OPNsense Forum

Hello!

For some reason I have to use a standalone Wireguard server located on a dedicated host in my LAN.
All the Wireguard peers should have access to all the LAN hosts and vice-versa.

I was able to set everything up in a NAT (Masquarade) mode, but I want all the peers to be "visible" and manageable by their Wireguard IPs inside the OPNsense. Thus I am trying to set up the Wireguard server without a NAT (Masquerading).

Unfortunately I can't figure out how to set up firewall and routing properly.

My network setup:

• LAN: 172.17.17.0/24
• DNS server: 172.17.17.2
• Wireguard server: 172.17.17.8
• Wireguard network: 172.17.21.0/24. The network itself is defined in the Wireguard config and does not exist as a VLAN or any other type of network in the OPNSense. This should be fine because Wireguard is a Level 3 protocol.

Steps I took:

• Installed and configured a Wireguard server on 172.17.17.8; enabled both net.ipv4.ip_forward=1 and net.ipv4.conf.all.proxy_arp=1 options. Masquerading is turned off (or rather it is not turned on).
• Configured a peer for the Wireguard server.
• Created a Port Forward rule to forward incoming connections from WAN port to the Wireguard server port.
• Created a Pass rule for the WAN interface to allow connections to the Wireguard port.
• Created two firewall rules for the LAN to allow traffic in the Wireguard network. For more details - see attached screenshot. I believe the last rule is not required. If so I will delete it later.

The results are: I can connect to the Wireguard server, but I cannot access any host in the LAN or Internet.
If I try to ping on make nslookup any host using 172.17.17.2 I get messages that these requests are blocked (see screenshot #2) by the Default deny rule which I don't understand because I have defined the Pass rules to allow this kind of traffic.

I appreciate any help how to make this setup working. I believe some firewall rules and/or routes are missing, but I can't figure what exactly is wrong.

I think you have an asymmetric routing situation. Your log screenshot appears to be showing DNS *responses* from 172.17.17.2 (port 53) back to 172.17.21.2, which are trying to go via the firewall (because presumably that's the detault route / gateway on the DNS server), but the requests from the client (172.17.21.2) to the DNS server would not have passed through the firewall, because your wireguard server has a local address on 172.17.17.0/24. The firewall can't track this, because it's only seeing half of the conversation.

You might be able to hack around this with static routes, but it'd probably be better if you could place the wireshark server on a dedicated subnet, separate from LAN, so both directions will always pass through the firewall.

Thank you very much for the suggestion!

I think I can do it. OPNSense is installed onto a VM so I can create another interface, assign a new network to it and move the Wireguard server into the new network.
A few questions about this setup:

• Should I enable DHCP on the new network?
• What firewall rules should I define?
• What will happen in case of IP address conflict? I.e. the Wireguard server will create a Peer with an IP which already exist in the new network?

I would expect that wireguard would be managing address assignment, so no need for DHCP, and there wouldn't be any non-wireguard hosts on that network, so nothing to conflict with...?

Just use the built in wireguard server of the OPNsense, it will cut down all complexity and fix all routing issues.

Except for the Wireguard server itself and the OPNSense, yes: there won't be any other non-Wireguard hosts in this network.
So technically there might be 1 interference: with the OPNsense. Because Wireguard doesn't know anything about it.

Regarding using a build in Wireguard server. I'd like to, but I can't: there is some specific software (like DPI or something) which should be running next to the Wireguard server.
Just to clarify: for now it is not installed and cannot interfere with the current setup.

Hmm. But before creating a new network: what about a hack with routes? What routes should I add to test if it works?

You'd probably need a static route on the firewall for 172.17.21.0/24 pointing to the wireguard server (172.17.17.8). That won't fix access to the DNS server, though, unless maybe you create a firewall rule on your LAN interface to allow destination 172.17.21.0/24 with "State Type" (under "Advanced features") set to "sloppy state". I'm not sure if that'll work, but it might. You might also need a sloppy rule for the other direction. Alternatively you could also add a static route on the DNS server, but then you'd have to do that on any LAN how that you need to be accessible from wireguard clients.

