OPNsense Forum
English Forums => Zenarmor (Sensei) => Topic started by: beclar2 on April 10, 2021, 04:25:07 pm
-
Hi all,
I am quite new to Sensei and it looks very promising so far!
But I have a problem with the protection of Wireguard Interfaces: The Sensei engine doesn´t recognize any traffic on the Wireguard Interfaces (here wg0 und wg1). They can be activated as "Protected Interfaces" and they are shown unter Sensei - Status - Network Interfaces.
But all traffic counters of the wg-Interfaces rest at 0 and reports dont mention any Wireguard related activity.
I am on OPNsense 21.1.4 using wireguard-kmod (NOT wireguard-go userspace). Sensei Engine is 1.8.2, Routed Mode (L3 Mode, Reporting + Blocking) with native netmap driver.
Any hints what could be wrong?
Thank you very much in advance,
Beclar
-
@beclar2
have also with us with almost the same setting no success
to protect the Wireguard interface with Sensei.
But we are happy that the hardworking OPNsense and Sensei developers are working hard on this topic - so we exercise patience and look forward to what is coming...
Greetings from Germany
-
Yup, I'm seeing the same thing. No Sensei protection on my WG0 interface.
-
Hi @Giant850, thanks for the heads-up.
It looks like wireguard-kmod introduces a brand-new interface if_wg, whereas the wireguard-go uses the tun interface.
https://git.zx2c4.com/wireguard-freebsd/tree/src/if_wg.c
This interface does not have netmap support. Let us see what we can do about this.
-
Ui, that is a bad regression for everyone who likes to enjoy the speed of wireguard kmod in combination with the ease of Sensei.
Let‘s hope the devs will soon find a solution.
Best regards
Beclar
-
Just a little follow up for the records:
At the moment it seems that we have two options to let Sensei monitor/control Wireguard Road Warriors: Switch back to wireguard-go in OPNsense (= not using wireguard-kmod) or set up a dedicated Wireguard router (separate from OPNsense) and bridge it to an separate interface in OPNsense.
I tried the second approach on an Proxmox Host and it is working fine: Virtualized OPNSense has now a separate "normal" virtual NIC for Wireguard-Traffic. An Archlinux-VM with Wireguard kernel support (part of the recent Archlinux kernel) is managing all Wireguard connections (with port forward from WAN to the Wireguard listening port). The VM forwards all traffic from the clients to the Wireguard subnet via OPNSense´s virtual Wireguard NIC.
Both virtual NICs (OPNSense and Archlinux-VM) are bridged on the Proxmox Host.
With this setting all traffic vom Wireguard Road Warriors is routed through the Wireguard-NIC in OPNSense and can be monitored / controlled by Sensei (the Wireguard-NIC in the OPNSense-VM is considered as a "normal" virtual NIC).
Okay, this is no quick & dirty workaround (especially not quick). And of course only easy to set up with virtual machines where you can simply add virtual NICs etc. On the other side you can separate the Wireguard tunnel handling from OPNSense and may choose your preferred WG implementation (with the extra effort of maintaining one more VM).
-
Hi
I am not quite sure why we need sensei to monitor the wireguard interface in Wireguard Road Warriors setup? as in this setup the wireguard interface just act like your WAN, where sensei is a lan packet filter/report tool?
if we really want to secure the wireguard interface, shall we not use opnsense IDS? thanks
-
Hi Renault,
Sometimes, the firewall is deployed in the cloud and the whole local traffic might be routed through the VPN tunnel to the firewall. In this case, VPN interface is your LAN :)
-
I am not quite sure why we need sensei to monitor the wireguard interface in Wireguard Road Warriors setup? as in this setup the wireguard interface just act like your WAN, where sensei is a lan packet filter/report tool?
if we really want to secure the wireguard interface, shall we not use opnsense IDS? thanks
Another use case for Sensei: Securing/filtering/logging of road warrior devices, e.g. smartphones of the kids outside the local wlan (using mobile data or public wlans). With my setup above Sensei controls the traffic of these devices the same way if they are connected at home via wlan or on the road via wireguard.
Edit: Oh yes, that’s the scenario described by MB. :)