OPNsense Forum

English Forums => Virtual private networks => Topic started by: chuliu on January 25, 2023, 09:16:04 am

Title: [solved] wireguard remote access for dual wan setup
Post by: chuliu on January 25, 2023, 09:16:04 am
I finally got wireguard working on my opnsense with dual wan after a lot of trial and error and I thought I would share my setup here for others who encounter issues with wireguard on a dual wan opnsense.  I would also like to ask if port forward is needed for your configuration as it is needed for me.

I have dual ftth connections both with dhcp public ip at home.  I would like to access the gui of opnsense firewall with wireguard when I am outside of my home.  I set up two gateway groups named failover 1 and failover 2 with one of the ftth serving as a backup for the other.  I have one LAN interface 192.168.86.0/24 with dhcp server enabled.  The wireguard server is set up with internal ip 10.10.10.0/24.  I created an interface for wireguard named mywireguard.  Wan2 is my active (default) gateway as shown in the system->gateways->single.

Here is the server and client setup for my opnserver:

[server]
local tab:
listen port 51820
tunnel address 10.10.10.0/24
peers: myiphone, mymacbook, mypc

endpoints:
myiphone:
allowed ips 10.10.10.3/32
mymacbook:
allowed ips: 10.10.10.2/32
mypc:
allowed ips: 10.10.10.4/32

[client] I take my iphone as an example
[Interface]
PrivateKey = x
ListenPort = 51820
Address = 10.10.10.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = x
AllowedIPs = 192.168.86.0/24, 10.10.10.1/32
Endpoint = mywan2_ip:51820
[port forward rule]
interface : wan2
tcp/ip version : ip4
protocol : udp
destination : wan2 address
destination port range : 51820 to 51820
redirect target ip : 192.168.86.0
redirect target port : 51820

[nat outbound rule]
interface : wan2
tcp/ip version: ip4
protocol : udp
source address:  mywireguard net
source port : any
destination address : wan2 address
destination port : any
translation target : interface address

[firewall rule wan2]
automatically created when I created port forward rule

[firewall rule mywireguard]
action : pass
quick : checked
interface : mywireguard
direction : in
tcp/ip version : ip4
protocol : any
source: mywireguard net
destination : any
destination port range: any to any

Please note that the endpoint that I set up in my client app on my iphone is my wan2 ip.  This is because wan2 is my default gateway for some reason and I read somewhere that wireguard only works with the default gateway in a dual wan setup.  I see it in system->gateways->single as wan2 is marked with active.  I would appreciate it if someone can tell me how it decides which gateway is active.

Also, I needed to set up a port forward rule for wireguard to work.  This is not the case as I checked in the online documents on the opnsense web site.  That article is titled set up wireguard road warrior.  Let me know if you have to set up a port forwarding rule for it to work.

Thanks.
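To make the AllowedIPs lines in the post concrete, here is an added example (not code from the post or from OPNsense) that models WireGuard's cryptokey routing: a peer's AllowedIPs decide both which destinations are sent into the tunnel and which source addresses are accepted from that peer after decryption, using longest-prefix match across all peers. The two configs below are constructed to mirror the iPhone client and the three-peer server in the post; all keys and the 203.0.113.10 endpoint are placeholders.

```python
"""Cryptokey routing check for a WireGuard split-tunnel configuration.

Added example, not taken from the forum post or from OPNsense. It parses
wg-quick style .conf text and answers two questions WireGuard itself answers
with the AllowedIPs table: which peer (if any) a destination is routed to, and
whether a decrypted packet from a given peer carries a permitted source address.
All keys and the endpoint address are constructed placeholders.
"""
import ipaddress

# Constructed client config modelled on the iPhone example in the post.
CLIENT_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY
ListenPort = 51820
Address = 10.10.10.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
AllowedIPs = 192.168.86.0/24, 10.10.10.1/32
Endpoint = 203.0.113.10:51820
"""

# Constructed server config modelled on the three /32 peers in the post.
SERVER_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_SERVER_PRIVATE_KEY
ListenPort = 51820
Address = 10.10.10.1/24

[Peer]
PublicKey = PLACEHOLDER_IPHONE_KEY
AllowedIPs = 10.10.10.3/32

[Peer]
PublicKey = PLACEHOLDER_MACBOOK_KEY
AllowedIPs = 10.10.10.2/32

[Peer]
PublicKey = PLACEHOLDER_PC_KEY
AllowedIPs = 10.10.10.4/32
"""


def parse_wg_conf(text):
    """Minimal INI parser that keeps every [Peer] section separately.

    configparser is not used because it merges sections with the same name,
    and a WireGuard config legitimately has many [Peer] sections.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_section": line[1:-1]}
            sections.append(current)
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return sections


def allowed_ips_table(sections):
    """Return {network: peer_pubkey} for all peers.

    WireGuard lets a prefix belong to exactly one peer; if a later peer claims
    the same prefix, the later peer takes it over, which is reproduced here.
    """
    table = {}
    for s in sections:
        if s["_section"] != "Peer":
            continue
        for cidr in s.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr:
                table[ipaddress.ip_network(cidr, strict=False)] = s["PublicKey"]
    return table


def route_lookup(table, dst):
    """Longest-prefix match: owning peer's key, or None if dst bypasses the tunnel."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, peer in table.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, peer)
    return None if best is None else best[1]


def inbound_allowed(table, peer, src):
    """True if a decrypted packet from `peer` with source `src` is accepted.

    WireGuard drops an authenticated packet whose inner source address is not
    routed to the peer that sent it, so the check is the same lookup in reverse.
    """
    return route_lookup(table, src) == peer


def tunnel_routes(conf_text, destinations):
    """Map each destination to the peer it is routed to (None = plain Internet)."""
    table = allowed_ips_table(parse_wg_conf(conf_text))
    return {d: route_lookup(table, d) for d in destinations}


if __name__ == "__main__":
    for dst, peer in tunnel_routes(CLIENT_CONF, ["192.168.86.1", "10.10.10.1", "10.10.10.2", "1.1.1.1"]).items():
        print(f"client -> {dst}: {'tunnel to ' + peer if peer else 'not tunnelled'}")
    srv = allowed_ips_table(parse_wg_conf(SERVER_CONF))
    print("server accepts src 10.10.10.3 from iphone:", inbound_allowed(srv, "PLACEHOLDER_IPHONE_KEY", "10.10.10.3"))
    print("server accepts src 10.10.10.2 from iphone:", inbound_allowed(srv, "PLACEHOLDER_IPHONE_KEY", "10.10.10.2"))
```

Running it shows the split-tunnel effect of the posted client config: the LAN 192.168.86.0/24 and the server's 10.10.10.1 go through the tunnel, while the DNS server 1.1.1.1 and even the other peers' tunnel addresses (10.10.10.2, 10.10.10.4) are sent out unencrypted via the phone's normal route, because nothing claims them. On the server side, a peer can only source packets from the /32 it was given, so a client that forges another peer's tunnel address is dropped before any firewall rule on the mywireguard interface is consulted.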