Messages - rsbonini

#1
Quote from: Greelan on October 31, 2022, 09:38:58 PM
Have you restarted unbound after adding the WG interface?

Yes, both manually and via multiple reboots of the OPNSense box.
#2
Quote from: tiermutter on October 29, 2022, 07:32:39 PM
There is an interface assigned to WG and a FW rule allowing WG to any/WAN?

I think so:



Quote from: tiermutter on October 29, 2022, 10:04:17 PM
Can you ping e.g. 8.8.8.8 from WG?

Yes, I can ping 8.8.8.8 as well as other IPs I know on the internet from my machine while connected remotely to the WG server.  This would seem to confirm that it's a DNS issue.

Quote from: Taunt9930 on October 29, 2022, 09:57:18 PM
In Services > Unbound > General, Network Interfaces has your wireguard interface been selected, or 'All'? Either needs to be the case.

Yep:
#3
So I did go through that guide for Wireguard setup, and couldn't find anything missing, everything seems to match.

Quote from: tiermutter on October 28, 2022, 09:18:22 AM
Looks like there is nothing configured for DNS...

What in the configuration needs to be set for DNS?  As far as I can tell I only need to set the DNS address (the server's tunnel address) on the client side.  I've got UnBound applied to the Wireguard interface and I have the server's tunnel address on the UnBound Access list.  Is there something in the Wireguard config I am missing?

Also, this should clearly be in the VPN sub-forum; if a mod wants to move it over there it'd be greatly appreciated.
#4
I have a Wireguard server up and running and multiple clients are able to connect to it and the rest of the LAN reliably.
The clients are not able to reach the internet when connected to the tunnel.  I think it's a failure to get DNS resolutions.

I would like connected clients to be forced to use the UnBound DNS service running on OPNSense.  I've gone through the OPNSense Wireguard documentation and double checked interface names, NAT rules, IP address formatting, DNS Access Control Lists, etc, and I'm just not seeing where I've gone wrong.

Anyone mind taking a look and letting me know if they have some suggestions?

Here's the Wireguard config as a starting point:

    <wireguard>
      <general version="0.0.1">
        <enabled>1</enabled>
      </general>
      <server version="0.0.2">
        <servers>
          <server uuid="######">
            <enabled>1</enabled>
            <name>WGVPN</name>
            <instance>0</instance>
            <pubkey>######=</pubkey>
            <privkey>######=</privkey>
            <port>######</port>
            <mtu/>
            <dns/>
            <tunneladdress>10.10.2.1/24</tunneladdress>
            <disableroutes>0</disableroutes>
            <gateway/>
            <peers>######</peers>
          </server>
        </servers>
      </server>
      <client version="0.0.6">
        <clients>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C1</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.104/32</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C2</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>######</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C3</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.105</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C4</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.107/32</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C5</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.110</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
        </clients>
      </client>
    </wireguard>
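An added sanity check for an export like the one above (example code, not from the thread or from OPNsense): it parses the WireGuard XML and reports client tunnel addresses that lack a prefix length, are not single-host /32 routes, fall outside the server's tunnel network, or collide with another peer, plus an informational note when the server's DNS field is empty. It assumes the element layout shown in the post and one address per tunneladdress field; the sample XML is constructed to mirror that post with placeholder values.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the shape of the posted export (redacted
# values replaced by placeholders); only the fields the checks read are kept.
SAMPLE_XML = """<wireguard>
  <server><servers><server uuid="srv"><name>WGVPN</name><dns/>
    <tunneladdress>10.10.2.1/24</tunneladdress></server></servers></server>
  <client><clients>
    <client uuid="c1"><name>C1</name><tunneladdress>10.10.2.104/32</tunneladdress></client>
    <client uuid="c3"><name>C3</name><tunneladdress>10.10.2.105</tunneladdress></client>
    <client uuid="c4"><name>C4</name><tunneladdress>10.10.2.107/32</tunneladdress></client>
    <client uuid="c5"><name>C5</name><tunneladdress>10.10.2.110</tunneladdress></client>
    <client uuid="c6"><name>C6</name><tunneladdress>10.10.3.5/24</tunneladdress></client>
  </clients></client>
</wireguard>"""


def check_wireguard_peers(xml_text: str) -> list[str]:
    """Return findings about the peer tunnel addresses; an empty list means clean.

    Assumption: a single address per <tunneladdress> element (no comma lists).
    """
    root = ET.fromstring(xml_text)
    findings: list[str] = []
    server_nets = []
    for srv in root.iterfind("./server/servers/server"):
        server_nets.append(ipaddress.ip_interface(srv.findtext("tunneladdress").strip()).network)
        if not (srv.findtext("dns") or "").strip():
            findings.append(f"server {srv.findtext('name')}: <dns> empty (informational: "
                            "WireGuard does not push DNS, each client configures its own)")
    seen: dict[str, str] = {}  # tunnel IP -> first client name using it
    for cl in root.iterfind("./client/clients/client"):
        name = cl.findtext("name", "?")
        raw = (cl.findtext("tunneladdress") or "").strip()
        if "/" not in raw:
            findings.append(f"client {name}: {raw!r} has no prefix length (expected /32)")
        iface = ipaddress.ip_interface(raw)  # a bare address parses as /32
        if iface.network.prefixlen != iface.max_prefixlen:
            findings.append(f"client {name}: {raw!r} is not a single-host /32 route")
        if not any(iface.ip in net for net in server_nets):
            findings.append(f"client {name}: {iface.ip} is outside every server tunnel network")
        if str(iface.ip) in seen:
            findings.append(f"client {name}: duplicates tunnel IP of {seen[str(iface.ip)]}")
        seen.setdefault(str(iface.ip), name)
    return findings


if __name__ == "__main__":
    for line in check_wireguard_peers(SAMPLE_XML):
        print(line)
```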
#5
Not sure if this helps, but it took me a while to find a config my modem and OPNSense were both happy with.  My ISP uses PPPoE and bridge mode is achieved simply by setting the OPNSense WAN interface as PPPoE and entering the credentials; the modem then passes this straight through.

To get access to the modem's web GUI a second physical cat6 jumper was connected between OPNSense and the modem (which has 4 LAN ports).  A MODEM interface was then created and the second physical connection assigned to it.  A firewall outbound NAT rule of translation type "interface address" was added to provide access between MODEM net and LAN net.

This seems to work really well, despite being a little clunky with the two physical connections.
#6
Thank you all for your input and questions.  Forcing me to go back through stuff helped.  I think the internet part is resolved.  But in the interest of completeness, here is the behaviour I was getting:



The problem on the linux laptop was that I had somehow set a gateway in the wireguard config.  Deleting it caused everything to line up with the android phone.

On the SMB side, just to confirm, there's no way to get host resolution for SMB shares working through a wireguard tunnel?  There's not a server or relay or some other magic that can be put in place to bridge the necessary L2 traffic across the subnets?
#7
Thanks for the replies and the input.

When directly connected to the LAN, yes network resources can be seen by browsing to "Network" in the file explorer. Yes, hosts respond to ping requests when using their hostname.

Yes, static mappings are set up for the Unraid server and several other hosts on the network.  Yes, "Register DHCP static mappings" is checked.

It does seem that NETBIOS doesn't propagate across different subnets; I was hoping for some sort of replacement or workaround to still get discovery working.

I made a little progress on the internet issue.  The two clients Wireguard is being tested with are an android phone and a linux laptop.

There's a firewall rule for the Wireguard VPN interface (WG_VPN) which passes traffic from source "WG_VPN net" to destination "any".  With the android phone this seems to work just fine both for accessing the LAN and the internet.  With the laptop however it can't seem to get to anything.  If I change the destination to "LAN net" I can access LAN hosts but not the internet.  In neither case do hostnames seem to work.
#8
So, I have a Wireguard VPN setup and somewhat working.

Opnsense, the Unraid server, and other hosts on the LAN will respond to pings, and their webpages are accessible through the tunnel.  Going to smb://10.10.x.y (Unraid server ip address) through the tunnel shows the available SMB shares, and they seem to work and be fairly responsive.

However simply going to "Network" in the file explorer to see available network resources finds nothing, and neither do network drives mapped to locations specified as: smb://hostname.local/sharename.  Ideally access to network resources would work when connected via VPN just as they do when connected on the LAN.

From my research this is likely because network discovery relies on layer 2 broadcasts which can't get through the Wireguard tunnel.  My research hasn't turned up a workaround for this.  Is automatic network resource discovery just not possible through a Wireguard tunnel?  Any clues on this front would be greatly appreciated.

Not sure if this is related but connected clients are also unable to get internet access through the tunnel.  I've gone through the OPNSense Road Warrior and the homenetworkguy.com guides, and double checked everything including that Wireguard is on Unbound's ACL list, but no joy.