OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of n-dolce »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - n-dolce

Pages: [1]
1
23.7 Legacy Series / Re: Wireguard over Mullvad (VPN) does not work anymore after upgrade to 23.7.4
« on: September 17, 2023, 06:38:35 pm »
Quote from: newsense on September 16, 2023, 02:32:40 pm
Check server status. If you touched our previously working configuration it's better to start over. There are no issues in 23.7.4 to be worried about here.

https://mullvad.net/en/servers
When you change how the software works and break working configurations along the way, I would call this an issue.

Quote from: opn69a on September 16, 2023, 07:07:43 pm
I use Mullvad as well and am assuming you're running into the same issue as me. If so... It's actually the upgrade to 23.7.3 that killed it, but OPNsense didn't reboot during that version like it did for 23.7.4, so it was kind of broken without knowing.

I got my VPN itself working via my latest post here: https://forum.opnsense.org/index.php?topic=35972.0
However, I'm still running into the issue where the firewall itself is not being routed through the VPN. This is likely due to the route that I deleted, mentioned at the end, but I'm not sure. I've got a separate thread here, where I'm trying to figure this out still: https://forum.opnsense.org/index.php?topic=35977.0

Note that the solution to the first link is probably mostly a hacky-version of it. TL;DR to it: I followed the Mullvad instructions from the pfsense+wireguard, but also checked the "disable routes" checkbox in the wireguard server settings (So it'd work on reboot).

Basically, it appears that when wireguard got moved from a software module over to the kernel, it took the changes for gateway configuration OR the routing table with it, resulting in it not working (i.e. killswitch was being hit so VPN "didn't work")... That's my current theory anyway. Perhaps the `0.0.0.0/0` allowed IPs is not a solution anymore for opnsense? No idea, lol. Just a bunch of messy theories I've got going in my head at the moment.
Thank you. I saw your thread earlier and after reading the pfsense guide I got it working as well. First I needed to manually add a gateway for IPv4 as instructed for pfsense (IP for the GW is 10.64.0.1, which is the IP of Mullvads IPv4 proxy) and then modified the "allow LAN to anywhere"-rule to use the gateway. It works fine now, I think I will be able to make it work from here. As a helpful note, if you are looking to make IPv6 work as well you can get the IPv6 address for the IPv6 gateway with the following snipped.
Code: [Select]
curl https://ipv6.am.i.mullvad.net --socks5-hostname 10.64.0.1

2
23.7 Legacy Series / Wireguard over Mullvad (VPN) does not work anymore after upgrade to 23.7.4
« on: September 16, 2023, 12:46:18 pm »
Hi,

I previously followed the instructions in the official documentation to let all traffic from both the firewall as well as all clients exit through a wireguard VPN with Mullvad. Of the two available plugins for wireguard I used the version integrated into the kernel.

I setup the connection in the plugin, created an interface for the wireguard connection and setup an outbound NAT rule. This was originally very easy to setup and worked on the first try until I did the most recent update. After the update and a subsequent reboot the connection stopped working and I have been unable to set it up again. At first I though it might be a DNS problem, but neither the firewall nor the clients can even ping any outside address.

I really hope someone with more experience can tell what has changed (I found nothing helpful in the release notes) or what I need to change in this setup to make it work.

Thank you.

3
General Discussion / Re: Creating LAN bridge does not work as intended.
« on: April 19, 2023, 08:54:42 pm »
It is the solution for the connection loss at least, routing is still somehow broken.

Computer 1 IP is 192.168.1.220, computer 2 IP is 192.168.1.160. When I SSH from computer 1 to computer 2, computer 2 still says I am connecting from 10.1.114.242. Computer 2 still has no internet connectivity.

4
General Discussion / Re: Creating LAN bridge does not work as intended.
« on: April 19, 2023, 08:34:40 pm »
I was able to fix the instability with connection loss. I was forcing 2.5Gbits speed and it seems the cable is not up to it. It seems it wend under my radar since my connections are mostly TCP.

5
General Discussion / Re: Creating LAN bridge does not work as intended.
« on: April 19, 2023, 08:08:54 pm »
Under System -> Routes -> Status, this is the entry my SSH server on computer 2 says I am coming from when connecting via SSH

Code: [Select]
10.1.114.242 link#11 UHS NaN 16384 lo0 Loopback

6
General Discussion / Re: Creating LAN bridge does not work as intended.
« on: April 19, 2023, 08:01:37 pm »
I am unsure, but it seems something is wrong with the routing. Computer 2 says that I am connected from a 10.* address, that my VPNs uses for example, it seems I am not coming from a LAN address.

7
General Discussion / Re: Creating LAN bridge does not work as intended.
« on: April 19, 2023, 07:50:18 pm »
I set the MTU to 1500 on all OPTx interfaces, the bridge does not seem to have an option for it. Still the same, sometimes up to 1Gbps then again nothing for a couple seconds.

8
General Discussion / Re: Creating LAN bridge does not work as intended.
« on: April 19, 2023, 07:24:39 pm »
I just managed to get SSH to also work. So the problem seems to be that the connection is breaking every now and then. When I run iperf3 I sometimes get 200 to 500 mbps and sometimes 0 mbps for a couple seconds. Hardware offloading is already deactivated as far as I can see, and computer 2 still cannot access the internet.

