Messages - relink2013

#1
I am working on setting up a WireGuard server on a small VPS that my OPNsense box on my LAN will connect to, so that my reverse proxy and email servers can be accessed without port forwarding and exposing my home IP.

I have the tunnel up and running and I can see the connection from both ends; I can ping the wg OPNsense peer from the VPS just fine. I thought I had all the correct rules set up, but something is clearly missing, as I cannot ping any addresses on my LAN from the VPS.

To clarify, I don't want the WireGuard tunnel to have unfettered access to my entire LAN; my goal is for it to be treated as if it were basically a WAN interface, e.g. I want to be able to forward only the ports I need, and allow access to only the LAN IPs that need to be accessed. Later on I plan to set up IPS and I would want it running on this interface. This tunnel is only for services exposed to the internet. I already have a separate VPN solution to access my entire LAN remotely if I need to.

Below is all the info on how I set it all up. Since I couldn't find a single guide on doing this specifically with OPNsense I used multiple guides and did my best to fill in the gaps.


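One thing worth checking in a setup like the one described above: WireGuard's cryptokey routing only sends (and accepts) packets for a peer whose AllowedIPs covers the destination, so a VPS peer entry that lists only the OPNsense tunnel address can ping that tunnel address but never a LAN host behind it. The script below is an added example, not from the original post or from OPNsense; it uses constructed configs with hypothetical addresses (10.0.0.0/24 tunnel, 192.168.1.0/24 LAN) and shows how listing only the needed LAN hosts in AllowedIPs matches the poster's aim of not exposing the whole LAN. It covers only the VPS half; the OPNsense side still needs its own AllowedIPs for the VPS and firewall rules on the WireGuard interface.

```python
import ipaddress
import re

# Constructed example of the VPS-side WireGuard config (hypothetical addresses,
# placeholder keys). The single peer is the OPNsense box. Its AllowedIPs covers
# only the tunnel address, so WireGuard will not route any LAN destination to it.
VPS_CONF_NARROW = """
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <vps-private-key-placeholder>

[Peer]
# OPNsense
PublicKey = <opnsense-public-key-placeholder>
AllowedIPs = 10.0.0.2/32
"""

# Same config with AllowedIPs widened to exactly the LAN hosts that should be
# reachable (reverse proxy and mail server), not the whole 192.168.1.0/24.
VPS_CONF_SCOPED = VPS_CONF_NARROW.replace(
    "AllowedIPs = 10.0.0.2/32",
    "AllowedIPs = 10.0.0.2/32, 192.168.1.10/32, 192.168.1.20/32",
)


def parse_allowed_ips(conf: str) -> list:
    """Collect every network listed under AllowedIPs across all [Peer] sections."""
    nets = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"AllowedIPs\s*=\s*(.+)", line, re.IGNORECASE)
        if m:
            for cidr in m.group(1).split(","):
                nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return nets


def routed_over_tunnel(conf: str, dst: str) -> bool:
    """Cryptokey routing check: is dst inside some peer's AllowedIPs?"""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in parse_allowed_ips(conf))


if __name__ == "__main__":
    for name, conf in (("narrow", VPS_CONF_NARROW), ("scoped", VPS_CONF_SCOPED)):
        for dst in ("10.0.0.2", "192.168.1.10", "192.168.1.50"):
            print(f"{name}: {dst} -> {routed_over_tunnel(conf, dst)}")
```
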
#2
I have the WireGuard server set up using the official OPNsense docs, and everything works just fine except I can't access any of my own sites that sit behind my NGINX Proxy Manager when I am connected to the VPN.

I also have AdGuard Home set up, which then goes through Unbound on OPNsense.

If I enable "NAT Reflection" I can access my local URLs from my LAN, but I still can't access them when I'm connected through WireGuard.

My WireGuard network is listed in the Access Lists for Unbound. And if I open the AdGuard UI I can see normal DNS queries going through just fine.

I'd be happy to post any screenshots or other info; I just didn't want to flood my OP with a ton of stuff that may not have been needed.
#3
So the pfSense box I've been using for the last several years is starting to fail; I suspect a hardware issue. So I'm going to be building a new firewall soon and I'm giving serious thought to OPNsense.

There are a few must-have things in order for me to be able to switch, though, and I'm sure OPNsense can do them all, I just don't know how.

1. DNS over TLS. I have been using DNS over TLS since it launched with Cloudflare's 1.1.1.1 service, but I can't find any tutorials on setting it up with OPNsense.

2. I need to be able to import my Suricata settings. I have spent a LONG time tuning Suricata to remove false positives and I really do not want to start over again.

3. Sending only specific IPs through a VPN. I have PIA set up as a gateway on my pfSense box, and all I need to do is create a simple LAN rule to send specific clients through the VPN tunnel instead of the WAN. I actually don't remember how I did this, and I cannot find a tutorial on how to do it in OPNsense.

4. pfBlockerNG, or an alternative that can block ads and block entire countries.

I'm honestly really hopeful that I can make the switch, but these things are must-haves. Hope you guys can help out; your community seems to be much more active and friendly, so fingers crossed. 😁
#4
I'm following this closely as well, and this tutorial right here is the whole reason I went with OPNsense.