OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: iwex on November 12, 2019, 07:12:13 pm

Title: Wireguard Gateway
Post by: iwex on November 12, 2019, 07:12:13 pm
Hi guys. I want to use a WireGuard gateway to redirect traffic using firewall rules and aliases. How should I create a new gateway for WireGuard? Maybe I forgot to add something to the firewall?
Here are my settings:
Server:
Code:
[Interface]
Address = 10.8.0.1/24
# Forward tunnel traffic and masquerade it out of the VPS public interface (eth0)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = XXX

[Peer]
PublicKey = XXX
# Only this client address is accepted from / routed to this peer
AllowedIPs = 10.8.0.2/32

Title: Re: Wireguard Gateway
Post by: mimugmail on November 13, 2019, 10:23:41 am
Why do you use iptables rules? Is OPN the server or the client?
Title: Re: Wireguard Gateway
Post by: iwex on November 13, 2019, 10:27:04 am
I have a WireGuard server on a VPS; I found these iptables rules in some guides. If I connect to this server from my own PC, ping to 10.8.0.1 is working, and all my traffic goes through WireGuard.
Title: Re: Wireguard Gateway
Post by: mimugmail on November 13, 2019, 10:30:50 am
You only need an assigned gateway if OPNsense is configured as client.
Just follow this guide:

https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Title: Re: Wireguard Gateway
Post by: iwex on November 13, 2019, 10:38:52 am
I saw that guide, but it doesn't help. That guide is a bit old because gateway IP "dynamic" is not working.
Title: Re: Wireguard Gateway
Post by: mimugmail on November 13, 2019, 10:53:27 am
Again, you don't need a gateway, just don't go through this step.
Title: Re: Wireguard Gateway
Post by: iwex on November 13, 2019, 11:06:24 am
I need a gateway to specify it in Firewall Rules https://i.imgur.com/0jOzNit.png
Title: Re: Wireguard Gateway
Post by: mimugmail on November 13, 2019, 11:25:45 am
I don't get it, when OPN is your server, why do you need routing rules? This doesn't make sense ..
Title: Re: Wireguard Gateway
Post by: iwex on November 13, 2019, 11:33:42 am
No, OPNsense is client. I have a server on some VPS
Title: Re: Wireguard Gateway
Post by: mimugmail on November 13, 2019, 11:53:42 am
Then you need to set "Disable Routes" in the local instance, hit Advanced and put in the gateway field the IP address of your VPS service. Then you can assign a gateway and add policy routes.
Title: Re: Wireguard Gateway
Post by: iwex on November 13, 2019, 02:33:43 pm
Wow, thank you! I didn't see the Advanced button  :-[
Title: Re: Wireguard Gateway
Post by: mimugmail on November 13, 2019, 04:14:09 pm
I had to hide it because the chances are high everyone puts in some value there without reason ;)
Title: Re: Wireguard Gateway
Post by: Voodoo on July 09, 2020, 06:58:58 pm
@mimugmail I'm having the same issue with WireGuard and can't get it solved. I hope you have some time and can take a look at my config.

I'm trying to route a single host of my LAN (192.168.1.170) over a WireGuard VPN.

I've set up the WireGuard connection, OPNsense as client, added outbound NAT and a gateway redirect for the local client, created firewall pass rules.

Everything seems fine as I can ping the WireGuard gateway from my local LAN client. So NAT and gateway redirect are working.

But any other request to the public WAN does not route over the gateway. Only when I set allowed IPs to 0.0.0.0/0, but then everything is routed over the gateway, not just the single host.

WG Gateway: 10.127.127.1/24
OpnSense WG Client: 10.127.127.2/24
Local Client: 192.168.1.170/24 ( should route over WG Gateway )

Ping from 192.168.1.170 -> 10.127.127.1 works (NAT translation from 192.168.1.170 to 10.127.127.2)
Ping from 192.168.1.170 -> 1.1.1.1 (public WAN) is stuck, the WireGuard gateway does not receive any packet.

It seems like I'm missing something with the WireGuard configuration.

Every interface has a pass any rule for testing.

Please advise.

https://i.imgur.com/V26UTDK.png
Title: Re: Wireguard Gateway
Post by: mimugmail on July 09, 2020, 08:05:29 pm
You have to disable adding routes, assign the interface, add a gateway, do PBR for the single client. Just search the forum, plenty of questions asked and answered.
Title: Re: Wireguard Gateway
Post by: Voodoo on July 09, 2020, 08:31:43 pm
That's exactly what I did, it can be seen in the screenshots.

I will try to continue searching other threads..
Title: Re: Wireguard Gateway
Post by: mimugmail on July 09, 2020, 09:15:13 pm
If you tick "Disable Routes", why should all traffic go through WireGuard?
Title: Re: Wireguard Gateway
Post by: Voodoo on July 09, 2020, 10:16:00 pm
I have no idea, but when I set allowed IPs to 0.0.0.0/0 on the endpoint and restarted the WireGuard service, all interfaces went down, nothing was able to ping. So it interfered with everything. I had to revert the allowed IPs setting and do a state reset. Nothing else was changed.

I read some other threads and they set allowed IPs to 0.0.0.0/0, so I'm sure this is the problem I'm facing with WireGuard. That's the reason no traffic is routed through the VPN from my local client. Is my assumption right? I could not find any other clue. I mean I can ping the gateway from my local client, NAT and PBR are working fine, it's just that other traffic is never received at the gateway, so OPNsense seems not to route it.

I will try this again tomorrow when I have some time to actually debug the outage. I had to revert the change immediately without taking a look.
Title: Re: Wireguard Gateway
Post by: Voodoo on July 11, 2020, 12:24:55 pm
Really strange, I tried again this morning, was prepared for another outage. But it worked this time, my client is routed over the gateway now, everything works...

The only thing changed is allowed IPs to 0.0.0.0/0, like before.
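The two behaviours this thread keeps bumping into (mimugmail's "Disable Routes, add gateway, policy route" recipe and Voodoo's ping-to-the-gateway-works-but-1.1.1.1-stalls symptom) both come down to what AllowedIPs means on a WireGuard client. Below is an added example, not code from the thread, from OPNsense or from the WireGuard project: a small checker that replays WireGuard's cryptokey-routing lookup for an outbound destination and flags the case where 0.0.0.0/0 with routes still enabled would become a default route for the whole firewall. The sample configs, the `vps.example.net` endpoint and the `XXX` keys are constructed placeholders; `pbr_commands` emits the Linux iproute2 analogue of OPNsense's gateway-plus-firewall-rule policy route and is an assumption about the equivalent, not what OPNsense runs under the hood.

```python
"""Added example: checker for a WireGuard *client* config (not from the
thread, OPNsense or the WireGuard project). Two facts it demonstrates:
(1) cryptokey routing: an outbound packet goes to the peer whose
AllowedIPs has the longest match for the destination and is dropped when
no peer matches, so with AllowedIPs = 10.127.127.0/24 a ping to
10.127.127.1 works while 1.1.1.1 never leaves the box, whatever the
policy route says; (2) with routes enabled (OPNsense "Disable Routes"
unticked, wg-quick without `Table = off`) AllowedIPs = 0.0.0.0/0 becomes
a default route for the whole firewall, not a policy route for one host."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Section = Dict[str, List[str]]

# Constructed sample: OPNsense-as-client with AllowedIPs limited to the tunnel net.
NARROW = """
[Interface]
Address = 10.127.127.2/24
PrivateKey = XXX
Table = off

[Peer]
PublicKey = XXX
Endpoint = vps.example.net:51820
AllowedIPs = 10.127.127.0/24
"""
# Constructed: AllowedIPs opened up but route installation left enabled.
FULL_ROUTES_ON = NARROW.replace("Table = off\n", "").replace(
    "AllowedIPs = 10.127.127.0/24", "AllowedIPs = 0.0.0.0/0, ::/0")
# Constructed: the working shape, 0.0.0.0/0 *and* routes disabled.
FULL_ROUTES_OFF = NARROW.replace(
    "AllowedIPs = 10.127.127.0/24", "AllowedIPs = 0.0.0.0/0, ::/0")


def parse_wg(text: str) -> Tuple[Section, List[Section]]:
    """Minimal wg(8)-style parser. configparser does not fit: [Peer] repeats
    and AllowedIPs may be given several times or comma-separated."""
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].lower() == "peer":
                peers.append({})
                current = peers[-1]
            else:
                current = interface
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        # Only list-valued keys are comma-split; PostUp etc. keep their text.
        values = [v.strip() for v in value.split(",") if v.strip()] \
            if key in ("allowedips", "dns") else [value]
        current.setdefault(key, []).extend(values)
    return interface, peers


def select_peer(peers: List[Section], dst: str) -> Optional[int]:
    """Longest-prefix match over every peer's AllowedIPs, as the WireGuard
    kernel module does for outbound traffic. None means no peer is allowed
    to carry this destination, so the packet is dropped at the interface."""
    addr = ipaddress.ip_address(dst)
    best_len, best_peer = -1, None
    for idx, peer in enumerate(peers):
        for cidr in peer.get("allowedips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best_len, best_peer = net.prefixlen, idx
    return best_peer


def installs_default_route(interface: Section, peers: List[Section]) -> bool:
    """True when route installation is on and a peer carries 0.0.0.0/0 or
    ::/0: the tunnel then replaces the box's WAN default route (the outage
    described in the thread) instead of steering one LAN host."""
    if interface.get("table", [""])[0].lower() == "off":
        return False
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0
               for p in peers for c in p.get("allowedips", []))


def diagnose(text: str, probe: str = "1.1.1.1") -> List[str]:
    """Findings to clear before adding the policy route for a single host."""
    interface, peers = parse_wg(text)
    findings: List[str] = []
    if select_peer(peers, probe) is None:
        findings.append(f"no peer AllowedIPs covers {probe}: WireGuard drops "
                        "it before any policy route can help")
    if installs_default_route(interface, peers):
        findings.append("0.0.0.0/0 with routes enabled: whole-box default "
                        "route via the tunnel; set Disable Routes / Table = off")
    return findings


def pbr_commands(ifname: str, host: str, table: int = 51820) -> List[str]:
    """Assumed Linux iproute2 analogue of 'assign gateway, policy-route one
    LAN host' (OPNsense does this with pf behind its gateway object). Only
    `host` is steered into the tunnel; the main table keeps its WAN route."""
    return [
        f"ip route add default dev {ifname} table {table}",
        f"ip rule add from {host}/32 lookup {table} priority 1000",
        f"iptables -t nat -A POSTROUTING -s {host}/32 -o {ifname} -j MASQUERADE",
    ]


if __name__ == "__main__":
    for name, conf in (("narrow", NARROW), ("routes-on", FULL_ROUTES_ON),
                       ("routes-off", FULL_ROUTES_OFF)):
        print(name, diagnose(conf) or ["ok"])
    print("\n".join(pbr_commands("wg0", "192.168.1.170")))
```

Run as-is, the "narrow" config reports the dropped 1.1.1.1 probe, "routes-on" reports the default-route takeover, and "routes-off" is clean, which is the combination that finally worked in the last post: 0.0.0.0/0 in AllowedIPs so the peer may carry any destination, route installation disabled so only the policy rule decides who uses it.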