Messages

1

Virtual private networks / Struggling with WG Selective Routing

« on: July 30, 2023, 02:04:40 pm »

Hi all,

So basically I'm trying to get WG setup with Mullvad VPN purely for a few devices.
As such I followed: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

But for whatever reason when this is setup all internet on my LAN ceases to work. I'm not 100% sure if its just DNS not working or actual packets being let out.

Disclaimer: I do have WG setup to allow remote access to home from my phone/laptop.
This works perfectly and I setup a NEW Interface and new Local/Endpoints for Mullvad.

I am not sure where I am going wrong with my setup that it kills my internet when Mullvad gets enabled.
I have double checked and triple checked I followed the guide.
I am using AdGuard DNS plugin, and have that setup.

So unless its something in my DNS setup that I need to tweak?
But not sure why it's affecting my entire network instead of just the new Mullvad VPN I setup.

Gateway is alive and up, and monitoring is enabled and its able to reach out, and I can see the handshake is successful.
My Server that is setup with Mullvad gets access and works fine and can see its connected to Mullvad.
But everything else is just dead.

2

Virtual private networks / Re: WG setup of IPv4 but phone keeps changing to IPv6

« on: October 17, 2022, 10:23:02 pm »

Next issue I think.
I have dual wan and setup road warrior but I cannot get a handshake.
Is there something specific I need to do for my setup?

3

Virtual private networks / Re: WG setup of IPv4 but phone keeps changing to IPv6

« on: October 17, 2022, 10:01:45 pm »

So there wouldnt be any work around for this?

4

Virtual private networks / WG setup of IPv4 but phone keeps changing to IPv6

« on: October 17, 2022, 09:43:18 pm »

Hey all,

So I'm trying to setup WG via my phone.
I have I think all internal setup done correctly.

When I put in the ipv4 address of my WAN, and connect it auto changes to a IPv6 address.

Is there a work around to point it to an ipv4 address?
I tried adding a wg.domain.com to my WAN ip via A Record and it still changed it to IPv6

5

Virtual private networks / Multi WAN with dual VPN

« on: April 14, 2022, 05:40:49 pm »

Hi all,

I'm wondering if there is a guide out there somewhere that I can follow.
My current setup is I'm running dual WAN with 2x ISP's and added to a GW group.

I would like to get a VPN service and route the traffic through both WAN's while maintaining my dual WAN setup as in so that I still get the dual GW load balance.

Can someone advise on a guide on this?

Also which VPN service?
I was looking at NordVPN or ProtonVPN. Any others I should consider?

6

Virtual private networks / Re: Unable to get WG to work and IPv6 Showing instead

« on: March 05, 2022, 07:12:52 pm »

Ok dang... So I need to use a domain name and set it to forward to the IPv4 address of my WAN right?

Yes. Domain name --> A record with IPv4 address --> NAT64 at the cellular provider will do its magic.

Is there a guide anywhere to accomplish this?
Fortunately I have a spare domain

This depends on how your spare domain is connected and if your contract for that domain includes authoritative DNS services and possibly a management panel to create your own entries.

But you really need to contact whomever your domain is registered with.

Kind regards,
Patrick

So I added an A record to a subdomain to my external WAN address.

Added my wg.domain.com:51820 to my config.
But my cell is still converting it to IPv6.

Did I miss a step somewhere?

7

Virtual private networks / Re: Unable to get WG to work and IPv6 Showing instead

« on: February 28, 2022, 02:26:33 pm »

If the phone is on an IPv6 only cellular network and the gateway is connected via IPv4, it is mandatory that the phone connects via a DNS name and not a literal IP address for NAT64 to work.

Lets pretend your gateway is at 1.2.3.4 and no IPv6 network and your phone has got only IPv6. You set up a DNS name of my.gateway.com pointing to 1.2.3.4.

Your phone asks the recursive nameserver of the cellular network for my.gateway.com with type AAAA.

The DNS server of your cellular provider sees that no AAAA record is available but an A record is with value 1.2.3.4.

It then translates that IPv4 address of 1.2.3.4 to the IPv6 address 64:ff9b::1.2.3.4 and sends that fake AAAA record back to your phone.

HTH
Patrick

Ok dang... So I need to use a domain name and set it to forward to the IPv4 address of my WAN right?
Is there a guide anywhere to accomplish this?

