"
WOW. Ok, I want a refund. Literally about 12-16hrs of my life because I'd set the tunnel address in 'local' as a /32 and not a /24. I hope this helps any future idiots :o
Works now. :massive-facepalm:
Works now. :massive-facepalm:
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#2
20.1 Legacy Series / Re: Wireguard Roadwarrior DNS configuration
July 23, 2020, 03:41:59 PM
I think already did?
#3
20.1 Legacy Series / Re: Wireguard Roadwarrior DNS configuration
July 22, 2020, 10:00:31 PM
Like this?
Didn't seem to make any difference.
Didn't seem to make any difference.
#4
20.1 Legacy Series / Re: Wireguard Roadwarrior DNS configuration
July 22, 2020, 03:38:04 AMQuote from: mimugmail on July 21, 2020, 07:39:50 AM
I'd guess it's something MTU/MSS related
Based on?
#5
20.1 Legacy Series / Re: Wireguard Roadwarrior DNS configuration
July 21, 2020, 04:46:54 AM
I thought I'd gotten somewhere when I found [this bug](https://github.com/opnsense/core/issues/4142). I manually added my client (mooncake) to the Unbound ACL and now dig is not suffering from the recursive denial previously. DNS works as you'd expect with dig but no useful traffic passes.
I've monitored with tcpdump and see the traffic on port 53 passing OK. Monitoring port 443 tons and tons scrolls by when I attempt to load a webpage whilst connected but it never loads.
Once I get this working I will contribute documentation to the project but I'm pretty close to throwing in the towel at this point.
I'm positive that every setting and firewall rule matches the collection of guides I've followed. Can anyone help please?
I've monitored with tcpdump and see the traffic on port 53 passing OK. Monitoring port 443 tons and tons scrolls by when I attempt to load a webpage whilst connected but it never loads.
Code Select
alex@mooncake ~ % dig google.com
; <<>> DiG 9.10.6 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23851
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 295 IN A 216.58.210.46
;; Query time: 115 msec
;; SERVER: 192.168.75.254#53(192.168.75.254)
;; WHEN: Mon Jul 20 22:41:42 EDT 2020
;; MSG SIZE rcvd: 55
alex@mooncake ~ % ping google.com
PING google.com (216.58.210.46): 56 data bytes
Request timeout for icmp_seq 0
Once I get this working I will contribute documentation to the project but I'm pretty close to throwing in the towel at this point.
I'm positive that every setting and firewall rule matches the collection of guides I've followed. Can anyone help please?
#6
20.1 Legacy Series / Wireguard Roadwarrior DNS configuration
July 20, 2020, 05:54:45 PM
I recently switched from pf to opn and am very glad I did. I was hoping for some assistance with configuring a remote firewall I loaded with opn this weekend.
The wireguard tunnel is configured just fine. In fact, the only way I can administer the remote firewall is using the WG tunnel, so it works. The snag I'm running into is that no DNS is working. Here are some key IPs:
* Firewall - 192.168.75.254 (Remote LAN IP), 10.42.13.1 (WG tunnel IP)
The firewall serves as it's own DNS server using Unbound. I can verify this with dig on the firewall itself via SSH. Most guides seem to rely on external Pihole or other servers, I'm wondering if I'm maybe missing a rule to allow DNS to traverse from the wg0 net? I can ping 192.168.75.254 from the client. Running low on ideas how to troubleshoot it.
As you can see, DNS in being fulfilled by 127.0.0.1. I experimented with putting the LAN IP in System -> Settings -> General but it behaved the same.
The issue I have is that when connected to the firewall via the WG tunnel dig shows 'WARNING: recursion requested but not available'. Here's the full output (run from my laptop connected via the tunnel)
The DNS server 192.168.75.254 is being provided by the WG tunnel to the client. Putting 1.1.1.1 in makes no difference either. LAN hosts are reachable via IP but not via DNS.
This makes me think I've probably screwed up rules somewhere, here's screenshots of the whole thing (wish there was a better way to share configs than screenshots!).
screenshots - https://imgur.com/a/SdyDUIS
Any help would be greatly appreciated. I hope I've missed a simple setting somewhere obvious. Thanks in advance.
The wireguard tunnel is configured just fine. In fact, the only way I can administer the remote firewall is using the WG tunnel, so it works. The snag I'm running into is that no DNS is working. Here are some key IPs:
* Firewall - 192.168.75.254 (Remote LAN IP), 10.42.13.1 (WG tunnel IP)
The firewall serves as it's own DNS server using Unbound. I can verify this with dig on the firewall itself via SSH. Most guides seem to rely on external Pihole or other servers, I'm wondering if I'm maybe missing a rule to allow DNS to traverse from the wg0 net? I can ping 192.168.75.254 from the client. Running low on ideas how to troubleshoot it.
Code Select
[user@OPNsense ~]$ dig google.com
; <<>> DiG 9.16.4 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52031
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 191 IN A 216.58.198.174
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 20 15:42:15 GMT 2020
;; MSG SIZE rcvd: 55
As you can see, DNS in being fulfilled by 127.0.0.1. I experimented with putting the LAN IP in System -> Settings -> General but it behaved the same.
The issue I have is that when connected to the firewall via the WG tunnel dig shows 'WARNING: recursion requested but not available'. Here's the full output (run from my laptop connected via the tunnel)
Code Select
alex@mooncake ~ % dig google.com
; <<>> DiG 9.10.6 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8748
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; Query time: 122 msec
;; SERVER: 192.168.75.254#53(192.168.75.254)
;; WHEN: Mon Jul 20 11:44:31 EDT 2020
;; MSG SIZE rcvd: 12
The DNS server 192.168.75.254 is being provided by the WG tunnel to the client. Putting 1.1.1.1 in makes no difference either. LAN hosts are reachable via IP but not via DNS.
This makes me think I've probably screwed up rules somewhere, here's screenshots of the whole thing (wish there was a better way to share configs than screenshots!).
screenshots - https://imgur.com/a/SdyDUIS
Any help would be greatly appreciated. I hope I've missed a simple setting somewhere obvious. Thanks in advance.
Pages1
