OPNsense Forum

English Forums => Virtual private networks => Topic started by: ovig on March 23, 2022, 03:42:37 pm

Title: WireGuard Road Warrior setup with no WAN connection
Post by: ovig on March 23, 2022, 03:42:37 pm

I am new to OPNsense and am trying to configure it to start with as a "road warrior VPN concentrator for WireGuard"

I have seen the Road Warrior Setup page in the manual but have a slightly different setup which I cannot find reliable information on either there or on Google: rather than OPNsense being "the main firewall" with a WAN and a LAN connection, it sits on the LAN only, behind another firewall that forwards ports tcp/51822 and udp/51822 to the OPNsense box. Currently, LAN is configured as 192.168.1.0/24, with .55 as the OPNsense box and .254 as the default gateway.
So in effect I need the OPNsense/WireGuard configuration to:
- accept incoming WireGuard connections on port 51822 of the the LAN intf
- route VPN traffic for devices on the LAN (e.g. 192.168.1.123) back out onto the LAN intf
- route VPN traffic for "the Internet" (ie. not LAN addresses) onto the LAN intf and onward to the default gateway

After messing about with the config. on my own and getting nowhere fast, I have now completely reset the OPNsense configuration and am ready to start afresh... but don't know where to start!
Has anyone got a similar configuration working; or at least point me to some resource covering this particular use case?
Any help will be greatly appreciated.

Title: Re: WireGuard Road Warrior setup with no WAN connection
Post by: spider on April 05, 2022, 06:46:57 am

Hi,

I wonder if your problem is similar to mine, it sounds like it.

Code: [Select]

                                                                               ********   
    +-------------------+                      +-------------------+          **      **
    | OPNsense Test     |  WAN ---------> LAN  | OPNsense Firewall | WAN --> * Internet *
    |                   |  LAN            DHCP |                   | static   **      **
    +-------------------+   | 10.10.0.1        +-------------------+           ********   
                            |
                            v 10.10.0.100
                +-------------------+
                | Workstation       |
                |                   |
                +-------------------+
In the above diagram, the OPNsense Test box is set up as a WireGuard client. As documented in https://docs.opnsense.org/manual/how-tos/wireguard-client.html

If the OPNsense Firewall is replaced with an Asus 4G router, then WireGuard connects correctly. I'm wondering if anything needs to be configured in the OPNsense Firewall box, As the OPNsense Test box initiates the connection I don't think it needs port forwarding runs.

Any help would be gratefully applauded.
-spider

Title: Re: WireGuard Road Warrior setup with no WAN connection
Post by: spider on April 11, 2022, 05:58:58 am

I figured this out for myself, purely by chance. There was some history on the other side of the WireGuard connection that was using the same IP address.