Hello,
I followed this article:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
but I never get connected through the VPS.
I have successfully set up a WireGuard VPN server on the VPS, and a WireGuard client on my Raspberry Pi.
Now I want to route all traffic from the local network via OPNsense to the VPS (WireGuard server) with the same setup. I don't want to use the Raspberry Pi as the WireGuard client. I want the WireGuard client to be the OPNsense firewall instead of the Raspberry Pi, and the WireGuard server to stay on the VPS as it is.
Is there anyone who can solve this problem?
I appreciate any help.
Thank you.
There's very little support or documentation for any of us messing with external VPNs. I've been posting here looking for help for days now and rarely does anybody contribute.
OPNsense software is way overcomplicating things, as you've seen by simply trying to follow that selective routing guide; it should've been possible in less than half the steps. And once the guide is done and followed to the tee, they leave you completely dry with how to make use of it afterwards!
Quote from: frozen on November 17, 2023, 05:21:42 PM
There's very little support or documentation for any of us messing with external VPNs. I've been posting here looking for help for days now and rarely does anybody contribute.
OPNsense software is way overcomplicating things, as you've seen by simply trying to follow that selective routing guide; it should've been possible in less than half the steps. And once the guide is done and followed to the tee, they leave you completely dry with how to make use of it afterwards!
I believe in the people here. I hope there is someone here who knows much more than me about WireGuard on OPNsense. I have been waiting for someone to help me.
Quote from: frozen on November 17, 2023, 05:21:42 PM
There's very little support or documentation for any of us messing with external VPNs. I've been posting here looking for help for days now and rarely does anybody contribute.
You know this is a community forum? If you need a fix _now_ for your mission-critical setup: https://shop.opnsense.com/product-categorie/support/
Quote
OPNsense software is way overcomplicating things, as you've seen by simply trying to follow that selective routing guide; it should've been possible in less than half the steps.
Where can we find your lean-and-mean, just enough, easy configuration How-To? I'd really like to read it.
Quote
And once the guide is done and followed to the tee, they leave you completely dry with how to make use of it afterwards!
Just send packets, no magic involved...
Is anybody here? Can anyone help me?
I am able to post more information if you wish!
Thank you
If you do not post all details of your configuration concerning that VPN, how should anyone help? Remove private keys, of course, but we need all tunnel settings, all IP addresses, all associated firewall rules.
Here we go...
I can't post more pictures
Is the tunnel up and can you ping the internal tunnel address at the other end from the firewall?
A second NAT on the firewall won't be enough. Once the tunnel works you will need to NAT all outbound traffic to the public IP of the other end. And this must be done at the other end.
Quote from: Patrick M. Hausen on November 20, 2023, 03:14:45 PM
Is the tunnel up and can you ping the internal tunnel address at the other end from the firewall?
A second NAT on the firewall won't be enough. Once the tunnel works you will need to NAT all outbound traffic to the public IP of the other end. And this must be done at the other end.
First of all, thank you very much...
When I enable the tunnel, nothing works at all. So I cannot ping. So, would you tell me what rules I need?
From where do you ping where? You need to open a shell on the firewall with SSH and ping the other side of the tunnel.
Quote from: Patrick M. Hausen on November 20, 2023, 08:33:34 PM
From where do you ping where? You need to open a shell on the firewall with SSH and ping the other side of the tunnel.
Look at the result of my ping. This is from the OPNsense shell...
wg
netstat -rn
please.
Also what does the WireGuard configuration on the VPS look like?
Quote from: Patrick M. Hausen on November 20, 2023, 09:05:03 PM
wg
netstat -rn
please.
Also what does the WireGuard configuration on the VPS look like?
I didn't understand what you mean by "Also what does the WireGuard configuration on the VPS look like?"
Please look at the picture.
netstat -rn, not netstat -m ...
Also: you are trying to set up a VPN tunnel to some VPS in some cloud, right? So you must have installed and configured WireGuard at that end ...
Quote from: Patrick M. Hausen on November 20, 2023, 09:13:08 PM
netstat -rn, not netstat -m ...
Also: you are trying to set up a VPN tunnel to some VPS in some cloud, right? So you must have installed and configured WireGuard at that end ...
Yes, I have set up a WireGuard server on a VPS in another country. Do you want the wg0.conf file of the WireGuard server???
Yes, of course.
Looks good. Specifically the netmasks and allowed IPs.
So to approach this a bit more systematically - could you change the allowed IPs on the OPNsense side to 10.217.30.1/32?
Then with the tunnel up your general Internet access and routing should not be influenced in any way.
But logged in to the firewall with ssh you should be able to ping 10.217.30.1. The other way round logged in to the VPS you should be able to ping 10.217.30.2.
As long as that is not the case you need not worry about routing, gateways, whatever ... for some reason the tunnel is simply not established.
Did you add a firewall rule on WAN (on OPNsense) permitting the WireGuard UDP port in? Is there a firewall active on the VPS, possibly?
HTH,
Patrick
Quote from: Patrick M. Hausen on November 22, 2023, 12:08:58 PM
Looks good. Specifically the netmasks and allowed IPs.
So to approach this a bit more systematically - could you change the allowed IPs on the OPNsense side to 10.217.30.1/32?
Then with the tunnel up your general Internet access and routing should not be influenced in any way.
But logged in to the firewall with ssh you should be able to ping 10.217.30.1. The other way round logged in to the VPS you should be able to ping 10.217.30.2.
As long as that is not the case you need not worry about routing, gateways, whatever ... for some reason the tunnel is simply not established.
Did you add a firewall rule on WAN (on OPNsense) permitting the WireGuard UDP port in? Is there a firewall active on the VPS, possibly?
HTH,
Patrick
Where is this option to change? Could you give me more specific details? Do you mean from the instance inside OPNsense?
I already have 10.217.30.1/32 in the allowed IPs section. Look at my pictures in previous posts.
Inside the OPNsense firewall I am able to ping 10.217.20.1. From the other side, inside the VPS server, I am able to ping 10.217.30.2 too.
I post the firewall rules that I have inside OPNsense under Firewall->Rules->WAN.
Please look at my pictures carefully...
Thank you Patrick!
If you can ping already - I somehow missed that - do a tcpdump on the public network interface of your VPS while you ping e.g. 8.8.8.8. Most probably the packets are leaving the VPS directed to the Internet with a source address of 10.217.30.2. That won't work. You need to add NAT on the VPS for outbound packets coming from your VPN tunnel.
Quote from: Patrick M. Hausen on November 22, 2023, 04:10:08 PM
If you can ping already - I somehow missed that - do a tcpdump on the public network interface of your VPS while you ping e.g. 8.8.8.8. Most probably the packets are leaving the VPS directed to the Internet with a source address of 10.217.30.2. That won't work. You need to add NAT on the VPS for outbound packets coming from your VPN tunnel.
Patrick, this setup (WireGuard server and WireGuard client) I have tested on the Raspberry. The WireGuard server is the VPS as it is now, and the WireGuard client was on the Raspberry with Debian. This setup is working successfully. Now I want to set up the WireGuard client on the OPNsense firewall. So for your question about NAT, my answer is that I already have masquerade for outbound and I already have a port forward from the VPS (WireGuard server 10.217.30.1) to the WireGuard client OPNsense (10.217.30.1). Do you want me to post all iptables rules?
So, I connect via SSH to the VPS WireGuard server, then from the terminal I ping 8.8.8.8 with success.
What command do you need for tcpdump? What do I have to do? Do I have to ping 8.8.8.8 inside the VPS and run tcpdump from a second terminal on my local computer? tcpdump what? I don't know what command I have to ...
Thank you Patrick!!
Quote from: novel on November 22, 2023, 09:08:48 PM
Quote from: Patrick M. Hausen on November 22, 2023, 04:10:08 PM
If you can ping already - I somehow missed that - do a tcpdump on the public network interface of your VPS while you ping e.g. 8.8.8.8. Most probably the packets are leaving the VPS directed to the Internet with a source address of 10.217.30.2. That won't work. You need to add NAT on the VPS for outbound packets coming from your VPN tunnel.
Patrick, this setup (WireGuard server and WireGuard client) I have tested on the Raspberry. The WireGuard server is the VPS as it is now, and the WireGuard client was on the Raspberry with Debian. This setup is working successfully. Now I want to set up the WireGuard client on the OPNsense firewall. So for your question about NAT, my answer is that I already have masquerade for outbound and I already have a port forward from the VPS (WireGuard server 10.217.30.1) to the WireGuard client OPNsense (10.217.30.1). Do you want me to post all iptables rules?
So, I connect via SSH to the VPS WireGuard server, then from the terminal I ping 8.8.8.8 with success.
What command do you need for tcpdump? What do I have to do? Do I have to ping 8.8.8.8 inside the VPS and run tcpdump from a second terminal on my local computer? tcpdump what? I don't know what command I have to ...
Thank you Patrick!!
UPDATE
From a terminal inside the VPS I ran "ping 8.8.8.8", then in a second terminal on my local home PC I ran "sudo tcpdump -i enp35s0 dst <PUBLIC IP WIREGUARD SERVER>".
The result: when I run tcpdump -i ....... towards the VPS I get no output from tcpdump. When I ping 8.8.8.8 from the VPS, then I get output from tcpdump .... I think that it is ok ... Do you want me to send you a screenshot of the ping and tcpdump?
You need to ping from a client behind your OPNsense and tcpdump on the external interface of the VPS - why did you do it the other way round? Did I completely misunderstand something? You want all Internet-directed traffic from your LAN routed through the tunnel so it uses the IP address of the VPS as its exit point. Right?
I want to check if the packets originating from your LAN
- make it through the tunnel
- make it to the outside interface of the VPS
- are correctly masqueraded at that location
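Patrick's three checks above (and his earlier tcpdump suggestion) can be run over a capture taken on the VPS public interface. The following script is an added example, not code from the thread or from OPNsense: it parses constructed tcpdump -n lines and reports whether the LAN probes reached the VPS and whether they left with the VPS public address or, as Patrick suspects, with the 10.217.30.2 tunnel address. The tunnel prefix 10.217.30.0/24 and the VPS public address 203.0.113.10 are assumed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

# Addresses from the thread: the tunnel peers are 10.217.30.1 (VPS) and
# 10.217.30.2 (OPNsense). The /24 prefix and the VPS public address are
# assumptions; 203.0.113.10 is a documentation-range placeholder.
TUNNEL_NET = ipaddress.ip_network("10.217.30.0/24")
VPS_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
PROBE_DST = ipaddress.ip_address("8.8.8.8")

# Summary line of "tcpdump -n -i eth0": TCP/UDP lines carry a trailing ".port"
# on each address, ICMP lines do not, so the port part is optional.
_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<info>.*)$"
)


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    info: str


def parse_tcpdump(lines):
    """Return the IPv4 packets in tcpdump -n output; other lines are ignored."""
    packets = []
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            packets.append(Packet(ipaddress.ip_address(m["src"]),
                                  ipaddress.ip_address(m["dst"]), m["info"]))
    return packets


def check_exit_nat(packets, tunnel_net=TUNNEL_NET, vps_ip=VPS_PUBLIC_IP,
                   probe=PROBE_DST):
    """Classify a capture taken on the VPS public interface while a LAN host
    pings `probe`: did the probes reach the VPS at all, and if so, do they
    leave with the VPS public address or with the private tunnel address?"""
    outbound = [p for p in packets if p.dst == probe]
    leaked = [p for p in outbound if p.src in tunnel_net]
    masqueraded = [p for p in outbound if p.src == vps_ip]
    if not outbound:
        status = "not_reaching_vps"   # problem is before the VPS: LAN rule gateway / routes
    elif leaked:
        status = "missing_exit_nat"   # VPS needs MASQUERADE/SNAT for tunnel sources
    else:
        status = "ok"
    return {"reached_vps": len(outbound), "leaked": len(leaked),
            "masqueraded": len(masqueraded), "status": status}


# Constructed captures (not taken from the thread's screenshots).
MISSING_NAT_CAPTURE = [
    "12:00:01.000001 IP 10.217.30.2 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64",
    "12:00:02.000001 IP 10.217.30.2 > 8.8.8.8: ICMP echo request, id 7, seq 2, length 64",
]
WORKING_CAPTURE = [
    "12:00:01.000001 IP 203.0.113.10 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.010001 IP 8.8.8.8 > 203.0.113.10: ICMP echo reply, id 7, seq 1, length 64",
    "12:00:02.000001 IP 203.0.113.10.40000 > 8.8.8.8.443: Flags [S], seq 1, win 64240, length 0",
]

if __name__ == "__main__":
    for name, capture in (("missing NAT", MISSING_NAT_CAPTURE),
                          ("working", WORKING_CAPTURE), ("empty", [])):
        print(name, check_exit_nat(parse_tcpdump(capture)))
```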
Quote from: Patrick M. Hausen on November 22, 2023, 09:41:56 PM
You need to ping from a client behind your OPNsense and tcpdump on the external interface of the VPS - why did you do it the other way round? Did I completely misunderstand something? You want all Internet-directed traffic from your LAN routed through the tunnel so it uses the IP address of the VPS as its exit point. Right?
I want to check if the packets originating from your LAN
- make it through the tunnel
- make it to the outside interface of the VPS
- are correctly masqueraded at that location
First of all, I am not sure if I understand what you said.
Inside the OPNsense GUI I enabled the WireGuard VPN,
then from my local PC I ran ping 8.8.8.8; the result is negative.
PING 8.8.8.8 bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
Then from a terminal on the VPS WireGuard server I ran sudo tcpdump -i eth0 dst PUBLIC IP OF VPS ---- NOT MY PUBLIC IP FROM MY COUNTRY
THE RESULT IS ... LOOK AT THE PICTURE
I am not sure if you want this..
Do you have an explicit gateway set in your firewall rule on LAN?
Quote from: Patrick M. Hausen on November 22, 2023, 10:43:07 PM
Do you have an explicit gateway set in your firewall rule on LAN?
No, I don't know what firewall rules I have to put. Please show me what rules I have to put.... Please.
Look at the gateway and routes....
What do the firewall rules on LAN look like? I don't know what to put there, because I don't know all you want to achieve. But I am an experienced network engineer. I can look at an existing set of rules and say "look, that's why the packets are not entering the tunnel". I just have not found the cause yet.
Did you already post a screenshot of Firewall > Rules > LAN above? If not, please do so.
Quote from: Patrick M. Hausen on November 22, 2023, 11:05:26 PM
What do the firewall rules on LAN look like? I don't know what to put there, because I don't know all you want to achieve. But I am an experienced network engineer. I can look at an existing set of rules and say "look, that's why the packets are not entering the tunnel". I just have not found the cause yet.
Did you already post a screenshot of Firewall > Rules > LAN above? If not, please do so.
Please, look at the firewall rules
I have AnyDesk installed and am prepared to grant access to anybody who thinks they can assist with this - and I'd post detailed information on how to resolve this once it's resolved - as you can see, many of the top posts in this forum are regarding this topic.
I have nothing to lose, nor risk, on this machine and can easily restore from backup when the experimentation is done.
I have:
- Established tunnels and gateways as per instructions
- Established and port forwarded WireGuard so it's ready to receive clients
I am ready for any assistance, thank you.
Please post the details of the IPv4 "allow all" LAN rule.
What do you mean by "receive clients"? I thought you want to tunnel LAN traffic through a static VPN to a VPS located elsewhere? This is getting more complex every day ;)
Quote from: Patrick M. Hausen on November 23, 2023, 08:12:58 AM
Please post the details of the IPv4 "allow all" LAN rule.
What do you mean by "receive clients"? I thought you want to tunnel LAN traffic through a static VPN to a VPS located elsewhere? This is getting more complex every day ;)
Hello again my friend.
I want to tunnel all local traffic through a WireGuard tunnel to the static IP of the VPS. The VPS has a static IP. My ISP has a dynamic IP. I already set up dynamic DNS in my OPNsense with the ddclient plugin, updating every 5 minutes.
Patrick, some people pay for a VPN to avoid some restrictions in their countries. I do the same, but I have set up my VPN myself. Do you understand my project? As I said, I successfully set this up in the past with the WireGuard client inside the Raspberry Pi, then the Raspberry Pi forwarded the traffic to my PC. At the moment I want to set up the WireGuard client on the OPNsense firewall.
I upload some pictures from my Firewall->Rules->LAN. I have to say that I have the automatically generated rules from the system when it was installed. I don't create new rules myself, only 2 rules for the web proxy, not for the WireGuard server.
Finally, I want your help to set up firewall rules for WireGuard.
The IPv4 "*" rule - what are the details? Click on the edit button to the right and post a screen shot. I want to see if there is an explicit gateway set.
Also the output of netstat -rn when the tunnel is up (again, possibly, this thread is getting long).
Gateway for this rule is missing (penultimate column).
In addition you have to make sure, that traffic will not bypass VPN via v6.
If the tunnel is configured for v6 use, you also need to set a gateway for default allow v6, otherwise you need to block v6.
Quote from: Patrick M. Hausen on November 23, 2023, 09:48:15 AM
The IPv4 "*" rule - what are the details? Click on the edit button to the right and post a screen shot. I want to see if there is an explicit gateway set.
Also the output of netstat -rn when the tunnel is up (again, possibly, this thread is getting long).
I have all the information that you want.
Quote from: tiermutter on November 23, 2023, 09:56:45 AM
Gateway for this rule is missing (penultimate column).
In addition you have to make sure, that traffic will not bypass VPN via v6.
If the tunnel is configured for v6 use, you also need to set a gateway for default allow v6, otherwise you need to block v6.
No, I think it is not set up for IPv6; please look at the netstat result.
Quote from: frozen on November 23, 2023, 06:50:17 AM
I have AnyDesk installed and am prepared to grant access to anybody who thinks they can assist with this - and I'd post detailed information on how to resolve this once it's resolved - as you can see, many of the top posts in this forum are regarding this topic.
I have nothing to lose, nor risk, on this machine and can easily restore from backup when the experimentation is done.
I have:
- Established tunnels and gateways as per instructions
- Established and port forwarded WireGuard so it's ready to receive clients
I am ready for any assistance, thank you.
Yes I would like to see it.
Quote from: tiermutter on November 23, 2023, 09:56:45 AM
Gateway for this rule is missing (penultimate column).
Maybe I am on the wrong track, but with no explicit gateway set and the tunnel established - shouldn't OPNsense just follow the routing table?
What's puzzling me is the "destination host unreachable" for a "ping 8.8.8.8" from an internal client. Any better ideas than I had so far?
I only skimmed the whole lot of text and screenshots so as not to get confused...
Is there an outbound NAT rule for this VPN? In post #7 it is inactive. This will result in clients not reaching anything via the VPN network.
Without gateway set, OPNsense follows routing table, yes... but I am unsure how to read it:
default 0.0.0.0/0 goes via WAN, but does 0.0.0.0/1 and 128.0.0.0/1 really override default route for LAN clients?
If it does, no explicit gateway in rule is necessary.
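tiermutter's question about 0.0.0.0/1 and 128.0.0.0/1 is answered by longest-prefix matching: a /1 is more specific than the /0 default, so together the two halves capture every destination without any gateway set on the LAN rule. The following added example (not code from the thread or from OPNsense) reproduces that lookup over a routing table shaped like the one described, and goes one step beyond the thread by showing why a host route for the VPS endpoint itself must stay on WAN. The gateway addresses, the VPS endpoint 203.0.113.10 and the interface names are assumed placeholders.

```python
import ipaddress

# Routing table in the shape tiermutter reads from the netstat -rn output:
# a default route via the ISP, and the two /1 halves via the WireGuard
# gateway 10.217.30.1. The WAN gateway, the VPS endpoint and the interface
# names are assumptions (documentation-range placeholders).
WAN_GW = "198.51.100.1"
WG_GW = "10.217.30.1"
VPS_ENDPOINT = "203.0.113.10"

ROUTES = [
    # (destination, gateway, interface)
    ("0.0.0.0/0", WAN_GW, "wan"),          # default via ISP
    ("0.0.0.0/1", WG_GW, "wg0"),           # lower half of IPv4 via the tunnel
    ("128.0.0.0/1", WG_GW, "wg0"),         # upper half of IPv4 via the tunnel
    ("10.217.30.0/24", "link", "wg0"),     # tunnel network itself
    ("192.168.10.0/24", "link", "lan"),    # LAN behind OPNsense (192.168.10.1 in the thread)
]


def next_hop(routes, dst):
    """Longest-prefix match: the most specific matching entry wins,
    so a /1 beats the /0 default for every address it contains."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def tunnel_covers_everything(routes, wg_iface="wg0"):
    """True when the routes pointing at the tunnel together cover all of IPv4
    (as 0.0.0.0/1 + 128.0.0.0/1 do), so the default route is never consulted."""
    nets = [ipaddress.ip_network(p) for p, _, i in routes if i == wg_iface]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


def with_endpoint_route(routes, endpoint, wan_gw, wan_iface="wan"):
    """Add the host route that keeps the encrypted WireGuard packets to the
    VPS itself on WAN; without it the /1 routes would send them into the
    very tunnel they carry, and the tunnel could never be established."""
    return routes + [(f"{endpoint}/32", wan_gw, wan_iface)]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.10.50", VPS_ENDPOINT):
        print(dst, "->", next_hop(ROUTES, dst))
    print("tunnel routes cover all of IPv4:", tunnel_covers_everything(ROUTES))
    fixed = with_endpoint_route(ROUTES, VPS_ENDPOINT, WAN_GW)
    print(VPS_ENDPOINT, "with host route ->", next_hop(fixed, VPS_ENDPOINT))
```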
Hmm... it's confusing... what is running on the VPS? Is this another OPNsense? Some screenshots look like OPNsense on the VPS with a WG server and some look like OPNsense at home?!
Quote from: tiermutter on November 23, 2023, 11:34:42 AM
I only skimmed the whole lot of text and screenshots so as not to get confused...
Is there an outbound NAT rule for this VPN? In post #7 it is inactive. This will result in clients not reaching anything via the VPN network.
Without gateway set, OPNsense follows routing table, yes... but I am unsure how to read it:
default 0.0.0.0/0 goes via WAN, but does 0.0.0.0/1 and 128.0.0.0/1 really override default route for LAN clients?
If it does, no explicit gateway in rule is necessary.
I am not so advanced a user as to understand some things.... I set the WireGuard gateway. I already posted it. Do you want me to post it again? I post the NAT port forward now...
If you have time you can check my firewall via AnyDesk...
Thank you
Quote from: tiermutter on November 23, 2023, 11:54:40 AM
Hmm... it's confusing... what is running on the VPS? Is this another OPNsense? Some screenshots look like OPNsense on the VPS with a WG server and some look like OPNsense at home?!
I said above to the other user that the WireGuard VPN is installed on the VPS and the WireGuard client I run on my home OPNsense firewall.
This setup I tested on the Raspberry Pi. It works successfully. The WireGuard client was on the Raspberry; now I want to set it up on the OPNsense firewall, not the Raspberry.
The WireGuard server on the VPS is the same in both cases. I never changed anything in the setup of the WireGuard server.
We stopped using OPNsense for the same reasons for VPN.
Back to RRAS in Windows and it works perfectly. Connects and keeps the connection, no problems.
Anything terminating at the perimeter is way too sensitive when keeping thousands of VPNs running at any one time.
Sorry, not possible for me to go remote...
As said, maybe I am confused and should shut up :D
Now you are posting screenshots of NAT port forwards. There is nothing in your setup as far as I can see that requires a port forward... on the VPS side access to the WG server can be solved this way, but a simple allow rule on WAN should be enough.
What I mentioned was NAT outbound rules; this is required on your LAN side.
Can you please explain your whole setup?
Quote from: tiermutter on November 23, 2023, 12:27:22 PM
Sorry, not possible for me to go remote...
As said, maybe I am confused and should shut up :D
Now you are posting screenshots of NAT port forwards. There is nothing in your setup as far as I can see that requires a port forward... on the VPS side access to the WG server can be solved this way, but a simple allow rule on WAN should be enough.
What I mentioned was NAT outbound rules; this is required on your LAN side.
Can you please explain your whole setup?
Please read my first post. I have written it many times here....
I want all traffic from the ISP to be sent through the WireGuard tunnel to the VPS, then take the public IP of the VPS through the WireGuard VPN, then back to my home. It is very simple. It is the same setup as if you pay a VPN provider like Mullvad or any other VPN provider.
On Firewall-->Rules-->WAN I have already posted the rule allowing port 51820 from WAN. Please see the pictures... otherwise I can post it again for you...
I hope you understand me.....
In the YouTube link below I want to do the same WITHOUT MULLVAD. I want to do the same project as in the video below, on the VPS where I already set up the VPN myself. I say again, the same setup RUNS SUCCESSFULLY WITH THE RASPBERRY PI. The problem is (I think) the OPNsense.
https://www.youtube.com/watch?v=9B4FW5pf2wA
Quote from: tiermutter on November 23, 2023, 11:54:40 AM
Hmm... it's confusing... what is running on the VPS? Is this another OPNsense? Some screenshots look like OPNsense on the VPS with a WG server and some look like OPNsense at home?!
Quote from: Supermule on November 23, 2023, 12:26:42 PM
We stopped using OPNsense for the same reasons for VPN.
Back to RRAS in Windows and it works perfectly. Connects and keeps the connection, no problems.
Anything terminating at the perimeter is way too sensitive when keeping thousands of VPNs running at any one time.
Do you mean that OPNsense has a bug? Does OPNsense have bugs generally?
We know what you want to achieve... but we (me) don't really know which systems are involved and where the loads of screenshots are taken from...
As said... we (me) are confused...
Quote from: tiermutter on November 23, 2023, 12:45:43 PM
We know what you want to achieve... but we (me) don't really know which systems are involved and where the loads of screenshots are taken from...
As said... we (me) are confused...
I will help you.
On the VPS runs ONLY DEBIAN 12 with the WireGuard server. ONLY THAT. Nothing else. There are iptables rules that masquerade all traffic to the WireGuard client. This is the VPS setup.
OPNsense is the WireGuard client that tries to connect to the VPS (WireGuard server). Are you confused, or do you understand?
I hope this helps you now.
Helped a lot so far, thank you ;)
Now let's summarize step by step...
So the Debian / VPS setup is untouched and worked (and also will still work) with the RasPi as client?
Client WG setup is double-checked, correct, and handshakes are successful?
Quote from: tiermutter on November 23, 2023, 01:04:09 PM
Helped a lot so far, thank you ;)
Now let's summarize step by step...
So the Debian / VPS setup is untouched and worked (and also will still work) with the RasPi as client?
Client WG setup is double-checked, correct, and handshakes are successful?
Yes to all. Now I have stopped running the WG client on the Raspberry.
Ok... but the Raspberry client has its own WG configuration, e.g. a separate IP, and you did not try multiple connections with one and the same WG peer?
Quote from: tiermutter on November 23, 2023, 01:59:23 PM
Ok... but the Raspberry client has its own WG configuration, e.g. a separate IP, and you did not try multiple connections with one and the same WG peer?
I never use the Raspberry again. Too many devices. I want only one client. This is OPNsense, nothing else. The Raspberry has the same IP as OPNsense. But I don't use it. It is shut down. Is it better to create a separate WG client configuration file specific for OPNsense?
You can use the same config, but not at the same time.
When you told us you NOW stopped raspberry client, this means that you tried to establish multiple connections with one peer (and tunnel IP) with two devices. This won't work.
Now we can start testing from scratch since now WG client on OPNsense can work the first time.
Start and stop / restart your WG client on OPNsense and try a ping to 8.8.8.8 from OPNsense shell.
As I said, I assume that the VPS is untouched and everything works fine on this side!
Quote from: tiermutter on November 23, 2023, 02:24:01 PM
Start and stop / restart your WG client on OPNsense and try a ping to 8.8.8.8 from OPNsense shell.
I cannot ping. It gets stuck.
Ok, can you provide logs or something to prove that the WG connection is properly established?
Can you ping the WG server IP from OPNsense?
Quote from: tiermutter on November 23, 2023, 02:45:50 PM
Ok, can you provide logs or something to prove that the WG connection is properly established?
Can you ping the WG server IP from OPNsense?
Inside the VPS I cannot ping 10.217.30.2 <---- it is the WireGuard client IP of OPNsense.
I think the gateway does not change when I enable the VPN. Please look at the screenshot.
I am able to ping the WG server from OPNsense; I did ping 10.217.30.1.
It is still not proven that the connection is successfully established.
I do not use OPNsense as WG client, hence I don't know where to prove it... VPN/Diagnostics?
On WG server side (debian) there should be logs. As said, first we need to prove that WG itself is working.
Quote from: tiermutter on November 23, 2023, 02:58:32 PM
It is still not proven that the connection is successfully established.
I do not use OPNsense as WG client, hence I don't know where to prove it... VPN/Diagnostics?
On WG server side (debian) there should be logs. As said, first we need to prove that WG itself is working.
On the VPS there is a handshake.... in the OPNsense diagnostics there is no handshake.
Ok.
You did not ping from Sense to VPS. Try both again and make sure that the FW on each side allows pinging (ICMP).
Quote from: tiermutter on November 23, 2023, 03:13:14 PM
Ok.
You did not ping from Sense to VPS. Try both again and make sure that the FW on each side allows pinging (ICMP).
Debian is completely open and allows ping. From OPNsense I think it allows ping. I am NOT sure.
I will post 2 screenshots. One screenshot from the Debian WG server and a second picture from the OPNsense shell.
Both pings show results only for 8.8.8.8.
Quote from: novel on November 23, 2023, 02:32:00 PM
I cannot ping. It gets stuck.
Now ping works without any changes?
And traceroute from Sense to 8.8.8.8?
Quote from: tiermutter on November 23, 2023, 03:45:34 PM
Quote from: novel on November 23, 2023, 02:32:00 PM
I cannot ping. It gets stuck.
Now ping works without any changes?
And traceroute from Sense to 8.8.8.8?
Yes, I can ping both sides, but as I said I cannot ping the IP addresses of the WG server and client.
So traceroute 8.8.8.8 works only on the WG server. On OPNsense the results are very slow, but it works, very very slowly.
DON'T FORGET THAT I CANNOT PING.
I am wondering about this forum. There are so many users, but only two have tried to help me. So far we didn't solve the problem with the two guys. I hope to get an answer again.
So, am I a unique person who wants to set up a WireGuard server and client on OPNsense?
Either all users have successfully set up a WG client with an external VPN endpoint, or they don't care about my question.
Please, if someone knows and wants to help me, I am able to connect to my system with AnyDesk to check my firewall.
Please, I ask for help from anyone. I would like to solve this problem.
Thank you
Issue #1 is that no one will enter this thread with 66 posts because it is hard to get through.
Issue #2 is that this thread is very confusing. I was confused shortly after I entered, and somewhere Patrick mentioned that it is getting more and more complex. In other words: obviously there is no clear statement from you about what exactly should be achieved... and now Sense is WG client and server?
Issue #3 is that your answers often contain more or other information than needed. On a question about a traceroute you said "It's slow", without giving the needed information...
This is why this thread is not a pleasure, neither for us nor for you.
Maybe we should start from scratch in this thread and then step by step in your OPNsense config, also started from scratch...
Quote from: tiermutter on November 24, 2023, 11:26:47 PM
Issue #1 is that no one will enter this thread with 66 posts because it is hard to get through.
Issue #2 is that this thread is very confusing. I was confused shortly after I entered, and somewhere Patrick mentioned that it is getting more and more complex. In other words: obviously there is no clear statement from you about what exactly should be achieved... and now Sense is WG client and server?
Issue #3 is that your answers often contain more or other information than needed. On a question about a traceroute you said "It's slow", without giving the needed information...
This is why this thread is not a pleasure, neither for us nor for you.
Maybe we should start from scratch in this thread and then step by step in your OPNsense config, also started from scratch...
I have no problem starting a new question. Do you want me to start a new question with the same title, then all the screenshots from the setup? Is that enough?
You should describe in detail what you want to achieve and reset your config regarding routes, WG config + gateway, .... And then we can start from scratch.
It would be the simplest way, I think...
Quote from: tiermutter on November 25, 2023, 09:33:50 AM
You should describe in detail what you want to achieve and reset your config regarding routes, WG config + gateway, .... And then we can start from scratch.
It would be the simplest way, I think...
Could you check my first post? Is it enough? Do I have to reset the WG config and then start a new one together?
As said via PN, let's start from scratch.
You only want all traffic (from LAN) going through your VPN.
The VPN is WireGuard connected to your own server (Debian) on a VPS.
You removed all your WG and related configs from Sense, having only LAN and WAN working, correct?
Please also remove your FW rules and NAT regarding WG.
Please let us also know if IPv6 is configured and ready to use for WAN and LAN, if you intend to use v6. Do you? If yes, we will take care of that later.
Info for posterity: OP started a new thread, beginning from scratch here:
https://forum.opnsense.org/index.php?topic=37211.0
Quote from: netnut on November 17, 2023, 09:02:41 PM
Where can we find your lean-and-mean, just enough, easy configuration How-To? I'd really like to read it.
More than just awful documentation--it's that this is the de facto response to anyone willing to speak up about it.
It's FOSS; we get it. Unless we pony up the cost of support fees (should the option exist, as it does here), one should have reasonable expectations for forum response times, access to experts, etc.
With that aside, in what world does it make sense to ask users with problems they can't solve to revise product documentation? Beyond the simple fact that they're exceedingly unlikely to develop the software itself, surely those aren't the kind of technical experts you want authoring how-tos for the masses? ::)
I'm appreciative of the project and the active forums, but FFS the frequency of condescending rhetoric leaves a stain I can't be the first one to note.
Quote from: netnut on November 17, 2023, 09:02:41 PM
Where can we find your lean-and-mean, just enough, easy configuration How-To? I'd really like to read it.
Hey, that's my quote...
Could you please quote the full context / post I responded to? Condescending rhetoric is the last thing I was thinking of when reading the original message:
Quote from: frozen on November 17, 2023, 05:21:42 PM
There's very little support or documentation for any of us messing with external VPNs. I've been posting here looking for help for days now and rarely does anybody contribute.
OPNsense software is way overcomplicating things, as you've seen by simply trying to follow that selective routing guide; it should've been possible in less than half the steps. And once the guide is done and followed to the tee, they leave you completely dry with how to make use of it afterwards!
Quote from: netnut on December 09, 2023, 01:15:46 AM
Hey, that's my quote...
Could you please quote the full context / post I responded to? Condescending rhetoric is the last thing I was thinking of when reading the original message:
OP pasted a link to the OPNsense docs, says it could be half as long and twice as useful, and you essentially reply "ok where's your whiz-bang how-to if theirs sucks?"
This is, speaking from personal experience (https://forum.opnsense.org/index.php?topic=7379.msg62917#msg62917) and numerous observations in the 4 years since, the typical forum response to anyone critical of OPNsense documentation.
If it's not what you intended, well, I apologize on behalf of those who afforded that presumption.
I wonder why the OP has been editing every post with pictures on 13/12/2023.