Fortunately I have a spare domain

8

Virtual private networks / Unable to get WG to work and IPv6 Showing instead

« on: February 28, 2022, 09:39:51 am »

Hi all,

So I tried to follow the Road Warrior guide.
Got it all created and all.
I do have Dual WAN first thing to note, but I just used the 1 WAN connection.
As such I used this guide: https://docs.opnsense.org/manual/how-tos/multiwan.html
Note I had to setup DNS via DHCP for each interface

I have my WG client setup on my iPhone, it has the IPv4 external IP of that WAN connection.
So Endpoint: 212.69.45.xx:51820

I click connect, I can see transfer: 1.16 KiB received, 736 B sent increasing.
But if I look back at my client (iPhone) instead of the IPv4 endpoint address you see above its now showing a IPv6 address.
And I do not get a handshake.
Once it connects it goes from IPv4 WAN to IPv6 WAN even tho I do not have IPv6 setup on my OPNsense router.
And I cannot get it to handshake for the life of me.

9

Tutorials and FAQs / Re: Pihole correctly?

« on: February 22, 2022, 12:45:30 pm »

Ok so I think I have it sorted but I have a few questions?

Firstly my setup:
Dual WAN so followed https://docs.opnsense.org/manual/how-tos/multiwan.html
2x VLANs (Guest, IoT)
1x LAN

Now my current setup is using the above dual wan setup, BUT when you go to LAN and Firewall rules, you need to set the IP of OPNsense router for DNS to work.
I set the IP of my Pi-Hole for IoT and Guest and that works fine.
But not for LAN and I see why as Unbound can then not talk out to the world.
DNS via Pi-Hole does seem to work as Pi-hole is on the LAN as is are the rest of the devices and router can talk out to the world.

Is there a specific setup I should use for these rules?

Also I set my Pi-hole as the DNS server under IPv4 DHCP settings and its working there fine.

Can someone confirm this is right, and anything else I should do better?
On Pi-hole I set Upstream DNS Servers -> OPNsense router 192.168.100.1#53
Enabled Conditional forwarding -> 192.168.0.0/16 CIDR - 192.168.100.1 Router - localdomain Local domain name

10

Tutorials and FAQs / Re: Pihole correctly?

« on: February 19, 2022, 11:27:38 pm »

Yeah this is where I lose track.

I saw this https://pi-hole.net/blog/2021/09/30/pi-hole-and-opnsense/
Is this worth doing?

I feel like this guild is missing a bit tho.
Like how to setup OPNsense DNS and stuff.

11

Tutorials and FAQs / Pihole correctly?

« on: February 19, 2022, 10:42:37 pm »

Hi all.
I’m looking to run Pihole but looking online there is about 50 ways to configure it.

Does anyone have an up to date guide with the best/most correct way to set this up together?

12

21.7 Legacy Series / Re: Help with Helium Miner Port Forwarding

« on: December 08, 2021, 08:39:33 pm »

Can anyone help me with this?
I think I got the forward to work but with my dual WAN its causing issues with the reply and the miner is thinking that the NAT is closed.

Can someone help me port forward correctly with dual WAN?

13

21.7 Legacy Series / Re: Help with Helium Miner Port Forwarding

« on: December 07, 2021, 11:52:59 am »

So I managed to get it to work by changing the Port Forward from Destination port forward of 44158 to * or ANY.

This has pretty much opened up EVERY port under the sun to that device which isnt exactly what I want, but now when I do a port open check its showing as open and my HNT miner is syncing successfully.

I'd really like to close it back down and get it to only work on port 44158

14

21.7 Legacy Series / Help with Helium Miner Port Forwarding

« on: December 07, 2021, 09:07:43 am »

Hi all,

So I got a Helium HNT Bobcat miner.
It needs port 44158

So I went into FIREWALL: NAT: PORT FORWARD

I did a clone of this for my other WAN address (I run dual wan)

In FIREWALL: SETTINGS: ADVANCED
Under Network Address Translation
I ENABLED:
Reflection for port forwards
Reflection for 1:1
Automatic outbound NAT for Reflection

Under FIREWALL: NAT: OUTBOUND
I switched to Hybrid

Cloned this rule for the other WAN address too.

When I check on my miner it keeps saying:
    "10.0.0.240:44158": "closed/timeout",

Also when I scan my external IP with that specific port it says Timed-Out
Or closed , incoming traffic denied.

Can someone help me to get this working?

15

21.7 Legacy Series / Re: DNS over TLS not working?!

« on: November 25, 2021, 06:37:20 pm »

https://forum.opnsense.org/index.php?topic=24642.0 ?

Thanks makes sense now.