OPNsense Forum

I'm going to apologize right off the bat for the long post.  I have been working on this for days now and for the life of me, can't figure out what is wrong.  I have removed the VPN tunnel, rules for it, and started over again using the OPNsense guide https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html).

I'll post my configuration and hoping someone smarter then me can figure out what I'm doing wrong.

First I have the Local and Endpoint set up with the keys in the VPN/Wireguard.

https://filerun.photosandbrew.xyz/wl/?id=vVuBCdi6DjdfxF89D76dfd7DD8aWp9nI (https://filerun.photosandbrew.xyz/wl/?id=vVuBCdi6DjdfxF89D76dfd7DD8aWp9nI)

https://filerun.photosandbrew.xyz/wl/?id=OjcufWbascryZFlkGot6SqkbXatTcnbk (https://filerun.photosandbrew.xyz/wl/?id=OjcufWbascryZFlkGot6SqkbXatTcnbk)

I assigned the VPN to an interface and enabled it.

https://filerun.photosandbrew.xyz/wl/?id=EthJSTpN2WDN8mmTdO12389rrx8hUqvk (https://filerun.photosandbrew.xyz/wl/?id=EthJSTpN2WDN8mmTdO12389rrx8hUqvk)

I then created the gateway.

https://filerun.photosandbrew.xyz/wl/?id=btQam2dAXALq5ikCqPmQOtasvrLnrRPB (https://filerun.photosandbrew.xyz/wl/?id=btQam2dAXALq5ikCqPmQOtasvrLnrRPB)

I created two aliases.  One for my device to be used on this tunnel and one for the local access as outlines in the guide.

https://filerun.photosandbrew.xyz/wl/?id=xP2mxmoBSrH3Hojb6OJgr7E8zXP1a3jh (https://filerun.photosandbrew.xyz/wl/?id=xP2mxmoBSrH3Hojb6OJgr7E8zXP1a3jh)

https://filerun.photosandbrew.xyz/wl/?id=adsCcbLPmQJ6pDgwwZgwGRYdgqqpJhbx (https://filerun.photosandbrew.xyz/wl/?id=adsCcbLPmQJ6pDgwwZgwGRYdgqqpJhbx)

Next I created the firewall rules.
Lan Rules

https://filerun.photosandbrew.xyz/wl/?id=Du7AJQfide57IuyfeXLlo4zm7x9eSVAw (https://filerun.photosandbrew.xyz/wl/?id=Du7AJQfide57IuyfeXLlo4zm7x9eSVAw)

https://filerun.photosandbrew.xyz/wl/?id=lpTzcJm6YzE4dlYS2PI0xBMjsDrtQc0b (https://filerun.photosandbrew.xyz/wl/?id=lpTzcJm6YzE4dlYS2PI0xBMjsDrtQc0b)

Floating Rules

https://filerun.photosandbrew.xyz/wl/?id=9y85DwAr8qoPbpFmJWScvtHbyGtRzcYi (https://filerun.photosandbrew.xyz/wl/?id=9y85DwAr8qoPbpFmJWScvtHbyGtRzcYi)

Outbound NAT rules

https://filerun.photosandbrew.xyz/wl/?id=Tu6KIVQm312djBTktfmmLXb2PPmo1vd1 (https://filerun.photosandbrew.xyz/wl/?id=Tu6KIVQm312djBTktfmmLXb2PPmo1vd1)

I did not put in a kill switch yet.  But this is everything I've done with this.  I'm able to connect to my local resources, but cannot get out to the internet.  In the future, I want to start using Adgaurd on my OPNsense and turn of Unbound, i'll have to tackle that later.  What am I missing?

I follow the document settings, but I can't Passing Traffic. I have tested many settings, but the problem still exists.

OP, why are you masking the tunnel address and gateway address?

Why is the tunnel address a /16?

Have you include the correct gateway on the OPNsense local config?

I set up exactly according to this document, and I can access the LAN resources of the server, but the Internet cannot be accessed through the server. I have tested using Openwrt or Windows Wireguard to connect to the server and everything is normal, but there is a problem with OPNsense as a client accessing Internet through the server. This problem plagues me. It's been a long time, can anyone help me? Thanks

Rather than hijacking someone else's thread, make your own post and get help there. Your issue and setup may be completely different to the OP's and you are only confusing things.

Quote from: Greelan on March 27, 2023, 03:54:46 PM
OP, why are you masking the tunnel address and gateway address?

Why is the tunnel address a /16?

Have you include the correct gateway on the OPNsense local config?

You know, that's a good question.  I was tired when I was grabbing screen shots and I think i just started masking any IP I saw. 

The tunnel address is a /16 since it called for it on the SurfShark config and it matched the instructions.

For the gateway on the OPNsense local config, I might be confused on what you mean by this. 

This is the gateway of the VPN tunnel

https://filerun.photosandbrew.xyz/wl/?id=zc3XfZ6hHww08cb0vagQmcc2dkYwBzrX (https://filerun.photosandbrew.xyz/wl/?id=zc3XfZ6hHww08cb0vagQmcc2dkYwBzrX)

This is what I have set in the gateway section in OPNsense.

https://filerun.photosandbrew.xyz/wl/?id=cdJmySSmHNzb0cNXHaSf3SdrCGvY96bB (https://filerun.photosandbrew.xyz/wl/?id=cdJmySSmHNzb0cNXHaSf3SdrCGvY96bB)

It shows online to the endpoint IP.  When I do a traceroute through that gateway, I see it go through the tunnel so I would think the tunnel works... Right??