9
General Discussion / Re: Creating LAN bridge does not work as intended.
« on: April 19, 2023, 07:18:38 pm »
Quote from: clarknova on April 19, 2023, 06:10:25 pm
Quote from: n-dolce on April 19, 2023, 05:55:24 pm
While computer 1, which is connected to OPT0, can go into the internet, computer 2 can not. Computer 2 can connect to the firewalls web UI tough.

This makes me think the outbound NAT configuration could be wrong. Can you attach a screen shot of the outbound NAT settings?
It would explain why computer 2 is not able to access the internet, but it would not explain why I can't SSH from computer 1 to computer 2. Okay so running iperf3 between the 2 computers works, SSH is still a no-go.

I attached the NAT configuration to this post.

10
General Discussion / Re: Creating LAN bridge does not work as intended.
« on: April 19, 2023, 05:55:24 pm »
I initiated a ping between both computers and run
Code: [Select]
apr -a after that on both.

On computer 1:
Code: [Select]
_gateway (192.168.1.1) at xx:xx:xx:xx:xx:xx [ether] on enp37s0f0
? (192.168.1.160) at xx:xx:xx:xx:xx:xx [ether] on enp37s0f0

On computer 2:
Code: [Select]
_gateway (192.168.1.1) at xx:xx:xx:xx:xx:xx [ether] on enp0s13f0u4u2
? (192.168.1.220) at xx:xx:xx:xx:xx:xx [ether] on enp0s13f0u4u2

While computer 1, which is connected to OPT0, can go into the internet, computer 2 can not. Computer 2 can connect to the firewalls web UI tough.

11
General Discussion / Re: Creating LAN bridge does not work as intended.
« on: April 19, 2023, 04:03:19 pm »
For the software stack:
OPNsense 23.1.5_4-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

12
General Discussion / Creating LAN bridge does not work as intended.
« on: April 19, 2023, 04:02:42 pm »
Hello everyone,
I followed the instructions here the create a LAN bridge: https://docs.opnsense.org/manual/how-tos/lan_bridge.html. I made sure to set the tunables as instructed and to be sure did the reboot. LAN is assigned the newly created bridge0 interface and bridge0 consists of OPT0,OPT1 and OPT2, while WAN is assigned to the fourths interface.

My computer is connected to OPT0, another computer connected to OPT1. I can send a ping from my computer on OPT0 to the computer on OPT1, but I can not use SSH or access a webinterface running on port 80 and port 443. I have checked that all my firewall rules refer to and are applied to the LAN interface, not and of the OPTx interfaces.

What am I doing wrong here, is there anything else I need to pay attention too? Thank you.

13
General Discussion / Re: Need advice for non-standard Wireguard setup
« on: November 08, 2022, 08:41:44 pm »
If this helps anyone I tried something different and followed the guide: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

I can (somewhat) connect from the network behind the OPNSense router to the outside world, at least it seems websites which DNS information has been cached load fine. Surfing to other websites, like yahoo.com for example result in a timeout. So something is afot with DNS here.

14
General Discussion / Need advice for non-standard Wireguard setup
« on: November 07, 2022, 08:30:05 pm »
Hi there people,

I created an account because since a couple of days I have been biting my nails trying to get a non-standard Wireguard setup to work. There are a lot of tutorials online explaining the so calles Road-Warrior-Setup where people connect from remote to the Wireguard server on a router, or site-to-site setup as well as simple uses of Wireguard as a VPN service. I come from a modest developer background and have prior experience only with basic home routers. So I hope somebody on here can guide me in the correct direction what to do with the many options that OPNSense offers.

I rented a simple small cloud computer as a central point for a Wireguard setup. I configured the Wireguard interface on the server with the usual two lines of allowing forwaring of packages with the PostUp and PostDown options and added three peers. One is my phone, one is my laptop and the last one is supposed to be my OPNSense router.

In OPNSense I configured the interface (under the local tab) and a corresponding endpoint. The current state is that my laptop, my phone as well as all devices in my home network can ping and talk to each other using the IP addresses I assigned to them. The laptop and phone also use the central cloud server as an exit point (VPN functionality). However my OPNSense router does not, which is obvious given the fact that the endpoint only has the 192.168.2.0/24 subnet as allowed IPs. Those IPs are the one I assined to devices on the other site of the tunnel.

So I though I add 0.0.0.0/0 to the endpoint to route all traffic there. When I do this devices in my home network can send pings to the outside, but apart from that all this does is break the setup. Remote devices connected directly to the cloud instance can not communicate into my home network anymore, and while the home network can ping the remote devices it seems that DNS resolution into the internet is completely messed up. Pings into the internet still work though.

OPNSense has so many nobs to turn, and some online tutorials use routes and network card assignments that I had no luck in figuring out what I need to do to use the cloud server as an exit point for my home network as well. I am 75% there but for the last 25% I kindly request your assistance.

P.S. In case my setup is not clear I have attached some images.

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2