I got a little (partial) successes with the hack.

1. I have created a new Gateway in System -> Gateways -> Configuration pointing to 172.17.17.8 (Wireguard server)
2. I have created a new route in System -> Routes -> Configuration: to 172.17.21.0/24 via freshly created gateway.
3. In Firewall -> Settings -> Advanced I have enabled this option:
Bypass firewall rules for traffic on the same interface
This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.

After that I now have access to all the LAN hosts from the Wireguard! Yay!

Unfortunately I don't have Internet access from the Wireguard. I have created an outbound NAT for 172.17.21.0/24, but it didn't help...

Hmm.

• I have added a new virtual network interface and created a new dedicated network: 172.17.18.0/24 with static IPs.
• Created a Firewall rule to accept all from the new network in the Firewall -> Rules -> WG_IN_1 (new network name) section.
• Moved the VPN server there: 172.17.18.2
• Adjusted the Wireguard server IP to 172.17.18.254 and its Peer IP to 172.17.18.202 (inside wg0.conf)
• Changed Port Forwarding from WAN to 172.17.18.254
• Disabled previously created route and gateway

Unfortunately, it didn't work: I cannot access any hosts at all.
The same situation happens if I create a new gateway pointing to 172.17.18.254 and a route: to 172.17.18.0/24 via freshly created gateway.

The firewall is all green though: it shows connections, but no traffic flows...

I got both the Internet and LAN working, but I have no idea why is this working.
I was experimenting with NAT rules and accidentally mistyped IP: 127.17.21.0/21 instead of 172.17.21.0/24 and... it worked.
If I disable the rule - I loose the Internet connection for the Wireguard clients. If I enable it, the connection is back.

I don't know why: this rule doesn't make sense to me. Can anybody explain it?

I assume you mean 172.17, not 127.17...

172.17.21.0/21 would actually be 172.17.16.0/21, which encompasses 172.17.18.0/24. Is your wireguard server masquerading?

Edit: Scratch that - I just looked at the screenshot.

Looks like you have the source address inverted - why?

At first yes, I saw the typo: 127 instead of 172. Fixed it and the Internet gone... So I put it back - exactly as you can see on the screenshot and the Internet came back again.
That is why I am confused. It shouldn't work. It even makes no sense, but it works! And I don't know why.

No, my Wireguard server is not masquerading - that's the whole point of the setup.

See my edited post above (you read the original one too quickly:)

I was just experimenting with the rules: like just try everything one by one.
I cannot explain the logic behind this rule and it really confuses me.

So if you use the correct address for your WG network, and don't invert, does that work?

Nevermind. I have rebooted the OPNsense and everything went back to normal. I.e. the rule which makes sense now is working and I got the Internet and all access.

I really don't know what happened - cache maybe?

The configuration that works for me (maybe it will be useful for somebody):

• Set up the Wireguard server on a host inside the LAN with no masquerading. Enable net.ipv4.ip_forward=1 and net.ipv4.conf.all.proxy_arp=1 options. Make its IP static and remember it.
• Configure peers
• Create a Port Forward rule to forward incoming connections from WAN port to the Wireguard server port.
• Create a Pass rule for the WAN interface to allow connections to the Wireguard port.
• Create a Pass rule in the LAN firewall section to allow connections from the Wireguard network (i.e. source = Wireguard network)
• Go to Firewall -> Settings -> Advanced and enable "Static route filtering" setting
• Go to System -> Gateways -> Configuration and add a new gateway in the LAN interface with the priority less than WAN gateway and address pointing to the Wireguard server
• Go to System -> Routes and create a new route to Wireguard network address via freshly created Gateway
• Go to Firewall -> NAT -> Outbound. Set "Hybrid outbound NAT rule generation" mode and add a new rule: Interface = WAN; Source = Wireguard network
• Optional: I have also created a firewall alias for the Wireguard network - it looks better in my opinion...

@dseven, thank you very much for your help and advice!!!