Messages - tim777

#1
I have started the tcpdump.

But first I checked with the Network Analyzer App on my phone the public IP (from outside of my network).

Ping ok
Trace route gives results
Whois also gives information about the provider etc

but

Port scan = 0 open/all blocked???? That shouldn't be, since I have some rules on the FW.


Also I noticed under Interfaces/Overview that the igc0 IF (first physical port that is connected to the WAN/ONT) with an IPv6 address is not assigned. I have a WAN IF as PPPoE where I can see the public IP.

#2
Hi, the IP is reachable, I was able to connect to the Vilfo router. The provider even comes with a DDNS.

Thanks guys for your support! I need a solution until Friday evening, otherwise I have to switch back. Don't know if I will try again if it doesn't work.
I also have some other requirements, like site-to-site VPN, different device groups that should use different VPN connections or go through the I-net provider, etc. If this supposedly easy task does not work, what to expect for the rest? I don't know if it's this new version or a general problem. It's my second attempt to use OPNsense.
While I'm not a FW specialist, I'm still quite experienced with IT.


Could Pfsense be a better solution?
I know it's almost the same, but maybe more stable.
Regards

#3
Quote from: cookiemonster on August 06, 2024, 11:23:24 AM
Need to be in work meetings from now.

I know, I know, this thing that holds us back from important things to do ;D
#4
Hi Cookiemonster,

You can find the screenshot on page 2, reply #26.
There is the WAN rule UDP to 51820.
This is not an alias, I just renamed WAN to WAN_Digi (later a second I-Net provider is planned as backup). Maybe I shouldn't have done this?
#5
Attached screenshots in addition to the FW rule for WAN already posted.

Please tell me if I missed something.


#6
I didn't see anything like this in the dashboard. I have added the Wireguard widget but there is a flat line, so I guess no handshake?
Did you maybe mean something else in the dashboard?
#7
That's correct now, but still does not work

#8
Quote from: Patrick M. Hausen on August 05, 2024, 01:16:37 PM

Source: any/*
Destination: WAN address
Destination port: 51820
Protocol: UDP
Action: allow

HTH,
Patrick

OK, that was a mistake, instead of 51820 I had copied the (MTU) 1412 as destination port. Changed, but still no access. When I connect, the app shows me that the interface is listening on 58240. I'm not sure if I noticed this before changing the FW rule. Means the instance from the WG app is listening on 58240, right?

The main question remains, how I have configured the client (see attached image before).


Thank you so far!
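As an added example (not code from OPNsense, the WireGuard app or anyone in this thread), here is a small Python checker that reads the client .conf the WireGuard app imports and cross-checks it against the server's listen port, the WAN rule's destination port and the LAN you want to reach, so slips like 1412 (the MTU) in place of 51820 or a swapped key are caught before testing over the hotspot. The keys and addresses in the sample are constructed placeholders, and the listen-port and rule-port arguments are assumed to be read off the OPNsense GUI.

```python
import configparser
import ipaddress

# Constructed sample with placeholder keys and documentation addresses (not real).
SAMPLE_CONF = """\
[Interface]
PrivateKey = QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
Address = 10.10.10.2/24
MTU = 1412
[Peer]
PublicKey = QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI=
AllowedIPs = 192.168.1.0/24
Endpoint = 203.0.113.10:51820
"""

def parse_wg_conf(text):
    """Parse the INI-style [Interface]/[Peer] file the WireGuard app imports."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case (PrivateKey, AllowedIPs)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_client_conf(text, listen_port, wan_rule_port, lan_cidr):
    """Return problems found; an empty list means client, server and WAN rule agree."""
    conf = parse_wg_conf(text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    problems = []
    # Keys: the client's own PrivateKey and the server's PublicKey must both be
    # present and must differ (the "which key goes where" mix-up pastes one twice).
    if not iface.get("PrivateKey") or not peer.get("PublicKey"):
        problems.append("Interface.PrivateKey and Peer.PublicKey are both required")
    elif iface["PrivateKey"] == peer["PublicKey"]:
        problems.append("Interface.PrivateKey equals Peer.PublicKey: keys swapped?")
    # Endpoint port must be the port the server instance actually listens on...
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit():
        problems.append("Peer.Endpoint must be host:port")
    elif int(port) != listen_port:
        problems.append(f"Endpoint port {port} != server listen port {listen_port}")
    # ...and so must the WAN rule; an MTU-sized value there is the classic slip.
    if wan_rule_port != listen_port:
        hint = " (that is the MTU, not a port)" if str(wan_rule_port) == iface.get("MTU") else ""
        problems.append(f"WAN rule allows UDP/{wan_rule_port}, server listens on UDP/{listen_port}{hint}")
    # AllowedIPs must cover the LAN, or packets for it never enter the tunnel.
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    if not any(n.version == lan.version and lan.subnet_of(n) for n in allowed):
        problems.append(f"AllowedIPs {peer.get('AllowedIPs', '')} do not cover LAN {lan}")
    return problems
```

With AllowedIPs = 0.0.0.0/0 the LAN check passes too, but then all client traffic (internet included) goes through the tunnel and needs outbound NAT on the firewall, which is the symptom of "no internet either" with the tunnel up.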

#9
Quote from: Patrick M. Hausen on August 05, 2024, 11:13:13 AM
On OPNsense,

- do you have a firewall rule on WAN permitting 51820/UDP to "WAN address"?

Nope, because there is nothing about it in the manual. Only UDP to 1194 and 1412.



Quote
- do you have a firewall rule on the "WireGuard" interface group (or an assigned interface if you did that) with "allow * *"?

Yes, I have a dedicated interface with a rule that allows all IPv4 traffic. See screenshot.
#10
Quote from: Patrick M. Hausen on August 05, 2024, 08:53:09 AM
WireGuard for MacOS is on the App Store:

https://www.wireguard.com/install/

What do you think I have been doing all the time ;)?

See first post on this page:


Quote
Wireguard from Mac with the Wireguard App

followed this tutorial first:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
but at Step 6, surprise....


I have manually configured the WG connection in the app like suggested in the manual as a common config. See attached image.

But I cannot get a connection either to the OPNsense FW or to any device on the LAN when the WG connection is activated (Mac connected to the internet via mobile phone hotspot). There is a green light with the connection.

Interesting that I cannot connect to the internet either!

So what I think is that the connection is actually established, but some configs in the FW are not ok??



#11

Quote from: Patrick M. Hausen on August 05, 2024, 07:08:30 AM

Of course you need to have a working WG server running - on your OPNsense! - to use the app for the Mac. Nowhere does this statement imply you need a server for the Mac.

That's what I thought too. Meanwhile nothing is sure to me, if it is not explicitly mentioned in the manual, after such experiences.
Also I have no experience with WG at all.

Thanks, I will try again,

but ....

Quote from: cookiemonster on August 04, 2024, 11:33:42 PM
I can't help with MacOS for the moment.
Let's stick with WG.
At step 6 you use wg-tools on your MacOS. Are you able to get here? Are you able to stay on IPV4 only?
If yes, we just need to let you know which keys go where. Because of their shared names "public key", "private key", it might make it unclear which one goes where.

No, I'm not able to install wg-tools, as described in the messages above.
Since this is a business administrated Mac (but I'm local admin), I don't know if I can disable IP6, but afaik we are on IP4.
#12
Quote from: cookiemonster on August 04, 2024, 12:25:01 AM
well I got all confused now.
You can access the OPN firewall from the inside, right? And now want to setup a VPN so you can connect to "it" when away, correct?

Exactly! (was my post so confusing?)

Quote
The "it" is important here. Normally the VPN is used to connect to "it" to reach the network inside it, i.e. the LAN from the WAN. Connecting to the firewall itself, like for managing it, needs additional steps.
The links I shared although a little old should have the additional steps, which normally mean "allow all ips".
WG is easier than OpenVPN by the way.

I followed the (awful) tutorials and set up both OpenVPN and WG in the FW again.

OpenVPN

a) with OpenVPN Connect on Android device:

Error Message: "Select Certificate. This profile does not include certificate. Continue with connecting without a certificate or select one from Android keychain?"

Attached the config file that I have exported from the FW and imported to the client on the phone. Note, I have added <ca></ca> manually, since it was not there, and in the config for the Vilfo router, which works, these are there. It didn't work without either.

b) With Tunnelblick App on Mac
Please see the log file attached.

Wireguard from Mac with the Wireguard App

followed this tutorial first:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
but at Step 6, surprise!
Quote
Client configuration is largely beyond the scope of this how-to since there is such a wide array of possible targets (and corresponding configuration methods)
You don't say.
Ok, keep calm I thought, and continued with:
https://wireguard.how/client/macos/

It starts with:

Quote
In this tutorial, we setup a WireGuard client on macOS. Before following this tutorial, you should already have a working WireGuard server running. Install the WireGuard app for macOS.

OK, clicked on https://wireguard.how/server/

But there is no guide for Mac there! Really? This is just a big b***hit.

But even going forward with the client config

sudo wg show wg0
command not found: wg

I wanted to install the tools (found that on the I-net) with
sudo install wireguard-tools

Didn't work.

usage: install [-bCcpSsv] [-B suffix] [-f flags] [-g group] [-m mode]
               [-o owner] file1 file2
       install [-bCcpSsv] [-B suffix] [-f flags] [-g group] [-m mode]
               [-o owner] file1 ... fileN directory
       install -d [-v] [-g group] [-m mode] [-o owner] directory ...



Quote
Start by setting up the ddns please.

I guess, it is done. For now I'll try it with the public IP, if that works I will look to ddns again. According to my I-Net provider they are managing the binding to the IP, so nothing is required. Let's see this later.

What next?

What I don't understand with WG is: do I need a Server and a Peer on both sides, FW and Mac (or other OS)?

Quote
WG is easier than OpenVPN by the way.
....

So far, I wouldn't use the word easy for either of them :-\
#13
I'm aware of the peer concept, therefore I didn't use the term CS, but "by app" to make clear that I don't want (can't) connect two FW/routers.

I can use a PC (Linux or Mac) via phone/hotspot to access the FW from outside.

I don't know what is easier, WG or OpenVPN. Will probably do it with the Mac, since it's easier to install and set up the apps.

The problem is, that I can't set up the OpenVPN server, even with following the manual.

Is nobody out there who was able to connect to the new version?????

#14
24.7, 24.10 Series / Re: Web access to OPNSense
August 02, 2024, 07:20:16 PM
Quote from: cookiemonster on August 02, 2024, 06:13:21 PM

An app is not magically going to be magically configuring OPN on the inside.

Sure, this is not my expectation. What I meant by "via app" was a client-server connection not a server-server, respectively site-to-site connection. Because I don't have the other server yet. If this will work, we will see.

Quote from: cookiemonster on August 02, 2024, 06:13:21 PM

Perhaps this helps: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

I followed these steps already, like in the OPNsense manual. When scanning the QR code I get an error message. Both with the domain name and the public IP address. So it is the setting that is wrong, or a bug, or I don't know what. Maybe I made a mistake, but how to check when the manual does not match the new version of the software???
Unfortunately I can not see the whole message on the phone and it disappears after 2 seconds.



#15
24.7, 24.10 Series / Re: Web access to OPNSense
August 02, 2024, 05:24:38 PM
Quote from: cookiemonster on August 02, 2024, 04:57:28 PM

If the peer you want is an app, I can't help.

Yes, I need a connection via an app, for the time being, because I need to have remote access in order to configure site-to-site later, from another location.

It is simply frustrating. The manual does not match the GUI of the new version at all! Neither for WireGuard, nor for OpenVPN. All tutorials on YT are for the older GUI. How can one release such a change without adjusting the manual??

I have tried with OpenVPN,
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

On the last step, adding an SSL server, the server certificate created as per the manual is not accepted because

"Certificate SSLVPN Server Certificate is not intended for server use."  >:(