Messages - FingerlessGloves

#61
Quote from: Maurice on February 17, 2021, 04:05:12 PM
'route-to' is different from 'reply-to'. This rule allows outgoing connections and routes them via the specified gateway.
There should also be a 'pass in' rule which allows incoming connections on the "WAN_RoutedIP" interface. And this rule should have the 'reply-to' tag.

Ah, I wasn't quite sure, but that makes more sense about route-to and reply-to. Thank you for the clarification.

I've now gone over all the rules and looked for reply-to, which isn't there.
#62
I'm 50/50 on whether WireGuard should be used in production while it's in its Go version, but once it's in kernel space it should have fewer issues, as it's sort of native to the OS then.

Anyway, please try to keep this topic on topic. I don't believe it's just WireGuard that's affected by this odd issue with reply-to. I think I read on IRC that someone else tried it with GRE and got the same results, but this was months ago now.

If others can replicate the issue and confirm my findings, and they are the same, then something is up.

Quote
```
pass out log route-to (vtnet0 31.31.31.254) inet from 31.31.31.1 to ! (vtnet0:network) flags S/SA keep state allow-opts label "2f613a9ac318a59b487c1251230f5a27"
pass out log route-to (wg1 51.51.51.254) inet from 51.51.51.10 to ! (wg0:network) flags S/SA keep state allow-opts label "6dd6ab373ac72f668fb2f29d408b0231"
```

I was looking at the pf rules and I wondered: how do you expand (wg0:network), or is there a way of finding what it's expanding to? Because if it's applying that route to traffic not going to (wg0:network), then if that expands to something like 0.0.0.0/0, the rule wouldn't apply. In theory it should expand to 51.51.51.10/32 🤔
#63
Make sure you've enabled logging on your allow rules and see if you can see the ping traffic at both ends.
#64
21.1 Legacy Series / Re: Revisiting NordVPN setup
February 15, 2021, 05:23:10 PM
You connect to it as you would any NordVPN OpenVPN server from the looks of their support pages.

Dedicated IPs only work with OpenVPN, so just connect to the right server.
#65
Hi Guys,

I'm not sure if this is a bug with reply-to or a misconfiguration somewhere. I've had others do this same setup and get the same issue: the traffic returns out of the WAN instead of back over the WireGuard tunnel.

The Setup

OPNsense 1 is in a DC with two public IPs say 51.51.51.1 and 51.51.51.10.
The WAN interface is 51.51.51.1, with a gateway of 51.51.51.254.
51.51.51.10 has been set as a Proxy ARP virtual IP on the WAN interface.
I have then created a WireGuard local on this OPNsense with the IP of 10.0.0.1, I then added a WireGuard peer of another OPNsense box (OPNsense 2). The AllowedIPs of this peer is just 51.51.51.10.
This WireGuard tunnel interface is named "WG_RoutedIP"
I have then created a WAN rule to allow any traffic to 51.51.51.10 to pass, and I also created an ANY to ANY rule on the WG_RoutedIP interface.

OPNsense 2 at home or office etc
WAN interface is 31.31.31.1 with gateway of 31.31.31.254
I have then created a WireGuard local on this OPNsense with the IP of 51.51.51.10, I have Disable Routes ticked and then a gateway of 51.51.51.254 set.
I then added a WireGuard peer of another OPNsense box (OPNsense 1). The AllowedIPs of this peer is 0.0.0.0/0.
This WireGuard tunnel interface is named "WAN_RoutedIP"
I have then created a gateway on WAN_RoutedIP using 51.51.51.254 as the far gateway, and a corresponding NAT rule.

If you set a client to use this new routed IP WAN as a gateway using a gateway policy rule, the traffic works and I can browse the internet fine as 51.51.51.10.

If you allow the HTTPS WebUI or do a port forward, then try to browse to 51.51.51.10 from a PC that's not behind either OPNsense box, you can see the traffic go through OPNsense 1, then hit OPNsense 2. The client cannot connect, so I then looked at the traffic going over the WAN of OPNsense 2 and I can see the return traffic is exiting out of the WAN, not WAN_RoutedIP, so this would point to reply-to not being enabled, but it is.

If I run pfctl -s all, I believe the reply-to rule is there, if I'm looking at the right thing:
```
pass out log route-to (vtnet0 31.31.31.254) inet from 31.31.31.1 to ! (vtnet0:network) flags S/SA keep state allow-opts label "2f613a9ac318a59b487c1251230f5a27"
pass out log route-to (wg1 51.51.51.254) inet from 51.51.51.10 to ! (wg0:network) flags S/SA keep state allow-opts label "6dd6ab373ac72f668fb2f29d408b0231"
```

Note: IPs have been changed to simplify the setup and show clear distinctions.

Hopefully someone knows what's going on here!

FingerlessGloves
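An added check for the route-to/reply-to question raised in posts #62 and #65. This is example code written for this page, not anything from OPNsense or from the thread. It parses `pfctl -sr`-style lines, lists every `pass out ... route-to (IF GW)` rule that has no `pass in ... reply-to (IF GW)` counterpart (the missing piece Maurice describes), and also flags where the interface in `route-to (...)` differs from the interface in the `to ! (IF:network)` exclusion, which is worth eyeballing in the posted wg1/wg0 rule. The third sample rule is a constructed `pass in` rule (its label is made up) added so the audit has a pair to find.

```python
import re
import sys

# Constructed sample: the two `pass out` rules quoted in the thread, plus one
# made-up `pass in ... reply-to` rule (an assumption, not from the page) of the
# shape Maurice describes, so the audit has a pairing to find.
SAMPLE_RULESET = """\
pass out log route-to (vtnet0 31.31.31.254) inet from 31.31.31.1 to ! (vtnet0:network) flags S/SA keep state allow-opts label "2f613a9ac318a59b487c1251230f5a27"
pass out log route-to (wg1 51.51.51.254) inet from 51.51.51.10 to ! (wg0:network) flags S/SA keep state allow-opts label "6dd6ab373ac72f668fb2f29d408b0231"
pass in quick on vtnet0 reply-to (vtnet0 31.31.31.254) inet proto tcp from any to 31.31.31.1 port = https flags S/SA keep state label "webui-wan"
"""

RULE_RE = re.compile(r"^(?P<action>pass|block|match)\s+(?P<dir>in|out)\b")
ROUTE_RE = re.compile(r"\broute-to\s+\((?P<iface>\S+)\s+(?P<gw>\S+)\)")
REPLY_RE = re.compile(r"\breply-to\s+\((?P<iface>\S+)\s+(?P<gw>\S+)\)")
NOT_NET_RE = re.compile(r"\bto\s+!\s*\((?P<iface>[^:)]+):network\)")


def parse_rules(ruleset: str) -> list:
    """Turn pfctl -sr output into dicts holding the fields the audit needs."""
    rules = []
    for line in ruleset.splitlines():
        head = RULE_RE.match(line)
        if not head:
            continue  # skip comments, table/anchor lines, blank lines
        rule = {
            "dir": head["dir"],
            "route_to": None,        # (iface, gateway) from a route-to option
            "reply_to": None,        # (iface, gateway) from a reply-to option
            "not_network_of": None,  # IF from `to ! (IF:network)`
            "line": line,
        }
        m = ROUTE_RE.search(line)
        if m:
            rule["route_to"] = (m["iface"], m["gw"])
        m = REPLY_RE.search(line)
        if m:
            rule["reply_to"] = (m["iface"], m["gw"])
        m = NOT_NET_RE.search(line)
        if m:
            rule["not_network_of"] = m["iface"]
        rules.append(rule)
    return rules


def audit(ruleset: str) -> dict:
    """Report route-to rules lacking a reply-to twin, and interface mismatches."""
    rules = parse_rules(ruleset)
    reply_pairs = {r["reply_to"] for r in rules if r["dir"] == "in" and r["reply_to"]}
    unpaired, mismatch = [], []
    for r in rules:
        if r["dir"] != "out" or not r["route_to"]:
            continue
        # Outbound policy routing exists; is there an inbound rule that sends
        # replies back out the same (iface, gateway)?
        if r["route_to"] not in reply_pairs:
            unpaired.append(r["route_to"])
        # route-to via one interface but excluding another interface's network
        # is at least worth a second look.
        if r["not_network_of"] and r["not_network_of"] != r["route_to"][0]:
            mismatch.append((r["route_to"][0], r["not_network_of"]))
    return {"unpaired_route_to": unpaired, "interface_mismatch": mismatch}


if __name__ == "__main__":
    # Real use:  pfctl -sr | python3 pf_audit.py   (falls back to the sample on a tty)
    text = SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()
    report = audit(text)
    for iface, gw in report["unpaired_route_to"]:
        print(f"route-to ({iface} {gw}) has no 'pass in ... reply-to ({iface} {gw})' rule")
    for rt_if, net_if in report["interface_mismatch"]:
        print(f"route-to via {rt_if} but the destination exclusion is ({net_if}:network)")
```

On the posted rules the audit reports that the `(wg1 51.51.51.254)` route-to rule has no reply-to partner, and that its exclusion refers to `wg0:network` rather than `wg1:network`; whether the second point is a cause or just how OPNsense labels the interfaces is something only the live box can answer.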
#66
Quote from: franco on January 22, 2021, 07:19:29 PM
I have to disappoint, but Bavaria already has all the beer in the world to push through.  ;D


Cheers,
Franco

I'm sure a pizza would help soak up the beer, so he can get through all this beer easier 😋
#67
Quote from: mimugmail on January 20, 2021, 09:11:26 AM
I'm all in  8)

Where do I donate beer money or late late `git push` energy drinks  :P
#68
20.7 Legacy Series / Traffic Shaper DSCP values
November 30, 2020, 01:48:20 PM
Hi Guys,

I'm trying to set up DSCP for Teams traffic, but I need DSCP value 46. Is Expedited Forwarding what I'm after?

I believe it is but good to double check.

Screenshot of rule attached.
#69
20.7 Legacy Series / Re: Opnsense 20.7 on QOTOM i5
November 11, 2020, 10:20:29 PM
I've had 2 Qotom devices, and my current one is the Q535G6 u7100.

Mine doesn't do this, which one do you have?
#70
There's a script to manage the PIA WireGuard tunnel for you. (Created by me)

This is what Chrome used to set up the PIA WireGuard  ;)

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard
#71
Quote from: firewall on September 30, 2020, 06:33:08 PM
My OpenVPN speed is roughly 3x that of WG on Mullvad, despite the overhead, when connecting to endpoints in the same city + hosting provider (e.g. M247) + CIDR.

OPNsense's WireGuard is currently using the Go implementation, so it's not kernel level yet, and the performance isn't what it could be.

Hopefully the FreeBSD kernel module will get finished and hit stable some day soon, which can then be incorporated into OPNsense, and we'll get much better WireGuard bandwidth and latency.

Kernel Module Source
https://git.zx2c4.com/wireguard-freebsd/
#72
Hi Guys,

I've written a python script for OPNsense that allows you to use WireGuard and PIA's Next Gen servers.
The script will make sure your PIA WireGuard tunnel is up and will change server if required as well.

Please see my Github page for the guide and the script.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

Any question just ask and any issues make an issue on Github.
#73
It's my Repo 😉 OP "I've made this script"

The script has an exit code of 0 when it's run in the terminal. If I can record the stdout of the script when OPNsense cron runs it, it might give me a stack trace for the issue, but I can't replicate the issue in the terminal, annoyingly.

Is there any way at all to get the stdout/stderr out of the OPNsense cron?

EDIT:
Forgot about try/catch; used that and found the issue 😅. Silly working path issue, typical lol
#74
Hi Guys.

I've made this script for PIA and WireGuard; it's nearly 100% working, I've got one bug.

When the script gets run by OPNsense's cron, it'll error when I've got the script's port forwarding enabled. Then when I run the Python script in the terminal it doesn't error and the exit code is 0.

So with the port forwarding for PIA, you need to refresh the port on the server every 15 minutes to keep it active, so the script will wait for 599 seconds to pass and then tell the API on the WireGuard server you still want that port.

When the 599 seconds have passed, that's when the error occurs on OPNsense. If I then run the script in the terminal it doesn't error, the timer is reset, and OPNsense won't error running the script until the time is up again.

How would I go about trying to debug what output the script is getting when run by OPNsense cron?
I'm after the stdout or stderr, if that's able to be logged by the cron?

```
Script action failed with Command '/conf/PIAWireguard.py' returned non-zero exit status 1. at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/processhandler.py", line 479, in execute
    stdout=output_stream, stderr=error_stream)
  File "/usr/local/lib/python3.7/subprocess.py", line 363, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/conf/PIAWireguard.py' returned non-zero exit status 1.
```

Code: https://github.com/FingerlessGlov3s/OPNsensePIAWireguard
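An added illustration for the cron-versus-terminal debugging in posts #73 and #74. This is example code written for this page, not the PIAWireguard script itself. The traceback quoted above comes from OPNsense's processhandler (`check_call` raising `CalledProcessError`), which only sees the script's exit status, so the script's own stderr is lost; the pattern below reproduces the working-directory difference offline and shows the try/except-to-logfile approach that recovers the stack trace. The file names `state.json` and `cron.log`, the use of a temp directory, and `/` as the cron working directory are assumptions for the demo.

```python
import os
import sys
import tempfile
import time
import traceback
from pathlib import Path

# Anchor data files on the script's own location rather than the caller's cwd.
# cron does not start the job inside the script's directory, which is the class
# of bug the EDIT in post #73 describes. __file__ is missing in an interactive
# session, hence the fallback.
try:
    SCRIPT_DIR = Path(__file__).resolve().parent
except NameError:
    SCRIPT_DIR = Path.cwd()


def anchored(name: str, base: Path = SCRIPT_DIR) -> Path:
    """Resolve a data file next to the script, independent of the cwd."""
    return base / name


def run_job(job, log_path: Path) -> int:
    """Run job(); on any exception append the traceback to log_path and return 1.

    Only the exit status reaches OPNsense's processhandler, so the log file is
    the one place the stack trace survives when the script runs from cron.
    """
    try:
        job()
    except Exception:
        with open(log_path, "a") as log:
            log.write(time.strftime("%Y-%m-%d %H:%M:%S") + " job failed\n")
            log.write(traceback.format_exc())
        return 1
    return 0


def demo() -> dict:
    """Reproduce the terminal-vs-cron difference offline in a temp directory."""
    work = Path(tempfile.mkdtemp(prefix="pia-demo-"))
    (work / "state.json").write_text("{}")  # constructed stand-in for a state file
    log = work / "cron.log"
    old_cwd = os.getcwd()
    try:
        os.chdir("/")  # mimic cron: cwd is not where the script lives (assumption)
        naive = run_job(lambda: Path("state.json").read_text(), log)           # relative to cwd
        fixed = run_job(lambda: anchored("state.json", work).read_text(), log)  # anchored on script dir
    finally:
        os.chdir(old_cwd)
    return {
        "naive_exit": naive,      # 1: FileNotFoundError under the cron-like cwd
        "anchored_exit": fixed,   # 0: same file, resolved next to the script
        "traceback_logged": "FileNotFoundError" in log.read_text(),
    }


if __name__ == "__main__":
    print(demo())
    sys.exit(0)
```

Run from a terminal the naive open would have worked, because the shell's cwd happened to be the script's directory; under cron it fails and, without the log file, all OPNsense would show is the non-zero exit status.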
#75
I made a guide for this for someone on IRC a while back.

May not be the best way but it does work. Just do your rules to match your required configuration.

https://imgur.com/gallery/JBf2RF6