Messages - alscx

#1
Hello,

I've subscribed to ProtonVPN and successfully configured a Wireguard connection in my Opnsense (25.7.11_9-amd64).

The thing is I've been trying for the last 3-4 days to forward a couple of ports in order to use qBittorrent and Nicotine (both running as docker containers) and I sincerely don't know what else to try...

I adapted some script that I found that, running on the machine that runs docker and using natpmpc (192.168.1.7), runs all the time and maps the desired internal ports to the public ports provided by ProtonVPN.

Requested tcp port 2234 -> Mapped public port: 34926
Requested udp port 2234 -> Mapped public port: 34926
Requested tcp port 6881 -> Mapped public port: 41524
Requested udp port 6881 -> Mapped public port: 41524

I then created the following in Firewall -> NAT -> Port Forward ("PROTWGNL" is the Wireguard interface and "PROTWGNL address" is the Wireguard addr 10.2.0.2):

Interface: PROTWGNL
Proto: TCP/UDP
Source Address / Ports: * / *
Destination Address / Ports: PROTWGNL address / 41524
NAT IP / Ports: 192.168.1.7 / 6881
Description: qBittorrent

By the way, I've tried forwarding the public port both to the same port internally (41524, making the corresponding changes on the script and also on qBittorrent) and to this port I'm currently using (6881), but the result is the same.
Also, I configured, based on a suggestion given by someone in another thread, "Set local tag" to PORT_FORWARD_VPN to afterwards create a floating rule.

Also, in Firewall -> NAT -> Outbound ("Hosts_ProtonVPN_WG_NL" is an alias group of the IPs that access this VPN, 192.168.1.7 included):

Interface: PROTWGNL
Source / Source Port: Hosts_ProtonVPN_WG_NL / *
Destination / Destination Port: * / *
NAT Address / NAT Port: Interface address / *
Static Port: NO
Description: (none)

And in Firewall -> Rules -> PROTWGNL (I had tried to limit only the specific internal IP and port, but then just allowed everything to test):

Protocol: IPv4 TCP/UDP
Source / Port: * / *
Destination / Port: * / *
Gateway: *
Schedule: *
Description: (none)

The option "State Type" is configured as "None", and I tried on different occasions both setting the "Gateway" and "reply-to" as the Wireguard Gateway, as instructed in some post I read here.


Firewall -> Rules -> LAN:

Protocol: IPv4 *
Source / Port: Hosts_ProtonVPN_WG_NL / *
Destination / Port: ! RFC1918_Networks / *
Gateway: PROTONVPN_WG_GATEWAY
Schedule: *
Description: (none)

I also created in Firewall -> Rules -> Floating:

Protocol: IPv4 TCP/UDP
Source / Port: PROTWGNL address / *
Destination / Port: ! PROTWGNL net / *
Gateway: PROTONVPN_WG_GATEWAY
Schedule: *
Description: *

Here I configured "Match local tag" as PORT_FORWARD_VPN and the "Direction" is set to out.

I remember being able to forward ports when I used AirVPN and it wasn't so hard... Am I maybe doing something wrong here? I appreciate any help.
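To make clear what the natpmpc loop in the post above actually does on the wire, here is an added Python example (not from the original post, nor from natpmpc or OPNsense) that encodes a NAT-PMP (RFC 6886) mapping request and decodes the gateway's reply; the gateway address and the simulated reply values are constructed assumptions, and the helper names are hypothetical.

```python
import socket
import struct

# NAT-PMP (RFC 6886) constants. The gateway IP passed to request_mapping() is an
# assumption for this illustration; the VPN provider supplies the real one.
NATPMP_PORT = 5351
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT_SUCCESS = 0


def build_map_request(proto, internal_port, suggested_external=0, lifetime=60):
    """12-byte mapping request. suggested_external=0 lets the gateway choose
    the public port, which is why the script gets a port like 41524 back for 6881."""
    opcode = OP_MAP_TCP if proto.lower() == "tcp" else OP_MAP_UDP
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, suggested_external, lifetime)


def parse_map_response(data):
    """Decode the 16-byte mapping response into a dict; raise on any error."""
    if len(data) != 16:
        raise ValueError("unexpected NAT-PMP response length %d" % len(data))
    version, opcode, result, epoch, internal, external, lifetime = struct.unpack("!BBHIHHI", data)
    if version != 0 or opcode not in (128 + OP_MAP_UDP, 128 + OP_MAP_TCP):
        raise ValueError("not a NAT-PMP mapping response")
    if result != RESULT_SUCCESS:
        raise ValueError("gateway refused the mapping, result code %d" % result)
    return {"proto": "tcp" if opcode == 128 + OP_MAP_TCP else "udp",
            "internal_port": internal, "external_port": external,
            "lifetime": lifetime, "gateway_epoch": epoch}


def renew_delay(lifetime):
    """RFC 6886 says to renew halfway to expiry, so a 60 s mapping must be
    refreshed about every 30 s or the public port silently closes again."""
    return max(1, lifetime // 2)


def fake_gateway_response(proto, internal_port, external_port, lifetime=60, epoch=12345):
    """Constructed reply for offline testing; a real gateway fills these fields in."""
    opcode = 128 + (OP_MAP_TCP if proto == "tcp" else OP_MAP_UDP)
    return struct.pack("!BBHIHHI", 0, opcode, RESULT_SUCCESS, epoch, internal_port, external_port, lifetime)


def request_mapping(gateway_ip, proto, internal_port, lifetime=60, timeout=2.0):
    """Send one request to the VPN gateway and return the parsed reply (does network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_map_request(proto, internal_port, 0, lifetime), (gateway_ip, NATPMP_PORT))
        data, _ = sock.recvfrom(64)
    return parse_map_response(data)
```

The external_port in the reply is the value the OPNsense port-forward rule has to match on the VPN interface, and it can change whenever the mapping is allowed to lapse, so the firewall rule and the renew loop must be kept in step.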
#2
Quote from: newsense on December 31, 2022, 07:49:57 PM
Unsure what you mean by
Quote: If I'm home and using wireless everything works fine

By the looks of it you're missing a port forward rule as follows:

Source WiFi_Vlan (or Device_IP) Destination Wan_IP:Wireguard_Port --Redirect to 127.0.0.1:Wireguard_Port

This would make your transition in and out of home WiFI seamless on WG side.

Hey, thanks for taking the time to help me.

What I mean is I keep both my wifi and 4G always on. The ideal scenario would be that when outside it connects using the 4G and once I get home it keeps the smartphone connected using the wifi (without having to turn off the VPN).

Well... these last couple of weeks are my first experience using opnsense. I'm not that used to its syntax yet.

Is the following what you're suggesting?

WAN    UDP    WG net    51825    WAN address    51825    127.0.0.1    51825    
#3
Thank you for your interest.

I generally keep both the wifi and 4G up all time on my Android phone. The same goes with the VPN (with that kill switch "always on" option that Android provides).

So in this context, if I'm at first using wifi everything works well, connected through the VPN, with low latency on pings, etc. If I turn off the wifi the link stays up on the 4G and the VPN link keeps working (with the obvious change in latency, considering I'm now connected on a slower link). The problem is that if I turn on wifi once again, although it stays connected, the connection becomes slower (in fact even slower than the 4G) even when accessing other machines on my LAN, and it only behaves as expected if I disconnect and reconnect the VPN on my smartphone. It's as if I were connecting from outside my LAN, not internally via my wifi.

I imagined that, based on what I've read so far (and now from your suggestion), either DNS split or NAT Reflection could solve my issue.

Could you give me a little more details and point me in the right direction on how I may implement it? I mean... I already enabled the corresponding options on OPNsense, but I have no idea about what to do now.
#4
Hello,

I have two Wireguard interfaces. One as client to Mullvad VPN and the other as a server to a road warrior smartphone client. By reading the docs, googling and asking around I managed to make everything work.

Just one little thing is missing that I don't know if it is not possible or I'm lacking the knowledge to implement.

The thing is I enabled the VPN options "Always on" and "Block connections without VPN" on my phone, so that I can keep the VPN always up, no matter if I'm at home or outside, or using wireless or 4G. It kind of works, but I noticed that:

- If I'm home and using wireless everything works fine. If in order to test I turn the wireless off and turn on 4G I can't ping anymore, unless I disable and reenable the Wireguard connection on the phone.

- If I'm using 4G everything works (I can ping my other LAN machines, the Internet, etc) but if I turn on wireless the same thing happens. I can't ping any more and have to quickly disconnect and reconnect the Android Wireguard app.

I noticed that if I do what this guy suggests (split DNS) it works, but when I'm connected from wireless it acts as if I'm connected from outside (pings with higher latency, slow ssh connections, etc).

Someone suggested Hairpin NAT (or NAT reflect, that I believe is the same concept). I enabled the corresponding options on "Firewall -> Settings -> Advanced", but apart from that I have no idea about what to do.

So in short, is keeping the VPN always up on my smartphone and being able to connect both outside my LAN and behind my firewall possible to implement?

I'd appreciate any input from someone more experienced.