source. Then I cloned the rule from WireGuard to Wireguard. But I still have only access to my LAN (192.168.178.1/24) and the whole external internet but not to my VLANs (e.g. 10.10.10.1/24).
Perhaps the following information is helpful: I can ping my opnsense-address in VLAN10 (10.10.10.1) but in the browser I get a timeout.
If you have defined an interface for WG, only create rules on it and use the "net" alias that is automatically generated for it. No need to create your own alias, and remove the rules from the default WireGuard group
Did you create the interface as per the tutorial?
OK. I deleted all rules from the default WireGuard group. I changed the allow rule source for Wireguard to "Wireguard net". No change.
I then also cloned the rule twice to also use "WireGuard net" and my own alias -> no change.
And yes, I followed the tutorial. (and everything works perfectly - except the access from wireguard to my VLANs...)
BTW, when I try to browse to 10.10.10.1 and I go to Firewall -> Log -> Live View with filter "dst=10.10.10.1" there are no hits.
Really no idea, then, sorry. All works fine for me with multiple VLANs, and I wrote that tutorial accordingly.
Try stopping and starting WG to see if it makes any difference.
Thank you very much for all your suggestions (and of course for the tutorial!). I will try to restart WG later and report back.
I just enabled logging for the accept rule and yes, traffic seems to be accepted:
__timestamp__ Aug 30 14:16:11
ack
action [pass]
anchorname
datalen 0
dir [in]
dst 10.10.10.1
dstport 443
ecn
id 0
interface wg0
interface_name Wireguard
ipflags DF
ipversion 4
label Allow WireGuard Traffic
length 64
offset 0
protoname tcp
protonum 6
reason match
rid eb8d0ac1c8fd688944b7a41aaae03423
rulenr 151
seq 3312224199
src 10.0.3.4
srcport 57998
subrulenr
tcpflags S
tcpopts
tos 0x0
ttl 64
urp 65535
So you are trying to access the OPNsense webgui? Is it even listening on that VLAN interface?
Finally, it's working!
I still don't know what was wrong. After several approaches I decided to remove the WG interface and started over at step 5 of the tutorial. And now I have access to my VLANs.
Can it be that it is important to assign the interface AFTER creating the VLANs?
Anyway, thank you again for your support. Sometimes it even helps when a guru says that it should work...