OPNsense Forum

English Forums => Virtual private networks => Topic started by: chulio on January 05, 2021, 10:34:11 pm

Title: [SOLVED] Several wireguard servers and clients concurrent to OpenVPN
Post by: chulio on January 05, 2021, 10:34:11 pm
Dear opnsense friends,

I'm trying to move from OpenWrt to OPNsense for my main FW/router (VM in Proxmox, with 3 NICs passed through).
I have several VLANs running, OpenVPN servers and OpenVPN clients (split tunnel), and I'm trying to get WireGuard servers and clients (some split), IGMP, ... working. In the past I also used another *sense FW/router (without WireGuard, which is why I changed to OpenWrt and am now thinking of moving to OPNsense).
My WG servers and endpoints are also on an OpenWrt FW/router (abroad, no HW access) or other devices. So, with OpenWrt everything always works, I never had an issue.

However, when it comes to WireGuard on OPNsense I observed bizarre things.
- On my first attempt, after having set up VLANs, IGMP and so on, 2 wg servers and 1 wg client, the client worked, but both wg servers got no handshake. I used various tutorials found in the OPNsense docs, on the web and in the forum (although my initial one should have worked, with firewall/NAT analogous to the OpenVPN servers and clients).
- So I took a fresh install without VLANs and just set up 1 wg server and 1 wg client; both showed a handshake (hurray), but there was no data flow through the client connection?

Before I come up with my wg configuration details: is there something magic to take into account with regard to WireGuard compared to OpenVPN (fw/nat) to make it run, or are several wg servers and wg clients currently problematic on OPNsense (no offense, just asking)?
I'm obviously not an expert, just trying to achieve what we need.

Thanks a lot for your patience in advance.

cheers chulio
Title: Re: Several wireguard servers and clients
Post by: allebone on January 06, 2021, 11:09:34 pm
I don't use VLANs but have multiple clients connected to and from my OPNsense. Not sure if that helps.

Also, in WG there is no server-client model, everything is just a client. IP roaming is possible on both sides as a result.

P
Title: Re: Several wireguard servers and clients
Post by: chulio on January 08, 2021, 10:03:42 pm
Thanks for your answer, this is encouraging!
Yes, exactly what experts call "peers".

At the moment, I've set-up a home lab with 3 routers (1 playing ISP, 1 site A and 1 site B).
With sites A and B using OpenWrt it works perfectly in any direction via VLANs and so on (reference point).

So I erased OpenWrt from "site A" and replaced it with a clean OPNsense 20.7.7 (APU2E4).
- the two wg "servers" work
- the one wg "client" does not work
-> although it's the first wg tunnel to establish a handshake
-> inspection of the rules shows no packets (very strange, as on the VM this one works and the other two "servers" don't work - I've read that OpenVPN and WG may interfere with each other, I don't understand).

At the moment it's driving me nuts, because it should be simple with NAT and rules... until this is solved, I'm not going to set up any VLAN, OpenVPN or anything else.

cheers chulio
Title: Re: Several wireguard servers and clients
Post by: chulio on January 09, 2021, 02:27:42 pm
Ok, I made all wg "servers" and "clients" WORK on the
- test lab (1 fw/router playing ISP, 1 site B (OpenWrt) and 1 site A (OPNsense)), as well as
- on the production machine (VM OPNsense, real site A), which I can easily switch back to the VM OpenWrt
  - with OpenVPN servers and clients (split tunnel) turned off
(just to repeat: 2x wg servers and 1x wg client (on site A), the client requiring a gateway in order to access the remote wg server (site B) via a VLAN network (site A))

However, as soon as I turn on the OpenVPN client (different port of course, etc.) incl. gateway (as I need it for split tunneling), the OpenVPN client works as expected,
1) wg "client" works
2) wg "servers" get a handshake -> wg clients connect, but then no signal goes through the wg tunnel!

A) So why is no signal going out from the wg (server) tunnels as soon as the OpenVPN client is turned on?
B) How can I solve this (firewall rules), what information do you need?
C) When B) is solved, how do I force a wg server to "sit" on a VLAN and not on LAN (I could of course block the LAN access and let it use the internet only)?

This is what I'm trying to achieve with OPNsense (which currently works with OpenWrt), attached.

Many thanks, and

cheers chulio

Title: Re: Several wireguard servers and clients
Post by: chulio on January 12, 2021, 08:58:59 am
I found the solution to the issue that, when turning on the OpenVPN client, all WireGuard "servers" never received a handshake.
Unfortunately I lost many, many hours.
The solution is to tick "Don't pull routes" in the OpenVPN client (even though in my case I use route-nopull in the *.ovpn file in order to create a split tunnel with selected networks).

Maybe that helps others who ran into the same problem.

cheers chulio
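Why the "Don't pull routes" box matters, as an added illustration that is not part of the thread or of OPNsense itself: an OpenVPN server configured with redirect-gateway def1 pushes the two routes 0.0.0.0/1 and 128.0.0.0/1, which beat the WAN default route 0.0.0.0/0 on prefix length, so every packet without a more specific route (including WireGuard handshake replies to a remote peer) is sent into the OpenVPN tunnel instead of out the WAN interface. The route-nopull directive (which is what the checkbox controls on OPNsense; the poster found that having it only in their own .ovpn file was not enough) keeps those pushed routes out of the kernel table and leaves only the explicit route lines. The snippet below models that with a longest-prefix-match lookup over a constructed routing table; the interface names (vtnet0 for WAN, ovpnc1 for the OpenVPN client, vlan10), the addresses and the two sample configs are all assumptions chosen for the example.

```python
"""Route-pull vs route-nopull: which interface a WireGuard handshake reply leaves on.

Constructed example. Builds a routing table from a minimal OpenVPN client
config plus the routes a redirect-gateway server pushes, then does the same
longest-prefix-match the kernel does for an outgoing packet.
Interface names, addresses and networks are assumptions for illustration.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, egress interface)

# Assumed OPNsense-style interface names: vtnet0 = WAN, ovpnc1 = OpenVPN client.
WAN_IF = "vtnet0"
OVPN_IF = "ovpnc1"

BASE_TABLE: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), WAN_IF),          # default route via the ISP
    (ipaddress.ip_network("192.168.10.0/24"), "vlan10"),  # a local VLAN (assumed)
]

# What an OpenVPN server pushes with "redirect-gateway def1": two /1 routes
# that win against the /0 default on prefix length and hijack all traffic.
PUSHED_ROUTES = ["0.0.0.0/1", "128.0.0.0/1"]


def routes_from_ovpn(config_text: str, pushed: List[str]) -> List[Route]:
    """Return the OpenVPN-client routes that end up in the kernel table.

    With route-nopull only the explicit 'route <net> <mask>' lines are
    installed; without it the server-pushed routes are added on top.
    """
    nopull = False
    routes: List[Route] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "route-nopull":
            nopull = True
        elif parts[0] == "route" and len(parts) >= 3:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            routes.append((net, OVPN_IF))
    if not nopull:
        routes += [(ipaddress.ip_network(p), OVPN_IF) for p in pushed]
    return routes


def egress_interface(table: List[Route], dst: str) -> str:
    """Longest-prefix-match lookup: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in table if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


# Constructed split-tunnel client config: route-nopull plus two explicit routes.
SPLIT_TUNNEL_OVPN = """\
client
dev tun
remote vpn.example.net 1194
route-nopull
route 10.8.0.0 255.255.255.0
route 10.20.0.0 255.255.0.0
"""
# Same config without route-nopull, i.e. the pushed /1 routes get installed.
FULL_TUNNEL_OVPN = SPLIT_TUNNEL_OVPN.replace("route-nopull\n", "")

WG_PEER_ENDPOINT = "203.0.113.10"  # assumed public address of the remote WireGuard peer


def wg_egress(config_text: str) -> str:
    """Interface a packet to the WireGuard peer leaves on under this OpenVPN config."""
    table = BASE_TABLE + routes_from_ovpn(config_text, PUSHED_ROUTES)
    return egress_interface(table, WG_PEER_ENDPOINT)


if __name__ == "__main__":
    # Routes pulled: the reply to the WireGuard peer is sent into the OpenVPN tunnel.
    print("routes pulled ->", wg_egress(FULL_TUNNEL_OVPN))
    # route-nopull: only 10.8.0.0/24 and 10.20.0.0/16 use the tunnel; the peer goes via WAN.
    print("route-nopull  ->", wg_egress(SPLIT_TUNNEL_OVPN))
```

The same check can be done on a live box by comparing the output of the routing table before and after the OpenVPN client comes up: if two /1 routes pointing at the OpenVPN client interface appear, the WireGuard peer traffic is being pulled into the tunnel.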
Title: Re: Several wireguard servers and clients
Post by: Mondmann on January 12, 2021, 11:57:25 pm
Quote from: chulio on January 12, 2021, 08:58:59 am
I found the solution to the issue that, when turning on the OpenVPN client, all WireGuard "servers" never received a handshake.
Unfortunately I lost many, many hours.
The solution is to tick "Don't pull routes" in the OpenVPN client (even though in my case I use route-nopull in the *.ovpn file in order to create a split tunnel with selected networks).

Maybe that helps others who ran into the same problem.

cheers chulio

@chulio
Thank you for your crucial hint!!!
This has already cost me dozens of hours and nerves.
WireGuard with another VPN provider (Surfshark) is now "running" on the OPNsense.

But... a leak test with the OPNsense is OK, whereas the IP address checker says NOT protected, and the same on the Android client.
Can someone help, how can I solve this problem and what did I miss?

Greetings from Germany