OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: besecur3man on March 18, 2021, 11:05:37 am

Title: Wireguard with multiwan
Post by: besecur3man on March 18, 2021, 11:05:37 am
Hello,

I have an OPNsense setup with 2 WANs configured.

We currently run OpenVPN, with the OpenVPN server running on localhost on the OPNsense box. Clients can connect via either WAN to access hosts on the LAN interface, and while it's not seamless failover, should one of the WANs be down or go down, clients can connect/reconnect via the other WAN. And the OpenVPN client, at least on Linux, will retry connecting with each server IP if multiple server IPs are configured.

I set up WireGuard on the OPNsense box using the tutorial at https://docs.opnsense.org/manual/how-tos/wireguard-client.html and I am able to connect and access the LAN side hosts, etc. However, it only works with the WAN which is currently the default gateway. If that WAN is down, then OPNsense switches the default gateway (gateway switching is enabled) and WireGuard peers can utilize the 2nd WAN to connect. However, as long as WAN1 is "up", peers cannot connect to WAN2. Well, actually the peers appear to be able to connect to WAN2, but traffic isn't properly received (a few bytes are received but no network services such as ping, ssh, etc. work).

Can anyone point me in the right direction of how to setup WireGuard on OPNSense such that peers can connect to either WAN interface regardless of the status of the other WAN interface?

Thank you.
Title: Re: Wireguard with multiwan
Post by: mimugmail on March 18, 2021, 12:37:11 pm
It's currently unsupported in the wireguard-go implementation. You need default gateway switching and 2 profiles on your clients. When the first is unreachable, use the second one.
Title: Re: Wireguard with multiwan
Post by: besecur3man on March 18, 2021, 12:48:36 pm
Thank you for your response. I don't mind the two profiles on the client side, in fact that is pretty much all I hoped to accomplish.

The issue I am having is that when remote peers connect using WAN2, the connections fail, since all return traffic is set to exit from WAN1, which is the default gateway. And I can't seem to figure out how to tell OPNsense to send traffic back out of the WAN interface it came in from. I have 2 port forward rules under Firewall --> NAT --> Port Forward, one for each WAN interface. Under Firewall --> Rules --> WireGuard, I have one rule to allow traffic from the WireGuard peers to LAN. This rule has the Gateway set to "default".

I tried creating two explicit Firewall rules to allow traffic from the WireGuard peers to LAN, with the Gateway in each rule set to one of the WAN interfaces, but that stops the peers from connecting completely to either WAN.

I can't figure out how to get OPNSense to route the packets back to the WireGuard peers connected to WAN2 when WAN1 is the default gateway and is currently up.
Title: Re: Wireguard with multiwan
Post by: mimugmail on March 18, 2021, 03:13:59 pm
It won't work this way. The interface WG creates doesn't support these features which are known to work in OpenVPN etc. The only way is:

- All users use WAN1 as default
- Only if WAN1 fails they have to use WAN2
- When WAN1 is back, all users get kicked and should switch to WAN1

It won't work in a different way ...
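A client-side helper that follows the procedure mimugmail describes above (two profiles, WAN1 preferred, WAN2 only while WAN1 is down, back to WAN1 as soon as it answers again). This is an added example, not code from the thread or from the OPNsense project. The WAN addresses (RFC 5737 documentation ranges), the UDP port, the interface name wg0 and the keys are assumed placeholders. It renders the two wg-quick profiles, which differ only in the Endpoint line, and parses `wg show wg0 latest-handshakes` to decide whether the active tunnel is dead, using WireGuard's 180 s REJECT_AFTER_TIME as the threshold; that check catches both a stale session and one that never completes a handshake, which is what the first post's "a few bytes arrive, nothing works" on WAN2 looks like from the client.

```python
"""Profile selection for a WireGuard road-warrior peer whose OPNsense
server is reachable on two WAN addresses, WAN1 preferred.

Added example, not from the forum thread or the OPNsense project.
Assumed values: WAN1 203.0.113.10, WAN2 198.51.100.20, UDP 51820,
interface wg0. Keys are all-zero placeholders (32 zero bytes, base64).
"""

# WireGuard will not send data over a session whose last handshake is
# older than REJECT_AFTER_TIME (180 s). No newer handshake means the
# tunnel is down even though the interface is up.
REJECT_AFTER_TIME = 180

PRIMARY, SECONDARY = "wan1", "wan2"
ENDPOINTS = {PRIMARY: "203.0.113.10:51820", SECONDARY: "198.51.100.20:51820"}

# Placeholder keys; replace with real ones.
CLIENT_PRIVKEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
SERVER_PUBKEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="


def render_profile(name, client_addr="10.10.0.2/32", allowed_ips="192.168.1.0/24"):
    """wg-quick config for one WAN; the two profiles differ only in Endpoint."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {CLIENT_PRIVKEY}",
        f"Address = {client_addr}",
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBKEY}",
        f"Endpoint = {ENDPOINTS[name]}",
        f"AllowedIPs = {allowed_ips}",
        "PersistentKeepalive = 25",
        "",
    ])


def parse_latest_handshakes(output):
    """Parse `wg show wg0 latest-handshakes`: one '<pubkey>\\t<unix seconds>'
    line per peer, 0 meaning no handshake has ever completed."""
    handshakes = {}
    for line in output.splitlines():
        if line.strip():
            pubkey, ts = line.split("\t")
            handshakes[pubkey] = int(ts)
    return handshakes


def tunnel_alive(handshakes, now, server_pubkey=SERVER_PUBKEY):
    """True only if the server completed a handshake within REJECT_AFTER_TIME."""
    ts = handshakes.get(server_pubkey, 0)
    return ts != 0 and (now - ts) < REJECT_AFTER_TIME


def next_profile(active, alive, primary_reachable):
    """Pick the profile to bring up next.

    active            - profile currently up ("wan1" or "wan2")
    alive             - tunnel_alive() result for the active profile
    primary_reachable - result of an out-of-band probe of the WAN1 address
                        (e.g. a fresh handshake attempt); consulted only
                        while running on the secondary

    Policy: everyone uses WAN1; WAN2 only while WAN1 is down; move back to
    WAN1 as soon as it is reachable again (the server will drop the WAN2
    session anyway once its default gateway switches back).
    """
    if active == PRIMARY:
        return PRIMARY if alive else SECONDARY
    if primary_reachable:
        return PRIMARY
    # Still on WAN2 and WAN1 not answering: stay if the tunnel works,
    # otherwise retry the preferred WAN1 rather than a dead WAN2.
    return SECONDARY if alive else PRIMARY


if __name__ == "__main__":
    # Constructed `wg show wg0 latest-handshakes` output, one peer.
    sample = f"{SERVER_PUBKEY}\t1616058000\n"
    hs = parse_latest_handshakes(sample)
    print(tunnel_alive(hs, now=1616058060))   # True: handshake 60 s old
    print(tunnel_alive(hs, now=1616058400))   # False: 400 s old, session expired
    print(next_profile(PRIMARY, alive=False, primary_reachable=False))  # wan2
    print(render_profile(SECONDARY))
```

Run it from cron or a systemd timer against the live `wg show` output, and switch profiles with `wg-quick down <active>; wg-quick up <next>` when `next_profile` returns something other than the active one. A single peer entry can hold only one Endpoint, which is why two separate profiles are needed rather than a second address on the same peer.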
Title: Re: Wireguard with multiwan
Post by: besecur3man on March 18, 2021, 03:45:45 pm
Understood, thank you for clarifying that. That answers my question.

Seems to me, out of the box, WireGuard is better suited for more static, tightly controlled use cases such as site-to-site tunnels, as opposed to dynamic, less controlled environments such as road warrior setups and/or BYODs, etc.
Title: Re: Wireguard with multiwan
Post by: besecur3man on March 22, 2021, 03:06:23 pm
Quote from: mimugmail on March 18, 2021, 03:13:59 pm
It won't work this way. The interface WG creates doesn't support these features which are known to work in OpenVPN etc. The only way is:

- All users use WAN1 as default
- Only if WAN1 fails they have to use WAN2
- When WAN1 is back, all users get kicked and should switch to WAN1

It won't work in a different way ...

Will a site-to-site setup with WireGuard work with multiwan? Or is that also not possible at this time?

The setup I am looking for is as follows:

Remote office: OPNSense firewall with 2 WANs load balanced
Cloud VPC: Debian host running WireGuard

Desired behavior: Remote office OPNSense establishes site-to-site VPN tunnels with the WireGuard instance in the cloud VPC using both WANs, and then traffic intended for the VPC network is load balanced across both tunnels.
Title: Re: Wireguard with multiwan
Post by: mimugmail on March 22, 2021, 03:23:16 pm
Only when both sites have dual WAN, and with dynamic routing inside. But I never did it with WireGuard.
Title: Re: Wireguard with multiwan
Post by: citydweller on November 19, 2021, 11:53:39 am
Hi,

is this limitation still present with OPNsense 21.7?

Kind Regards,
citydweller