Hi,
I have just installed the new version of OPNsense 24.7_9 and established I-Net connection and even set up Nord VPN as per Nord instruction on their site. All outgoing connections over VPN are fine.
Now, I want to access the FW from the Web. As a newbie I'm not even able to find the WAN IP from the provider to check if it works. I also have a domain name from my I-Net provider myname.domain.xy (xy=country code). The access does not work. I wanted to try via IP but don't know where to find it.
I need to know how to set the rule to access the Web IF. (see screenshot)
And how to set up Dynamic DNS. Especially what host name and what protocol, as service I chose custom.
On my Vilfo router I just had to put the domain name, no user name or password was necessary.
I did both but probably wrong.
Thanks!
Do not do this.
So doing this if you don't know what you're doing is asking for trouble.
I have access to it via WireGuard and keep my dynamic IP updated with no-ip via os-ddclient (Custom Service: DynDNS 2).
There is currently a bug in OPNSense 24.7 that does not show the PPPOE public WAN IP address properly but Google can help with finding that (and the bug does not affect DDNS which still detects the proper public WAN IP).
Also, I have TOTP setup for login to the web interface.
If you setup WireGuard properly there are no additional firewall rules needed to allow web interface access (besides the single WireGuard port).
And for the love of God please delete the rule you've applied to the firewall to allow port 80 access from the WAN (if you don't know why this is an issue please consider another product - perhaps FireWalla)!
Thank you guys!
The rule is disabled.
Well, I don't care how I can access the FW from outside, the more secure the better, of course. Will look to the Wireguard tutorials. But I can imagine I need the IP address, which I don't see now, because all traffic goes through Nord VPN.
I have installed os-ddclient, but not sure if it is set up properly, since I couldn't access the FW via WAN IF. But it is needed for Wireguard, I guess.
Please help me with it, because I will need to leave the location in a couple of days and it should work until then, otherwise I have to return (again) to Vilfo, which is still there as backup.
Thanks again!!!
Because you have now setup your router with your new provider, your public IP address from your ISP will be on the wan interface now. Interfaces > Overview will show it.
The VPN tunnel will not change that.
To manage your firewall from another network regardless of the VPN tunnel whether is up or not, you would create a separate VPN tunnel with the public ip ie WAN from your isp being the endpoint or peer in wg parlance.
This is where a dynamic dns setup comes into play. You get one and can be a free one and use the dynamic dns client on OPN so that the dns entry gets updated if/when your public ip (again from your ISP) changes. Then your VPN client on your device external to OPN gets setup with that dns as the endpoint.
Thanks a lot @cookiemonster!
Now I know how to see my external IP - check on that. (a lot of stuff to learn :o)
I have a domain name from my I-Net provider. Can I use that one? If yes, how?
if not how to set up OPN dyndns.
In the online manual are different scenarios for Wireguard.
In a next step, I will do site-to-site, because I will install OPN on the FW in the location A too, end of next week. But before, I just need to have access somehow to this FW in location B, from the internet.
Is there maybe a good vid or instruction, how to set it up properly to access via WG Client?
> I have a domain name from my I-Net provider. Can I use that one? If yes, how? if not how to set up OPN dyndns.
https://docs.opnsense.org/manual/dynamic_dns.html
> Is there maybe a good vid or instruction, how to set it up properly to access via WG Client?
https://docs.opnsense.org/manual/vpnet.html
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Quote from: cookiemonster on August 02, 2024, 12:22:39 PM
> I have a domain name from my I-Net provider. Can I use that one? If yes, how? if not how to set up OPN dyndns.
https://docs.opnsense.org/manual/dynamic_dns.html
Hi, I've been through this. I can see the ddclient as green in the dashboard. Still, I don't know if it is configured properly, since I don't know which protocol I should use. I chose "none", as server and host I put myname.domain.xy. No password, no user. According to my provider, as soon as I activate the DDNS on their side in my account everything is done. So maybe I don't even need a client on the FW?
However, I can not connect with a WG client from my smartphone.
Quote from: cookiemonster on August 02, 2024, 12:22:39 PM
> Is there maybe a good vid or instruction, how to set it up properly to access via WG Client?
https://docs.opnsense.org/manual/vpnet.html
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
As I said, first I need to connect via a WG client to the FW/network, to be sure I can access it somehow. Site-to-site will follow as soon as I'm in location A and set up OPNsense there.
So how to connect via App on Smartphone or other PC (Linux, Mac) from the internet?
With Vilfo I've used OpenVPN.
> So how to connect via App on Smartphone or other PC (Linux, Mac) from the internet?
what about the next chapter on the same manual: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Unless I'm misunderstanding your question.
If the peer you want is an app, I can't help.
Quote from: cookiemonster on August 02, 2024, 04:57:28 PM
If the peer you want is an app, I can't help.
Yes, I need a connection via an App, for the time being because I need to have a remote access in order to configure later site-to-site, from another location.
It is simply frustrating. The manual does not match the GUI of the new version at all! Neither for WireGuard, nor for OpenVPN. All tutorials on YT are for the older GUI. How can one release such a change without adjusting the manual??
I have tried with OpenVPN,
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
On the last step adding a SSL server, the created server certificate as per manual is not accepted because
"Certificate SSLVPN Server Certificate is not intended for server use." >:(
> Yes, I need a connection via an App, for the time being because I need to have a remote access in order to configure later site-to-site, from another location.
An app is not magically going to be configuring OPN on the inside. It's just a UI, a front end that is more appealing perhaps. In other words you must configure the tunnel somehow first, app or otherwise.
Perhaps you imagine a VPN tunnel as an equivalent to an RDP or VNC connection. It isn't. Instead it can only reach the networking elements that it is configured to, not -all- by default.
Perhaps this helps: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
Quote from: cookiemonster on August 02, 2024, 06:13:21 PM
An app is not magically going to be configuring OPN on the inside.
Sure, this is not my expectation. What I meant by "via app" was a client-server connection not a server-server, respectively site-to-site connection. Because I don't have the other server yet. If this will work, we will see.
Quote from: cookiemonster on August 02, 2024, 06:13:21 PM
Perhaps this helps: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
I followed these steps already, like in the OPNsense manual. When scanning the QR code I get an error message. Both with the domain name and public IP address. So it is the setting that is wrong or a bug or I don't know what. Maybe I made a mistake, but how to check when the manual does not match the new version of the software???
Unfortunately I can not see the whole message on the phone and it disappears after 2 seconds.
wg has no concept of client-server, both are peers. It's the setup of each peer that creates the behaviour.
Are you able to use a computer/laptop instead of a phone? That way the generated configs can be more easily observed. Otherwise with phones, I don't have much of an idea.
I use android and can see the settings on the app for it, as well as on a laptop. However I didn't use QR codes at the time I set them up, sorry.
I'm aware about the peer concept, therefore I didn't use the term CS, but "by app" to make clear, that I don't want (can't) connect two FW/Router.
I can use a PC (Linux or Mac) via phone/hotspot to access the FW from outside.
I don't know what is easier, WG or OpenVPN. Will probably do it with the Mac, since it easier to install and set up the apps.
The problem is, that I can't set up the OpenVPN server, even with following the manual.
Is nobody out there who was able to connect to the new version?????
well I got all confused now.
You can access the OPN firewall from the inside, right? And now want to setup a VPN so you can connect to "it" when away, correct?
The "it" is important here. Normally the VPN is used to connect to "it" to reach the network inside it, i.e. the LAN from the WAN. Connecting to the firewall itself, like for managing it, needs additional steps.
The links I shared although a little old should have the additional steps, which normally mean "allow all ips".
WG is easier than OpenVPN by the way.
Start by setting up the ddns please.
Quote from: cookiemonster on August 04, 2024, 12:25:01 AM
well I got all confused now.
You can access the OPN firewall from the inside, right? And now want to setup a VPN so you can connect to "it" when away, correct?
Exactly! (was my post so confusing?)
Quote
The "it" is important here. Normally the VPN is used to connect to "it" to reach the network inside it, i.e. the LAN from the WAN. Connecting to the firewall itself, like for managing it, needs additional steps.
The links I shared although a little old should have the additional steps, which normally mean "allow all ips".
WG is easier than OpenVPN by the way.
I followed the (awful) tutorials and set up both OpenVPN and WG in the FW again.
OpenVPN a) with OpenVPN Connect on Android device: Error Message: "Select Certificate. This profile does not include certificate. Continue with connecting without a certificate or select one from Android keychain?"
Attached the config file that I have exported from the FW and imported to the Client on the phone. Note, I have added <ca></ca> manually, since it was not there, and in the config for the Vilfo Router, that works, these are there. It didn't work without either.
b) With Tunnelblick App on Mac, please see log file attached.
Wireguard from Mac with the Wireguard App, followed this tutorial first:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
but at Step 6, surprise!
Quote
Client configuration is largely beyond the scope of this how-to since there is such a wide array of possible targets (and corresponding configuration methods)
You don't say.
Ok, keep calm I thought, and continued with:
https://wireguard.how/client/macos/
It starts with:
Quote
In this tutorial, we setup a WireGuard client on macOS. Before following this tutorial, you should already have a working WireGuard server running. Install the WireGuard app for macOS.
OK, clicked on https://wireguard.how/server/
But there is no guide for Mac there! Really? This is just a big b***hit.
But even going forward with the client config
sudo wg show wg0
command not found: wg
I wanted to install the tools (found that on the I-net) with
sudo install wireguard-tools
Didn't work.
usage: install [-bCcpSsv] [-B suffix] [-f flags] [-g group] [-m mode]
[-o owner] file1 file2
install [-bCcpSsv] [-B suffix] [-f flags] [-g group] [-m mode]
[-o owner] file1 ... fileN directory
install -d [-v] [-g group] [-m mode] [-o owner] directory ...
Quote
Start by setting up the ddns please.
I guess, it is done. For now I'll try it with the public IP, if that works I will look to ddns again. According to my I-Net provider they are managing the binding to the IP, so nothing is required. Let's see this later.
What next?
What I don't understand with WG is: do I need a Server and a Peer on both sides, FW and MAC (or other OS)?
Quote
WG is easier than OpenVPN by the way.
....
So far, I wouldn't use the word easy for either of them :-\
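The OpenVPN Connect message quoted earlier in this post ("This profile does not include certificate") is what a client shows when the exported .ovpn carries no inline <cert>/<key> blocks and no auth-user-pass directive, and an empty <ca></ca> added by hand does not help. The following is an added example, not code from the thread or from the OPNsense project: a small Python checker that parses an .ovpn profile and reports which pieces are missing before you import it into a phone or Tunnelblick. The two profiles are constructed samples; the PEM body inside them is a placeholder, and the hostname and port follow the thread (myname.domain.xy, UDP 1194). It does not inspect certificate purpose, so the server-side "not intended for server use" error is out of its scope.

```python
"""Check an exported OpenVPN client profile (.ovpn) for the pieces a
client app needs before it can even attempt a connection."""
import re

# <tag> ... </tag> inline blocks as used by OpenVPN profiles (ca, cert, key,
# tls-auth, tls-crypt). Bodies may be empty, e.g. a hand-added <ca></ca>.
INLINE_BLOCK = re.compile(r"<(?P<tag>[\w-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)

# Constructed sample: a complete profile (PEM bodies are placeholders).
GOOD_PROFILE = """
client
dev tun
proto udp
remote myname.domain.xy 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAbody
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBplaceholderClientCertBody
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEplaceholderClientKeyBody
-----END PRIVATE KEY-----
</key>
"""

# Constructed sample modelled on the thread: no cert/key, empty <ca></ca>.
BAD_PROFILE = """
client
dev tun
proto udp
remote myname.domain.xy 1194
<ca></ca>
"""


def parse_ovpn(text):
    """Return (directives, blocks): directives is a list of (name, [args]),
    blocks maps inline tag name -> body text."""
    blocks = {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(text)}
    directives = []
    for raw in INLINE_BLOCK.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def remote_endpoints(text):
    """List the (host, port, proto) the client will try; defaults follow
    OpenVPN's own: port 1194 and the global 'proto' directive (udp)."""
    directives, _ = parse_ovpn(text)
    default_proto = next((a[0] for n, a in directives if n == "proto" and a), "udp")
    out = []
    for name, args in directives:
        if name == "remote" and args:
            port = int(args[1]) if len(args) > 1 else 1194
            proto = args[2] if len(args) > 2 else default_proto
            out.append((args[0], port, proto))
    return out


def check_ovpn(text):
    """Return human-readable findings; an empty list means the profile has
    everything a client app needs to start a handshake."""
    directives, blocks = parse_ovpn(text)
    names = {n for n, _ in directives}
    findings = []
    for tag in ("ca", "cert", "key"):
        if tag not in blocks and tag not in names:
            findings.append(f"no <{tag}> inline block and no '{tag}' file directive")
    if "cert" not in blocks and "cert" not in names and "auth-user-pass" not in names:
        findings.append("client presents neither a certificate nor a username/password")
    if "ca" in blocks and "BEGIN CERTIFICATE" not in blocks["ca"]:
        findings.append("<ca> block contains no PEM certificate (empty placeholder?)")
    if not remote_endpoints(text):
        findings.append("no 'remote' directive: the client has no server to reach")
    if "remote-cert-tls" not in names:
        findings.append("no 'remote-cert-tls server': server certificate purpose is not verified")
    return findings


if __name__ == "__main__":
    for label, prof in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, "->", check_ovpn(prof) or "OK")
```

Run it against the file you exported from OPNsense before importing it anywhere: each finding names the exact block or directive to add on the server-side export.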
I can't help with MacOS for the moment.
Let's stick with WG.
At step 6 you use wg-tools on your MacOS. Are you able to get here? Are you able to stay on IPV4 only?
If yes, we just need to let you know which keys go where. Because of their shared names "public key", "private key", it might make it unclear which one goes where.
Quote from: tim777 on August 04, 2024, 06:18:10 AM
It starts with:
Quote
In this tutorial, we setup a WireGuard client on macOS. Before following this tutorial, you should already have a working WireGuard server running. Install the WireGuard app for macOS.
OK, clicked on https://wireguard.how/server/
But there is no guide for Mac there! Really? This is just a big b***hit.
Of course you need to have a working WG server running - on your OPNsense! - to use the app for the Mac. Nowhere does this statement imply you need a server for the Mac.
Quote from: Patrick M. Hausen on August 05, 2024, 07:08:30 AM
Of course you need to have a working WG server running - on your OPNsense! - to use the app for the Mac. Nowhere does this statement imply you need a server for the Mac.
That's what I thought too. Meanwhile nothing is sure to me, if it is not explicitly mentioned in the manual, after such experiences.
Also I have no experience with WG at all.
Thanks, I will try again,
but ....
Quote from: cookiemonster on August 04, 2024, 11:33:42 PM
I can't help with MacOS for the moment.
Let's stick with WG.
At step 6 you use wg-tools on your MacOS. Are you able to get here? Are you able to stay on IPV4 only?
If yes, we just need to let you know which keys go where. Because of their shared names "public key", "private key", it might make it unclear which one goes where.
No, I'm not able to install wg-tools, as described in the messages above. Since this is a business administrated Mac (but I'm local admin), I don't know if I can disable IP6, but afaik we are on IP4.
WireGuard for MacOS is on the App Store:
https://www.wireguard.com/install/
Quote from: Patrick M. Hausen on August 05, 2024, 08:53:09 AM
WireGuard for MacOS is on the App Store:
https://www.wireguard.com/install/
What do you think I have been doing all the time ;)?
See first post on this page:
Quote
Wireguard from Mac with the Wireguard App
followed this tutorial first:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
but at Step 6, surprise....
I have manually configured the WG connection in the app like suggested in the manual as a common config. See attached image.
But I can not get a connection neither to the OPNsense FW nor to any device on the LAN, when the WG connection is activated (Mac connected to the internet via mobile phone hotspot). There is a green light with the connection. Interesting that I can not connect to the internet either!
So, what I think is, that the connection is actually established, but some configs in the FW are not ok??
On OPNsense,
- do you have a firewall rule on WAN permitting 51820/UDP to "WAN address"?
- do you have a firewall rule on the "WireGuard" interface group (or an assigned interface if you did that) with "allow * *"?
Quote from: Patrick M. Hausen on August 05, 2024, 11:13:13 AM
On OPNsense,
- do you have a firewall rule on WAN permitting 51820/UDP to "WAN address"?
Nope, because there is nothing about it in the manual. Only UDP to 1194 and 1412.
Quote
- do you have a firewall rule on the "WireGuard" interface group (or an assigned interface if you did that) with "allow * *"?
yes, I have a dedicated interface with a rule that allows all IP4 traffic. see screenshot.
Quote from: tim777 on August 05, 2024, 12:35:10 PM
Quote from: Patrick M. Hausen on August 05, 2024, 11:13:13 AM
On OPNsense,
- do you have a firewall rule on WAN permitting 51820/UDP to "WAN address"?
Nope, because there is nothing about in the manual. Only UDP to 1194 and 1412.
1194 is OpenVPN. If your WG client should be able to contact the WG server, you need to permit that traffic. By default everything coming towards your OPNsense from outside on WAN is denied. So you need that rule.
Source: any/*
Destination: WAN address
Destination port: 51820
Protocol: UDP
Action: allow
HTH,
Patrick
Quote from: Patrick M. Hausen on August 05, 2024, 01:16:37 PM
Source: any/*
Destination: WAN address
Destination port: 51820
Protocol: UDP
Action: allow
HTH,
Patrick
OK, that was a mistake, instead of 51820 I have copied the (MTU) 1412 as destination port. Changed but still no access. When I connect, the app shows me that the interface is listening on 58240. I'm not sure if I noticed this before changing the FW rule. Means, the instance from the WG App is listening on 58240, right?
The main question remains, how I have configured the client ( see attached image before).
Thank you so far!
The firewall rule destination port must match the local port of the WG instance on OPNsense. The Mac side is covered by the "any" in the source address and port.
That's correct now, but still does not work
Does the OPNsense dashboard widget show an active handshake for the peer?
If not, please post the entire OPNsense side of the configuration minus private keys.
I didn't see anything like this in the dashboard. I have added the Wireguard widget but there is a flat line, so I guess no handshake?
Did you maybe mean something else in the dashboard?
I mean what is shown if a WG connection is successfully established. See screen shot. So your Mac is not (yet) connected at all. Something seems to be wrong on the OPNsense side, still.
Please post your firewall rule on WAN that should permit the WG traffic and all WG configuration on OPNsense with erased private keys.
attached screenshots in addition to the FW rule for WAN already posted.
Please tell me if I missed something.
thanks for stepping in Patrick.
tim777 - your WAN firewall rule. Missing here. Still on your very first post on the thread but can you double check.
You showed it all wrong for WG. That is a rule for port 80 and from what seems an internal alias, but you later wrote that you had followed the different docs and tutorials, so best to confirm.
Hi Cookiemonster,
You can find the screenshot on page 2 reply #26.
There is the WAN rule UDP to 51820.
This is not an alias, I just renamed WAN to WAN_Digi (later a second I-Net provider is planned as backup). Maybe I shouldn't have done this?
I saw that one and thought it couldn't be it. Why would you use that network as a source of traffic to allow?
It should be "any". Compare with the manual https://docs.opnsense.org/manual/how-tos/wireguard-client.html, step 5. In short, please review your rules. Right now that rule is not allowing the client to reach the FW.
now wait, my mistake. I was looking at #22 I think. Saw the correct #26 after. I'll check this again. Need to be in work meetings from now.
Quote from: cookiemonster on August 06, 2024, 11:23:24 AM
Need to be in work meetings from now.
I know, I know, this thing that holds us back from important things to do ;D
I can't see anything wrong with the rules. My guess then is we need to check your public keys are the right ones in the right place. But first let's also check if your client is reaching the FW from the outside. From the flatline in the widget it suggests either not or blocked, but the firewall rule seems fine.
Can you go to Firewall > Log files > Live view and filter with: port contains 51820 (or whatever port you have wg interface listening on); interface contains wg (whatever name you gave to your wg interface, it will appear in the dropdown). Enable "Select any of given criteria (or) ". For hits to leave a record, you need to have enabled logging on the WAN rule for wireguard.
Then try to connect from your client. If it is hitting, we shall see it here.
Also: are you sure the OPNsense WAN address is publicly reachable and not behind CGNAT?
If your WAN address starts with anything from 100.64. to 100.127. you cannot reach your OPNsense via IPv4.
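Three checks came up in this thread that are easy to get wrong by hand: the [Peer] Endpoint port in the client profile must equal the port the WAN rule allows and the listen port of the WireGuard instance on OPNsense (the 1412-for-51820 mix-up above), the [Peer] PublicKey on the client must be the OPNsense instance's public key rather than the client's own, and a WAN address inside 100.64.0.0/10 (CGNAT) is not reachable from the internet at all. The following is an added example, not code from the thread or from OPNsense: a Python script that parses a WireGuard-app/wg-quick profile and reports those inconsistencies. The profiles and the two keys are constructed dummies (the keys are just 32 fixed bytes, base64-encoded); the hostname follows the thread. It does no key derivation, so "right key in the right place" is checked against the instance public key you pass in, copied from the OPNsense instance page.

```python
"""Cross-check a WireGuard client profile against the OPNsense side:
WAN rule port == instance listen port == [Peer] Endpoint port,
[Peer] PublicKey == OPNsense instance public key, no CGNAT endpoint."""
import base64
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space

# Constructed dummy keys: real keys are random 32-byte Curve25519 values.
CLIENT_PRIV = base64.b64encode(bytes(range(32))).decode()
OPNSENSE_PUB = base64.b64encode(bytes(range(32, 64))).decode()

# Constructed sample modelled on the thread: the MTU value 1412 ended up
# as the endpoint port instead of the instance's listen port 51820.
BROKEN_PROFILE = f"""
[Interface]
PrivateKey = {CLIENT_PRIV}
Address = 10.10.10.2/32
MTU = 1412

[Peer]
PublicKey = {OPNSENSE_PUB}
AllowedIPs = 0.0.0.0/0
Endpoint = myname.domain.xy:1412
PersistentKeepalive = 25
"""
FIXED_PROFILE = BROKEN_PROFILE.replace("domain.xy:1412", "domain.xy:51820")
CGNAT_PROFILE = BROKEN_PROFILE.replace("myname.domain.xy:1412", "100.70.1.2:51820")


def parse_wg_profile(text):
    """Return {"Interface": {key: value}, "Peer": [{key: value}, ...]};
    keys are lower-cased so 'PublicKey' and 'publickey' are the same."""
    sections = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            name = m.group(1).capitalize()
            if name == "Peer":
                current = {}
                sections["Peer"].append(current)
            elif name == "Interface":
                current = sections["Interface"]
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {line!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[key.lower()] = value
    return sections


def valid_wg_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def split_endpoint(endpoint):
    """'host:port' or '[v6addr]:port' -> (host, port)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"bad Endpoint {endpoint!r}")
    return host.strip("[]"), int(port)


def is_cgnat(host):
    """True only for a literal IPv4 address in 100.64.0.0/10; hostnames
    return False, resolve them first to know for sure."""
    try:
        return ipaddress.ip_address(host) in CGNAT
    except ValueError:
        return False


def check_profile(text, wan_rule_port, instance_listen_port, instance_pubkey):
    """Return human-readable findings; an empty list means consistent."""
    prof = parse_wg_profile(text)
    iface, peers = prof["Interface"], prof["Peer"]
    findings = []
    if not valid_wg_key(iface.get("privatekey", "")):
        findings.append("[Interface] PrivateKey is not a valid WireGuard key")
    if wan_rule_port != instance_listen_port:
        findings.append(f"WAN rule allows UDP/{wan_rule_port} but the instance listens on UDP/{instance_listen_port}")
    if not peers:
        findings.append("no [Peer] section: nothing to connect to")
    for n, peer in enumerate(peers, 1):
        pub = peer.get("publickey", "")
        if not valid_wg_key(pub):
            findings.append(f"[Peer {n}] PublicKey is not a valid WireGuard key")
        elif pub != instance_pubkey:
            findings.append(f"[Peer {n}] PublicKey is not the OPNsense instance's public key")
        if "endpoint" not in peer:
            findings.append(f"[Peer {n}] has no Endpoint; a roaming client must know where OPNsense is")
        else:
            host, port = split_endpoint(peer["endpoint"])
            if port != instance_listen_port:
                findings.append(f"[Peer {n}] Endpoint port {port} != instance listen port {instance_listen_port}")
            if str(port) == iface.get("mtu"):
                findings.append(f"[Peer {n}] Endpoint port equals the MTU value {port}: copy/paste mix-up?")
            if is_cgnat(host):
                findings.append(f"[Peer {n}] Endpoint {host} is a CGNAT address, unreachable from the internet")
        if not peer.get("allowedips"):
            findings.append(f"[Peer {n}] AllowedIPs is empty; nothing will be routed into the tunnel")
    return findings


if __name__ == "__main__":
    print("broken:", check_profile(BROKEN_PROFILE, 1412, 51820, OPNSENSE_PUB))
    print("fixed: ", check_profile(FIXED_PROFILE, 51820, 51820, OPNSENSE_PUB) or "OK")
```

Paste your own client profile in place of the sample and pass the port from the WAN rule, the listen port shown on the OPNsense instance, and that instance's public key; an empty result means the three places agree and the remaining suspects are the handshake itself (widget flat line) or traffic not arriving on WAN.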
Hi, the IP is reachable, I was able to connect to the Vilfo router. The provider comes even with a DDNS.
Thanks guys for your support! I need a solution until Friday evening, otherwise I have to switch back. Don't know if I will try again if it doesn't work.
I have also some other requirements, like site-to-site VPN, different device groups that should use different VPN connections, or go through the I-net provider, etc. If this supposedly easy task does not work, what to expect for the rest? I don't know if it's this new version or a general problem. It's my second attempt to use OPNsense.
While I'm not a FW specialist I'm still quite experienced with IT.
Could Pfsense be a better solution?
I know it's almost the same, but maybe more stable.
Regards
Use tcpdump to check if packets from your Mac arrive at the WAN interface ...
I have started the tcpdump.
But first I checked with the Network Analyzer App on my phone the public IP (from outside of my network).
Ping ok
Trace route gives results
Whois also gives information about the provider etc
but
Port scan = 0 open/all blocked???? That shouldn't be, since I have some rules on the FW.
Also I noticed under Interfaces/Overview that the igc0 IF (first physical port that is connected to the WAN/ONT) with an IPv6 address is not assigned. I have a WAN IF as PPPoE where I can see the public IP.