Messages - balrog

#1
I see your point about Home Assistant, but since I already use it for my home automation anyway—and many others do too—this guide might be helpful for them.

If you don't use Home Assistant, you can access the API directly via curl (Linux) or PowerShell (Windows).

And WoL can be executed directly through the installed WoL plugin. Personally, though, I don't want to have to go through the OPNsense firewall every time I want to wake up a PC. That's why I included the steps in the guide.
#2
Introduction

With ISC DHCP, it was possible to set up WoL over routed networks using a NAT workaround. However, since ISC DHCP is deprecated, and tools like Dnsmasq or KEA DHCP do not offer an option for "fake" ARP entries, and solutions such as defining the MAC address via Neighbors did not work for me (presumably due to CARP), this guide describes a solution for setting up WoL using OPNsense's built-in API. In this example, the "Magic Packet" is sent via Home Assistant.

OPNsense
1. Install the plugin
The os-wol plugin is required for this solution. Simply installing it is sufficient; no configuration is needed here.


2. Create a user
A user must be created for API access. You can choose the name yourself.
Under Privileges, select the service we just installed: Service: Wake on LAN
Then save.


3. Create API Key
We create the API key pair by clicking this icon. This downloads the key pair to a .txt file.


4. Extract Network Identifier
In the script later on, we'll specify which network the client to be woken up is on. To do this, we need to note down the identifier of the interface. In my case: lan


Home Assistant

I'm going to create a button in Home Assistant that I'll use to wake up the client. To do this, the following must be entered in the Home Assistant YAML configuration. I've moved "templates" to a separate file called template.yaml, which is why I have the following line in my configuration.yaml:
template: !include template.yaml

1. configuration.yaml
Insert the following block and adjust it according to the comments. For payload: make sure the identifier of the OPNsense interface is included:
rest_command:
  opnsense_wake_client:
    url: "https://x.x.x.x:xxx/api/wol/wol/set" # actual IP and Port of the OPNsense WebGUI
    method: POST
    username: "Kc/vYhlWU/K4fS3N3vhyKJ1234oxwg2adbDtVJZLZwL2k5QhhmxhLa/mxxI4LNhqKyZougxnSMnHWiA6" # key from the txt
    password: "Yz/7A1lTzSi+I4XXWMMrV1234FlwIwFZsowocpAH1r7dfBHRAGZLVk7aSBX2/n5tg4cwKaEmeV9GJIuS" # secret from the txt
    content_type: "application/json"
    payload: '{"wake":{"interface":"lan","mac":"AA:BB:CC:DD:EE:FF"}}' # interface=identifier, mac=MAC-Address of the client
    verify_ssl: false # when you use the default self-signed cert from OPNsense

2. template.yaml
Insert the following block into template.yaml:
- button:
  - name: "WoL Client"
    press:
      - action: rest_command.opnsense_wake_client


3. Restart Home Assistant
For me, simply loading the YAML config wasn't enough, so I had to restart Home Assistant.


4. Add a button
Now you can create a button on the dashboard and select "WoL Client" as the entity.
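The same /api/wol/wol/set call made directly with curl instead of through Home Assistant, as an added example that is not part of the original post. It assumes the environment variables OPNSENSE_URL, OPNSENSE_KEY, OPNSENSE_SECRET and optional OPNSENSE_CACERT plus a WOL_DRY_RUN switch (names chosen here, not from the guide); without a CA file it accepts the self-signed certificate unverified, matching verify_ssl: false above.

```shell
#!/bin/sh
# Added example (not from the original post): wake a client through the
# OPNsense os-wol API with curl, using the key/secret pair downloaded in
# step 3 of the guide. Assumed environment variables (not from the page):
#   OPNSENSE_URL    e.g. https://x.x.x.x:xxx  (WebGUI address and port)
#   OPNSENSE_KEY    "key" line from the downloaded .txt
#   OPNSENSE_SECRET "secret" line from the downloaded .txt
#   OPNSENSE_CACERT optional CA file; without it the self-signed cert is
#                   accepted unverified, like verify_ssl: false in the guide

# Reject anything that is not a well-formed MAC so a typo never reaches the API.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Build the same JSON body the rest_command in the guide sends.
wol_payload() {
    printf '{"wake":{"interface":"%s","mac":"%s"}}' "$1" "$2"
}

# wake_client <interface-identifier> <mac>
# Validates input, then POSTs to /api/wol/wol/set with HTTP basic auth
# (key as user, secret as password). With WOL_DRY_RUN=1 it only prints
# the request that would be sent.
wake_client() {
    iface="$1"; mac="$2"
    if ! valid_mac "$mac"; then
        echo "invalid MAC address: $mac" >&2
        return 2
    fi
    body=$(wol_payload "$iface" "$mac")
    if [ "${WOL_DRY_RUN:-0}" = "1" ]; then
        echo "POST ${OPNSENSE_URL}/api/wol/wol/set $body"
        return 0
    fi
    # Verify against a CA file when one is given, otherwise accept the
    # default self-signed OPNsense certificate (-k).
    if [ -n "${OPNSENSE_CACERT:-}" ]; then set -- --cacert "$OPNSENSE_CACERT"; else set -- -k; fi
    curl -sS "$@" -u "${OPNSENSE_KEY}:${OPNSENSE_SECRET}" \
        -H 'Content-Type: application/json' \
        -X POST -d "$body" "${OPNSENSE_URL}/api/wol/wol/set"
}

# Usage: wake_client lan AA:BB:CC:DD:EE:FF
```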
#3
Zenarmor (Sensei) / Re: mongodb issue
December 01, 2022, 08:25:45 AM
Quote from: rudiservo on August 13, 2022, 12:48:44 AM
pkg remove php74-pecl-mongodb

I also had this problem, but uninstalling the package was the solution. Thank you very much!
#4
I had the problem after updating to OPNsense 22.1.3 that the HAProxy service did not start anymore. I was able to solve the problem by editing the Virtual IP and saving it again without adjusting it. After that the service could be started again.
#5
Hi wrobelda

Thanks for the hint! I have adjusted the section in the tutorial. Nevertheless, it also works when the tunnel address is entered.
#6
Introduction

In the following I would like to show how I have set up "Selective Routing" via Wireguard, primarily to access websites with region lock or to hide my real public IP.
For that, I have an Azure VM, which is located in the appropriate country. This VM can also be from another provider.

This manual is basically based on: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

Tested and working on OPNsense 22.1.2_1



Changelog

    17.03.2022:
    • Changed the Gateway-Address from local WG-Address to the remote WG-Address (Local WG-Gateway), as described in the official manual.
    • Fixed some typos and formatting


Requirements

  • Wireguard Plugin installed (on OPNsense)
  • Endpoint with fixed, public IP
  • Endpoint OS: RockyLinux 8.5


Configuration: OPNsense

Create Endpoint
Go to: VPN -> Wireguard -> Endpoints -> + (create new)



  • Set "Enable"
  • Your preferred Name
  • Keep this field empty
  • Insert: 0.0.0.0/0 (for IPv6: ::/0)
  • Insert the Public IP from your Endpoint
  • Any Port you want to use
  • Since this is supposed to be a persistent connection, set the keepalive to 25
Click on "Save" and "Apply"

Create Local Configuration



  • Enable "advanced mode"
  • Set "Enable"
  • Your preferred Name
  • Keep these fields empty
  • In this case we don't need a Listening-Port
  • Set the Tunnel Address x.x.x.x/32
  • Select the previously created Endpoint
  • Select "Disable Routes"
  • Choose any Gateway-IP in the same Range as the Tunnel Address in /24
Click on "Save" and "Apply"

Click on "Edit" (Pencil) and copy the new generated Public Key to a .txt-File or similar.

Create new Interface
Go to: Interfaces -> Assignments

  • Assign the newly created Wireguard interface

Go to: Interfaces -> [NEW-WG-INTERFACE]

  • Set everything as on the screenshot and click on "Save"



  • Now restart WireGuard - you can do this from the Dashboard (if you have the services widget) or by turning it off and on under VPN -> WireGuard -> General

Create a Gateway
Go to: System -> Gateways -> Single


  • Your preferred Name
  • Select your [NEW-WG-INTERFACE]
  • Select IPv4
  • Enter the gateway IP that you configured under the WireGuard local peer configuration
  • Select "Far Gateway"
  • Enter the Gateway IP from your Local Wireguard Configuration
Click on "Save" and "Apply changes"

Create Aliases (Destination URLs, Networks)

Go to: Firewall -> Aliases -> Add (create new alias)

In my case, certain services are loaded from my accessed website via a CDN, which is why I also need to enter all the subnets used by the CDN. If this is not the case for you, you can simply create a URL alias and skip creating a network alias.

URL:


  • Your preferred Name
  • Select "Host(s)"
  • Enter every single used Hostname/FQDN, because OPNsense doesn't support wildcards.
    (e.g. www.google.com, google.com)
Click on "Save" and "Apply"

Networks:


  • Your preferred Name
  • Select "Network(s)"
  • Enter every used subnet
Click on "Save" and "Apply"

Firewall Rules

In my case the complete internal network should run through my wireguard endpoint when accessing my "region block website".
If you don't want to do that over the whole network, you can also create an alias for the affected IPs/hosts and specify them as "source" later in the rule creation.

Go to: Firewall -> Rules -> [LAN-Interface] -> Add (create new rule)


  • Select your LAN-Interface
  • Select "IPv4"
  • Select your LAN-Network (net) or your defined IPs/Hosts-Alias
  • Select your defined URL-Alias
  • Select your defined Gateway
Click on "Save" and "Apply"

If you have also created a Network-Alias like me, the firewall rule just created needs to be copied and the destination (4) needs to be adjusted to this alias. After that "Save" and "Apply" again.

NAT Configuration
The NAT is only needed if you also want to access the endpoint host itself!

Go to: Firewall -> NAT -> Outbound

Select "Hybrid NAT..."


Add a new "Manual rule":


  • Select your Wireguard-Interface
  • Select "IPv4"
  • Set Translation to "Interface address"
Click on "Save" and "Apply"

Now we are basically done with the configuration on the OPNsense side. We only have to enter the PublicKey of the Wireguard endpoint later.


Configure: Rocky Linux / Wireguard-Endpoint

At this point you can use any Linux/BSD distribution as long as iptables and wireguard are available for it.
However, only the procedure on RockyLinux is described here.

Installation prerequisites / Wireguard

Install Epel-Release:
dnf install epel-release -y

Install Wireguard:
dnf install kmod-wireguard wireguard-tools -y

Create WireGuard Configuration Directory
mkdir /etc/wireguard

Generate WireGuard Private/Public Keys

Change Permissions:
umask 077

Generate and write a new private and a public key to a file:
wg genkey | tee /etc/wireguard/wireguard.key | wg pubkey > /etc/wireguard/wireguard.pub.key

Copy the created private key and write it down somewhere temporarily:
cat /etc/wireguard/wireguard.key

Create a new Wireguard-Configfile:
vi /etc/wireguard/wg0.conf

Paste the following lines to this file:
[Interface]
ListenPort = 55555
PrivateKey = [PrivateKey from the Endpoint/this Machine]
Address = 10.0.8.1/32
PreUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

[Peer]
PublicKey = [PublicKey from OPNsense-Wireguard]
AllowedIPs = 10.0.8.2/32


Note that on my interface eth0 the gateway is defined. This may be different for you. Change it accordingly in the lines "PreUp" and "PostDown".

Save the File (vi = :wq)

Enable IP-Forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

sysctl -p


Copy the public key to OPNsense

Copy the created public key and write it down somewhere temporarily:
cat /etc/wireguard/wireguard.pub.key

Go back to your OPNsense WebGUI
Go to: VPN -> Wireguard -> Endpoints -> Edit your previously created config



  • Paste the public key into the "Public Key"-field
Click on "Save" and "Apply"

Start Wireguard on the Endpoint
Go back to your Endpoint and start your Wireguard-Tunnel:
wg-quick up wg0

If your tunnel is already running, do:
wg-quick down wg0
wg-quick up wg0

You can check if the tunnel is up and running:
wg

Create a service
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0


Summary
Now we are ready and you can test/use your configuration.
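An added example, not part of the original post: a health check for the endpoint that parses `wg show wg0 dump` (the machine-readable form of the `wg` check above) and reports peers without a recent handshake, together with the ip_forward and MASQUERADE checks for the settings configured earlier. The sample dump embedded in the script is constructed with redacted keys, and the 180-second staleness threshold is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: health check for the wg0
# tunnel on the Rocky Linux endpoint. `wg show wg0 dump` prints one
# interface line, then one line per peer whose 5th field is the last
# handshake as a Unix timestamp (0 = never). With the keepalive of 25 s
# set on the OPNsense side a healthy peer handshakes every couple of
# minutes, so an old timestamp means the tunnel is down even if wg0 exists.
# eth0 and 10.0.8.2/32 follow the guide's wg0.conf; 180 s is an assumption.

# stale_peers <dump-text> <now-epoch> <max-age-seconds>
# Prints "<allowed-ips> <age>" for each peer with no handshake within
# max-age (age -1 = never handshaked). Exit status 1 if any peer is stale.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" '
        NR == 1 { next }                      # skip the interface line
        {
            age = ($5 == 0) ? -1 : now - $5
            if ($5 == 0 || age > max) { print $4, age; stale = 1 }
        }
        END { exit stale ? 1 : 0 }'
}

# Live check, run as root on the endpoint: forwarding enabled, the
# MASQUERADE rule from the PreUp line present, and every peer fresh.
check_endpoint() {
    [ "$(sysctl -n net.ipv4.ip_forward)" = "1" ] || echo "ip_forward is off"
    iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null \
        || echo "MASQUERADE rule for eth0 missing"
    stale_peers "$(wg show wg0 dump)" "$(date +%s)" 180
}

# Constructed sample dump (keys redacted) for an offline dry run:
# the peer last handshaked at 1700000000.
SAMPLE_DUMP='privkeyREDACTED pubkeyREDACTED 55555 off
peerPubkeyREDACTED (none) 203.0.113.10:51820 10.0.8.2/32 1700000000 1024 2048 25'

# Offline demo: "now" is 1000 s after the handshake, so the peer is stale.
demo() {
    stale_peers "$SAMPLE_DUMP" 1700001000 180   # prints "10.0.8.2/32 1000"
}
```

Run `demo` for the offline sample or `check_endpoint` on the live endpoint.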
#7
I have recorded the phenomenon below:
https://ibb.co/rv8r4fn
#8
Thanks for the hint, but I had already adjusted this value before - unfortunately without success...

What is really strange is that the speed is normal (like on the Linux Firewalls) as soon as I have "top" open in the background.
(no matter if OPNsense is tuned or on factory settings).

As if (figuratively speaking) "top" keeps the floodgates open for the network packets to flow faster.


Can anyone perhaps verify this with the same problem (vmxnet3)?
#9
Thank you for the answer.

I previously had an Intel X550-T2 purely for the WAN connection. But after testing I found that the onboard AQtion AQN-107 with current driver from Marvell* is just as fast (so I could save one PCI-E slot).
On both Linux firewalls, I was able to max out the bandwidth of the ISP with both configurations (Intel or AQtion).

P.S. the problem was the same with the configuration with the Intel NIC

(*sorry, driver is not from broadcom, it's from Marvell)
#10
Hello everyone

Unfortunately I have the same performance problem on ESXi 6.7 with vmxnet3 network adapters. The physical adapters behind are as follows:

WAN: AQtion AQN-107 (10 Gbps)
LAN: Intel 10 Gigabit Ethernet Controller 82599 (10 Gbps)
DMZ: Intel 10 Gigabit Ethernet Controller 82599 (10 Gbps)

ISP: 10/10 Gbps (XGS-PON)


The speed on OPNsense (also on pfSense) is approximately as follows:
down: 7-10 Mbps
up: 2.5-3 Gbps

On any Linux firewall (e.g. IPFire and Untangle) I get the following values:
down & up: 5-6 Gbps

I have tried all possible tunables on the OPNsense, which unfortunately didn't help.

But now I just noticed something strange:
When I have the performance monitoring active during a speedtest (Performance Graph in WebUI or top via ssh) the speed is suddenly not even that bad:
down & up: 3-4 Gbps

If I deactivate the performance monitoring again, the values are as low as at the beginning.

Unfortunately I don't know exactly what triggers this phenomenon, but maybe someone of you has also noticed this?