Messages

1

21.1 Legacy Series / Re: Selective routing to VPN (Wireguard)

« on: May 16, 2021, 03:59:38 pm »

Ok, after days of trying to figure out what is the problem it was a little bit messy, so I have to do it again from scratch, but "allowed IPs" in Endpoint configuration was source of my problems.
Thank you for spotting it.

2

21.1 Legacy Series / Re: Selective routing to VPN (Wireguard)

« on: May 16, 2021, 01:29:13 pm »

I was trying to add screenshots but forum wasn't displaying it.

Will try again:

3

21.1 Legacy Series / Re: Selective routing to VPN (Wireguard)

« on: May 16, 2021, 11:41:04 am »

I have done it again, now strictly according to manual
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

Gateway IP is - as per manual - tunnel IP less one (I have learned that using exact tunnel IP as gateway IP redirects traffic to router, not VPN). Client IP traffic should be routed through VPN, but has no internet whatsoever.

My concern is when gateway monitoring enabled it shows OFFLINE for some reason, regardless Wireguard showing UP and proper handshake

4

21.1 Legacy Series / Re: Selective routing to VPN (Wireguard)

« on: May 16, 2021, 01:42:36 am »

Outbound NAT
Interface WG_OUT
Source LAN/any -> interface address

Rules as per manual
Source
IPv4/[ip to be routed via VPN] alias
-> gateway.

And again - results depending of gateway settings. If I set gateway to local IP of WG tunnel, it appears to be working, but shows https errors.
If I set up gateway IP according to manual (tunnel IP less 1) or any other IP - doesn't work at all. This IP is not accessible, looks like it's error in manual.
Tunnel ip is live, answers pings etc. just not able to route traffic through

5

21.1 Legacy Series / Selective routing to VPN (Wireguard)

« on: May 15, 2021, 03:42:56 pm »

Hi
I'm trying to do pretty much same thing as described here:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

Started earlier, but trying to troubleshoot using manual above. Got peer connected, can see handshake etc. with VPN provider, no problem.
Now the tricky bit:
Got local IP address from provider. ("Tunnel Address" in step 2 above) In previous manuals I have seen, there was no setting for the "Gateway" in step 2.
So I have changed everything according to manual, but no difference.

Only bigger difference in my config is Step 8 - in my case I have an alias with IP address of hosts with traffic should be routed through VPN, but this should not be a problem

Once firewall rule activated, on host redirected to VPN i'm getting https errors: NET:ERR_CERT_AUTHORITY_INVALID

Problem is for sure related to gateway, as I have done simple test - added another physical router in the same LAN network as 2nd gateway. Using this IP as gateway in Step 8 works just fine. Once changed back to wireguard IP breaks it again.

Results I'm getting:
wireguard gateway as tunnel address less 1 - no traffic, timeout
wireguard gateway as tunnel address - https errors


Not sure where I should go now

EDIT:
I guess this may be reason why it's not working, just don't know how to fix it.

Basically it shows outbound-natting local ip to tunnel address, but then...

Code: [Select]

all tcp 10.XXX.XX.XXX:49927 (192.XXX.XX.XXX:49927) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49933 (192.XXX.XX.XXX:49933) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49926 (192.XXX.XX.XXX:49926) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49928 (192.XXX.XX.XXX:49928) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49929 (192.XXX.XX.XXX:49929) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49932 (192.XXX.XX.XXX:49932) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49924 (192.XXX.XX.XXX:49924) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49925 (192.XXX.XX.XXX:49925) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49930 (192.XXX.XX.XXX:49930) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49931 (192.XXX.XX.XXX:49931) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED