
Messages - csmall

#1
I like the way ipfire uses zones with color codes to define the network.

WAN and LAN exist in OPNsense and correlate to red and green zones in ipfire.

In ipfire they use orange for a DMZ and Blue for wireless clients.

To mimic this, would I do the default installation on my quad port network card with WAN and LAN and then configure my OPT1 interface to be let's say Blue/Wireless and the last port I would add another interface and configure that as the DMZ?

Then I would attach my WAP to the blue/opt1 interface and create rules accordingly?

I'm probably overthinking this :)
#2
General Discussion / Re: Security question
April 24, 2020, 12:58:56 PM
Thank you both for the clarification.
#3
General Discussion / Security question
April 24, 2020, 03:35:49 AM
I read that pfsense runs the web interface and php as root.

With opnsense being a fork of pfsense, does it also do this?

Pfsense gave me an explanation the other day that basically it is a big effort and massive undertaking to change this.

I believe this is true, but my question is how much does it matter? My understanding is that best practice is to never do this. But yet, it is still accepted I guess with the idea that because the webui isn't accessible to the internet by default that it isn't a real risk.

What does opnsense do and if it runs these services as root, what is the reasoning?
#4
19.7 Legacy Series / Re: Need help with wireguard
July 20, 2019, 09:40:31 PM
Quote from: mimugmail on July 20, 2019, 09:11:04 PM
maybe you are affected by this? https://github.com/opnsense/plugins/issues/1419#issuecomment-513491826

Switching the endpoints on the server to /32 seems to have resolved the issue! /32 actually makes more sense to me and I never understood why all the articles I saw used /24.

I didn't change the client to /32 but I will try that anyway I guess because it just sounds right.

But thank you, your link seems to have solved the problem.
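Added example, not code from the thread or from OPNsense: a check for the /24 problem resolved above. WireGuard's cryptokey routing maps each AllowedIPs prefix to exactly one peer, so when two road-warrior peers are both given the tunnel /24 on the server side, the second peer takes that prefix away from the first, which matches the first device stopping once a second endpoint was added. The config text and the public keys are constructed placeholders.

```python
import ipaddress

# Constructed server-side config for the two peers described in the thread; the public
# keys are placeholders. Both AllowedIPs carry the /24 that the /32 change later repaired.
OVERLAPPING_CONF = """
[Interface]
Address = 172.16.5.1/24

[Peer]   # android phone
PublicKey = PHONE_PUBKEY_PLACEHOLDER=
AllowedIPs = 172.16.5.2/24

[Peer]   # laptop
PublicKey = LAPTOP_PUBKEY_PLACEHOLDER=
AllowedIPs = 172.16.5.3/24
"""

def parse_wg_peers(text):
    """Return {PublicKey: [AllowedIPs...]} from the [Peer] sections of a wg-quick style config."""
    peers, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("["):
            cur = {"PublicKey": None, "AllowedIPs": []} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None and "=" in line:
            key, _, value = line.partition("=")     # first "=" only: keys end in "=" padding
            if key.strip() == "AllowedIPs":
                cur["AllowedIPs"] += [v.strip() for v in value.split(",") if v.strip()]
            elif key.strip() == "PublicKey":
                cur["PublicKey"] = value.strip()
    return {p["PublicKey"] or f"peer{i}": p["AllowedIPs"] for i, p in enumerate(peers)}

def find_allowed_ip_conflicts(peers):
    """List (peer_a, net_a, peer_b, net_b) for every overlapping AllowedIPs pair on different
    peers; the kernel keeps only one owner per prefix, so an overlap means a silently lost route."""
    entries = [(name, ipaddress.ip_network(cidr, strict=False))
               for name, cidrs in peers.items() for cidr in cidrs]
    return [(a, str(na), b, str(nb))
            for i, (a, na) in enumerate(entries)
            for b, nb in entries[i + 1:]
            if a != b and na.overlaps(nb)]

def fixed_peers(peers):
    """Rewrite each peer's AllowedIPs to a host route (/32 or /128), the fix the thread arrived at."""
    return {name: [str(ipaddress.ip_network(ipaddress.ip_interface(c).ip)) for c in cidrs]
            for name, cidrs in peers.items()}
```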
#5
19.7 Legacy Series / Re: Need help with wireguard
July 20, 2019, 03:38:52 PM
So I just confirmed that the second client I added still works. The first device is an android phone and it worked and then stopped. The second device is a laptop which is tethered to the Android device (without wireguard running of course) and it connects and traffic flows as expected.
So odd.
#6
19.7 Legacy Series / Re: Need help with wireguard
July 20, 2019, 03:32:00 PM
Quote from: csmall on July 19, 2019, 06:00:28 PM
Thanks again for all your hard work on this and other plugins

It all of a sudden just stopped working. I can't understand why. I tried rebooting opnsense and the Android device. I haven't changed any settings other than adding another endpoint device. I will test that one in a few minutes and see if it works.

I also noticed that while I added the any any rules to the opt2 interface (wg0) and everything started flowing... there is also now wireguard listed under firewall rules and it had no rule... so I added an any any rule there just now and it didn't make a difference.

It worked all day yesterday and stopped sometime late last night.
#7
19.7 Legacy Series / Re: Need help with wireguard
July 19, 2019, 06:00:28 PM
Thanks again for all your hard work on this and other plugins
#8
19.7 Legacy Series / Re: Need help with wireguard
July 19, 2019, 12:22:55 PM
Nevermind. I found it. I added an any any permit rule to opt2 interface and now traffic is flowing. I can ping opnsense up and wireguard server up from the client now.

I can also reach the internet through the tunnel. Thanks!!
#9
19.7 Legacy Series / Re: Need help with wireguard
July 19, 2019, 12:18:28 PM
Quote from: Headologic on July 19, 2019, 09:21:10 AM
Have you added a rule for the "interface" wireguard to pass the traffic?
When I first configured the wireguard connection, I wondered why there were successful handshakes between server and peer, but no traffic incoming. So I checked this and found that there is no "pass all" rule. And now it's working.

Where did you add the rule and what are the rule details? I think this is my problem.
#10
19.7 Legacy Series / Re: Need help with wireguard
July 19, 2019, 12:16:28 PM
The interface is named opt2 for wg0.

I tried pinging the wg0 server address from the Android client and it looks like it is blocked in the firewall log?

filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,18553,0,DF,1,icmp,84,172.16.5.2,172.16.5.1,datalength=64
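Added example, not code from the thread or from OPNsense: a parser for the pf filterlog format of the line above, with a helper that pulls out inbound blocks on a given interface, which is how the missing pass rule on the WireGuard interface shows up. The first sample line is the one quoted above with a made-up syslog prefix; the second sample line and the interface names are constructed.

```python
import ipaddress

# Constructed sample lines in the pf filterlog format OPNsense writes. The first is the
# line quoted in the post above (with a made-up syslog prefix); the second is a made-up
# TCP pass entry on another interface, to show the protocol-specific fields.
SAMPLE_LINES = [
    "Jul 19 12:16:28 fw filterlog: 11,,,0,wg0,match,block,in,4,0x0,,64,18553,0,DF,1,icmp,84,172.16.5.2,172.16.5.1,datalength=64",
    "Jul 19 12:16:30 fw filterlog: 5,,,1000000103,em0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.1,51234,443,0,S",
]

# Field names: common header, then the IPv4 or IPv6 branch, then protocol-specific fields.
_HEADER = ["rulenr", "subrulenr", "anchor", "tracker", "interface",
           "reason", "action", "direction", "ipversion"]
_IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto", "length", "src", "dst"]
_IPV6 = ["class", "flowlabel", "hoplimit", "proto", "protoid", "length", "src", "dst"]


def parse_filterlog(line):
    """Parse one filterlog line into a dict, or return None if it is not a usable entry."""
    if "filterlog:" not in line:
        return None
    fields = line.split("filterlog:", 1)[1].strip().split(",")
    rec = dict(zip(_HEADER, fields))
    rest = fields[len(_HEADER):]
    names = _IPV4 if rec.get("ipversion") == "4" else _IPV6
    rec.update(zip(names, rest))
    rest = rest[len(names):]
    if rec.get("proto") in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = rest[0], rest[1]
    # Validate the addresses so a truncated or garbled line is rejected, not misread.
    try:
        rec["src"] = str(ipaddress.ip_address(rec["src"]))
        rec["dst"] = str(ipaddress.ip_address(rec["dst"]))
    except (KeyError, ValueError):
        return None
    return rec


def blocked_on_interface(lines, iface):
    """(src, dst, proto, rulenr) for every inbound block logged on the given interface;
    inbound blocks on the WireGuard interface are the symptom the thread traced to a missing pass rule."""
    hits = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["interface"] == iface and rec["action"] == "block" and rec["direction"] == "in":
            hits.append((rec["src"], rec["dst"], rec["proto"], rec["rulenr"]))
    return hits
```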
#11
I used the doc here to configure wireguard.

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I am connecting an Android client and it seems to connect to the server fine, but traffic seems to only be sent and not received.

What could be wrong? I cannot get to the Web interface of opnsense when connected to the tunnel or the internet.

I configured the client to use 0.0.0.0/0 for allowed IPs.

On the endpoint config I have allowed IPs set to the client_ip/24

I added the interface wg0 to assignments and enabled it with prevent removal.

I added the NAT rule for outbound NAT

I created the WAN firewall rule

I'm not sure what I could be missing... I expected at the very least to get to the webui of opnsense and maybe have a dns issue but I can't even get to that.
#12
I came across the doc here

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I apologize, I was testing the wireguard Plugin really early on and had a bunch of trouble. For some reason I thought this article may have been old and possibly outdated.

I will use this to attempt setting it up now that it is included in 19.7
#13
Is there a tutorial or doc on how to configure the new wireguard Plugin in 19.7 for road warrior?
#14
Quote from: csmall on June 27, 2019, 02:17:11 PM
Thanks. I tried adding that as well and internet access still doesn't work over the tunnel. I'll have to dig deeper... maybe it is being blocked somewhere.

I get the feeling it may be dns related so I'll try to go to an IP and see if I can get out. That should point me in the right direction.

It works now. Thanks again!
#15
Thanks. I tried adding that as well and internet access still doesn't work over the tunnel. I'll have to dig deeper... maybe it is being blocked somewhere.

I get the feeling it may be dns related so I'll try to go to an IP and see if I can get out. That should point me in the right direction.