OPNsense Forum

English Forums => General Discussion => Topic started by: FredFresh on October 24, 2024, 06:42:16 PM

Title: Unbound dns through wireguard VPN
Post by: FredFresh on October 24, 2024, 06:42:16 PM
Hi,
After several tries and reading other forums, I am here to seek help.

I have a working WireGuard VPN connection and I would like to send through it anything coming out from the firewall. How should I proceed?

Following the official guide, I created what is needed to tunnel all the subnets, but everything that is managed directly by the firewall is left out, like the Unbound DNS requests to the authoritative DNS server.

I tried to change "Outgoing Network Interfaces" to only the VPN gateway, but it doesn't seem to work.

Thanks
Title: Re: Unbound dns through wireguard VPN
Post by: dseven on October 25, 2024, 10:12:10 AM
I assume you're using some VPN service, and want everything (all internet access) to go through it?

What "official guide" did you follow?
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on October 25, 2024, 10:18:18 AM
Hi, I used the official guide on opnsense webguide.

https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html
Title: Re: Unbound dns through wireguard VPN
Post by: dseven on October 25, 2024, 10:32:40 AM
In step 3, checking "Disable Routes" would prevent adding routes offered by the VPN provider to OPNsense's routing table, which is not what you want. I've not tried this setup myself, but if you're feeling brave, try unchecking that and see how it goes.
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on October 25, 2024, 11:24:49 AM
Thank you, I will try, but should I also add specific rules on the WAN interface and a NAT rule?
Title: Re: Unbound dns through wireguard VPN
Post by: dseven on October 25, 2024, 11:45:59 AM
I don't think you'd need any additional rules. Traffic from the firewall itself wouldn't need to be NAT'ed.

There may be other consequences of not disabling addition of routes - beware ;)
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on October 25, 2024, 12:22:09 PM
Previously I tried to create a rule on the WAN interface for outgoing connections to be redirected to the VPN gateway, but it wasn't working.

As you suggested, how does the system define how to route outgoing connections from the WAN towards the VPN gateway?
Title: Re: Unbound dns through wireguard VPN
Post by: dseven on October 25, 2024, 12:27:32 PM
You can't use a firewall rule to specify a gateway for traffic originating from the firewall itself. The firewall itself uses its routing table. When the VPN connection is established, it should add entries to the routing table, based on what routes the VPN server advertises, unless you tell it not to by checking that "Disable Routes" option... which is why I'm suggesting unchecking it.....
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on October 25, 2024, 05:27:23 PM
Hi @dseven, I disabled that flag, but the traffic from the firewall is still going through the WAN and the standard ISP connection.
Title: Re: Unbound dns through wireguard VPN
Post by: dseven on October 25, 2024, 08:43:57 PM
I assume you reconnected the VPN after changing that. It may be that your VPN provider doesn't advertise a default route, although that'd be a bit surprising....
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on October 25, 2024, 08:49:52 PM
The VPN gateway was marked as default, but nothing to do. I also restarted the firewall.
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on October 26, 2024, 01:27:26 PM
My configuration is basically the following:
3 VPNs with Proton;
1 gateway group with the 3 VPNs and the WAN as last;
the routing (NAT + firewall rules) is according to the OPNsense guide, but the destination is the gateway group, in order to have something similar to a multi-WAN system with automatic switching between the VPNs and the WAN (in case a gateway is offline, the next one is used).

This configuration works perfectly with the sub-LANs, but it doesn't with what exits from the WAN.

Was anyone able to route something going out from the WAN interface to the VPN gateways?
Thanks
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on October 26, 2024, 04:34:25 PM
Could someone kindly explain to me what steps I should implement to do this:

Assuming you have configured DHCP static mappings in OPNsense for the hosts using the tunnel, specify in that configuration either the DNS servers supplied by your VPN provider (see note below), or public DNS servers. This will override the network-wide DNS settings for those hosts

Configure public DNS servers for your whole local network, rather than local DNS servers

taken from https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (steps 3 and 4, to avoid a DNS leak)

thanks
Title: Re: Unbound dns through wireguard VPN
Post by: hushcoden on October 29, 2024, 10:46:27 AM
Quote from: FredFresh on October 26, 2024, 04:34:25 PM
Could someone kindly explain to me what steps I should implement to do this:

Assuming you have configured DHCP static mappings in OPNsense for the hosts using the tunnel, specify in that configuration either the DNS servers supplied by your VPN provider (see note below), or public DNS servers. This will override the network-wide DNS settings for those hosts

Configure public DNS servers for your whole local network, rather than local DNS servers

taken from https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (steps 3 and 4, to avoid a DNS leak)

thanks
Just go to Services -> ISC DHCPv4 -> LAN and either select a single host or the entire LAN and type your preferred DNS servers' IP addresses in the "DNS servers" option.
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on October 29, 2024, 11:08:33 AM
I do not understand how this could resolve the routing issue through the VPN.
That setting only specifies the external DNS IP... doesn't it?
Title: Re: Unbound dns through wireguard VPN
Post by: hushcoden on October 29, 2024, 11:13:41 AM
Quote from: FredFresh on October 29, 2024, 11:08:33 AM
That setting only specifies the external DNS IP... doesn't it?
I believe so
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on October 29, 2024, 11:18:10 AM
Today I will try again to set an outgoing rule from the WAN to redirect the DNS queries towards the VPN gateway.
It seems that the query is properly redirected, but I do not understand what is missing... should I create a NAT rule as done for the internal LAN towards the VPN gateway?
Title: Re: Unbound dns through wireguard VPN
Post by: FredFresh on November 24, 2024, 09:55:42 AM
@dseven thank you!
I had to change something, but finally I was able to route everything (in this case only the Unbound DNS was missing) through the VPN gateways.
To do so I had to set the VPN gateway as the default gateway, but the flags involved are two:
- system-configuration-VPN gateway- flag on "Upstream Gateway" (and set a priority number lower than WAN gateway)
- system-settings-general- flag on "Gateway switching"

This way the VPN gateways become eligible as default gateway and everything is routed through that.

From the previous configuration:
- kept the NAT rules for the VPN Gateways;
- removed the gateway group used to manage the multi-wan (now directly managed in the main gateway page);
- updated the internal subnets firewall PASS rules to the default gateway.

Please, if you think of any error/suggestion, let me know.
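An added verification check, written for this thread and not part of OPNsense or any poster's setup: a POSIX sh script that reads a routing table (here a constructed `netstat -rn -f inet` dump with hypothetical addresses; wg0, vtnet0, 203.0.113.5 and 192.168.1.254 are assumptions) and confirms what dseven pointed out, that firewall-originated traffic such as Unbound's upstream queries follows the routing table, so the default route must sit on the WireGuard interface while the tunnel endpoint itself keeps a host route via the WAN.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn -f inet` output on a FreeBSD/OPNsense box
# (hypothetical addresses: wg0 is the WireGuard instance, vtnet0 the WAN,
# 203.0.113.5 the VPN provider's endpoint, 192.168.1.254 the ISP gateway).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.2.0.1           UGS         wg0
10.2.0.0/24        link#5             U           wg0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U         vtnet0
203.0.113.5        192.168.1.254      UGHS      vtnet0'

# Interface (Netif column) that carries the route for destination $2 in the
# routing-table text $1; prints nothing when no such route exists.
route_iface_for() {
    printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { print $4; exit }'
}

# Interface that carries the IPv4 default route.
default_route_iface() {
    route_iface_for "$1" default
}

# Succeeds (exit 0) only when firewall-originated traffic, which follows the
# routing table rather than any policy-based firewall rule, leaves via a
# WireGuard interface AND the tunnel endpoint ($2) still has its own route on
# a different interface (the WAN), so the tunnel is not routed into itself.
firewall_egress_via_wg() {
    routes=$1
    endpoint=$2
    case "$(default_route_iface "$routes")" in
        wg*) ;;
        *) return 1 ;;
    esac
    ep_if=$(route_iface_for "$routes" "$endpoint")
    [ -n "$ep_if" ] && [ "$ep_if" != "$(default_route_iface "$routes")" ]
}

# Live use on the firewall: sh check.sh --live <vpn-endpoint-ip>
if [ "${1:-}" = "--live" ]; then
    firewall_egress_via_wg "$(netstat -rn -f inet)" "$2" \
        && echo "default route via WireGuard, endpoint via WAN" \
        || echo "firewall traffic NOT leaving through the tunnel"
fi
```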