Messages - Hoe

#1
I think it's the way you have your tunnels set up based on the info provided; this is my site-to-site config for WireGuard, working well...

VPN Destination Server
Tunnel Address:   10.8.0.1/24

VPN Client 1
Tunnel Address:   10.8.0.2/32

VPN Client 2
Tunnel Address:   10.8.0.3/32

Notice how the subnet is /32 on the clients, meaning they only get 10.8.0.2 or whatever you list there.

In my case my home LAN 10.0.0.0/24 is on Client 1, so I have the following in Allowed IPs...

Endpoint on VPN Server for Client 1: 10.8.0.2/32 + 10.0.0.0/24
-This allows both the Client VPN IP and the Home Network connected to it to be routed.

Endpoint on VPN Server for Client 2: 10.8.0.3/32
-This is a mobile and doesn't need to route any additional networks, but does need its own VPN Client IP.

Hope this helps.

Oh, you may also need to manually create Gateways, so for example my home router (Client 1) has the following Gateway...

10.8.0.2
Which is that firewall's VPN IP; you then need to make sure your firewall \ NAT rules are set up correctly.

*Mind you, I just realised you are using OVPN and not WireGuard, so this may not apply quite so well, sorry.
#2
Solved, went away, watched the new Ghostbusters movie, came back with a fresh head and found that I had disabled a custom routing rule in the VPN Server (YAY for me)!

Anyway all back to normal.

P.S. Before anyone suggests it, I have gone through and nuked all extra Firewall and NAT rules and rebooted to confirm it's working and close any extra holes! :)
#3
Hey all and belated HNY! :)

I need a little help I think as I am going in circles and I don't know what the problem is.

I have 2x OPNsense Firewalls, one at Home, the other one in the Cloud. I have a WireGuard VPN configured to link the two together and my mobile connects through the Cloud VPN all the time.

I had it all working fine and very reliable, I was delighted. Then a few months ago after a hardware failure I ended up reconfiguring my home OPNsense box and since then I have never been able to get the VPN to route traffic to or from my LAN, though the VPN is up and working and the Firewalls can ping each other fine!

I am 99.9% sure the problem is at Home as I don't think the VPS configuration has changed since it last worked, however I have installed a few updates since it worked so I guess that could have had an impact if there were changes I was unaware about.

I have even tried adding a manual Route in my Firewall but from what I can tell my home box just does not forward the requests to the VPN Server.

All rules below are from my Home OPNsense box only as I am pretty sure this is the problem, however I will reply to this post with the VPN configuration if required.

Outbound NAT:
Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)
Interface  Source         Source Port  Destination  Destination Port  NAT Address        NAT Port  Static Port  Description
WAN        This Firewall  *            *            *                 Interface address  *         NO
WAN        VPN net        *            *            *                 Interface address  *         NO

Firewall: Rules: VPN
Dir  Protocol  Source   Port  Destination  Port  Gateway  Schedule  Description
IN   IPv4 *    *        *     *            *     *        *         *
OUT  IPv4 *    *        *     *            *     *        *         *

Firewall: Rules: LAN
Dir  Protocol  Source   Port  Destination  Port  Gateway  Schedule  Description
IN   IPv4 *    VPN net  *     *            *     *        *         *
OUT  IPv4 *    *        *     VPN net      *     *        *         *

I have also tried adding rules to the "Wireguard (Group)" but still no luck.

VPN Server IP
10.8.0.1
Home VPN Client IP
10.8.0.2

Both firewalls can ping each other and my Desktop here on the LAN can ping the local OPNsense VPN Client IP (10.8.0.2) but cannot get a response from 10.8.0.1.

If I traceroute it, of course it stops at the first hop, the local OPNsense box.

Also just to confirm, the VPN configuration I am pretty sure is fine as it has not changed since it worked; I have all the right Allowed IPs etc.

Local Allowed IP:
10.8.0.1/32 (VPS Server)
10.10.0.1/24 (Another Remote Network)
10.50.0.1/24 (Another Remote Network)

Remote Allowed IP:
10.8.0.2/32 (Local OPNsense VPN Client)
10.0.0.0/24 (Home LAN)

Thanks

Stuart.
#4
No, but I am not sure how I would do that in the NGINX config either, there is no proxy pass field per se...

Any idea how I would go about doing that in the OPNsense config? I don't have a code block like that. I tried using /admin in Path Prefix, which seemed logical, but it didn't work.

Thanks
#5
Hey guys,

I have NGINX running a reverse proxy for my Pi-Hole amongst other things, but it's a good example, Pi-Hole listens on... /admin

This annoys my OCD lol, and I wanted to know if I can use the URL Rewrite Function to effectively remove the need for the /admin, so instead of needing to use...

https://pi-hole.domain.com/admin

I would only need to use...

https://pi-hole.domain.com/

I know it's silly, pointless and almost an entire waste of time, but I like learning and playing but not really sure where to start with this one.

Thanks
#6
Virtual private networks / Re: Quick question...
March 18, 2021, 01:08:46 AM
I have resolved this too, sweet, everything is working, thanks for reading anyone lol. ;)

This was a Firewall rule issue, I incorrectly assumed source * destination * would include "This Firewall".

It didn't, I had to add a rule for this separately. I had one half of this in place when I was trying something else already, hence the receiving but not answering requests!

Thanks
#7
Virtual private networks / Re: Quick question...
March 17, 2021, 11:44:35 PM
I have, yes, but to be honest I got all confused at various stages due to complications with the host provider and all sorts, and well, got ahead of myself I guess.

Only problem I seem to have now is, out of the 2x OPNsense boxes, only one of them will respond to DNS. I have no idea why, there is a rule in Unbound, VPN traffic is set to allow any in \ out.

I can't test it on its LAN as it's the cloud box, though it does have a LAN port configured and Unbound is running, so that's not it. IDK what's going on with it.
#8
Virtual private networks / Re: Quick question...
March 17, 2021, 10:08:46 PM
Figured this out too, Outbound NAT, Interface "WireGuard" Source "VPN net" Address "VPN Address".

Thanks anyway.
#9
Virtual private networks / Quick question...
March 17, 2021, 09:47:28 PM
Hey guys,

I have a Site to Site VPN up between two OPNsense boxes and my Mobile connected to one of them.

SITE A has both devices connected to it and can ping everything.

However both Site A & my Mobile cannot ping each other?!

I notice under Firewall after you have assigned an interface you have the one you added and the WireGuard one which gets created when the tunnel comes up.

I have for now added allow Any rules for everything, both inbound and outbound, but clients still cannot talk to each other. Is there something else I need to do?!

Thanks
#10
Managed to resolve this, most of my problems were caused by a miscommunication with the VPS provider leaving one of the interfaces as a Private only interface! :/
#11
Ok seems I may have sorted it, it would appear I had the following problems tripping me up...

1. WireGuard only works on WAN from what I can figure out, so if you have a Single NIC Cloud Firewall you need to have the interface configured as WAN. I did originally but started playing after failing.

2. NAT rules were indeed an issue; I overcomplicated it and it didn't help.

3. This was my biggest issue and what just solved everything for me: I needed to use an extra FAKE LAN IP range on the Endpoint for the Cloud Firewall or it just wouldn't connect, as it had no networks to map.

Using 0.0.0.0/0 worked, however I didn't want to pass all traffic through. As there is no LAN range on that box I had to just make one up for the WG configuration so it would connect.

I suspect there may be a better way, probably mapping 0.0.0.0/0 then using routing rules to prevent WAN traffic leaving the house for there.

Now to figure out why it doesn't forward WAN correctly for my mobile... oh the fun! ;)
#12
This is a common theme of the connections (WAN IP, Ports & Keys Removed), notice how it's only B sent...

interface: wg0
  public key:
  private key: (hidden)
  listening port:

peer:
  endpoint:
  allowed ips: 10.8.0.3/32
  latest handshake: 45 seconds ago
  transfer: 29.86 KiB received, 220 B sent

peer:
  endpoint:
  allowed ips: 10.8.0.2/32, 10.0.0.0/24

I have Hybrid NAT with an Outbound rule for the WAN Interface for the Source WireGuard net and a Firewall Rule for WAN from Source WireGuard net.

I have switched the interfaces back to WAN only as WG does not appear to listen \ look on LAN.

Thanks
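The `wg show` output in the post above is the kind of thing worth checking mechanically: a peer with no handshake at all, a stale handshake, or kilobytes received against a few bytes sent each point at a different fault. This added example (not OPNsense or WireGuard project code) parses that output and flags those three conditions; the sample output, peer names and thresholds are constructed assumptions.

```python
import re

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024**2, "GiB": 1024**3}
SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
STALE_AFTER, MIN_TX_RATIO = 180, 0.05  # assumed thresholds: seconds since handshake, sent/received

# Constructed sample shaped like the output in the post (peer keys are placeholders).
SAMPLE = """\
interface: wg0

peer: PEER-A-KEY-PLACEHOLDER
  allowed ips: 10.8.0.3/32
  latest handshake: 45 seconds ago
  transfer: 29.86 KiB received, 220 B sent

peer: PEER-B-KEY-PLACEHOLDER
  allowed ips: 10.8.0.2/32, 10.0.0.0/24
"""

def parse_size(text):  # "29.86 KiB" -> 30576 bytes
    num, unit = text.split()
    return int(float(num) * UNITS[unit])

def parse_age(text):  # "1 minute, 3 seconds ago" -> 63 seconds
    return sum(int(n) * SECONDS[u] for n, u in re.findall(r"(\d+) (\w+?)s?\b", text))

def parse_wg_show(output):
    # One dict per peer; interface lines fall into a throwaway dict and are ignored.
    peers, cur = [], {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("peer:"):
            cur = {"peer": line[5:].strip(), "age": None, "rx": 0, "tx": 0}
            peers.append(cur)
        elif line.startswith("latest handshake:"):
            cur["age"] = parse_age(line)
        elif line.startswith("transfer:"):
            rx, tx = re.match(r"transfer: (.+) received, (.+) sent", line).groups()
            cur["rx"], cur["tx"] = parse_size(rx), parse_size(tx)
    return peers

def diagnose(peers):
    # Map each peer key to its findings; an empty list means the peer looks healthy.
    out = {}
    for p in peers:
        issues = []
        if p["age"] is None:
            issues.append("no handshake ever: check endpoint, keys and the UDP port rule")
        elif p["age"] > STALE_AFTER:
            issues.append(f"stale handshake ({p['age']}s ago): tunnel is effectively down")
        if p["rx"] and p["tx"] < p["rx"] * MIN_TX_RATIO:
            issues.append("one-way: traffic arrives but replies are not sent (routing/NAT/firewall)")
        out[p["peer"]] = issues
    return out
```

On a live box the same functions can be fed `subprocess.check_output(["wg", "show"])` decoded to text.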
#13
So my next question is routing \ firewall rules. Are there any good guides that explain the way OPNsense is thinking with the layout of some of these?

Not criticising it, I'm sure there is a good reason, but having used SonicWalls, Junipers, Fortigates, Sophos, pfSense, Cisco and god knows what other number of firewalls over the years, some of this just confuses me at this point. Some of it is simple and will be easy to answer, some I may need to be pointed in the direction of some documents or guides if possible please.

1. WireGuard configures its own interface which appears in Firewall Rules when active. Some say you need to create an interface assignment for this, which you can only do once the VPN is up and I have done, but now I see 2x 'WireGuard' options under Firewall Rules, WTH?! Which one do I not need to create this assignment for?

2. Firewall rules, Outbound, let's say LAN > WAN: I see none, yet my understanding was if there was no rule it was blocked. I expect to see a default allow any rule somewhere, am I looking in the wrong place or does it just not exist in the OPNsense world?!

3. NAT Rules, just WTF, these are so confusing to me lol. I have done NAT before, I just find the thinking really unclear. At times I have got the VPN saying it's connected, though I dispute that based on the IP issues mentioned above, but not actually working: traffic will flow one way more than the other and only very little bits of it. I suspect I need a NAT rule, which I have read is needed, but when I go to create one I am so confused.

I guess it's Outbound, then it asks me which interface, well IDK, as I can't figure out if this means the interface it's monitoring to forward traffic or the destination interface? Also I have 2x WireGuards of course, which confuses things further lol.

Just need to wrap my head around some of it...

Thanks for reading \ trying anyway. :)
#14
Virtual private networks / WireGuard Questions...
March 16, 2021, 08:17:16 PM
Hey guys,

New here, only just started using OPNsense, really impressed, however I am very confused and a bit stuck setting up my VPNs with WireGuard. I can get the endpoint to connect but not pass traffic properly, probably because of firewall \ NAT rules which I am trying to figure out in the OPNsense world. I have used many firewalls over the years, mostly enterprise gear, but still I look at a lot of the OPNsense menus in bemusement almost at the moment, just need to figure some things out, but we'll come back to that...

I have got so utterly confused now due to conflicting posts around the internettymcwebby! ;/

So I'll start from the top of what I am trying to achieve.

SITE A:
Cloud Server with Single NIC running OPNsense 21.1.3_3
This is a Single NIC VPS running OPNsense. This will be the middleman for any traffic coming externally back into my home; any traffic over the VPN not for my house should be routed out over the VPS's internet connection.

This way my mobile traffic is always secure yet I always have a link home active too with minimal latency.

Currently this OPNsense has its NIC set as LAN. I had it as WAN but kept losing access and was recovering from backups all the time, so I have switched over for now.

*There is a firewall above this in the VPS control Panel so only the VPN port is available anyway (exception for all traffic from my house for now).

SITE B:
Home Address running OPNsense 21.1.3_3
10.0.0.0/24
+ another remote network from this 10.10.0.0/24

DEVICE 1-3:
Mobile, Tablet, Office Desktop.

Now for the purposes of making things simple lets focus on purely the SITE A <-> SITE B link please, once I know that is working I am sure I can figure out the rest.

So SITE A the VPS needs to route all traffic to 10.0.0.0/24 and 10.10.0.0/24 over the VPN, then route everything else out over its own internet connection (using itself as DNS on the VPN interface ideally, or LAN if the single port remains as LAN not WAN).

The VPN Range will be 10.8.0.0/24

PROBLEMS:
The first problem I find is that in OPNsense people say the local tunnel addresses need to be...

SITE A:
10.8.0.1/24

SITE B:
10.8.0.2/24 or maybe 10.8.0.2/32?

Which to me makes sense, as you are saying this local adapter needs to be x.x.0.2 as the remote site is already x.x.0.1.

However, if I use anything other than x.x.0.1/24, the WireGuard service will not even run?!

So other places say that both should be x.x.0.1/24, which I have tried and even seem to get a connection on, but that cannot be right, as then if I ping 10.8.0.1 from either end I get a 1ms response, meaning both ends are responding as 10.8.0.1 on themselves and are never going to be able to communicate with each other, especially as either site will already think that address is local as it will have it configured there.

So do I need to put an entirely dummy range in one of the local OPNsense configuration Tunnel Address fields to avoid the conflict? I cannot leave this field blank?!

To keep this post readable I'll put my next question(s) in a response below to separate them as otherwise this is going to be hard to follow I suspect.
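The tunnel-address and AllowedIPs rules laid out in #1 (server 10.8.0.1/24, clients /32, each client's AllowedIPs = its tunnel IP plus the LAN behind it) can be checked before the tunnel is brought up, catching the conflicts raised in #3 and #14: the same tunnel IP configured on both ends, a prefix handed to two peers, and an AllowedIPs entry such as 10.10.0.1/24 whose host bits WireGuard ignores. This added example is not OPNsense or WireGuard project code; the two configs and their keys are constructed placeholders, and Python's standard ipaddress module does the prefix arithmetic.

```python
import ipaddress
# Constructed configs (keys are placeholders) mirroring the layout in the posts.
VPS = """[Interface]
Address = 10.8.0.1/24
[Peer]
PublicKey = HOME-PUBLIC-KEY-PLACEHOLDER
AllowedIPs = 10.8.0.2/32, 10.0.0.0/24
[Peer]
PublicKey = MOBILE-PUBLIC-KEY-PLACEHOLDER
AllowedIPs = 10.8.0.3/32
"""
HOME = """[Interface]
Address = 10.8.0.2/32
[Peer]
PublicKey = VPS-PUBLIC-KEY-PLACEHOLDER
AllowedIPs = 10.8.0.1/32, 10.10.0.1/24
"""

def parse_wg(text):
    # Tiny wg-quick style parser: returns (interface dict, list of peer dicts).
    iface, peers, cur = {}, [], {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            cur = iface if line == "[Interface]" else {}
            if cur is not iface:
                peers.append(cur)
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return iface, peers

def check(configs):
    # configs: {site name: config text}. Returns a list of problems; empty means consistent.
    problems, tunnel_ips = [], {}
    for site, text in configs.items():
        iface, peers = parse_wg(text)
        own = [ipaddress.ip_interface(a.strip()).ip for a in iface["Address"].split(",")]
        for ip in own:  # the same tunnel IP on both ends (post #14) can never route
            if ip in tunnel_ips:
                problems.append(f"{site}: tunnel address {ip} is also configured on {tunnel_ips[ip]}")
            tunnel_ips[ip] = site
        seen = set()
        for peer in peers:
            for cidr in (c.strip() for c in peer["AllowedIPs"].split(",")):
                net = ipaddress.ip_network(cidr, strict=False)
                if str(net) != cidr:  # 10.10.0.1/24 really means 10.10.0.0/24
                    problems.append(f"{site}: AllowedIPs {cidr} has host bits set; it routes {net}")
                if net in seen:  # a prefix belongs to exactly one peer; the last one listed wins
                    problems.append(f"{site}: AllowedIPs {net} is listed for two peers")
                seen.add(net)
                if any(ip in net for ip in own):
                    problems.append(f"{site}: AllowedIPs {net} covers this site's own tunnel address")
    return problems
```

`check({"vps": VPS, "home": HOME})` reports only the host-bits entry; swapping HOME's Address for 10.8.0.1/24 as described in #14 adds the duplicate-tunnel-address and self-routing findings.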