Messages - gotschi

#1
Virtual private networks / Wireguard Logs
July 04, 2022, 01:19:52 PM
Hello,

I'm running 22.1.8_1 and wondered what's the best way to view the WG authentication logs.
Everything from OPNsense gets logged to my Graylog instance (Settings - System - Log Targets), but WireGuard does not log anything at all.

I looked at https://www.procustodibus.com/blog/2021/03/wireguard-logs/ but wondered what may be the best way to enable the WG logs (especially brute-force actions, failed auths and granted auths) in OPNsense.

Do you have any recommendations / solutions to this? Thank you in advance!
#2
EDIT: attached my full config, maybe someone can spot the culprits.

> Make sure Client and OPNsense are using the same DNS Server

I use different DNS servers in each site (AdGuard Home in the local LAN on 10.0.57.28, Google 8.8.8.8 on site 1); is there a reason why they should use the same? Edit: Oh, I guess you mean the LAN client and OPNsense - yes, they all point to my local AdGuard Home server (10.0.57.28).


> Create a Gateway with the Remote VPN Tunnel IP

Did that - gateway pointing to 10.0.55.254 (site 1 router), enabled "far gateway" because the subnet is not my local LAN ofc. Should I make use of Virtual IPs?

> Create an Alias with the FQDNs you want to route.

Did that. Alias with Host(s) "domain.com"

> Create a Firewall Rule on the first Interface where the traffic matches (normally LAN) (rule must be before your normal Allow Rule) with

Did that, put a rule on LAN:
Source: LAN net
Direction: in
Gateway: Site1 - 10.0.55.254 (Site 1 Router)

I can see the rule in effect in the logs, but it only shows UDP data packets.
Traceroute shows that the requests do not leave OPNsense, however...

traceroute domain.com
traceroute to domain.com (xx.xx.xx.xx), 64 hops max
  1   10.0.57.1  2,601ms  1,650ms  1,371ms
  2   10.0.57.1  1,531ms  1,429ms  1,193ms
  3   *  *  *
  4   10.0.57.1  1,880ms !H  1,483ms !H  1,412ms !H


Will make a backup and share it here, seems there is something fishy in my config...
Thank you guys!!
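As an added diagnostic (not part of the thread or of OPNsense), a small parser for traceroute output like the one above that flags the symptom described in the post: every reply coming from the firewall's own LAN address and `!H` (host unreachable) on the later probes, which means the policy route never sends the packets into the tunnel. The sample text is constructed after the post, with the placeholder `xx.xx.xx.xx` kept and the firewall address `10.0.57.1` taken from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the traceroute in the post.
# The locale prints a comma as the decimal separator; "!H" = ICMP host unreachable.
SAMPLE_TRACEROUTE = """\
traceroute to domain.com (xx.xx.xx.xx), 64 hops max
  1   10.0.57.1  2,601ms  1,650ms  1,371ms
  2   10.0.57.1  1,531ms  1,429ms  1,193ms
  3   *  *  *
  4   10.0.57.1  1,880ms !H  1,483ms !H  1,412ms !H
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(.*)$")          # ttl, host, rest of line
RTT_RE = re.compile(r"(\d+[.,]\d+)\s*ms(?:\s*(!\w+))?")   # rtt with optional flag


@dataclass
class Hop:
    ttl: int
    host: str                                   # "*" when every probe timed out
    rtts_ms: list = field(default_factory=list)
    flags: list = field(default_factory=list)   # e.g. "!H", "!N"


def parse_traceroute(text):
    """Parse BSD-style traceroute output into Hop records (header line is skipped)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                            # "traceroute to ..." header
        hop = Hop(int(m.group(1)), m.group(2))
        for rtt, flag in RTT_RE.findall(m.group(3)):
            hop.rtts_ms.append(float(rtt.replace(",", ".")))
            if flag:
                hop.flags.append(flag)
        hops.append(hop)
    return hops


def diagnose(hops, firewall_ip):
    """Return (code, message) findings for the 'never leaves the firewall' pattern."""
    findings = []
    replies = [h for h in hops if h.host != "*"]
    if replies and all(h.host == firewall_ip for h in replies):
        findings.append(("stuck_at_firewall",
                         "every reply comes from %s: traffic is not leaving the firewall" % firewall_ip))
    if any("!H" in h.flags for h in hops):
        findings.append(("host_unreachable",
                         "!H returned: the selected gateway has no route for the destination"))
    return findings
```

Run `diagnose(parse_traceroute(SAMPLE_TRACEROUTE), "10.0.57.1")` to get both findings for the output in the post; a working policy route would show the tunnel peer as a hop instead.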
#3
There's really not much to the VPN config:

local LAN is 10.0.57.0/24
OPNsense is 10.0.57.1/32,
WG server resides on 10.0.59.1,
Site 1 is PTP connected as 10.0.59.2/32

Site 1 has routes for my LAN (10.0.57.0/24 via 10.0.59.2 on 10.0.55.4).

I sure will share my config if you need specifics, but the whole config has too much sensitive info in it :D
#4
> but I assume you want to route HTTP traffic for certain websites via a different site

Totally correct.

I would like to keep my AdGuard DNS out of play here; I think this should be doable with routes and aliases?

I just have no experience with where to put the rule:
WAN?
Floating?
LAN?

In the meantime I added the remote site gateway in OPNsense; "Far Gateway" is set.
I can now use this gateway for my rules, just need to try till I get it working...

The connection to domain.com is already caught by OPNsense, but traceroute domain.com does not leave OPNsense to the remote site yet.
#5
Hi,

I would like to route specific domains via a VPN site.
OPNsense runs my WireGuard server, which has a WG client (site) connected to it.

I then create a Firewall - Alias:
- Name: Proxied
- Type: Host(s)
- Content: domain.com

I'm not sure what the next steps would be, but I tried:
adding a Firewall - NAT - Outbound rule
- Iface: WAN
- Destination: Proxied
- (I tried translation to the WG site address / router)

adding a Firewall Rule - Rules - WAN:
- iface: WAN
- direction: out
- destination: proxied
- gateway: site router address

traceroute shows that the domain gets caught, but it refuses to go over the VPN;

can anyone here tell me how to achieve this routing? Thank you!
#6
German - Deutsch / Re: API DHCP Clients
October 31, 2021, 01:39:05 PM
I had to use $this->response->setContentType('application/json', 'UTF-8'); on 21.7.3