Messages - tuomas

#1
Okay, thanks for the quick reply.

I got it working following that GitHub comment.
#2
I can't get port forwarding to work on my Transmission container. The container is selectively routed to Mullvad using WireGuard.

I have set up port forwarding on Mullvad's website. The WireGuard test on the container is okay, but the port forwarding test fails.

$ docker exec -it transmission bash
root@b7212cb4e31a:/# curl https://ipv4.am.i.mullvad.net/port/54853
{"ip":"185.204.*:*","port":54853,"reachable":false}
root@b7212cb4e31a:/# curl https://am.i.mullvad.net/connected
You are connected to Mullvad (server fi1-wireguard). Your IP address is 185.204.*.*

Do I also have to configure port forwarding on OPNsense?

OPNsense version is 21.7.6.

Transmission config is attached.

These are the port mappings in docker-compose for Transmission:

ports:
      - 9091:9091
      - 54853:54853
      - 54853:54853/udp
#3
General Discussion / Book recommendations?
January 03, 2021, 08:56:33 PM
Hi, I would like to learn more about networking to get more out of my OPNsense. Learning is one reason why I have OPNsense in the first place.

I have read Todd Lammle's CCNA book a few years back, which I liked.

Can you give me some resources from which I can learn more about networking topics that relate to running OPNsense in a home network?

I would like to learn more about how to configure WireGuard on OPNsense for different scenarios, set firewall rules, configure NAT, gateways, route traffic from one host to WireGuard. And other stuff that might be useful in a home setup.
#4
Thank you Greelan, now it seems to be working!  :D


  • created an alias for my phone's VPN network
  • created a firewall rule for the WG1 interface. There I used this new alias as source
  • created a rule on the WAN interface allowing UDP packets from any source destined to the WAN IP on port 51821

Attached are screenshots of these rules.
#5
Here are some screenshots.

192.168.1.1 is my router's LAN IP.
#6
Quote from: Greelan on December 14, 2020, 08:13:57 PM
Try manually specifying the tunnel network as the source in the firewall rule, rather than using "WireGuard net". When I set mine up, I found that alias didn't work. It may have been because I didn't bother assigning an interface to the wg device. Or there could be a bug so that it affects you too.

Failing that, suggest you post screenshots of the relevant settings pages, sanitised as necessary. Easier to diagnose any issues.

I have already assigned wg1 to interface WG1. So I cannot specify it manually.

Here's my current wg config. I have set up port 51821 for my phone's connection.
# wg show
interface: wg0
  public key: bhl3WDz2EdVsuPuT9sEM9Rnh2RDjc+mbzEz9F5AeRXo=
  private key: (hidden)
  listening port: 51820

peer: p+tDrxzGx4R9xG0kw6i4K8wYWE8fqNdqSJvB30MgWRY=
  endpoint: 91.233.116.229:1443
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 13 seconds ago
  transfer: 883.44 KiB received, 930.11 KiB sent
  persistent keepalive: every 25 seconds

interface: wg1
  public key: Bqx05LwlkAgrDVfvcxOGPRDOBxk18iG6wGsr0kDerHg=
  private key: (hidden)
  listening port: 51821

peer: j1l15iWrXORJGdbjLZyInfLbYSHmWUS3mEU6KS5Yai4=
  allowed ips: 10.10.10.2/32

And handshakes:
wg0 p+tDrxzGx4R9xG0kw6i4K8wYWE8fqNdqSJvB30MgWRY= 1608057665
wg1 j1l15iWrXORJGdbjLZyInfLbYSHmWUS3mEU6KS5Yai4= 0

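A quick way to triage output like the above, as an added example that is not from the original post or from OPNsense: parse `wg show` together with `wg show all latest-handshakes` and flag every peer that is not healthy. A peer with no endpoint and a latest-handshake timestamp of 0, like the wg1 peer here, has never reached the interface's listening UDP port at all, which points at the WAN firewall rule or port forward rather than at the tunnel keys. The sample input is constructed from the post's own output (same public keys, trimmed), and the `now` value and 180-second staleness threshold are assumptions.

```python
# Constructed sample modelled on the post's `wg show` and `wg show all latest-handshakes`
WG_SHOW = """\
interface: wg0
  listening port: 51820
peer: p+tDrxzGx4R9xG0kw6i4K8wYWE8fqNdqSJvB30MgWRY=
  endpoint: 91.233.116.229:1443
  allowed ips: 0.0.0.0/0
interface: wg1
  listening port: 51821
peer: j1l15iWrXORJGdbjLZyInfLbYSHmWUS3mEU6KS5Yai4=
  allowed ips: 10.10.10.2/32
"""
HANDSHAKES = """\
wg0\tp+tDrxzGx4R9xG0kw6i4K8wYWE8fqNdqSJvB30MgWRY=\t1608057665
wg1\tj1l15iWrXORJGdbjLZyInfLbYSHmWUS3mEU6KS5Yai4=\t0
"""

def parse_wg_show(text):
    # {iface: {"port": int, "peers": {pubkey: {"endpoint": str|None, "allowed ips": str}}}}
    ifaces, cur_if, cur_peer = {}, None, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "interface":
            cur_if, cur_peer = val, None
            ifaces[cur_if] = {"port": None, "peers": {}}
        elif key == "peer":
            cur_peer = ifaces[cur_if]["peers"].setdefault(val, {"endpoint": None})
        elif key == "listening port":
            ifaces[cur_if]["port"] = int(val)
        elif key in ("endpoint", "allowed ips") and cur_peer is not None:
            cur_peer[key] = val
    return ifaces

def parse_handshakes(text):
    # `wg show all latest-handshakes` is tab-separated: iface, pubkey, epoch seconds (0 = never)
    return {(i, k): int(t) for i, k, t in (l.split("\t") for l in text.splitlines() if l)}

def diagnose(ifaces, handshakes, now, stale_after=180):
    # Returns (iface, pubkey, status) for every peer that is not currently healthy.
    findings = []
    for iface, info in ifaces.items():
        for pub, peer in info["peers"].items():
            ts = handshakes.get((iface, pub), 0)
            if ts == 0 and peer["endpoint"] is None:
                # Nothing has ever reached this port: check the WAN rule / port forward first.
                findings.append((iface, pub, f"never-reached udp/{info['port']}"))
            elif ts == 0:
                findings.append((iface, pub, "no-handshake"))
            elif now - ts > stale_after:
                findings.append((iface, pub, f"stale {now - ts}s"))
    return findings
```

Run it against live output with `wg show` and `wg show all latest-handshakes` on the OPNsense shell; a "never-reached" finding for a road-warrior interface is the signature of the missing WAN rule described later in the thread.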
#7
OK, now I see both wg0 and wg1 instances under WireGuard --> List configuration. The trick was to reboot my router.

I have set WireGuard port 51821 for my phone's WireGuard settings under WireGuard --> Local. I have used this port for the Firewall --> NAT --> "Port Forward" configuration, for both the "Destination port range" and "Redirect target port" settings. Otherwise these settings follow this tutorial: https://docs.opnsense.org/manual/how-tos/wireguard-client.html step 2b.

Under Firewall --> Rules --> WireGuard I have followed the above tutorial and used "WireGuard net" as source.

There's a hint in that tutorial that says:
Quote
Rules defined under Firewall ‣ Rules ‣ WireGuard take precedence over rules individually configured for each tunnel.

So it sounds like this should work, even if I'm not using wg1 as the source.

However, I can't connect to my LAN.

I have tried fiddling with the wg1 interface in different places but haven't got the connection working.
#8
And I have assigned and enabled the wg1 interface.
#9
I'm trying to set up WireGuard access from my phone to my LAN. I got it working previously when it was the only WireGuard server on OPNsense. I followed this tutorial: https://docs.opnsense.org/manual/how-tos/wireguard-client.html.

I then removed it to set up a WireGuard connection to a Torguard server: https://forum.opnsense.org/index.php?topic=20403.0.

Maybe it's because now there are two WireGuard interfaces: wg0 and wg1. wg0 is used by my Torguard VPN and wg1 is this new one for my phone. When I check WireGuard --> List configuration, there is only wg0, which I use to connect my NAS to the Torguard VPN.

Should the wg1 interface be used in firewall rules somehow?  :o
#10
Thanks, I think it's working now  :D! Only traffic from my NAS is going through WireGuard.
#11
OK, now I'm trying this solution: "I think maybe one possibility could be to route all NAS traffic that's going out through WireGuard on OPNsense. And remove OpenVPN on the NAS. Is this possible?"

I'm using Torguard and now all my traffic is going through WireGuard. But I would like to route only a single host through WireGuard. How could this be done?

I followed this tutorial to set up WireGuard: https://listed.to/@lissy93/18842/how-to-mullvad-vpn-using-wireguard-on-opnsense.
#12
Virtual private networks / Route host through wireguard
December 09, 2020, 01:06:08 PM
I'm a hobbyist and learning networking with OPNsense.

I followed the road warrior setup instructions and I can access my LAN devices fine, except my NAS. My NAS has two network interfaces configured. One of them is OpenVPN. When I disable that OpenVPN interface, I can access it just fine.

So how could I configure my systems to access my NAS?

I think maybe one possibility could be to route all NAS traffic that's going out through WireGuard on OPNsense. And remove OpenVPN on the NAS. Is this possible?