Messages - MrB

#1
I too lost connection to Mullvad through Wireguard after updating to 23.7.3 ( only after reboot ). But switching to the wireguard-go implementation instead of the kernel one, brought the connection back, without any changes to the configuration. If I switch back to the kernel implementation it will work until I reboot. So it seems something must have changed in the latest versions regarding the os-wireguard plugin compared to before, because as far as I recall nothing in my WG config has.
#2
Quote from: saaiborg on January 06, 2023, 10:29:40 PM
I want port 140 to be accessible on that linux device from the Internet

Which external ip-address are you trying to access, your normal WAN ip or the Surfshark one? The latter won't work since the port forward needs to be done at Surfshark, which they don't support ( https://surfshark.com/blog/vpn-port-forwarding#vpn-clients-and-vpn-port-forwarding ).

If you get a public ip-address from your ISP, then it should be as simple as creating a port forward rule on your WAN interface for port 140 pointing to the client's internal ip. But if your ISP does Carrier-grade NAT (CGN or CGNAT), then this will not work.
#3
Reading it from the backup file should be pretty easy if the data is stored there. Below is an example of how to read the expiration date for the self-signed web cert from the backup xml-file. This uses xmllint to parse the xml-file, decodes the <crt> node and passes the result to openssl x509 to display the data.

xmllint --xpath '/opnsense/cert/crt/text()' config-file.xml | base64 -d | openssl x509 -noout -subject -enddate

Don't have any VPN certificates stored on my own setup, so adjust the xpath for the correct node, and of course the name of the input file.
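The pipeline from the post, wrapped in a script that builds its own input so it can be run end to end. This is an added example, not from the forum post: it generates a throw-away self-signed certificate with openssl, embeds it in a constructed config.xml that mimics the /opnsense/cert/crt layout, and then extracts the expiry the same way (xmllint when available, with a sed fallback for the single-line <crt> payload that config.xml stores). The XPath is a parameter so the same function can be pointed at a VPN cert node instead.

```shell
# Added example: read a certificate's expiry out of an OPNsense-style backup.
# Assumes openssl is installed; xmllint is used when present, as in the post.
set -e

# Build a throw-away self-signed cert and a minimal, constructed config.xml
# that stores it base64-encoded under /opnsense/cert/crt.
make_sample_backup() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=opnsense-webgui-example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    crt_b64=$(openssl base64 -A < "$dir/cert.pem")
    cat > "$dir/config.xml" <<EOF
<?xml version="1.0"?>
<opnsense>
  <cert>
    <refid>example</refid>
    <descr>Web GUI SSL certificate</descr>
    <crt>$crt_b64</crt>
  </cert>
</opnsense>
EOF
    echo "$dir"
}

# Pull the base64 payload out of the backup. $1 = backup file,
# $2 = optional XPath (default: the web GUI cert node used in the post).
extract_crt_b64() {
    file=$1
    xpath=${2:-/opnsense/cert/crt/text()}
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --xpath "$xpath" "$file"
    else
        # Fallback: config.xml keeps the base64 on one line, so a
        # non-greedy match between <crt> and </crt> is enough here.
        sed -n 's:.*<crt>\([^<]*\)</crt>.*:\1:p' "$file" | head -n 1
    fi
}

# Decode the node and let openssl print subject and notAfter.
cert_enddate() {
    extract_crt_b64 "$1" "$2" | base64 -d | openssl x509 -noout -subject -enddate
}

# Self-check: the expiry read via the backup must equal the expiry read
# directly from the generated cert file.
check_roundtrip() {
    dir=$(make_sample_backup)
    from_backup=$(cert_enddate "$dir/config.xml" | grep '^notAfter=')
    from_file=$(openssl x509 -noout -enddate -in "$dir/cert.pem")
    rm -rf "$dir"
    [ "$from_backup" = "$from_file" ]
}

check_roundtrip && echo "expiry read from backup matches the certificate: OK"
```

Point cert_enddate at a real backup with the XPath of the node you care about, e.g. `cert_enddate config-file.xml '/opnsense/cert[2]/crt/text()'` for the second certificate entry.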
#4
General Discussion / Re: Manage kids devices.
September 12, 2022, 09:26:33 PM
The way I've done it is

  • assign static leases for the devices in DHCP
  • put the ( now known ) ip-addresses in an alias
  • use the alias in rules to block/allow access
#5
It depends on the next number, from Wikipedia :
100.64.0.0/10 (100.64.0.0–100.127.255.255): Private network. Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.

And if that is the case, then you're out of luck as far as ipv4 connectivity is concerned. You should check with your ISP if this is the case, and also ask if they offer ipv6, because if all your devices are configured for it, then that might work.

As a last resort one could try a VPN service that allows port-forwarding.
#6
Maybe asking some obvious questions, but:

  • Has the fiber modem/router been set to bridge mode?
  • Does WAN on OPNsense receive a public ip-address and nothing in the 10.x.x.x / 172.16.x.x / 192.168.x.x ranges?
  • The Nokia beacon is connected to OPNsense?
And no, you don't need a static ip-address from your ISP.
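Both posts above come down to the same check: is the address on OPNsense's WAN a real public one, an RFC 1918 address (modem still routing instead of bridged), or something in 100.64.0.0/10 (the ISP is doing carrier-grade NAT)? The script below is an added example, not from either post, and classifies an address against those ranges in plain POSIX sh arithmetic; the sample addresses at the bottom are constructed.

```shell
# Added example: tell public, RFC 1918 and carrier-grade NAT (100.64.0.0/10)
# addresses apart, e.g. for the address shown on OPNsense's WAN interface.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDRESS NETWORK/PREFIX -> exit 0 if ADDRESS lies inside the block.
in_cidr() {
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# classify_wan ADDRESS -> prints: public | rfc1918 | cgnat | loopback | link-local
classify_wan() {
    addr=$1
    if in_cidr "$addr" 10.0.0.0/8 || in_cidr "$addr" 172.16.0.0/12 \
        || in_cidr "$addr" 192.168.0.0/16; then
        echo rfc1918      # upstream router is still doing NAT; check bridge mode
    elif in_cidr "$addr" 100.64.0.0/10; then
        echo cgnat        # shared address space: inbound port forwards cannot work
    elif in_cidr "$addr" 127.0.0.0/8; then
        echo loopback
    elif in_cidr "$addr" 169.254.0.0/16; then
        echo link-local   # no DHCP lease obtained at all
    else
        echo public       # a WAN port forward has a chance of working
    fi
}

# Constructed sample addresses, one per category.
for ip in 203.0.113.7 192.168.1.2 172.31.0.9 100.72.9.1 169.254.10.1; do
    printf '%-16s %s\n' "$ip" "$(classify_wan "$ip")"
done
```

Run it with the address from Interfaces > Overview on the WAN entry; a `cgnat` or `rfc1918` result explains why a port forward on WAN is not reachable from the Internet.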
#7
22.1 Legacy Series / Re: os-ddclient
February 28, 2022, 07:45:43 PM
In the meantime you can use the Custom-option, just set the server address to: freedns.afraid.org
Set the protocol to DynDns2, or leave it empty. The latter will work although it registers as a warning in the log,
file /usr/local/etc/ddclient.conf, line 17: Invalid Value for keyword 'protocol' = ''
#8
There is an API for the Wireguard plugin : https://docs.opnsense.org/development/api/plugins/wireguard.html

Haven't played around with it much though, so not much help as far as usage goes. Got so far playing around with Postman that I could get a list of endpoints with http://192.168.1.1/api/wireguard/client/get
But adding a new one or trying to set something always resulted in "failed"
#9
Perhaps I was a bit unclear, I'm not suggesting you should try and install anything / run the commands listed on OPNsense, but rather on any available Linux distribution (if none at hand use a VM, Live disc etc.) to obtain the configuration which can then be used in OPNsense.
#10
It's stated in the blog that
Quote: We will soon provide tutorials on how to set it up on any third-party WireGuard client.

So ideally you could just ask NordVPN for the config, but from what I've read they haven't been that forthcoming regarding this issue.

I did however find a forum post with instructions on how to use the NordVPN Linux client to obtain the configuration
https://forum.gl-inet.com/t/configure-wireguard-client-to-connect-to-nordvpn-servers/10422/27
#11
Quote from: dave79 on July 25, 2020, 08:20:49 AM
Out of interest, do you know why this rule is functioning correctly with the direction set to 'in'? I can't get my head round that. There's no traffic coming into LAN, it's already within it... or is this a total misconception?

From the firewall's point of view everything is on the outside, i.e. packets from LAN must come IN before going OUT on the WAN side.
#12
Haven't played with it myself, but looks like there's an os-firewall plugin "Firewall API supplemental package" and looking at the docs ( https://docs.opnsense.org/development/api/plugins/firewall.html ) it seems that there's a command for toggling a rule.
#13
My current low budget solution is a used i3 NUC (w/ single Gbit NIC) & 8-port managed switch that does VLANs, set me back 120 euros in total.

Network is split into 4 VLANs (home, work, iot, guest) and since they are isolated and the uplink is only 200/20 Mbit, it works fine for my use case. I'm not saturating the single NIC and haven't had any issues so far, but as always YMMV.
#14
19.1 Legacy Series / Re: NordVPN on ONE interface
March 31, 2019, 11:42:51 AM
If I understood your configuration correctly, then all you need is an allow-any rule on OPT1 with "VPN_DHCP" (assuming this is the VPN gateway) set as your gateway and an outbound NAT rule for the VPN interface with "OPT1 network" as source and "Interface address" as translation/target.
#15
General Discussion / Re: Route one IP over VPN?
February 11, 2019, 09:42:37 PM
Are the hosts in the alias also in the 10.0.1.0/24 range? If so, try moving the VPNtraffic rules in outbound NAT before the 10.0.1.0/24 entries.