Messages

1

Virtual private networks / Wireguard Logs

« on: July 04, 2022, 01:19:52 pm »

Hello,

I'm running 22.1.8_1 and wondered what's the best way to view the WG authentication logs.
Everything from opnsense gets logged to my Graylog instance (settings - system - log targets) but wireguard does not log anything at all.

I looked at https://www.procustodibus.com/blog/2021/03/wireguard-logs/ but wondered what may be the best way to enable the WG logs (especially brute force actions, failed auths and granted auths) in Opnsense.

Do you have any recommendations / solutions to this? Thank you in advance!

2

21.7 Legacy Series / Re: Help needed with Domain based routing

« on: January 06, 2022, 09:47:36 pm »

EDIT: attached my full config, maybe someone can spot the culprits.

Make sure Client and OPNsense are using the same DNS Server

I use different DNS Servers in each site (adguard home in local lan on 10.0.57.28, google 8.8.8.8 on site1), is there a reason why they should use the same? Edit: Oh, I guess you mean the lan client and opnsense - yes they all point to my local adguard home server (10.0.57.28)

Create a Gateway with the Remote VPN Tunnel IP

Did that - Gateway pointing to 10.0.55.254 (site 1 router), enabled "far gateway" because the subnet is not my local lan ofc. Should I make use of Virtual IPs?

Create an Alias with the FQNDs you want to route.

Did that. Alias with Host(s) "domain.com"

Create a Firewall Rule on the first Interface where the traffic matches (normally LAN) (rule must be before your normal Allow Rule) with

Did that, put a rule on LAN,
Source: LAN net
Direction: in
Gateway: Site1 - 10.0.55.254 (Site 1 Router)

I can see the rule in effect in the Logs but it only shows UDP data packets.
Traceroute shows that the requests do not leave Opnsense however...

Code: [Select]

traceroute domain.com
traceroute to domain.com (xx.xx.xx.xx), 64 hops max
  1   10.0.57.1  2,601ms  1,650ms  1,371ms
  2   10.0.57.1  1,531ms  1,429ms  1,193ms
  3   *  *  *
  4   10.0.57.1  1,880ms !H  1,483ms !H  1,412ms !H

Will make a backup and share it here, seems there is something fishy in my config...
Thank you guys!!

3

21.7 Legacy Series / Re: Help needed with Domain based routing

« on: January 06, 2022, 08:54:59 pm »

there's really not much to the VPN config,

local lan is 10.0.57.0/24
OPNSense is 10.0.57.1/32,
WG server resides on 10.0.59.1,
Site 1 is PTP connected as 10.0.59.2/32

Site 1 has routes for my Lan (10.0.57.0/24 via 10.0.59.2 on 10.0.55.4)

I sure will share my config if you need specifics but the whole config has too much sensible info to it

4

21.7 Legacy Series / Re: Help needed with Domain based routing

« on: January 06, 2022, 06:43:02 pm »

but I assume you want to route HTTP traffic for certain websites via a different site

totally correct.

I would like to keep my Adguard DNS out of play here, I think this should be doable with routes and aliases?

I just have no experience where to put the rule?
WAN?
Floating?
LAN?

In the meantime I added the remote site Gateway in Opnsense, "Far Gateway" is set.
I can now use this gateway for my rules, just need to try till I get it working...

The connection to domain.com is already caught by Opnsense but

Code: [Select]

traceroute domain.com does not leave OpnSense to the remote site yet

5

21.7 Legacy Series / Help needed with Domain based routing

« on: January 06, 2022, 04:23:04 pm »

Hi,

I would like to route specific domains via a vpn site.
OpnSense runs my Wireguard server which has a WG client (site) connected to it.

I then create a Firewall - Alias:
- Name: Proxied
- Type: Host(s)
- Content: domain.com

I'm not sure what the next steps would be, but I tried:
adding a Firewall - NAT - Outbound rule
- Iface: WAN
- Destination: Proxied
- (I tried translation to WG site adress / router)

adding a Firewall Rule - Rules - WAN:
- iface: WAN
- direction: out
- destination: proxied
- gateway: site router address

traceroute shows that the domain gets catched but it refuses to go over the VPN;

can anyone here tell me how to achieve this routing? Thank you!

6

German - Deutsch / Re: API DHCP Clients

« on: October 31, 2021, 01:39:05 pm »

Ich musste

Code: [Select]

$this->response->setContentType('application/json', 'UTF-8'); verwenden bei 21.7.3