Virtual private networks / Wireguard still not on WAN alias IP
« on: November 25, 2022, 01:53:15 am »
I thought I'd post here, in case anyone else runs into this issue. I know bits of the puzzle are documented but not quite like this.
For ref, I'm on 22.7.8 amd64.
I've had problems with OpenVPN and the site-to-site VPN which also seem related to using an Alias IP address on the WAN interface.
I have a WAN int IP assigned by the ISP (by DHCP on the ethernet). I also have a public /24 range that I usually use to spread things out a bit, mostly for logging purposes and not cramming everything on a single IP address. For web hosting that seems to work on Opnsense... but not on the VPN side of things.
Now, setting up Wireguard for clients (to get them off CloudFlare) I thought I'd use the same Alias IP address I use for my other VPNs... but have now confirmed that does not work on Opnsense. For reference, the OpenVPN WAN-alias-IP works just fine on pfsense, before I moved off it.
So, I set up Wireguard as per the https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-setup-wireguard-on-opnsense guide.
Clients (iOS and macOS test units) are giving me green lights on the client side but not fully handshaking.
I set the IP (and associated WAN Int FW rule) to the WAN interface 'real' IP address (i.e. the one given by the ISP via DHCP) and, without any other changes, the clients start working.
(And I'm still having dodgy stuff with OpenVPN... but that's slightly off topic.)
Happy to answer any queries or try things, in order to help debug what's happening in the lower levels of the kernel/code. I don't expect a 'fix' to magic out of nowhere but I do want to assist the maintainers where I can... so please drop me a line if you want more detail.