Wireguard in road warrior selective routing and mullvad VPN
« on: April 07, 2022, 11:25:27 am »
Hi, I'm setting up an infrastructure in order to use multiple VPN peers (location) based on the ethernet port where the client is connected. I'm using VLAN to segregate the communication. My architecture is the following:
1. Switch HP 1810-8G
2. APUC for with OPNSense latest version
My problem for now is that my tunnel is not coming to life.
I followed all the tutorial on opnsense for mullvad and also the one for selective routing.
When I want to launch the wireguard from the console, I get the following:
```
root@router:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
wg-quick: `wg1' is not a WireGuard interface
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet ip/24 alias
[#] ifconfig wg0 inet6 ip/64 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[+] Backgrounding route monitor
[#] route add 192.168.20.1 -iface wg0
add host 192.168.20.1: gateway wg0 fib 0: route already in table
[#] rm -f /var/run/wireguard/wg0.sock
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
[#] ifconfig wg1 inet ip/24 alias
[#] ifconfig wg1 inet6 ip/64 alias
[#] ifconfig wg1 mtu 1420
[#] ifconfig wg1 up
[+] Backgrounding route monitor
[#] route add 192.168.30.1 -iface wg1
add host 192.168.30.1: gateway wg1 fib 0: route already in table
[#] rm -f /var/run/wireguard/wg1.sock
root@router:~ #
```
So something should be wrong inside my WireGuard configuration, I guess, but I can't understand what is wrong.

I have the following configuration:
I created one Local for each location, then I generated the public key and used the API at Mullvad to add it as public/private key. Then I used the tunnel address that the API returned. I have one concern about this address: if I read the documentation, it says that we should not have a /32 or /128 address as tunnel, but Mullvad is returning exactly this... I also tried to change it to a /24, but still no tunnel.
Then for the peers, I downloaded the config of the peers I wanted, put in the endpoint address/port from the config, put in the gateway field the IP of the VLAN I want to be on, checked Disable routing, and then created the gateway as well. I also created the rules inside the firewall to block connections to the WireGuard interface from IP subnets other than the one I want. I also created floating rules for the routing.
Do you think it could be this error: "gateway wg0 fib 0: route already in table", and something not working well with the latest version and the Disable routing option?
Can you help me debug this, please?
EDIT: I think I found the problem, and I think it's a bug in the UI used to generate the WireGuard configuration. Even if you select the "Disable Routes" option in the local configuration, inside wg0.conf there is:
```
PostUp = route add 192.168.20.1 -iface %i
PostDown = route del 192.168.20.1 -iface %i
```
Deleting those two lines fixed the problem. Should I open a GitHub issue about this? In fact those two entries are added when we choose "advanced options" and add a gateway.
Now that my tunnel/gateway are up, I have another problem. When I'm connected from a VLAN, I try to curl http://8.8.8.8 and I get the router login page. It's like all IPs different from my subnet get redirected and are not going outside.
Do you think it could be a problem that my WAN interface has a 10.0.0.0/24 network, which belongs to RFC 1918?
Here is an example of traffic from the VLAN interface:
```
LANVPNFRANCE
vlan02 12:29:43.188234 IP 192.168.20.100 > 8.8.8.8: ICMP echo request, id 13, seq 37, length 64
VLANVPNFRANCE
vlan02 12:29:43.188288 IP 192.168.20.1 > 192.168.20.100: ICMP echo reply, id 13, seq 37, length 64
```
86 reads and no message. I figured it out myself. You can delete my message if needed.
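A lint for the two [Interface] concerns the post raises (route hooks emitted into wg0.conf despite "Disable Routes", and /32 or /128 tunnel addresses), added here as an example and not code from the thread, from OPNsense or from Mullvad; the sample config, its keys and its addresses are constructed placeholders.

```python
import ipaddress
import re
# Constructed sample mirroring the wg0.conf fragment in the post; keys/addresses are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.64.0.2/32, fc00:bbbb:bbbb:bb01::1:1/128
PostUp = route add 192.168.20.1 -iface %i
PostDown = route del 192.168.20.1 -iface %i

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""
HOOK_KEYS = ("preup", "postup", "predown", "postdown")
ROUTE_CMD = re.compile(r"\broute\s+(add|del|delete)\b", re.I)

def parse_interface(conf):
    """Return {lowercased key: [values]} for the [Interface] section; repeated keys keep order."""
    section, out = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "interface" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out.setdefault(key.lower(), []).append(value)
    return out

def lint(conf, routes_disabled=True):
    """Return (code, detail) findings for the config text; nothing on disk is changed."""
    iface = parse_interface(conf)
    findings = []
    # Hooks that edit the routing table contradict "Disable Routes" and caused "route already in table".
    for key in HOOK_KEYS:
        for cmd in iface.get(key, []):
            if routes_disabled and ROUTE_CMD.search(cmd):
                findings.append(("route-hook", f"{key} = {cmd}"))
    # Single-host tunnel prefixes (/32, /128) are reported for review, not rejected.
    for addr in (a.strip() for v in iface.get("address", []) for a in v.split(",") if a.strip()):
        ip = ipaddress.ip_interface(addr)  # raises ValueError on a malformed address
        if ip.network.prefixlen == ip.max_prefixlen:
            findings.append(("host-prefix", addr))
    return findings
```

Run `lint(open("/usr/local/etc/wireguard/wg0.conf").read())` on the generated file before restarting the service; an empty list means neither issue is present.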