
Messages - tony124

#1
I am not sure where to submit the feature request: to https://github.com/opnsense/plugins or to https://github.com/opnsense/core ?
#2
I wonder if someone can give me a hint on this problem:

- I have added a few dozens of WG endpoints;
- each of them is for a single user;
- the user ids (which I already have and cannot easily change) contain characters like -, _, .;
- endpoint names can only contain letters and digits;
- I give each user a unique number, e.g. user-A => wg100, user-B => wg101, etc.
- it works, but from the UI I cannot tell which endpoint corresponds to which user

So I wonder if it is possible to add a description field to each endpoint.

Another approach is to remove the characters which are not letters/digits from the user ids, and then use that stripped user id as the name for the endpoint. So I would end up with names like wg0userA, wg0userB etc. There is a danger that after stripping the non-letter/digit characters there might be some name collisions, which are hard to control.
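An added example, not code from the original thread, showing the collision risk described in this post: it strips every non-letter/digit character from a constructed set of user ids, reports which ids would end up with the same endpoint name, and falls back to the numbered scheme from the post (user-A => wg100, user-B => wg101) when that happens. The prefixes, the sample ids and the tab-separated lookup table are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample user ids (not from the post); "user-A" and "user_A"
# become identical once the "-" and "_" are stripped.
USER_IDS = ["user-A", "user_A", "user.b", "alice-01", "bob_02"]

# The UI constraint from the post: endpoint names are letters and digits only.
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")


def stripped_name(user_id, prefix="wg0"):
    """Endpoint name made by dropping every character that is not a letter or digit."""
    name = prefix + re.sub(r"[^A-Za-z0-9]", "", user_id)
    if not NAME_RE.match(name):
        raise ValueError(f"{user_id!r} leaves no usable characters")
    return name


def find_collisions(user_ids, prefix="wg0"):
    """Map each stripped name to the user ids producing it; keep only the clashes."""
    claims = defaultdict(list)
    for uid in user_ids:
        claims[stripped_name(uid, prefix)].append(uid)
    return {name: uids for name, uids in claims.items() if len(uids) > 1}


def numbered_names(user_ids, prefix="wg", start=100):
    """Collision-free scheme from the post: sequential numbers per user.
    Sorted so the mapping is stable across runs; returns {user_id: endpoint_name}."""
    unique_ids = sorted(dict.fromkeys(user_ids))  # de-duplicate, keep deterministic order
    return {uid: f"{prefix}{n}" for n, uid in enumerate(unique_ids, start)}


def choose_names(user_ids):
    """Use stripped names when they are all unique, otherwise fall back to numbering."""
    if find_collisions(user_ids):
        return numbered_names(user_ids)
    return {uid: stripped_name(uid) for uid in user_ids}


def lookup_table(mapping):
    """Endpoint -> user table the admin keeps beside the firewall, since the UI has
    no description field (assumed tab-separated format)."""
    rows = sorted(mapping.items(), key=lambda kv: kv[1])
    return "\n".join(f"{name}\t{uid}" for uid, name in rows)


if __name__ == "__main__":
    print("collisions:", find_collisions(USER_IDS))
    print(lookup_table(choose_names(USER_IDS)))
```

Because the collision check runs before any name is committed, a clash such as user-A / user_A is caught in the script rather than discovered later as an endpoint that silently overwrote another one.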


#3
Quote from: mimugmail on March 08, 2021, 01:16:26 PM
You can open /conf/config.xml and insert the xml part manually without a restore.
The API for Wireguard is already here, you just need to read the docs how to use it.

Thanks for the hint. So it seems that I can edit /conf/config.xml as needed, make sure that it's valid and then run /usr/local/etc/rc.d/wireguard restart ?
#4
Quote from: pmhausen on March 08, 2021, 08:28:28 AM
You could add 2 or 3, then export the configuration, then try to understand the structure of the exported XML and edit that for re-import ...

Yes, that would be a workaround, thanks for the hint. I'd prefer to do a partial restore for WireGuard only, but it seems a partial restore for WireGuard is not possible yet.

The xml fragment for a wg client seems fairly simple, so I am thinking of doing the following:

(1) export the entire config
(2) delete all existing wg endpoints
(3) add all desired wg endpoints
(4) re-import the entire config

When I add/remove an endpoint I can simply repeat the above procedure and have my wg server config correct. Does it seem reasonable/doable?
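An added example, not code from the thread or from OPNsense itself, doing steps (2) and (3) of the procedure above with Python's standard XML library on a constructed config.xml fragment, and re-parsing the result as the "make sure it's valid" check before step (4). The element path OPNsense/wireguard/client/clients/client and the fields inside each client are assumptions about the plugin's layout, as are the placeholder keys; compare them with a real export before use and keep the original export as a backup.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# Constructed sample of an exported config.xml. The element path and the
# per-client fields are an ASSUMPTION about the WireGuard plugin's layout.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <OPNsense>
    <wireguard>
      <client version="0.0.1">
        <clients>
          <client uuid="11111111-1111-1111-1111-111111111111">
            <enabled>1</enabled>
            <name>wg100</name>
            <pubkey>OLD_KEY_PLACEHOLDER=</pubkey>
            <tunneladdress>10.10.0.2/32</tunneladdress>
          </client>
        </clients>
      </client>
    </wireguard>
  </OPNsense>
</opnsense>
"""

# Constructed desired endpoint list: (name, public key placeholder, tunnel address)
DESIRED = [
    ("wg100", "KEY_A_PLACEHOLDER=", "10.10.0.2/32"),
    ("wg101", "KEY_B_PLACEHOLDER=", "10.10.0.3/32"),
]

CLIENTS_PATH = "./OPNsense/wireguard/client/clients"  # assumed location
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")  # letters and digits only, as the UI enforces


def validate(endpoints):
    """Reject what the UI would reject: bad or duplicate names, duplicate keys."""
    names = [e[0] for e in endpoints]
    keys = [e[1] for e in endpoints]
    for n in names:
        if not NAME_RE.match(n):
            raise ValueError(f"endpoint name {n!r} is not letters/digits only")
    if len(set(names)) != len(names):
        raise ValueError("duplicate endpoint name")
    if len(set(keys)) != len(keys):
        raise ValueError("duplicate public key")


def replace_endpoints(config_xml, endpoints):
    """Step (2): drop every existing client; step (3): add the desired ones.
    Returns the modified document as a string."""
    validate(endpoints)
    root = ET.fromstring(config_xml)
    clients = root.find(CLIENTS_PATH)
    if clients is None:
        raise ValueError("clients container not found; assumed path does not match this export")
    for old in list(clients):
        clients.remove(old)
    for name, pubkey, addr in endpoints:
        c = ET.SubElement(clients, "client", uuid=str(uuid.uuid4()))
        ET.SubElement(c, "enabled").text = "1"
        ET.SubElement(c, "name").text = name
        ET.SubElement(c, "pubkey").text = pubkey
        ET.SubElement(c, "tunneladdress").text = addr
    return ET.tostring(root, encoding="unicode")


def endpoint_names(config_xml):
    """Names present in a document; parsing it also proves it is well-formed."""
    root = ET.fromstring(config_xml)
    clients = root.find(CLIENTS_PATH)
    return [c.findtext("name") for c in clients] if clients is not None else []


if __name__ == "__main__":
    new_xml = replace_endpoints(SAMPLE_CONFIG, DESIRED)
    print(endpoint_names(new_xml))  # the list you expect to see after step (4)
```

Re-running the whole script on the full export each time, as the post proposes, keeps the endpoint list in the file equal to the list in the script, so a stale or duplicated entry cannot survive an add/remove cycle.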
#5
Quote from: mimugmail on March 08, 2021, 06:22:00 AM
No, you could write a script calling the needed API calls, but there is none available yet

So I guess my best bet is to wait till the API is available? Do you know when it might be supported (if at all)?
#6
Hello,

I am new to WireGuard. I have followed the official docs and could connect 1 client to WireGuard on my OPNsense server. Now I would like to add a few dozen endpoints for my users; each user gets his/her own wg config. Can I do that via the command line? Can I simply edit /usr/local/etc/wireguard/wg0.conf and then issue /usr/local/etc/rc.d/wireguard restart?
#7
If someone has the same problem as I did, the solution is:

Firewall-Settings/Advanced/Static route filtering

check "Bypass firewall rules for traffic on the same interface"
#8
Quote: "w/ dest = 192.168.40.0/24 are blocked by the automatically generated rule "Default deny rule""
w/ dest or from?

dest = 192.168.40.0/24, which is another private net but not the same as net on LAN (= 192.168.30.0/24)

Quote: "Default allow LAN to any rule" refers to traffic from the LAN subnet, not anything arriving on the LAN interface.
Add a firewall LAN rule to allow traffic from the 192.168.40/24 subnet to the LAN subnet.

Yes, I also added a rule on iface LAN to allow everything from the LAN iface, but it didn't seem to get triggered. Same for the floating rule which allows all traffic in/out on iface LAN.

Traffic from LAN to WAN triggers the rule "Default allow LAN to any rule", but traffic to net 192.168.40.0/24 (which is LAN to LAN) doesn't seem to trigger that rule. Nor do the 2 rules I added.

Perhaps the static route I added (192.168.40.0/24 -> int_router) causes something so that the rules no longer apply to packets to net 192.168.40.0/24.

#9
Hello,

I have a very simple OPNsense setup with 1 iface WAN and 1 iface LAN 192.168.30.1/24. I have done just the minimal configuration to get it to work (= setting IPs, networks, DNS).

Now I am trying to achieve this: I would like to reroute packets to net 192.168.40.0/24 to another host in LAN, IP = 192.168.30.5

I did the following:
- add a gateway int_router = 192.168.30.5, iface LAN
- add a route 192.168.40.0/24 -> int_router

However I get stuck at this point: packets w/ dest = 192.168.40.0/24 are blocked by the automatically generated rule "Default deny rule".

It seems there is already a default rule on LAN iface: "Default allow LAN to any rule", but this rule doesn't work as expected.

I also tried to add a floating rule which allows traffic on LAN iface, both in/out direction, but it doesn't work either.


Any hint on what I can try?

Regards,
Tony
#10
I am trying to set up OpenVPN using the certificates generated by my own PKI. I did the following:

- set up OpenVPN following the official docs to make sure it works using OPNsense's own root CA

- use my root CA to create an intermediate CA (on another host)

- use the intermediate CA to generate certificates (1 for server + 1 for client) for OpenVPN

- copy the certs to OPNsense and import them using https://github.com/pluspol-interactive/opnsense-import-certificate

- create a user in OPNsense

- link the client cert to the user

- OpenVPN > Client export to get the client files. But I get stuck here: the user I created doesn't show in the list to be exported.

Perhaps I don't need the client cert on OPNsense, however I wanted to export the client from OPNsense to ensure the config is correct.

What am I missing here? Any hint/tip would be much appreciated.
#11
Hi,

I am new to OPNsense and I hope this is the right place to post my question:

I have an OPNsense instance with multi-wan and OpenVPN. I have followed the excellent docs at https://docs.opnsense.org/manual/how-tos/multiwan.html and things seem to work fine, except this issue: the outgoing traffic always goes through the default gateway, which is picked by OPNsense randomly (?) at boot time.

I have already added the gateway group to Firewall > Rules > openvpn iface as the gateway for traffic coming into the openvpn iface. According to the docs it seems that it should work, but probably I am still missing some steps. I wonder if you could give me a hint on how to proceed further:

(1) Is load-balancing outgoing OpenVPN traffic supported by OPNsense? (I think it is, just double checking.)
(2) What could I do to debug the problem? I am familiar with the Linux CLI but I am willing to learn FreeBSD commands if needed.

Thanks in advance for any hint.

Edit: the relevant policy-based routing part looks as follows (output from pfctl, with IPs slightly changed). Yes, pppoe1 and pppoe2 have the same gateway; it's not a mistake.

pass in quick on openvpn route-to { (pppoe2 10.20.30.1), (pppoe1 10.20.30.1), (em1 123.123.123.123 } round-robin sticky-address inet from (openvpn:network) to any flags S/SA keep state label "8ba5d5e9091ff2cd49e87a66cc467e3b"