OPNsense Forum

English Forums => Virtual private networks => Topic started by: FingerlessGloves on October 27, 2020, 07:43:32 pm

Title: Private Internet Access (PIA) WireGuard Guide/Script
Post by: FingerlessGloves on October 27, 2020, 07:43:32 pm
Hi Guys,

I've written a python script for OPNsense that allows you to use WireGuard and PIA's Next Gen servers.
The script will make sure your PIA wireguard tunnel is up and will change server if required as well.

Please see my Github page for the guide and the script.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

Any question just ask and any issues make an issue on Github.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Chrome on November 02, 2020, 08:53:05 pm
Awesome script! Worked like a charm! Keep up the good work!
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: rnaff on November 15, 2020, 03:02:02 am
Hey brother,

I'm trying to get your script running and I'm stuck at instruction #5.

I had copied the file over, ran chmod, restarted the service, and then ran debug but I got a bunch of errors and I thought it was because I didn't have the formatting correct on the file (edited it in wordpad) -- I deleted the PIAWireguard.py and got a proper file editor Notepad++, and have re-edited the file and uploaded it, ran chmod, and restarted the configd -- when I run debug, now I just get this error,

'command not found'.

thank you for providing this script -- I really hope I get it working soon =)
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: bigeazy000 on November 21, 2020, 10:30:18 pm
Hey Jonny, this script worked great, thanks!

Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: richardk3 on December 21, 2020, 04:19:13 pm
Thanks for all the work on this script!  I followed the instructions, and successfully established a VPN connection with PIA.  I also used this guide to restrict the VPN usage to certain nodes:

https://imgur.com/gallery/JBf2RF6

It worked for me...mostly...

But systems using this connection refuse to connect to certain destinations.  Notably, cnn.com doesn't work.  Also, my Docker containers don't update using Watchtower when using this connection. 

If I connect to PIA using PIA's client app (with Wireguard) on the same computers, everything works.  So something is different when I connect using Wireguard on OPNsense.

Any ideas? 
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: richardk3 on December 31, 2020, 02:04:36 pm
I noticed that a step had been added to the installation docs.  Doing this seems to have fixed the problems I was encountering. 

Code:
Last thing we need to set up is the maximum MSS for TCP packets, which is 40 bytes smaller than the MTU of WireGuard; by default WireGuard uses a 1420 byte MTU, so we need to set an MSS maximum of 1380. (Without this you may have issues loading websites or slow speeds.)
 Go to Firewall: Settings: Normalization
     1. Click Add
     2. Interface select "WAN_PIAWG"
     3. Enter Description of "Maximum MSS for PIA WireGuard Tunnel"
     4. Max MSS to "1380"
     5. Save (you will notice it'll now list this as OPT rather than the interface name, don't worry it's still correct, just edit it to verify you made the right selection)
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: thatguyyoulove on January 20, 2021, 04:31:27 am
Hey brother,

I'm trying to get your script running and I'm stuck at instruction #5.

I had copied the file over, ran chmod, restarted the service, and then ran debug but I got a bunch of errors and I thought it was because I didn't have the formatting correct on the file (edited it in wordpad) -- I deleted the PIAWireguard.py and got a proper file editor Notepad++, and have re-edited the file and uploaded it, ran chmod, and restarted the configd -- when I run debug, now I just get this error,

'command not found'.

thank you for providing this script -- I really hope I get it working soon =)

I ran into the same issue, then realized that it was due to Notepad++ using Windows-style line endings (CRLF) instead of Unix-style (LF). Changing the line endings inside of Notepad++ and re-uploading fixed the issue.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: dsfghjkl; on February 12, 2021, 12:42:31 pm
New to OPNsense but had no problem following along the guide and script and got the gateway online  :)   But then, the final step, Step 13 ... fail ... any clues on how to route all LAN traffic over the new wireguard gateway?  Googling just ends up with a spattering of pages that don't match the current version 21.1.1  :(
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: richardk3 on February 14, 2021, 02:09:19 pm
New to OPNsense but had no problem following along the guide and script and got the gateway online  :)   But then, the final step, Step 13 ... fail ... any clues on how to route all LAN traffic over the new wireguard gateway?  Googling just ends up with a spattering of pages that don't match the current version 21.1.1  :(

I followed this guide to set up the firewall rules, and it worked.

https://imgur.com/gallery/JBf2RF6

Hope this helps.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: kosta on February 16, 2021, 09:57:35 pm
Excuse my (un)knowledge, but how do I edit PIAWireguard.py? Using Notepad++ makes the file look very... odd.
I feel like the only idiot not being able to figure this out... sorry.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Greelan on February 16, 2021, 10:05:59 pm
Best to use a Python IDE. Google can give you options for your system
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: kosta on February 16, 2021, 11:09:04 pm
Well, I do have Visual Studio Code, because I use it for PowerShell, so I loaded Python in it (got it suggested), loaded the .py file and... what now? What I see on Github is a nice script where to enter data, and in VSC I see the pure code it seems. So yes, how do I edit that?

EDIT:
I managed to get it displayed in VSC properly, I don't really know how, but apparently downloading Github to the computer, then going through a couple of clicks and loading the .py files so, it displayed correctly and I was able to save it. Wanted to copy via WinSCP to /conf/ and I got access denied. Not keen on changing permissions on a firewall folder(s) so I think I'll leave it be or get a VPN service that natively works with OpenVPN or Wireguard, without having to go through such scripts, if there is any. I ain't married to PIA...
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: FingerlessGloves on February 19, 2021, 10:34:10 pm
Hi Kosta,

What account did you WinSCP with? It needs to be the root user.

I'll update the readme to cover editing the .py file and which user to use with WinSCP.

EDIT: Updated
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Learning on August 21, 2021, 08:30:09 pm

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

Any question just ask and any issues make an issue on Github.

**Looks around slowly and raises hand sheepishly after several months of inactivity in thread...**

I used this script to set up a PIA WG tunnel . Worked  great  ;D

Now I am hoping to set up multiple WG tunnels.
How would I go about this?  The idea is a tunnel for US & UK in addition to my existing tunnel.

If I run the primary script again, will it break the existing connection?  Do I need to go right back and create a new API for example, or can I start further along in the process?
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: FingerlessGloves on August 21, 2021, 09:02:27 pm
**Looks around slowly and raises hand sheepishly after several months of inactivity in thread...**

I used this script to set up a PIA WG tunnel . Worked  great  ;D

Now I am hoping to set up multiple WG tunnels.
How would I go about this?  The idea is a tunnel for US & UK in addition to my existing tunnel.

If I run the primary script again, will it break the existing connection?  Do I need to go right back and create a new API for example, or can I start further along in the process?

It's very simple to do  :)

Make a copy of your current PIAWireguard.py, name it something like PIAWireguard_US.py then edit the below variables

Code:
opnsenseWGName = "PIAUS"
opnsenseWGPort = "51816"
piaRegionId = "us_silicon_valley"
Very important to change the WGName and WGPort!


Then you'll also need to add some new entries to the actions file; you just need to add a new action for each region, example below:
"/usr/local/opnsense/service/conf/actions.d/actions_piawireguard.conf"

Code:
[piaWireGuardUS]
command:/conf/PIAWireguard_US.py
parameters: %s %s
type:script_output
message:Running PIA WireGuard US Script : /conf/PIAWireguard_US.py %s %s
description:PIA WireGuard US

Then reload the configd service
Code:
configd restart
Now you can run the script again and it'll create the next PIA WireGuard interface; then follow the setup guide again with the second PIA interface.
Code:
/conf/PIAWireguard_US.py debug
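As an added example (my own code, not the OPNsensePIAWireguard project's), the POSIX shell functions below automate the multi-tunnel steps just described and also catch the CRLF "command not found" problem reported earlier in the thread: they clone PIAWireguard.py for a second region, rewrite the three per-tunnel variables, refuse to reuse the existing WGName/WGPort, and print the matching actions.d stanza. They assume the settings are still top-level `name = "value"` lines in the .py (later versions moved them to PIAWireguard.json); the function names and temp-file handling are mine.

```shell
#!/bin/sh
# Added example, not part of the OPNsensePIAWireguard project.
# Clones PIAWireguard.py for a second PIA region the way the post above
# describes, and guards against two mistakes seen in this thread:
#   - reusing the existing opnsenseWGName / opnsenseWGPort
#   - CRLF line endings (they break the shebang -> "command not found")
# Assumes the settings are top-level  name = "value"  lines in the .py
# (later script versions moved them to PIAWireguard.json).

# Return 0 if FILE contains no carriage returns (LF-only line endings).
has_unix_line_endings() {
    [ $(tr -d '\r' < "$1" | wc -c) -eq $(wc -c < "$1") ]
}

# Print the quoted value of a top-level  NAME = "value"  assignment.
get_py_var() {            # get_py_var FILE NAME
    sed -n "s/^$2[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# Rewrite a top-level assignment in place (VALUE must not contain / or &).
set_py_var() {            # set_py_var FILE NAME VALUE
    tmp="$1.tmp.$$"
    sed "s/^$2[[:space:]]*=.*/$2 = \"$3\"/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Copy SRC to DEST with a new instance name, listen port and region id.
clone_pia_tunnel() {      # clone_pia_tunnel SRC DEST WGNAME WGPORT REGION
    src=$1; dest=$2; name=$3; port=$4; region=$5
    if ! has_unix_line_endings "$src"; then
        echo "refusing: $src has CRLF line endings (convert to LF first)" >&2
        return 1
    fi
    # The post above stresses that WGName and WGPort must change per tunnel.
    if [ "$(get_py_var "$src" opnsenseWGName)" = "$name" ] ||
       [ "$(get_py_var "$src" opnsenseWGPort)" = "$port" ]; then
        echo "refusing: WGName/WGPort must differ from the ones in $src" >&2
        return 1
    fi
    cp "$src" "$dest" || return 1
    set_py_var "$dest" opnsenseWGName "$name"
    set_py_var "$dest" opnsenseWGPort "$port"
    set_py_var "$dest" piaRegionId "$region"
    chmod 755 "$dest"
}

# Print the configd action stanza for one tunnel, in the format of
# actions_piawireguard.conf (append it, then: service configd restart).
action_stanza() {         # action_stanza TAG SCRIPTPATH   e.g. US /conf/PIAWireguard_US.py
    printf '[piaWireGuard%s]\n' "$1"
    printf 'command:%s\n' "$2"
    printf 'parameters: %%s %%s\n'
    printf 'type:script_output\n'
    printf 'message:Running PIA WireGuard %s Script : %s %%s %%s\n' "$1" "$2"
    printf 'description:PIA WireGuard %s\n\n' "$1"
}

# Example invocation (paths as used in the thread):
#   clone_pia_tunnel /conf/PIAWireguard.py /conf/PIAWireguard_US.py PIAUS 51816 us_silicon_valley
#   action_stanza US /conf/PIAWireguard_US.py >> /usr/local/opnsense/service/conf/actions.d/actions_piawireguard.conf
#   service configd restart
```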
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Learning on August 21, 2021, 09:33:21 pm
Thanks for the fast and informative reply.  This is super helpful!

When I started working through these instructions, I noticed the actions file in action.d was missing.
I guess I had originally got WG up and running with another method found elsewhere.  I don't even remember which set of instructions I followed it seems!

Anyway, I copied the file over into actions.d and removed the first entry since I must not have used it.  So it starts with the PIAUS entry.

However when I typed in configd restart, I got Command not found in the shell.

*EDIT* - I did service configd restart as per the original instructions! 
I copied and amended the previous Interface entry and updated the name.
Added the Gateway.
ran the script with debug changeserver
Enabled the Gateway, saved, and it was up and running.

I added an Alias to route certain URLs via this gateway (including 1 IP address checking site), and BINGO!  All working  :)

Many thanks for the added help & support!
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: FingerlessGloves on August 21, 2021, 10:58:32 pm
I highly recommend you make sure you have the actions setup for both the new and old tunnels, and have the cron job setup.

Short term you may not find any issues, but long term you'll need the cron action for each tunnel.

What the action does is monitor the tunnel: if the tunnel goes down, for example because the PIA server restarts for updates or maybe they retire that server, it'll then move the WireGuard tunnel over to another PIA server in that region. When PIA restarts their servers, all peers are lost as the server runs in RAM, so a full login on the PIA side is required again. The action also makes sure the gateway IP is set, to allow traffic to route over the tunnel.

Also if you're disconnected from the PIA server for an extended period of time they will remove you as a peer, so full authentication is required again. Unsure on the timescale but I think it's 15 minutes or so. This could happen if your WAN goes down or you're updating OPNsense. The cron action will then make sure you get back up and running again.

Hope this helps :-)
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Learning on August 21, 2021, 11:09:42 pm
I highly recommend you make sure you have the actions setup for both the new and old tunnels, and have the cron job setup.

For some reason I had not been able to set up a Cron job originally.  I had attempted, but I think something was missing in one of the dropdown boxes.

I'm currently adding the 3rd WG connection.  Once I have it running, I'll get back to the Cron job.

Although I'll have 3 WG gateways, the .py file will only be aware of 2 of them, since I had obviously set the first up a different way.  I guess I might have to add the initial wg0 info manually to that file.  Will experiment as the day goes on!
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Learning on August 22, 2021, 01:01:39 am
Now I seem to have messed it all up.
Had a brief server crash, and it obviously did some kind of reset (asked me to send a crash report).

I was still doing setup and hadn't done the cron thing.
I went back and added the original PIAWireguard.py file, with the relevant changes.

However when I run PIAWireguard.py debug, I keep getting
wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information

Not sure what that means, and I can't find other errors.  The other gateways (US & UK) came up fine when I ran the scripts and re-added the gateways etc.

Any suggestions?
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: FingerlessGloves on August 22, 2021, 01:06:37 am
Now I seem to have messed it all up.
Had a brief server crash, and it obviously did some kind of reset (asked me to send a crash report).

I was still doing setup and hadn't done the cron thing.
I went back and added the original PIAWireguard.py file, with the relevant changes.

However when I run PIAWireguard.py debug, I keep getting
wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information

Not sure what that means, and I can't find other errors.  The other gateways (US & UK) came up fine when I ran the scripts and re-added the gateways etc.

Any suggestions?

The part it's failing on is sending the PIA server your public key and PIA token in return for the connection information.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/blob/6f839bf952b0dfe5f967ba0edb4c2b3ce9c37abf/PIAWireguard.py#L399

I would assume an issue with opnsenseWGPubkey the script is retrieving from OPNsense. Does the script pick it up correctly? The script does print this information when in debug mode.


I can provide remote support if required.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Learning on August 22, 2021, 01:19:02 am
You're really on the ball - thanks for monitoring this thread so closely!

A little more playing around and I currently have all gateways up and running again.

One of the issues had been that I was editing the PIAWireguard.py file on my desktop, and had forgotten to copy it back across to Opnsense.  Schoolboy error I'm afraid  :-[

I'm now showing 3 different public IP addresses.

Before going any further I'll see if I can get the Cron jobs set up, then I'll look a bit more closely at my firewall rules.  Still trying to get the hang of those, but so far the UK streaming sites are not working for me.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: FingerlessGloves on August 22, 2021, 01:23:26 am
You're really on the ball - thanks for monitoring this thread so closely!

A little more playing around and I currently have all gateways up and running again.

One of the issues had been that I was editing the PIAWireguard.py file on my desktop, and had forgotten to copy it back across to OPNsense.  Schoolboy error I'm afraid  :-[

I'm now showing 3 different public IP addresses.

Before going any further I'll see if I can get the Cron jobs set up, then I'll look a bit more closely at my firewall rules.  Still trying to get the hang of those, but so far the UK streaming sites are not working for me.

Streaming can be a tricky one; you may need to use PIA DNS servers, as PIA do some DNS trickery to get streaming services working. But if you look in the regions list you'll see uk_2, which is described as a streaming-optimised region, so you may need to use that region id in your setup; failing that, PIA DNS may be required.

Cron Jobs should be pretty easy.

Make sure your action file contains actions for all 3 setups, then reload the configd. Then the 3 actions will appear in the cron section of the webui.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Learning on August 22, 2021, 01:44:09 am

Streaming can be a tricky one; you may need to use PIA DNS servers, as PIA do some DNS trickery to get streaming services working. But if you look in the regions list you'll see uk_2, which is described as a streaming-optimised region, so you may need to use that region id in your setup; failing that, PIA DNS may be required.

Cron Jobs should be pretty easy.

Make sure your action file contains actions for all 3 setups, then reload the configd. Then the 3 actions will appear in the cron section of the webui.

Yes, I just confirmed that the actions file has all 3 setups contained within it.
There are 3 distinct entries in Cron now as well.  So I guess that's good.

I have selected the uk_2 server for British streaming.

I think you might be onto something with the DNS holding me back.
Ideally I would like to capture the DNS and route appropriately for each tunnel, although it looks as though all tunnels utilise the same internal IP addresses for DNS.

I am attempting to make sense of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks in order to route the DNS appropriately.  In fact I had started a separate thread about it a few days ago at https://forum.opnsense.org/index.php?topic=24416.0, but as yet don't have it working.


Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: FingerlessGloves on August 22, 2021, 01:50:17 am
Yes, I just confirmed that the actions file has all 3 setups contained within it.
There are 3 distinct entries in Cron now as well.  So I guess that's good.

I have selected the uk_2 server for British streaming.

I think you might be onto something with the DNS holding me back.
Ideally I would like to capture the DNS and route appropriately for each tunnel, although it looks as though all tunnels utilise the same internal IP addresses for DNS.

I am attempting to make sense of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks in order to route the DNS appropriately.  In fact I had started a separate thread about it a few days ago at https://forum.opnsense.org/index.php?topic=24416.0, but as yet don't have it working.


Sounds like you're on the right track now. Just create the cron jobs to run each of those actions every 5 or 10 minutes.

DNS wise... what you need to do is set the PIA DNS on the clients via DHCP (or manually) to 10.0.0.243, then in the firewall rules allow traffic to 10.0.0.243 but using the PIA gateway you need. That should then push the DNS traffic down the tunnel to the DNS server for that region :-)


Also this may be handy information.
https://www.privateinternetaccess.com/helpdesk/kb/articles/streaming-with-pia
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Learning on August 22, 2021, 02:09:19 am
I am trying to do URL-based routing.  Perhaps what I am attempting is not quite possible.

For any given client, if you enter CNN.com you will be routed via the US VPN gateway.
On the same client if you enter bbc.com you will be routed via the UK VPN gateway.
For all other destinations, routing is done on the default VPN gateway unless the client device is in my exclude list.
The exclude list is a direct WAN connection to the ISP.

The goal is to enable automatic routing behind the scenes.  It is working for basic websites, but not the streaming platforms.
I feel like I'm so close...
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: richardk3 on September 26, 2021, 03:49:43 pm
Hmm...I've installed the latest version of the script, and it has stopped working for me.  I've done something stupid, I'm sure, but I don't know what.

Can anyone help?
Code:
root@OPNsense:~ # /conf/PIAWireguard.py debug
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 169, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 96, in create_connection
    raise err
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 86, in create_connection
    sock.connect(sa)
TimeoutError: [Errno 60] Operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 353, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 181, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/conf/PIAWireguard.py", line 202, in <module>
    r = requests.get(f'{opnsenseURL}/api/wireguard/server/searchServer/', auth=(config['opnsenseKey'], config['opnsenseSecret']), verify=urlVerify)
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))
root@OPNsense:~ #
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: FingerlessGloves on September 26, 2021, 03:52:18 pm
Error messages are saying they can't connect to the web interface.

Have you changed its port?
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: richardk3 on September 26, 2021, 03:57:38 pm


Error messages are saying they can't connect to the web interface.

Have you changed its port?

Wow, thanks for the instantaneous reply and solution!

I had changed from https to http, and hadn't changed the line in PIAWireguard.json.

It's working now!
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: FingerlessGloves on September 26, 2021, 04:02:59 pm


Error messages are saying they can't connect to the web interface.

Have you changed its port?

Wow, thanks for the instantaneous reply and solution!

I had changed from https to http, and hadn't changed the line in PIAWireguard.json.

It's working now!

Glad to hear it's working 💪
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: someone1337 on April 30, 2022, 06:18:18 am
FG,

I am trying to add my second tunnel according to your instructions on the bottom of page one, but I am getting the same error as Learning:

Code:
wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information
A search on the word 'exchnage' shows the script is choking at line 575.

I have a different name, port, and region ID in PIAWireguard.json, and I've renamed the script to indicate the different region so I don't get confused (and added the action lines as well).

This is the output:

Code:
WGInstanceUUID:
WGPeerUUID:
WGInstance:
WGPeer:
WGPeer is blank but this isn't an issue
metaServer
toronto438
178.249.214.97
wgServer
toronto438
178.249.214.109
Your PIA Token (Meta), DO NOT GIVE THIS TO ANYONE
{
    "status": "OK",
    "token": "redacted"
}

wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information

Your previous comment mentions that the script prints out `opnsenseWGPubkey` but I don't see that displayed in the debug output or have any reason to believe it's incorrect (?).

Any other ideas?  I don't know how to interact with PIA's API to get my own wireguard key and set it all up manually (but I suppose I could read your URLs and figure that out :P )

The script worked perfectly on the first tunnel, so thanks for all the hard work!

Cheers!
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: someone1337 on April 30, 2022, 04:43:22 pm
Okay it turns out that opnsenseWGName was the issue.  I named it PIA_toronto, which apparently was causing the script to pull my existing PIA config from OPNsense.  When the script asked for a new wireguard key (using an existing WG public key), PIA refused the creation and caused the script to fail.

So, I changed opnsenseWGName to PIACA, and it created the interface just fine.

Not sure if the API doesn't like the underscore or the small caps ... but removing both allowed me to move forward!
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: someone1337 on May 01, 2022, 04:36:38 pm
Also, just in case you're trying to get port forwarding working...

I still had problems port forwarding over WireGuard running OPNsense 22, and solved it using the steps in the GitHub issue:

https://github.com/opnsense/core/issues/4389

The solution posted there works, but I had to switch over to the OPNSense Development branch in order for it to work. 

No idea why this is such a problem (still)...
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: panks21 on May 18, 2022, 05:26:24 pm
Quote from: someone1337 on April 30, 2022, 04:43:22 pm
Okay it turns out that opnsenseWGName was the issue.  I named it PIA_toronto, which apparently was causing the script to pull my existing PIA config from OPNsense.  When the script asked for a new wireguard key (using an existing WG public key), PIA refused the creation and caused the script to fail.

So, I changed opnsenseWGName to PIACA, and it created the interface just fine.

Not sure if the API doesn't like the underscore or the small caps ... but removing both allowed me to move forward!

I had the exact same issue and reported it on GitHub via https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/issues/24
I am glad he has now added a check for opnsenseWGName in the code.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: bbyrd on July 23, 2022, 03:13:02 pm
Hi FingerlessGloves... thanks very much for your efforts on this.

I'm running into some issues getting this running... when I set up the user per your guide, there is no option to add 'Effective Privileges' (just edit, and only GUI based option available to select) [I'm running OPNSense 22.1.10]

I skipped ahead anyway... all good until I ran
Code:
/conf/PIAWireguard.py debug
at which point I get the message
Code:
searchServer request failed non 200 status code - listing wireguard instances
I'm assuming this is why when I go to Interfaces: Assignments there is no wg0 option available.

I do note that I am successfully running Tailscale on my OPNSense (which is WireGuard based), in case this might cause issues.

Any suggestions?
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: bbyrd on July 24, 2022, 05:06:03 pm
*facepalm*

All sorted... didn't scroll properly in the list of 'Effective Privileges'. Now found, added and all working.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: DarkHelmet on November 28, 2022, 12:31:03 am
Hi,

I am pretty much a nub with opnsense, but I got this all working with my setup.  I am sending a specific ip address out to the interface.  I tested a reboot tho and on reboot the interface defaults to the normal lan interface, not using the vpn.  Not sure why.  Any thoughts?

After the reboot I can get it working again by ssh to the router and running the "PIAWireguard.py debug changeserver" command.  After that the source ip traffic goes through the vpn again.

Thanks.

--pat

Versions: OPNsense 22.7.8-amd64
FreeBSD 13.1-RELEASE-p3
OpenSSL 1.1.1s 1 Nov 2022


**Update**

It appears to me that the vpn interface eventually comes up after a boot.  It just takes a bit of time before it's active. Maybe 5 minutes for the cron job to kick in? If this is true for everyone, people might not be vpn protected for the first few minutes after a reboot unless they have the "kill switch" from step 11:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: lallhands on January 25, 2023, 08:00:41 pm
Unable to get my gateway monitor to connect. It was running fine overnight, but when I woke up this morning it was in this "defunct" state. Also when I restarted it using /conf/PIAWireguard.py, I saw that it was getting timeout connection errors to serverlist.piaservers.net on port 443... Help me Obi-Wan Kenobi, you're my only hope!

Version
OPNsense 22.7.11-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: chuliu on January 26, 2023, 01:26:24 am
I wonder if this script will work if i have an existing wireguard server set up in my opnsense?
Also, does it work in a dual wan environment?

Thank you.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: Skylinar on September 15, 2023, 08:27:20 am
The script adds an additional interface, so it won't break your existing WG server. Dual WAN is supported; check out the git repo's Readme.
Title: Re: Private Internet Access (PIA) WireGuard Guide/Script
Post by: richardk3 on December 28, 2023, 12:33:00 am
Feature request -- although I may be the only one in the world who needs this:

When my router reboots, or the cron job runs with "changeserver", I sometimes lose access to my IPTV streams.  Apparently, the IPTV provider is blocking one or more PIA server IP addresses within the region I'm using.  I can fix it by running the script manually with "changeserver", so that it selects a different PIA server within the same region.

However, it would be nice if the script would accept a blocklist of specific server IP addresses to bypass, perhaps in the json file.

Or...is there a way to accomplish this with the existing script?
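As an added illustration of the blocklist idea above (example code, not part of the OPNsensePIAWireguard script), here is a small Python filter that reads a hypothetical `serverBlocklist` key from the script's JSON config and drops those servers from a region's WireGuard server list before one is picked. The region data is constructed, and the field names (`id`, `servers.wg[].ip`, `servers.wg[].cn`) are assumptions about the PIA server list shape.

```python
import json
import random

# Constructed sample region; the field layout (id, servers.wg[].ip / .cn)
# is assumed, not taken from the script or from PIA's documentation.
SAMPLE_REGION = {
    "id": "ca_toronto",
    "name": "CA Toronto",
    "servers": {
        "wg": [
            {"ip": "192.0.2.10", "cn": "toronto401"},
            {"ip": "192.0.2.11", "cn": "toronto402"},
            {"ip": "192.0.2.12", "cn": "toronto403"},
        ]
    },
}

# Constructed config fragment; 'serverBlocklist' is a hypothetical key.
SAMPLE_CONFIG_JSON = '{"region": "ca_toronto", "serverBlocklist": ["192.0.2.10"]}'


def load_blocklist(config_json: str) -> set:
    """Return the set of blocked server IPs from the JSON config (empty if absent)."""
    cfg = json.loads(config_json)
    return set(cfg.get("serverBlocklist", []))


def eligible_servers(region: dict, blocklist: set) -> list:
    """WireGuard servers of the region whose IP is not on the blocklist."""
    return [s for s in region["servers"]["wg"] if s["ip"] not in blocklist]


def pick_server(region: dict, blocklist: set, rng=random):
    """Choose a random eligible server, or None when the blocklist excludes
    every server so the caller can keep the current tunnel rather than
    tearing it down with nothing to replace it."""
    candidates = eligible_servers(region, blocklist)
    if not candidates:
        return None
    return rng.choice(candidates)


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_CONFIG_JSON)
    chosen = pick_server(SAMPLE_REGION, bl)
    print("eligible:", [s["cn"] for s in eligible_servers(SAMPLE_REGION, bl)])
    print("chosen:", chosen["cn"] if chosen else "none (all blocked)")
```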