So, I have a Wireguard VPN setup and somewhat working.
Opnsense, the Unraid server, and other hosts on the LAN will respond to pings, and their webpages are accessible through the tunnel. Going to smb://10.10.x.y (Unraid server ip address) through the tunnel shows the available SMB shares, and they seem to work and be fairly responsive.
However simply going to "Network" in the file explorer to see available network resources finds nothing, and neither do network drives mapped to locations specified as: smb://hostname.local/sharename. Ideally access to network resources would work when connected via VPN just as they do when connected on the LAN.
From my research this is likely because network discovery relies on layer 2 broadcasts which can't get through the Wireguard tunnel. My research hasn't turned up a workaround for this. Is automatic network resource discovery just not possible through a Wireguard tunnel? Any clues on this front would be greatly appreciated.
Not sure if this is related but connected clients are also unable to get internet access through the tunnel. I've gone through the OPNSense Road Warrior and the homenetworkguy.com guides, and double checked everything including that Wireguard is on Unbound's ACL list, but no joy.
I don't use wireguard but OpenVPN, so let me explain a little thing: There are two interface modes: TUN and TAP. An interface in TUN mode transports L3 (IP) traffic to the other endpoint. There is no L2 encapsulation. This avoids unnecessary traffic, as you don't want broadcasts etc. going over the line permanently. It is also more efficient. Then there is the TAP mode, which transfers L2 frames, as would happen if you attached an Ethernet cable. This mode also transports broadcasts / multicasts such as service discovery features.
To make that work, you will likely have to get two things done:
1) Run the VPN in TAP mode
2) Relay the Multicast / Broadcast packets
I guess you have to find out how you can use a TAP device in wireguard first.
On the other hand:
Your network should work without zeroconf etc.
Suggestion:
When you are directly connected to the LAN, are you able to see network resources then, by simply going to 'Network'?
Does your DNS resolution work for hosts on the LAN (can you 'ping unraid-server', by hostname?)
Do you have static mapping of the IP Address of the Unraid server?
Which DNS service are you using? Unbound? There is a setting for 'Register DHCP static mappings' - is this checked?
I am not sure how Network Discovery in Windows works. Does it not rely on broadcast traffic? I do not think broadcast traffic can traverse different networks / subnets. Probably you will have to make sure to enable NETBIOS or something in Unraid, and then use the OPNsense as a NETBIOS server, so that it can announce stuff on your WG interface to your 'Windows Network Discovery' devices.
Internet through the WireGuard tunnel; a quick check can be:
can you ping 1.1.1.1?
can you ping microsoft.com?
If you cannot ping microsoft.com, but you can ping 1.1.1.1, then you have a DNS issue; otherwise, as I see it, "internet" is working just fine (or, at least, the ICMP protocol is allowed ping & pong).
Do you have any rules on your WireGuard interface? For further troubleshooting on this matter I would suggest a rule where you enable logging on the interface to see what's up.
What type of Outbound NAT do you have?
Thanks for the replies and the input.
When directly connected to the LAN, yes, network resources can be seen by browsing to "Network" in the file explorer. Yes, hosts respond to ping requests when using their hostname.
Yes static mappings are setup for the Unraid server and several other hosts on the network. Yes "Register DHCP static mappings" is checked.
It does seem that NETBIOS doesn't propagate across different subnets, was hoping for some sort of replacement or workaround to still get discovery working.
I made a little progress on the internet issue. The two clients Wireguard is being tested with are an android phone and a linux laptop.
There's a firewall rule for the Wireguard VPN interface (WG_VPN) which passes traffic from source "WG_VPN net" to destination "any". With the android phone this seems to work just fine both for accessing the LAN and the internet. With the laptop however it can't seem to get to anything. If I change the destination to "LAN net" I can access LAN hosts but not the internet. In neither case do hostnames seem to work.
WG is purely layer 3
Post configs for OPNsense and your laptop so the internet access issue can be troubleshot
Do you know what the DNS server of the Android phone is using? How is it possible that 'internet seems to work for Android phone', but you are not able to ping any hostnames (microsoft.com / google.com)?
You have remembered to NOT use / define the "DNS server" in the WireGuard configuration (as it would break DNS settings?)
Can you ping the local IP address with the peer used for the laptop? e.g. the WG interface.
On your laptop, you are unable to access https://google.com, but https://1.1.1.1 works? Then it is a DNS issue. ..
As Greelan says, post configurations.
:)
Thank you all for your input and questions. Forcing me to go back through stuff helped. I think the internet part is resolved. But in the interest of completeness here is the behaviour I was getting:
(screenshot: https://i.ibb.co/QXQ5ZXx/Screenshot-20220109-000431.png)
The problem on the linux laptop was that I had somehow set a gateway in the wireguard config. Deleting it caused everything to line up with the android phone.
On the SMB side, just to confirm, there's no way to get host resolution for SMB shares working through a wireguard tunnel? There's not a server or relay or some other magic that can be put in place to bridge the necessary L2 traffic across the subnets?
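The questions in this post, and the earlier "WG is purely layer 3" reply and the ping 1.1.1.1 / ping microsoft.com check, come down to one rule: a WireGuard peer only ever receives the packets whose destination falls inside its AllowedIPs (longest prefix wins), and the wg interface is a point-to-point link with no broadcast or multicast domain. The script below is an added illustration of that rule, not code from this thread, OPNsense or WireGuard. It parses a wg-quick style client config and reports, for a handful of destinations, which peer would carry the packet, whether the configured DNS server is even reachable through the tunnel (the reason LAN hostnames stop resolving), and why NetBIOS, mDNS and WS-Discovery queries cannot be flooded to the LAN. Every address, key and hostname in it is a constructed placeholder; the sample configs are made up and do not reproduce anyone's actual setup.

```python
"""Added example: apply WireGuard cryptokey routing to a wg-quick client
config and explain what reaches the tunnel. Not code from the forum thread,
OPNsense or WireGuard; all values below are constructed placeholders."""
import ipaddress
import re

# Constructed split-tunnel client config (only the LAN and the VPN subnet go
# through the tunnel). The DNS server is assumed to be Unbound on OPNsense.
SPLIT_TUNNEL = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.20.0.2/32
# constructed: resolver on the LAN side of the tunnel
DNS = 10.10.0.1

[Peer]
PublicKey = OPNSENSE_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.10.0.0/24, 10.20.0.0/24
"""

# Same peer, but with a default route through the tunnel, which is what
# "internet via the VPN" requires on the client side.
FULL_TUNNEL = SPLIT_TUNNEL.replace("AllowedIPs = 10.10.0.0/24, 10.20.0.0/24",
                                   "AllowedIPs = 0.0.0.0/0")


def parse_wg_config(text):
    """Return (interface, peers): dicts keyed by lower-cased option name."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            name = header.group(1).lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed or misplaced option: {line!r}")
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return interface, peers


def allowed_networks(peer):
    """AllowedIPs of one peer as ip_network objects (missing means none)."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in peer.get("allowedips", "").split(",") if c.strip()]


def select_peer(peers, dest):
    """Cryptokey routing: the peer owning the most specific AllowedIPs entry
    that contains dest. None means the packet never enters the tunnel."""
    addr = ipaddress.ip_address(dest)
    best = None  # (peer index, prefix length)
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1]:
                    best = (idx, net.prefixlen)
    return None if best is None else best[0]


DESTS = {  # labels are constructed; the LAN host address is made up
    "LAN host by IP (smb://10.10.0.20)": "10.10.0.20",
    "public resolver 1.1.1.1": "1.1.1.1",
    "NetBIOS name query (limited broadcast)": "255.255.255.255",
    "mDNS, used for hostname.local": "224.0.0.251",
    "WS-Discovery (Windows Network browsing)": "239.255.255.250",
}


def tunnel_report(text):
    """Return ({label: peer index or None}, [findings]) for a client config."""
    interface, peers = parse_wg_config(text)
    routes = {label: select_peer(peers, ip) for label, ip in DESTS.items()}
    findings = []
    full = any(n.prefixlen == 0 for p in peers for n in allowed_networks(p))
    findings.append("full tunnel: internet traffic enters the tunnel" if full
                    else "split tunnel: only AllowedIPs enter the tunnel; "
                         "internet uses the client's local uplink")
    dns = interface.get("dns")
    if dns is None:
        findings.append("no DNS= line: the client keeps its local resolver, "
                        "which does not know LAN hostnames")
    elif select_peer(peers, dns.split(",")[0].strip()) is None:
        findings.append(f"DNS={dns} lies outside every AllowedIPs: lookups "
                        "leave via the local network, so LAN hostnames will "
                        "not resolve over the VPN")
    else:
        findings.append(f"DNS={dns} is reached through the tunnel")
    # A wg interface is point-to-point with no broadcast/multicast domain, so
    # discovery queries are not flooded onto the LAN even when AllowedIPs
    # would match them (full tunnel); the far side needs a relay, or clients
    # use smb://IP directly.
    findings.append("broadcast/multicast discovery does not cross an L3 "
                    "point-to-point tunnel; relay it or address shares by IP")
    return routes, findings


if __name__ == "__main__":
    for name, cfg in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        routes, findings = tunnel_report(cfg)
        print(f"== {name} ==")
        for label, peer in routes.items():
            print(f"  {label}: {'peer ' + str(peer) if peer is not None else 'stays local'}")
        for f in findings:
            print("  -", f)
```

Reading the split-tunnel report side by side with the full-tunnel one shows the two separate problems in the thread: 1.1.1.1 only enters the tunnel once a 0.0.0.0/0 AllowedIPs entry exists, while the LAN resolver is reachable in both cases, so a client that resolves nothing is looking at its DNS= line rather than its routes. The discovery groups stay local in either case, which is the layer-2 limitation the earlier replies describe.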
Hi
> On the SMB side, just to confirm, there's no way to get host resolution for SMB shares working through a wireguard tunnel?
"network neighborhood"?
M$ made the process quite confusing. It will depend on both the capabilities of the client computer and the network settings. In theory, this can work with a WINS server(s) (then the client will find the master browser, connect to it and ask for a list of servers). And now I don't even remember whether it is possible to make it work without an AD domain (imho the PDC played a huge role there, collecting/sharing information from/with master browsers).
or is it just a matter of using the "\\PC" syntax?
I have a similar issue:
WG via cellular I can access my router and interfaces.
WG via remote WiFi I cannot access my router but I can access my interfaces.