Here is the .conf from surfshark that I am using. I haven't done anything with the DNS IP since I want the VPN to us Adguard for DNS.

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = <insert_your_private_key_here>
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = Smruh1SmMqi7CecjV/+yI4Sy62gpAr+Uddq+9K6iLB0=
AllowedIPs = 0.0.0.0/0
Endpoint = 45.43.19.209:51820

So I rebuilt the rules again and this is weird. I can traceroute from the vpn tunnel and it connects and completes. I have my cell phone set to be the only thing to route through it and I can get to google, but I can't get to any other domain. 

https://filerun.photosandbrew.xyz/wl/?id=IOYS7ym9NBNW7oOgLEQw4LuAVH0BKx5C (https://filerun.photosandbrew.xyz/wl/?id=IOYS7ym9NBNW7oOgLEQw4LuAVH0BKx5C)

A traceroute from the phone would be more useful

Here is the traceroute.  It hits my OPNsense but that's as far as it gets.

https://filerun.photosandbrew.xyz/wl/?id=6CdlqvkBEjfsimdwSkepu30tA6OcnSwL (https://filerun.photosandbrew.xyz/wl/?id=6CdlqvkBEjfsimdwSkepu30tA6OcnSwL)

Do want to add, when I disable this rule, my connection goes over my normal ISP connection and my traceroute goes all the way through.

https://filerun.photosandbrew.xyz/wl/?id=zLf8ljlHIo1ddxQvdBXMy0oQ7QLMHTjg (https://filerun.photosandbrew.xyz/wl/?id=zLf8ljlHIo1ddxQvdBXMy0oQ7QLMHTjg)

Quote from: shrekfx on March 25, 2023, 11:36:36 PM

I assigned the VPN to an interface and enabled it.

https://filerun.photosandbrew.xyz/wl/?id=EthJSTpN2WDN8mmTdO12389rrx8hUqvk (https://filerun.photosandbrew.xyz/wl/?id=EthJSTpN2WDN8mmTdO12389rrx8hUqvk)

You need to assign IPv4 address (10.14.0.2) to the interface.
Also might need to tick the "This interface does not require an intermediate system to act as a gateway".

You actually don't. It will be auto-assigned.

OP, I will do a closer review of your config and let you know any further thoughts I have.

Do you know the tunnel IP at the SurfShark endpoint?

Would this be the endpoint at the end of this config.

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = <insert_your_private_key_here>
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = Smruh1SmMqi7CecjV/+yI4Sy62gpAr+Uddq+9K6iLB0=
AllowedIPs = 0.0.0.0/0
Endpoint = 45.43.19.209:51820

So I've gone through your configs and nothing seems immediately wrong.

A few questions:

- when the tunnel is up, do you see handshake and traffic up and down in the status tab for WG on OPNsense?

- can you try a gateway IP that instead of one below the tunnel address, try one above (10.14.0.3). I have a sense that 10.14.0.1 might be the tunnel endpoint IP at SurfShark. While that should still work, be good to try a unique one

- this looks like your second WG interface. No conflicts with the first one?

- to rule out DNS issues, try a traceroute from your phone to 8.8.8.8 or 1.1.1.1

- what DNS is the phone actually using? Can it reach it when the tunnel is up?

Yes, when the tunnel is up I see the handshake and there is the small amount of keep alive traffic.

I'll try changing the gateway and see if that does anything.

It's my 2nd one yes.  The first one is a road warrior setup to connect to my network from outside.  No conflicts there, all on a different subnet.  When I am connected to that VPN, I am able to get into my network and get out to the internet just fine over my ISP connection.  Havent even tried over the VPN out to surfshark yet. lol
 
I'll double check pinging those IP addresses, but I'm sure i was able to before, but will do it again.

When not on the tunnel, my phone is set to use the DNS handed off by OPNsense which is set for Adguard Home, which is installed on the OPNsense.  I have took that off and ran it through Unbound DNS and have tried running it only through 1.1.1.1 and 8.8.8.8 and still no connection out to the internet via the VPN.

No changes made, connected to the tunnel on my cell and able to ping 8.8.8.8 but not able to do a traceroute.

I tried updating the gateway as well and still nothing.  It is weird though, I was able get to google.com and do a whatismyIP and I get the VPN IP of the end location.  But was not able to get to any other websites.

Is there traffic shown both ways in the Status tab?

It is normally a sure sign of an issue that there is traffic only one way.

Double checked all keys are in the right place?

endpoint: 154.16.169.77:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 47 seconds ago
  transfer: 4.69 MiB received, 1.21 MiB sent
  persistent keepalive: every 25 seconds

Damn. Lol

This is a bit of a mystery. I can only suggest double checking the outbound NAT rule and that nothing else is interfering with it.

Have you tried turning on logging on the relevant rules and checking what's happening? Or running packet captures?

I'll do that. worse case i'll rebuild my opnsense and rebuild the vpn. lol I don't have much rules on it so it would be no huge deal, except for the one person that connect to my tunnel. 

I have looked at the logs on these rules and they all seem to be working that i could tell and i struggle with packet captures lol.

You can do a pcap on OPNsense via the UI. Pretty easy