OPNsense Forum

English Forums => Virtual private networks => Topic started by: alscx on December 26, 2022, 01:16:13 pm

Title: Wireguard road warrior. How to keep my vpn up and connect even from behind my fw
Post by: alscx on December 26, 2022, 01:16:13 pm
Hello,

I have two Wireguard interfaces. One as client to Mullvad VPN and the other as a server to a road warrior smartphone client. By reading the docs, googling and asking around I managed to make everything work.

Just one little thing missing that I don't know if is not possible or I'm lacking the knowledge to implement.

Thing is I enabled the VPN options "Always on" and "Block connections without VPN" on my phone, so that I can keep the VPN always up, no matter if I'm at home or outside, or using wireless or 4G. It kind of works, but I noticed that:

- If I'm home and using wireless everything works fine. If, in order to test, I turn the wireless off and turn on 4G, I can't ping anymore unless I disable and re-enable the Wireguard connection on the phone.

- If I'm using 4G everything works (I can ping my other LAN machines, the Internet, etc.), but if I turn on wireless the same thing happens. I can't ping anymore and have to quickly disconnect and reconnect the Android Wireguard app.

I noticed that if I do what this guy (https://www.reddit.com/r/PFSENSE/comments/wq6fjz/comment/ikks3m4) suggests (split DNS) it works, but when I'm connected from wireless it acts as if I'm connected from outside (pings with higher latency, slow ssh connections, etc.).

Someone suggested Hairpin NAT (or NAT reflect, that I believe is the same concept). I enabled the corresponding options on "Firewall -> Settings -> Advanced", but apart from that I have no idea about what to do.

So in short, is keeping the VPN always up on my smartphone and being able to connect both outside my LAN and behind my firewall possible to implement?

I'd appreciate any input from someone more experienced.
Title: Re: Wireguard road warrior. How to keep my vpn up and connect even from behind my fw
Post by: newsense on December 31, 2022, 07:49:57 pm
Unsure what you mean by
Quote
If I'm home and using wireless everything works fine

By the looks of it you're missing a port forward rule as follows:

Code:
Source WiFi_Vlan (or Device_IP) Destination Wan_IP:Wireguard_Port --Redirect to 127.0.0.1:Wireguard_Port
This would make your transition in and out of home WiFi seamless on WG side.
Title: Re: Wireguard road warrior. How to keep my vpn up and connect even from behind my fw
Post by: Greelan on December 31, 2022, 11:20:05 pm
Sounds to me like an issue with the app. It should know to reconnect to the VPN on a network change but sounds like it doesn't do that, so the tunnel becomes stale
Title: Re: Wireguard road warrior. How to keep my vpn up and connect even from behind my fw
Post by: Greelan on December 31, 2022, 11:39:36 pm
Tho I'd expect NAT reflection would solve your issue?

Tbh, I exclude my wireless SSIDs in my apps so while the VPN always connects on demand it doesn't so when I am on wifi. There is no point for my road warrior to do so when I am at home.
Title: Re: Wireguard road warrior. How to keep my vpn up and connect even from behind my fw
Post by: Greelan on January 01, 2023, 12:03:25 am
I just did a test without excluding my wifi SSID in the app. Switching between wifi and 4G is fine (tunnel continues to work), and ping etc is as expected depending on the network the device is on. So NAT reflection does seem to provide the answer
Title: Re: Wireguard road warrior. How to keep my vpn up and connect even from behind my fw
Post by: alscx on January 01, 2023, 09:27:30 pm
Thank you for your interest.

I generally keep both the wifi and 4G up all the time on my Android phone. The same goes for the VPN (with that kill switch "always on" option that Android provides).

So in this context, if I'm at first using wifi everything works well, connected through the VPN, with low latency on pings, etc. If I turn off the wifi the link stays up on the 4G and the VPN link keeps working (with the obvious change in latency, considering I'm now connected on a slower link). The problem is that if I turn on wifi once again, although it stays connected, the connection becomes slower (in fact even slower than on 4G) even when accessing other machines on my LAN, and it only behaves as expected if I disconnect and reconnect the VPN on my smartphone. It's as if I was connecting from outside my LAN, not internally via my wifi.

I imagined that, based on what I've read so far (and now from your suggestion), either DNS split or NAT Reflection could solve my issue.

Could you give me a little more details and point me in the right direction on how I may implement it? I mean... I already enabled the corresponding options on OPNsense, but I have no idea about what to do now.
Title: Re: Wireguard road warrior. How to keep my vpn up and connect even from behind my fw
Post by: alscx on January 01, 2023, 10:03:41 pm
Unsure what you mean by
Quote
If I'm home and using wireless everything works fine

By the looks of it you're missing a port forward rule as follows:

Code:
Source WiFi_Vlan (or Device_IP) Destination Wan_IP:Wireguard_Port --Redirect to 127.0.0.1:Wireguard_Port
This would make your transition in and out of home WiFi seamless on WG side.

Hey, thanks for taking the time to help me.

What I mean is I keep both my wifi and 4G always on. The ideal scenario would be that when outside it connects using the 4G, and once I get home it keeps the smartphone connected using the wifi (without having to turn off the VPN).

Well... these last couple of weeks have been my first experience using opnsense. I'm not that used to its syntax yet.

Is the following what you're suggesting?

Interface  Proto  Source  Source Ports  Destination  Dest. Ports  NAT IP     NAT Ports
WAN        UDP    WG net  51825         WAN address  51825        127.0.0.1  51825
Title: Re: Wireguard road warrior. How to keep my vpn up and connect even from behind my fw
Post by: Greelan on January 01, 2023, 11:34:58 pm
Quote
Could you give me a little more details and point me in the right direction on how I may implement it? I mean... I already enabled the corresponding options on OPNsense, but I have no idea about what to do now.

I simply have “reflection for port forwards” and “automatic outbound NAT for reflection” enabled on OPNsense, and have a subdomain that points to my public IPv4 IP (via public DNS, no split DNS) in the Endpoint configuration for OPNsense.

BTW, you don’t need a port forward imho.
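As an added illustration (not from any post in this thread and not the rules OPNsense generates from the GUI), here is what newsense's one-line port forward and Greelan's "reflection for port forwards" setting amount to when written as plain pf rules on the FreeBSD side; the interface names, the WiFi VLAN subnet and the public address are placeholders, and only the WireGuard port 51825 comes from the thread.

```pf
# Hand-written pf rules illustrating the port forward + NAT reflection
# discussed above. Interface names, subnet and public IP are assumed
# placeholders; 51825 is the WireGuard port used in the thread.
wan_if   = "vtnet0"           # assumed WAN interface
wifi_if  = "vlan10"           # assumed WiFi VLAN interface
wan_ip   = "203.0.113.10"     # placeholder public IPv4 (the phone's Endpoint)
wifi_net = "192.168.10.0/24"  # assumed WiFi VLAN subnet
wg_port  = "51825"

# 1. Road-warrior path: handshake arrives on WAN addressed to the public
#    IP. WireGuard on the firewall listens on every address, so this
#    redirect to loopback only mirrors the rule suggested in the thread.
rdr on $wan_if inet proto udp from any to $wan_ip port $wg_port \
    -> 127.0.0.1 port $wg_port

# 2. Reflection (hairpin) for the phone while it is on home WiFi: it keeps
#    sending to the public endpoint address, so the same rewrite is applied
#    on the WiFi VLAN. The target is the firewall itself, so no extra
#    outbound NAT ("automatic outbound NAT for reflection") is needed;
#    replies are un-translated by the state created by this rdr.
rdr on $wifi_if inet proto udp from $wifi_net to $wan_ip port $wg_port \
    -> 127.0.0.1 port $wg_port

# 3. Filter rules see the already translated destination (127.0.0.1),
#    so pass on that address, not on $wan_ip.
pass in quick on $wan_if  inet proto udp from any       to 127.0.0.1 port $wg_port keep state
pass in quick on $wifi_if inet proto udp from $wifi_net to 127.0.0.1 port $wg_port keep state
```

Check the resulting state with `pfctl -s state | grep 51825` after the phone has roamed to WiFi: the entry should show the WiFi client address on the left and 127.0.0.1 as the translated destination, which is what distinguishes a reflected handshake from one that still left via the WAN.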