Messages - someone1337

#1
I finally figured out a combination of rules that will allow this routing to happen.  Here's what I did:

In Firewall -> Rules -> VLAN20, I have:

  • (IPv4  VPN_hosts_alias  *  !RFC1918_Networks  *  VPN_gateway  *)
  • (IPv4 * * * * * *)

I have DHCP set up on VLAN20 to serve 192.168.20.100-192.168.20.225 ... so, I added this range to VPN_hosts_alias.

Adding the DHCP range to VPN_hosts_alias takes care of the NAT translation to the VPN interface's address, since I already have the NAT rule set up for that alias.

Now, anything that connects to my VLAN20 automatically gets routed to VPN ... excellent!
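The two-rule arrangement above, modelled as a first-match evaluator so the effect of the source alias and the negated RFC1918 destination can be checked against sample packets. This is added example code, not OPNsense's own logic; the alias contents, the gateway-to-interface mapping and the sample packets are assumptions.

```python
import ipaddress
from typing import Tuple

# Constructed aliases mirroring the poster's setup (assumed contents, not exported from OPNsense).
ALIASES = {
    # RFC1918_Networks: the standard private ranges, used negated as the VPN rule's destination
    "RFC1918_Networks": [ipaddress.ip_network(n) for n in
                         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    # VPN_hosts_alias: the VLAN20 DHCP range 192.168.20.100-192.168.20.225 the poster added
    "VPN_hosts_alias": [ipaddress.ip_network(f"192.168.20.{i}/32") for i in range(100, 226)],
}

# Firewall -> Rules -> VLAN20, in evaluation order (first match wins, as in pf).
# Fields: source alias, destination alias ("!" negates), gateway to use.
VLAN20_RULES = [
    {"src": "VPN_hosts_alias", "dst": "!RFC1918_Networks", "gateway": "VPN_gateway"},
    {"src": "*", "dst": "*", "gateway": "default"},   # catch-all: normal default route
]

# Firewall -> NAT -> Outbound: on the VPN interface, translate VPN_hosts_alias sources to the
# interface address. Represented as (egress interface, source alias); mapping is assumed.
OUTBOUND_NAT = [("VPN_interface", "VPN_hosts_alias")]
GATEWAY_INTERFACE = {"VPN_gateway": "VPN_interface", "default": "WAN"}


def in_alias(addr: ipaddress.IPv4Address, spec: str) -> bool:
    """Match an address against an alias name; '*' matches anything, a leading '!' negates."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    hit = any(addr in net for net in ALIASES[spec.lstrip("!")])
    return hit != negate


def route(src: str, dst: str) -> Tuple[str, bool]:
    """Return (gateway chosen for the packet, whether outbound NAT rewrites its source)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in VLAN20_RULES:
        if in_alias(s, rule["src"]) and in_alias(d, rule["dst"]):
            gw = rule["gateway"]
            egress = GATEWAY_INTERFACE[gw]
            natted = any(iface == egress and in_alias(s, alias) for iface, alias in OUTBOUND_NAT)
            return gw, natted
    return "drop", False  # no rule matched: pf's implicit default deny


if __name__ == "__main__":
    # Constructed packets: DHCP client to the Internet, same client to the LAN, and a
    # statically addressed host outside the DHCP range (so outside the alias).
    for src, dst in (("192.168.20.150", "203.0.113.10"), ("192.168.20.150", "10.35.35.10"),
                     ("192.168.20.50", "203.0.113.10")):
        print(src, "->", dst, route(src, dst))
```

The last case is the one to watch: a VLAN20 host outside the alias range falls through to the catch-all and leaves via the default gateway unNATted, which is the leak a per-alias rule allows.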
#2
I'm hitting a roadblock here, and not sure how to make my routes work correctly.

Basics:

LAN: 10.35.35.1/24

Several [wireguard] VPN connections configured via https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html, and working perfectly via selective IP addresses (aliases).  I also have gateways to each of the VPN tunnels.  Everything works perfectly.

Recently, I added a WAP that allows me to tag a certain WiFi network with VLAN, so I'm trying to create a WiFi network that, when connected to, routes automatically over one of my VPN connections.

The concerned VLAN is "VLAN20" ... and no matter how I specify the routing, I can't get VLAN20-tagged packets to route over the VPN.  DHCP is working for VLAN20 (192.168.20.1/24), and I get good addresses when I connect; just no internet (over the VPN) when connected.

From my understanding, this requires two new rules:

  • Direction to send VLAN20 packets to the VPN_gateway
  • NAT outbound rule to change anything in the VLAN20 net to the VPN interface's address

I have tried forcing VLAN20 packets to use the VPN_gateway via:

  • Firewall -> Rules -> VLAN20 (* * * * VPN_gateway)
  • Firewall -> Rules -> LAN (VLAN20 Net * * * VPN_gateway)

And added the NAT:
Firewall -> NAT -> Outbound (VPN_interface VLAN20 net * * * Interface address *)

But no matter which way I force the gateway, no connected clients get internet through the VPN_gateway.

I even tried hard-coded IPv4/32 addresses in both Firewall rules and NAT ... still no internet through VPN_gateway.

I have read other tutorials online that seem to indicate I am addressing the right rules, but I cannot get connected clients within VLAN20 to use the VPN_gateway.

:(

Can anyone help me with the rules I am bungling or missing?
#3
Also, just in case you're trying to get port forwarding working...

I still had problems port forwarding over WireGuard running OPNsense 22, and solved it using the steps in the GitHub issue:

https://github.com/opnsense/core/issues/4389

The solution posted there works, but I had to switch over to the OPNsense Development branch in order for it to work.

No idea why this is such a problem (still)...
#4
I still had this problem running OPNsense 22, and solved it using the steps in the GitHub issue:

https://github.com/opnsense/core/issues/4389

The solution posted there works, but I had to switch over to the OPNsense Development branch in order for it to work.

No idea why this is such a problem (still)...

Edit: This was a reply to the wrong thread ... sorry!  I'll reply to the correct thread...
#5
Okay it turns out that opnsenseWGName was the issue.  I named it PIA_toronto, which apparently was causing the script to pull my existing PIA config from OPNsense.  When the script asked for a new wireguard key (using an existing WG public key), PIA refused the creation and caused the script to fail.

So, I changed opnsenseWGName to PIACA, and it created the interface just fine.

Not sure if the API doesn't like the underscore or the small caps ... but removing both allowed me to move forward!
#6
FG,

I am trying to add my second tunnel according to your instructions on the bottom of page one, but I am getting the same error as Learning:

wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information

A search on the word 'exchnage' shows the script is choking at line 575.

I have a different name, port, and region ID in PIAWireguard.json, and I've renamed the script to indicate the different region so I don't get confused (and added the action lines as well).

This is the output:

WGInstanceUUID:
WGPeerUUID:
WGInstance:
WGPeer:
WGPeer is blank but this isn't an issue
metaServer
toronto438
178.249.214.97
wgServer
toronto438
178.249.214.109
Your PIA Token (Meta), DO NOT GIVE THIS TO ANYONE
{
    "status": "OK",
    "token": "redacted"
}

wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information

Your previous comment mentions that the script prints out `opnsenseWGPubkey` but I don't see that displayed in the debug output or have any reason to believe it's incorrect (?).

Any other ideas?  I don't know how to interact with PIA's API to get my own wireguard key and set it all up manually (but I suppose I could read your URLs and figure that out :P )

The script worked perfectly on the first tunnel, so thanks for all the hard work!

Cheers!