OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of besecur3man »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - besecur3man

Pages: [1]
1
21.1 Legacy Series / Re: Wireguard with multiwan
« on: March 22, 2021, 03:06:23 pm »
Quote from: mimugmail on March 18, 2021, 03:13:59 pm
It wont work this way. The interface WG creates doesn't support these features which are known to work in OpenVPN etc. The only way is:

- All users use WAN1 as default
- Only if WAN1 fails they have to use WAN2
- When WAN1 is back, all users get kicked and should switch to WAN1

It wont work in a different way ...

Will a site-to-site setup with WireGuard work with multiwan? Or is that also not possible at this time?

The setup I am looking for is as follows:

Remote office: OPNSense firewall with 2 WANs load balanced
Cloud VPC: Debian host running WireGuard

Desired behavior: Remote office OPNSense establishes site-to-site VPN tunnels with the WireGuard instance in the cloud VPC using both WANs, and then traffic intended for the VPC network is load balanced across both tunnels.

2
21.1 Legacy Series / Re: Wireguard with multiwan
« on: March 18, 2021, 03:45:45 pm »
Understood, thank you for clarifying that. That answers my question.

Seems to me, out of the box, WireGuard is better suited for more static, tightly controlled use cases such as site-to-site tunnels, as opposed to dynamic less controlled environments such as road warrior setups and/or BYODs, etc.

3
21.1 Legacy Series / Re: Wireguard with multiwan
« on: March 18, 2021, 12:48:36 pm »
Thank you for your response. I don't mind the two profiles on the client side, in fact that is pretty much all I hoped to accomplish.

The issue I am having is that when remote peers connect using WAN2, the connections fail, since all return traffic is set to exit from WAN1 which is the default gateway. And I can't seem to figure out how to tell OPNSense to send traffic back out of the WAN interface it came in from. I have 2 port forward rules under Firewall --> NAT --> Port Forward, one for each WAN interface. Under Firewall --> Rules --> WireGuard, I have one rule to allow traffic from the WireGuard peers to LAN. This rule has the Gateway set to "default".

I tried creating two explicit Firewall rules to allow traffic from the WireGuard peers to LAN, with the Gateway in each rule set to one of the WAN interfaces, but that stops the peers from connecting completely to either WAN.

I can't figure out how to get OPNSense to route the packets back to the WireGuard peers connected to WAN2 when WAN1 is the default gateway and is currently up.

4
21.1 Legacy Series / Authenticate OPNSense user from a remote script
« on: March 18, 2021, 12:24:18 pm »
I have an OPNSense instance configured for a LDAP access server +Time based One Time Password authentication.

Is it possible using the OPNSense API (or through some other means) to authenticate a user via OPNSense from a shell script running on say a host connected to the OPNSense's LAN interface? E.g. shell script needs to use the OPNSense API to modify some settings, and the user invoking the shell script must be authenticated in order to run the script.

5
21.1 Legacy Series / Wireguard with multiwan
« on: March 18, 2021, 11:05:37 am »
Hello,

I have a OPNSense setup with 2 WANs configured.

We currently run OpenVPN with OpenVPN server running on localhost on the OPNSense box. Clients can connect via either WAN to access hosts on the LAN interface and while it's not seamless failover, should one of the WANs be down/or go down, clients can connect/reconnect via the other WAN. And OpenVPN client, well at least on Linux, will retry connecting with each server IP, if multiple server IPs are configured.

I setup WireGuard on the OPNSense box using the tutorial at https://docs.opnsense.org/manual/how-tos/wireguard-client.html and I am able to connect and access the LAN side hosts, etc. However, it only works with the WAN which is currently the default gateway. If that WAN is down, then OPNSense switches the default gateway (gateway switching is enabled) and WireGuard peers can utilize the 2nd WAN to connect. However, as long as WAN1 is "up", peers cannot connect to WAN2. Well, actually the peers appear to be able to connect to WAN2 but traffic isn't properly received (a few bytes are received but no network services such as ping, ssh, etc. work).

Can anyone point me in the right direction of how to setup WireGuard on OPNSense such that peers can connect to either WAN interface regardless of the status of the other WAN interface?

Thank you.

6
20.1 Legacy Series / Re: Wireguard with MultiWAN setup
« on: March 16, 2021, 11:17:36 am »
Hi, I'm having trouble getting OPNSense multi wan configuration work with WireGuard.

I have a dual WAN OPNSense setup. And I have WireGuard setup and working fine, but only on the WAN that is the current default gateway. When the WAN which is the current default gateway is up, WireGuard peers can only establish connections over that WAN. Attempting to connect over the second WAN does not work. However, if the WAN with the default gateway is down, then WireGuard clients are able to connect using the second WAN.

Can you please clarify how you got it working? More specifically, were you able to get WireGuard to work such that peers can connect to either WAN when both WANs are up?

thanks -Jeremy

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2