Messages - ConnorXXL

#1
Hardware and Performance / Re: new hardware
August 23, 2021, 01:47:56 PM
Same requirements and thinking here...

The OPNsense hardware offers are nice too, however a bit too expensive for me... https://shop.opnsense.com/product-categorie/hardware-appliances/
(And SFP+ is covered too...)

Supermicro has the E200 and E300 series which are by default noisy, can be silenced with Noctua fans though.

CPU-wise, an Atom like the 3758 might not be a bad choice too. Can be bought second hand regularly...

It's quite difficult to find something halfway between an APU2 and the real server/enterprise stuff...
#2
Thanks for the feedback. I definitely won't pretend that I did perfect testing. However I repeated testing a few times with similar results.
As soon as one endpoint was on OPNsense, it got slow. Will try again in the next days. Same HW/VM settings.
#3
I did quite some testing. And OPNsense Wireguard with OPNsense Wireguard is as fast/slow as OpenVPN for me. A VM on Ubuntu connected to Ubuntu Wireguard on an APU2 or other barebone is 5-6 times faster. Same HW for both OPNSense and Ubuntu.
Might be the BSD implementation of Wireguard.

I couldn't get the VM scenario stable, so staying on OpenVPN for now unfortunately.
#4
Solved it. Created a firewall rule on LAN allowing all to all, setting it as the first rule.

Now it's way slower than using the Debian Wireguard VM I used up to now. Different topic.

Thanks for all your tips!
#5
Maurice, that was a good one! I created a manual gateway and configured it on LAN.

Unfortunately still not working. :-(

I got another idea: how does Wireguard know what interface to listen to? I only got a LAN interface on OPNSense now...

Thanks for any hints!

Chris
#6
Interestingly, I can't find any automatically created NAT rules in OPNSense after reboot (and assigning an interface to wg0). Should there be one?

Thanks.
#7
Hello keropiko,

Thanks for your quick response. I just assigned a (new) interface to wg0, and created a pass rule on that interface. I haven't configured the interface (except "enabling" it), do I need that?

Hasn't changed anything unfortunately, after reboot same story.

For site-to-site Wireguard VPNs, do I need the interface too?

Thanks for your help.

Regards,

Chris
#8
Dear all,

Been trying to get this working for some time now, however I don't know what to do anymore. So I appreciate any help/hints where to look...

(Long message...)

I'm trying to make OPNsense work as a VPN gateway behind my pfSense, for Wireguard roadwarrior access (later also site-to-site Wireguard VPN).
I'd like to switch to OPNSense completely in a later stage, however will need some time for the change.

Environment/basics
- pfSense 2.4.4p3 as firewall/router (LAN address 10.0.1.1, LAN net 10.0.1.0/24)
- OPNSense 20.1.1 as VPN gateway (LAN address 10.0.1.2/24)
- Wireguard VPN tunnel: 10.0.230.0 (server 10.0.230.1/24, client 10.0.230.2/24)
- Both pfSense and OPNSense running as VMs on Proxmox (connected to same LAN)

pfSense has a DynDNS name (let's call it "x.dyndns.com") and the following config for the OPNSense VPN gateway:
- Static route (Destination network 10.0.230.0/24, Gateway "Wireguard_VPN - 10.0.1.2")
- Gateway "Wireguard_VPN" (Interface LAN, Gateway 10.0.1.2)
- NAT (Interface WAN, Protocol UDP, Destination WAN address, Destination port range 51830 to 51830, Redirect target IP 10.0.1.2, Redirect target port 51830, NAT reflection "Use system default")
- Rules (created by NAT, Interface WAN, Source any, Destination "Single host or alias" 10.0.1.2, Destination port 51830)

Wireguard VPN Gateway configuration
- One interface, LAN, static IPv4 10.0.1.2, IPv4 Upstream Gateway "Auto-detect"
- Firewall rules on "Wireguard": pass all
- Wireguard enabled
- Wireguard config (according to "List Configuration"):

interface: wg0
  public key: (pubkeyS)
  private key: (hidden)
  listening port: 51830

peer: (pubkeyC)
  allowed ips: 10.0.230.2/32

Wireguard client config (Mac OS Catalina, official Wireguard client):

[Interface]
PrivateKey = (privkeyC)
Address = 10.0.230.2/24
DNS = 10.0.1.1

[Peer]
PublicKey = (pubkeyS)
AllowedIPs = 10.0.1.0/24, 10.0.230.0/24
Endpoint = x.dyndns.com:51830

So the client can't connect (it's sending data, but there's no "Latest handshake" or "Data received", just "Data sent"), and I can't access any systems on the (pfSense) LAN.

I tried an Outbound NAT rule for Wireguard on OPNSense, not sure if it's needed, however hasn't helped.

Interestingly, I got a Debian VM with Wireguard set up, and this one works fine for the client (rules on pfSense set up exactly the same way for Debian Wireguard as for OPNSense Wireguard, except Wireguard server port and IP of course).

Apologies for the long email, I try to provide all information upfront.

Something I missed? Anyone got a hint/tip where I can start looking? Happy to provide more information.

Thanks a lot.
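As an added illustration (not part of the thread), a small Python checker that parses the two configs quoted in the post above and cross-checks the static parts a roadwarrior setup has to agree on: client Endpoint port vs server listening port vs the port forwarded upstream, a server peer whose allowed ips covers the client tunnel address, and client AllowedIPs carrying the remote LAN. The forwarded port (51830) and remote LAN (10.0.1.0/24) are the pfSense-side values stated in the post; the key placeholders are the post's own. For these configs it returns no findings, which matches the later posts locating the fault in interface assignment and firewall rules rather than in addressing.

```python
import configparser
import ipaddress
import re

# Constructed copies of the two configs quoted in the post (key placeholders as in the post).
SERVER_LISTING = """interface: wg0
  public key: (pubkeyS)
  listening port: 51830
peer: (pubkeyC)
  allowed ips: 10.0.230.2/32
"""
CLIENT_CONF = """[Interface]
PrivateKey = (privkeyC)
Address = 10.0.230.2/24
[Peer]
PublicKey = (pubkeyS)
AllowedIPs = 10.0.1.0/24, 10.0.230.0/24
Endpoint = x.dyndns.com:51830
"""

def parse_server_listing(text):
    # OPNsense "List Configuration" output: listening port plus allowed ips per peer
    port = int(re.search(r"listening port:\s*(\d+)", text).group(1))
    peers = {}
    for pub, nets in re.findall(r"peer:\s*(\S+)[\s\S]*?allowed ips:\s*([^\n]+)", text):
        peers[pub] = [ipaddress.ip_network(n.strip()) for n in nets.split(",")]
    return {"port": port, "peers": peers}

def parse_client_conf(text):
    # The official client file is INI-style, so configparser reads [Interface]/[Peer] directly
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        "address": ipaddress.ip_interface(cp["Interface"]["Address"]),
        "allowed": [ipaddress.ip_network(n.strip()) for n in cp["Peer"]["AllowedIPs"].split(",")],
        "endpoint_port": int(cp["Peer"]["Endpoint"].rsplit(":", 1)[1]),
    }

def check_pair(server, client, forwarded_port, remote_lan):
    # Returns findings; an empty list means ports and addressing agree and the fault is elsewhere
    findings = []
    if client["endpoint_port"] != server["port"]:
        findings.append("client Endpoint port differs from server listening port")
    if forwarded_port != server["port"]:
        findings.append("upstream NAT forwards a port the server does not listen on")
    if not any(client["address"].ip in n for nets in server["peers"].values() for n in nets):
        findings.append("no server peer has allowed ips covering the client tunnel address")
    if not any(ipaddress.ip_network(remote_lan).subnet_of(n) for n in client["allowed"]):
        findings.append("client AllowedIPs does not route the remote LAN through the tunnel")
    return findings
```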