I am currently running OPNSense 21.7.5 with the Wireguard kernel driver and I'm having some issues with the connection speed.
My current configuration looks something like this:
[Public IP] --mysite.example--> [VPS] ==WireguardTunnel== [OPNSense] --localhost--> [Nginx ReverseProxy]
Unfortunately, I am double-NATed and I would like to keep all my HTTP certs local, so this is the way I would like to handle any traffic.
My Wireguard Road Warrior has no problems. My phone/laptop/etc. have no problem connecting to the VPN and having access to all my services. It is just public traffic that has any problems.
There are no dropped packets, everything is routed correctly, but the speed is very slow (~6kbps). Using tcpdump, you can actually see the traffic "stall" for about a quarter of a second waiting for a response from Nginx for each group of packets.
One solution, which I don't like, is to masquerade any traffic from the VPS over the VPN, causing all the traffic to appear as though it is coming from the VPS directly. With this, I lose the ability to see IP logs in Nginx, but it does fix the speed problem.
Another solution is to have a pseudo-allow list in the route table. Adding the source IP to be routed out the VPN gateway causes it to work, but this is just a hack.
To recap, my Wireguard setup works, but public traffic is very slow (6kbps). I do know hard-coding the routes fixes the issue, and that I need a reply-to rule to get the public traffic to "work" without a hard-coded route, but again this is the slow option (6kbps). Masquerading the traffic to appear from the VPS also works, but it is undesirable.
With all this, I believe the problem lies within the routing, but I don't have the knowledge to dig much deeper than I already have.
I am unsure if the problem is with OPNSense or FreeBSD. If I had to guess, I would think this might be a FreeBSD issue, but I think other people have had similar setups without much issue.
I would be happy with any advice or troubleshooting anyone could provide. I would also be happy to clarify anything further.
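The quarter-second stalls described above can be measured rather than eyeballed. The following is an added example, not part of the original post: it parses the text output of tcpdump (assumed to have been run as `tcpdump -tttt -n -i <interface> port 443` on the OPNsense or Nginx side, so each line carries a full timestamp) and, for every reply the local service sends, reports how long it came after the client's latest packet on that flow. The sample capture lines, the client address 203.0.113.5 and the service address 10.0.0.2:443 are constructed for the example.

```python
"""Find request->response stalls in tcpdump text output (added example)."""
import re
from datetime import datetime

# tcpdump -tttt -n prints: "YYYY-MM-DD HH:MM:SS.ffffff IP src.port > dst.port: ... length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*length (?P<len>\d+)"
)


def parse(lines):
    """Yield one dict per parseable tcpdump line; non-matching lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "src": (m["src"], int(m["sport"])),
            "dst": (m["dst"], int(m["dport"])),
            "len": int(m["len"]),
        }


def find_stalls(lines, server, threshold=0.2):
    """Return [(client, gap_seconds), ...] for every reply from `server`
    that arrived more than `threshold` seconds after the latest packet the
    client sent on that flow. `server` is the (ip, port) of the local service.

    A burst of client packets followed by one late server packet (the "group
    of packets" stall in the post) yields a single entry per burst.
    """
    last_client_pkt = {}  # client (ip, port) -> timestamp of its latest packet to the server
    stalls = []
    for pkt in parse(lines):
        if pkt["dst"] == server:
            last_client_pkt[pkt["src"]] = pkt["ts"]
        elif pkt["src"] == server and pkt["dst"] in last_client_pkt:
            gap = (pkt["ts"] - last_client_pkt.pop(pkt["dst"])).total_seconds()
            if gap > threshold:
                stalls.append((pkt["dst"], round(gap, 3)))
    return stalls


# Constructed sample capture: a TLS handshake start where the server's ACK to
# the second client segment is delayed by ~250 ms, then a prompt ACK.
SAMPLE = """\
2021-11-17 03:04:11.000000 IP 203.0.113.5.51234 > 10.0.0.2.443: Flags [S], seq 0, win 64240, length 0
2021-11-17 03:04:11.001000 IP 10.0.0.2.443 > 203.0.113.5.51234: Flags [S.], seq 0, ack 1, win 65160, length 0
2021-11-17 03:04:11.002000 IP 203.0.113.5.51234 > 10.0.0.2.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
2021-11-17 03:04:11.003000 IP 203.0.113.5.51234 > 10.0.0.2.443: Flags [P.], seq 518:1035, ack 1, win 502, length 517
2021-11-17 03:04:11.254000 IP 10.0.0.2.443 > 203.0.113.5.51234: Flags [.], ack 1035, win 510, length 0
2021-11-17 03:04:11.255000 IP 203.0.113.5.51234 > 10.0.0.2.443: Flags [P.], seq 1035:1552, ack 1, win 502, length 517
2021-11-17 03:04:11.260000 IP 10.0.0.2.443 > 203.0.113.5.51234: Flags [.], ack 1552, win 510, length 0
""".splitlines()

if __name__ == "__main__":
    for client, gap in find_stalls(SAMPLE, ("10.0.0.2", 443)):
        print(f"{client[0]}:{client[1]} waited {gap}s for a reply")
```

Feed it a real capture with `find_stalls(open("capture.txt"), ("10.0.0.2", 443))`; a long list of roughly equal gaps on one flow is the signature the post describes, and comparing the output with a capture taken while the masqueraded or hard-coded-route variant is active shows whether the stall disappears on the tunnel side or only on the Nginx side.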
So you are port forwarding through the WG VPN?
If so (and this may be totally not related), maybe you are hitting the reply-to issue for which there is a solution here (https://github.com/opnsense/core/issues/4389#issuecomment-865349224)
Quote from: Greelan on November 17, 2021, 03:04:11 AM
So you are port forwarding through the WG VPN?
If so (and this may be totally not related), maybe you are hitting the reply-to issue for which there is a solution here (https://github.com/opnsense/core/issues/4389#issuecomment-865349224)
I am port forwarding through a WG VPN, but my current issue is not the same as that GitHub issue. I did come across that issue before and it fixed my routing issue, but now it's a problem of speed.