I configured WireGuard in the past and it worked properly, but at some point, maybe I misconfigured something, and now the peers can't access the internet.
When I connect to the VPN, I can see the handshake in VPN>WireGuard>Diagnostics; the peers can also ping and access internal IPs, but they can't reach anything outside my LAN.
Another thing to mention is that I have an Unbound DNS Override (a custom domain redirection) configured and working with nginx, and it isn't working through the VPN.
I've tried to read the logs, but I can't find anything strange.
I'm quite new to OPNsense and this forum and maybe someone can help.
Thank you.
What does your network look like? What FW rules do you have configured? What do you mean by Unbound DNS Override working with nginx?
Quote from: CJ on January 04, 2024, 02:45:39 PM
What does your network look like? What FW rules do you have configured? What do you mean by Unbound DNS Override working with nginx?
My home network consists of 3 interfaces: WAN, LAN1 (192.168.1.XXX) and LAN2 (192.168.2.XXX).
I have a firewall rule in LAN1 and LAN2 that allows traffic between LAN1 and LAN2, and since WireGuard is configured so that peers have an IP like 192.168.10.XXX, there is a similar firewall rule with only the source changed.
I attach some pictures below:
LAN1
(https://i.ibb.co/ph99rwT/imagen.png)
LAN2
(https://i.ibb.co/4tSLNwM/imagen.png)
WireGuard
(https://i.ibb.co/Jpy6qhd/imagen.png)
Port Forward
(https://i.ibb.co/02CHtpS/imagen.png)
By Unbound DNS Override working with nginx, I mean that I run applications like docker portainer on 192.168.1.10:8080, and I've configured a custom domain home.com that redirects all traffic for home.com to my nginx, and nginx redirects docker.home.com to the docker host.
(https://i.ibb.co/ZzC1hGS/imagen.png)
To sum up the problem:
From LAN1/2 IP I can reach the WireGuard peer with IP 192.168.10.XXX.
From WireGuard peer with IP 192.168.10.XXX I can reach LAN1 and LAN2.
From WireGuard peer I can't reach any home.com domain (but I can reach the IP hosts because they are in LAN1 or 2).
From WireGuard peer I can't reach google.com.
Did you create the WireGuard interface? It's needed to create the "Automatic outbound NAT rule".
Quote from: vik on January 04, 2024, 09:52:25 PM
Did you create the WireGuard interface? It's needed to create the "Automatic outbound NAT rule".
Thank you, it partially solved my problems. I've followed this guide https://docs.opnsense.org/manual/how-tos/wireguard-client.html and now I can access the internet, but the Unbound DNS Overrides are not working.
Any ideas?
Finally solved the Unbound DNS Overrides: on the client side I pointed the DNS to 192.168.1.1.
Hello.
After so much time I found that the main guide "WireGuard Road Warrior Setup" was not obvious to me at the point where I had a working VPN connection with a handshake and access to my LAN, but I could not ping an external address.
Short intro: there are two different tunnels:
- full-tunnel (which I get with lan and without internet)
- split-tunnel
To get the internet working I changed the client config file in this part:
[Peer]
AllowedIPs = 192.168.250.0/0
So I put the network mask of my internal LAN (behind NAT) to send all the client's requests to the 192.168.250.0/0 network through the WireGuard tunnel.
Hope I wrote it clearly, and sorry for mistakes, but I just wanted to save some (much) time for those who would like to enjoy WireGuard.
Sorry for the inconvenience in advance in case it is clear to all others, but I did not find working help for this particular case.
And if you are able to explain it in a better manner, please feel free to correct me or write it up fresh.
/0 effectively means 0.0.0.0/0, which means you merely set a default route for your traffic.
Cheers,
Franco
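The two posts above turn on how a WireGuard client interprets the AllowedIPs prefix: a /0 mask has no network bits, so 192.168.250.0/0 is the same route as 0.0.0.0/0 (full tunnel), whereas listing only the LAN prefixes (192.168.1.0/24, 192.168.2.0/24 in this thread) gives a split tunnel that sends internet traffic outside the VPN. The following is an added example, not code from the forum posts or from OPNsense; it uses only Python's standard library to normalise an AllowedIPs value the way WireGuard does and to show which destinations each variant would route into the tunnel. The sample AllowedIPs strings are constructed to match the thread.

```python
"""Classify a WireGuard [Peer] AllowedIPs value as split- or full-tunnel.

Added example (not from the OPNsense docs or the forum posts). Standard
library only. Sample values below are constructed to mirror the thread.
"""
from ipaddress import ip_address, ip_network


def normalize_allowed_ips(allowed_ips: str) -> list:
    """Parse a comma-separated AllowedIPs value into network objects.

    WireGuard masks the host bits of each entry, so a value such as
    192.168.250.0/0 has zero network bits and collapses to 0.0.0.0/0.
    strict=False reproduces that masking instead of raising ValueError.
    """
    return [
        ip_network(item.strip(), strict=False)
        for item in allowed_ips.split(",")
        if item.strip()
    ]


def is_full_tunnel(allowed_ips: str) -> bool:
    """True when the list contains a default route (0.0.0.0/0 or ::/0)."""
    return any(net.prefixlen == 0 for net in normalize_allowed_ips(allowed_ips))


def routed_through_tunnel(allowed_ips: str, destination: str) -> bool:
    """True when traffic to `destination` would be sent into the tunnel.

    This mirrors the client-side routing effect of AllowedIPs: a packet is
    sent to the peer only if its destination falls inside one of the listed
    prefixes of the same address family.
    """
    dst = ip_address(destination)
    return any(
        dst in net
        for net in normalize_allowed_ips(allowed_ips)
        if net.version == dst.version
    )


if __name__ == "__main__":
    # Constructed samples: the poster's value and a split-tunnel alternative.
    samples = {
        "poster's full tunnel": "192.168.250.0/0",
        "split tunnel (LAN1+LAN2)": "192.168.1.0/24, 192.168.2.0/24",
    }
    for label, value in samples.items():
        nets = ", ".join(str(n) for n in normalize_allowed_ips(value))
        print(f"{label}: AllowedIPs = {value} -> {nets}")
        print(f"  full tunnel: {is_full_tunnel(value)}")
        for dst in ("192.168.1.10", "8.8.8.8"):
            print(f"  {dst} via tunnel: {routed_through_tunnel(value, dst)}")
```

Running the script shows why the first poster had LAN access but no internet with a split-tunnel list (8.8.8.8 is not routed into the tunnel) and why the 192.168.250.0/0 entry worked: it normalises to a default route, exactly as Franco says, so every destination goes through the VPN and the firewall's outbound NAT rule for the WireGuard interface then carries it to the internet.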