Messages - MrBieR

#1
Hi,

I've asked this question before but I didn't really get to a working solution.
https://forum.opnsense.org/index.php?topic=20360

Perhaps someone can help with the current status of WireGuard in OPNsense.

Browser: 7.7.7.7
VPS eth0: 9.9.9.9  (outside IP address)
VPS wg0: 192.168.1.1
OPNsense wg0: 192.168.1.2 (gateway configured to be 192.168.1.254 and that works fine)
OPNsense eth0: 192.168.0.254
Local PC eth0: 192.168.0.1

On my webserver I see source IP address 192.168.1.1, while I'd want to see the actual IP address that connected to my VPS at https://9.9.9.9.


What I've tried so far:

iptables -t nat -I PREROUTING 1 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.2:443
iptables -t nat -A POSTROUTING -j MASQUERADE

The -j MASQUERADE causes the translation, I think, but I don't know how to get it working without it.

iptables -I PREROUTING 1 -t nat -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.1.2:443
iptables -I FORWARD 1 -p tcp -d 192.168.1.2 --dport 443 -j ACCEPT


---
On OPNsense: WireGuard is set up like https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#wireguard-selective-routing-to-external-vpn-provider
which means that my local PC goes over the WireGuard connection for port 443 (tried that, and it works fine).

---

Packet capture:
interface: wg0  7.7.7.7 => 192.168.1.2
interface: lan  7.7.7.7 => 192.168.0.1
interface: lan  192.168.0.1 => 7.7.7.7
interface: wg0  nothing..
interface: wan  192.168.1.2 => 7.7.7.7  (wrong!)

Firewall:
rule: LAN outgoing, source port 443, use wg0. (If I set destination port 443 then all my HTTPS traffic from this local PC goes over wg0, which works fine! But now I want to reply to an incoming request on 443 and send that reply via that route.)
NAT outbound: LAN outgoing, use wg0.
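The setup in this post is a DNAT at the VPS whose reply has to leave the far end through the tunnel instead of the WAN. The script below is an added example, not code from the thread or from the OPNsense project. It prints (or, with APPLY=1 as root, applies) both halves on Linux: the VPS rules with DNAT only and no MASQUERADE, so the browser's address survives, and, for the case where the tunnel endpoint is a Linux gateway rather than OPNsense, the conntrack-mark plus policy-routing construction that pins replies to wg0. On OPNsense that return-path job is normally done by pf's reply-to on rules bound to the WireGuard interface once that interface has a gateway assigned, which is why the "Disable reply-to" setting comes up later in this thread. The addresses are the ones from the post; the interface names, the webserver address 192.168.0.1 as the second forward target, mark 0x1, routing table 100 and the rp_filter setting are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread or the OPNsense project):
# port forward over WireGuard that preserves the client's source address.
# Addresses follow post #1: VPS eth0 9.9.9.9, VPS wg0 192.168.1.1,
# OPNsense/gateway wg0 192.168.1.2, webserver 192.168.0.1, browser 7.7.7.7.
# Interface names, WEB_IP, MARK and TABLE are assumptions (override via env).
# Nothing is applied unless APPLY=1 is set and the script runs as root,
# so "sh thisfile vps" or "sh thisfile gateway" just prints the rules.

WAN_IF="${WAN_IF:-eth0}"                  # VPS public interface
LAN_IF="${LAN_IF:-eth0}"                  # gateway's LAN interface (webserver side)
WG_IF="${WG_IF:-wg0}"
VPS_WG_IP="${VPS_WG_IP:-192.168.1.1}"     # VPS end of the tunnel
PEER_WG_IP="${PEER_WG_IP:-192.168.1.2}"   # OPNsense/gateway end of the tunnel
WEB_IP="${WEB_IP:-192.168.0.1}"           # webserver on the gateway's LAN
PORTS="${PORTS:-80 443}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"

# VPS side: DNAT only. Without MASQUERADE/SNAT the forwarded packet keeps
# src=7.7.7.7 when it leaves wg0; conntrack un-DNATs the reply from
# 192.168.1.2 on its way back out eth0. That only works if the far end
# sends the reply back through the tunnel (see gateway_reply_rules).
vps_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $PEER_WG_IP:$p"
        echo "iptables -A FORWARD -i $WAN_IF -o $WG_IF -p tcp -d $PEER_WG_IP --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Gateway side (Linux stand-in for OPNsense's reply-to): remember that a
# connection entered through the tunnel and route its replies back out
# that way, overriding the default route via WAN.
gateway_reply_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 7.7.7.7 arrives on wg0 although the main table routes it via WAN;
    # strict reverse-path filtering (1) would silently drop it.
    echo "sysctl -w net.ipv4.conf.$WG_IF.rp_filter=2"
    # tag new connections entering through the tunnel
    echo "iptables -t mangle -A PREROUTING -i $WG_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK"
    # copy the connection mark onto the webserver's reply packets
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark"
    # marked packets consult a table whose only route is the tunnel
    echo "ip rule add fwmark $MARK lookup $TABLE priority 100"
    echo "ip route add default via $VPS_WG_IP dev $WG_IF table $TABLE"
    # second hop of the forward: tunnel address -> webserver on the LAN
    for p in $PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WG_IF -p tcp --dport $p -j DNAT --to-destination $WEB_IP:$p"
        echo "iptables -A FORWARD -i $WG_IF -o $LAN_IF -p tcp -d $WEB_IP --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

run_rules() {  # $1 = function producing one command per line
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        "$1" | while IFS= read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd" || exit 1
        done
    else
        echo "# dry run: set APPLY=1 and run as root to execute"
        "$1"
    fi
}

case "${1:-}" in
    vps)     run_rules vps_rules ;;
    gateway) run_rules gateway_reply_rules ;;
esac
```

The two mangle rules are the whole trick: the reply from the webserver arrives on the LAN side with a plain source address, the restore-mark rule gives it the mark recorded when the connection came in on wg0, and the fwmark rule sends it to table 100 before the main table's WAN default route is consulted. The rp_filter change is the check most often missed: with strict filtering, packets from a public address arriving on the tunnel interface are dropped before any of this runs, which looks exactly like "nothing" on the wg0 capture.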

#2
Also tried with OpenVPN:
OPNsense hosts OpenVPN server.
VPS => OPNsense.

Ping between networks works fine. Port forward from VPS => webserver goes into the void; I don't even see any traffic when trying to capture the packets.

When doing MASQUERADE on the VPS server it works again, but showing the internal IP address of the OpenVPN client.
#3
Virtual private networks / Re: Routing wireguard
December 06, 2020, 11:23:03 AM
Yes, the MASQUERADE translates it (sorry, I added it in my previous message but that was not correct). Removed that.

I'm not very familiar with hosting the OpenVPN server on the VPS. The VPS must be the host, as it has a static IP address while my internet connection has a dynamic one. Can you recommend a how-to guide?

I also did not know the OPNsense WireGuard implementation has many issues. I checked the documentation and that all seemed valid/clear.

The webserver 192.168.1.1 has 192.168.1.254 (OPNsense) as gateway.
#4
Virtual private networks / Re: Routing wireguard
December 06, 2020, 10:49:03 AM
Did the capture again, and now I see what's happening.
It's, like you said, replying over the WAN address.

Browser => VPS => OPNsense => webserver
Browser <= WAN <= OPNsense <= webserver

Looks like OPNsense does not track over which interface the request came in and just always replies via the standard route over WAN.
#5
Virtual private networks / Re: Routing wireguard
December 06, 2020, 10:22:57 AM
Ok, what you're saying makes sense, given the gateway it chooses to route traffic back (WAN). Hence my idea was to create a rule that overrides the gateway for this specific port for this IP address.

On the VPS the port forward is done via:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:25


Then on OPNsense:
"Disable reply-to": unchecked. I only see 1 box, but all boxes in the UI in that section (Miscellaneous) are unchecked.
"Network Address Translation":  only "Automatic outbound NAT for Reflection" is checked.

Interfaces > Diagnostics > Packet Capture > start capture for port 80, host address 192.168.1.1, interface: wireguard
Result packets:
Source: internet IP address of the HTTP request (correct!)
Destination: 192.168.3.2 (WireGuard interface on OPNsense).
and 2 retransmissions of the packet.

This seems fine. I've also tried VPS port forward to OPNsense port forward to webserver. Same result.
#6
Virtual private networks / Re: Routing wireguard
December 06, 2020, 08:18:37 AM
Outbound NAT (also tried adding a rule here...): Hybrid

Interface LAN, source 192.168.1.1 port 80/443, destination *
Translation/target: WireGuard interface address

-
WG
OPNsense (endpoint): allowed IPs 0.0.0.0/0
VPS: allowed IPs 192.168.3.0/24, 192.168.1.0/24

On a sidenote: I've added the WireGuard interface and a gateway (192.168.3.1), and also added a manual route to the routing table: 192.168.3.1/32 via the WireGuard interface.

#7
Virtual private networks / Routing wireguard
December 06, 2020, 06:46:30 AM
Hi,

I'm having difficulty understanding how to set up the following with OPNsense.

I've a VPS (let's say it has public IP 1.1.1.1). On this VPS I run WireGuard (192.168.3.1).
I've an OPNsense instance running on my local network (Hyper-V, WAN, LAN, VLANs, tunnels etc). One of the VPN tunnels is via WireGuard to this VPS. OPNsense has IP 192.168.3.2.

I want to host a webserver on my local LAN (192.168.1.1). This webserver has OPNsense as default gateway. I wish to route all HTTP/HTTPS traffic incoming on 1.1.1.1 to this webserver.
Easily done with port forwarding; however, now the source IP address for incoming HTTP/HTTPS requests is actually the IP of the WireGuard tunnel (192.168.3.1).
I've tried adding a floating rule saying outgoing HTTP/HTTPS traffic should override the gateway to use the WireGuard tunnel, but that doesn't seem to help.

[Internet(1.1.1.1)]VPS[Wireguard(192.168.3.1)] => [Wireguard(192.168.3.2)]OPNsense[LAN(192.168.1.254)] => [HTTP/HTTPS(192.168.1.1)]Webserver
#8
Hi,

I've had pfSense for a long time and recently switched over to OPNsense. I've never had problems with this on the pfSense firewall, hence asking here.

Network:
- internet network (e.g. 192.168.1.0)
- network (e.g. 10.0.0.0)
- Sonos on VLAN 100 (e.g. 10.0.100.0)


Machine running:
- Windows Server 2019 - Hyper-V
- virtual machine = OPNsense (all network => internet & network => VLAN traffic goes through the firewall)
- virtual network configured to pass on all VLANs & trunk

Problem I'm having:
I want the Sonos to be available from the default network and the Sonos to be able to connect to the internet. The Sonos is able to connect to the internet, and when I put my laptop on the wifi that hosts VLAN 100 I can control the Sonos.
When I connect to the network (10.0.0.0) I'm not able to see the Sonos anymore. It's not reachable at all. However, I can ping the Sonos device directly from the network.

On pfSense I had a package installed (http://avahi.org/) and this all worked fine, from the network to the Sonos VLAN.
On OPNsense it fails somehow.

Package:
os-mdns-repeater (installed) 1.0

Configuration:
Enabled = Yes
Listen interfaces = LAN (10.0.0.0) & SONOS (VLAN 10.0.100.0)

To add to this:
One mobile phone running Android (Samsung S10) is able to use the Sonos app and connect to the Sonos devices. None of the other laptops/phones are. :o

Anyone have a slight idea what I can do to figure out what's going wrong here?

#9
Thanks both, really helpful!

So I should use certificates, and 14+ is good enough. (If available later on, I'll use 30.)


#10
PSK

Websites I read:
https://www.keylength.com/en/8/
https://eprint.iacr.org/2016/995.pdf
https://security.stackexchange.com/questions/171418/diffie-hellman-group-matching-to-ipsec-encryption-algorithm

I see that 14 has been recommended since 2003. We're 15 years further on now. I don't believe this can still be the case.
#11
Hello,

I'm not very much into 'what is secure and what not'; however, I noticed that OPNsense has great features and looks better than pfSense, but I miss some DH groups.

I believe OPNsense does not support:
- 28 (brainpool ecp256)
- 29 (brainpool ecp384)
- 30 (brainpool ecp512)
The ones that are lower are not secure, is what I've read... this is the only reason I cannot go to OPNsense, I believe. How hard is it to add these? I've a VPN tunnel between two offices of my company and there's a lot of data going over the VPN, hence I'd rather have the most secure DH group.

If anyone can teach me (that I'm wrong) or help out to get DH group 30 into OPNsense, that would be great!