Messages - Kinerg

#1
Quote from: nero355 on May 14, 2026, 03:45:22 PM
If possible you should avoid Reverse NAT a.k.a. NAT Loopback anyway, so maybe a good moment to consider moving away from it ?!
Why? Genuine question.
#2
Quote from: keeka on May 10, 2026, 08:55:25 PM
IIRC that was a consideration when I set up openvpn prior to trying wireguard. It was a while ago and my memory is not great but I do remember deciding against using NAT reflection anywhere after reading the caveats in the docs. Preferring instead to use split DNS or in this case explicit port forwards.

I'm not aware of any drawbacks for this use, but choose whichever option is easier to implement for your use case.
#4
26.1, 26.4 Series / Re: Wireguard VPN
April 09, 2026, 01:24:10 PM
Edit Peer:

Public key - you can use the one from the generator but just copy&paste it manually
Allowed IPs - 10.10.10.4/32 (peer address)

Endpoint Address - leave empty (set on the client/peer instance, not in OPNsense)
Endpoint port - leave empty (set on the client/peer instance, not in OPNsense)
Keepalive - leave empty (set on the client/peer instance, not in OPNsense)
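The peer entry above only covers the OPNsense side; the endpoint, port and keepalive belong in the client's own configuration. As an added example (not from the original post or from OPNsense), the following Python renders the matching client-side wg-quick file, checks that the keys are well-formed 32-byte base64 values and that the client address is a single host matching the /32 "Allowed IPs" entry, and parses the result back for inspection. The endpoint host, port and key material below are constructed placeholders, not real values.

```python
import base64
import binascii
import ipaddress
from typing import List, Optional


def validate_wg_key(key: str) -> bool:
    """A WireGuard key is 32 raw bytes encoded as base64, which always
    gives a 44-character string ending in '='. Anything else is a
    copy-and-paste error, not a key."""
    if len(key) != 44:
        return False
    try:
        raw = base64.b64decode(key, validate=True)
    except (ValueError, binascii.Error):
        return False
    return len(raw) == 32


def build_client_config(client_private_key: str, client_address: str,
                        server_public_key: str, server_endpoint: str,
                        server_port: int, allowed_ips: List[str],
                        keepalive: int = 25, dns: Optional[str] = None) -> str:
    """Render the [Interface]/[Peer] file a road-warrior client needs to
    match a peer created in OPNsense. Endpoint, port and keepalive live
    here, on the client, exactly as the peer form leaves them empty."""
    for name, key in (("client private", client_private_key),
                      ("server public", server_public_key)):
        if not validate_wg_key(key):
            raise ValueError(f"{name} key is not a valid WireGuard key")
    # The client's tunnel address must be a single host; it is the same
    # address that OPNsense lists as this peer's "Allowed IPs" with /32.
    addr = ipaddress.ip_interface(client_address)
    if addr.network.prefixlen != addr.max_prefixlen:
        raise ValueError("client address must be a single host (/32 or /128)")
    if not 1 <= server_port <= 65535:
        raise ValueError("server port out of range")
    for net in allowed_ips:
        ipaddress.ip_network(net, strict=False)  # raises on malformed input

    lines = ["[Interface]",
             f"PrivateKey = {client_private_key}",
             f"Address = {addr.with_prefixlen}"]
    if dns:
        lines.append(f"DNS = {dns}")
    lines += ["",
              "[Peer]",
              f"PublicKey = {server_public_key}",
              f"AllowedIPs = {', '.join(allowed_ips)}",
              f"Endpoint = {server_endpoint}:{server_port}",
              f"PersistentKeepalive = {keepalive}"]
    return "\n".join(lines) + "\n"


def parse_wg_config(text: str) -> dict:
    """Parse a wg-quick style config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


# Constructed placeholder keys (deterministic bytes, not a real key pair).
CLIENT_PRIVATE_KEY = base64.b64encode(bytes([1]) * 32).decode()
SERVER_PUBLIC_KEY = base64.b64encode(bytes([2]) * 32).decode()


def example_config() -> str:
    """Client config for the peer 10.10.10.4/32 from the post; the
    endpoint host is a placeholder and the port is WireGuard's usual one."""
    return build_client_config(
        client_private_key=CLIENT_PRIVATE_KEY,
        client_address="10.10.10.4/32",
        server_public_key=SERVER_PUBLIC_KEY,
        server_endpoint="vpn.example.invalid",
        server_port=51820,
        allowed_ips=["0.0.0.0/0"],  # full tunnel: LAN plus internet via the VPN
        keepalive=25,
        dns="10.10.10.1",
    )


if __name__ == "__main__":
    print(example_config())
```

Pasting the server's public key with a stray character is the most common way to end up with a peer that never handshakes; the length and base64 check catches that before the config is installed.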

#5
26.1, 26.4 Series / Re: Wireguard VPN
April 09, 2026, 11:48:57 AM
Doing it manually is probably the best option.

Quote from: leony on April 09, 2026, 11:20:22 AM
PS: Is Open VPN setup a less painful process? Any guides? I have a very simple setup as you have seen from the images, all I want is to have VPN access to the local network and connect to the internet as well once VPN is established.

I had no previous experience with WireGuard before setting it up in OPNsense and have managed to set up both S2S and Road Warrior links without much issue. It's not the most intuitive process in some cases, but it shouldn't be too much of a problem. You're probably 90% there and just missing some crucial step.

I would delete the current WG config and follow this guide: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
#6
26.1, 26.4 Series / Re: Wireguard VPN
April 09, 2026, 10:47:36 AM
Quote from: leony on April 09, 2026, 10:30:02 AM
Please see attached. I am having trouble adding peer though using peer generator. Without pressing store text, it never saves (but it is already ticked). When I press, the keys change. When I finally save, endpoint info does not appear on the peer, which I need to add manually again. Not sure if these are known bugs for version 26.1.2

It's probably not a bug; the user interface of the Peer generator is just plain terrible and counterintuitive.

Quote
When I am connected to the LAN and turn on wireguard, handshake is done however from outside there is no handshake.
Are you trying to connect to WireGuard while the client is inside the local LAN or from an external network?

Have you tried lowering the MTU as meyergru suggested?

Disabling/reenabling WireGuard?

EDIT: meyergru is right, you have the source/destination reversed in the latest screenshot compared to your initial PDF.
#7
You need to set up NAT reflection:
https://docs.opnsense.org/manual/how-tos/nat_reflection.html

Alternatively, you could use WG Tunnel and have it automatically disable the VPN while on selected WiFi:
https://github.com/wgtunnel/android
#8
26.1, 26.4 Series / Re: Can't connect to some sites
February 25, 2026, 05:04:06 PM
Quote from: Ansio on February 25, 2026, 04:58:53 PM
The only thing we have done is set it up to use a VPN.
Are the connection problems only while on the VPN? Which VPN? Is it the same when it's disabled?
#9
Possibly related to this?
#10
26.1, 26.4 Series / Re: Enable SSH at Console
February 22, 2026, 04:53:04 PM
Here's Grok's take. Can't verify if it works but it should get you started in the right direction.

#11
Quote from: kubatron on February 06, 2026, 08:57:46 AM
I forgot to mention that on the screen from Proxmox -> pve -> Network, there is no IP and gateway set up on the vmbr1 (VLANs_ETH0) - I set up the IP and gateway for VLANs_ETH0 on the OPNsense and on WAN the same, so the only one set up is MAGMT_ETH1 with 192.168.1.178/24.

This is confusing. You should only have an IP and gateway on vmbr2 MAGMT (and not the same as LAN 192.168.1.1/24, as others have said); leave the other two blank.

It is also not clear how many DHCP servers you have on the network.

Is the TP Link SG108PE port towards Fujitsu S920 set up as trunk?

How are your interfaces set up in OPNsense?

#12
25.7, 25.10 Legacy Series / Re: Wireguard wrt NAT.
August 14, 2025, 10:30:20 AM
Possibly related to #7148 and #6909?
#13
Quote from: Seimus on July 22, 2024, 11:50:23 AM
For FQ_C, bad performance or problems during slow/new start are usually caused by two reasons: ECN & limit.

What is the final suggestion on ECN enable/disable? Resources, manuals, guides and forum posts are inconsistent regarding this. Some say to enable it for both download and upload, some to disable it for upload. The OPNsense guide isn't quite clear on whether it should be enabled or disabled for upload.

What does slow start refer to exactly and is there an easy way to test it?

Thank you!
#14
Possibly related?

#7148
#6909
#15
Quote from: Tschabadu on November 26, 2023, 12:09:57 PM
Hi, valid point and thanks for the advice. I can give it a try; based on the setup guide on Quad9 it's not mentioned anyway: https://www.quad9.net/support/set-up-guides/setup-opnsense-and-dns-over-tls.

I've had issues with Quad9 DoT and DNSSEC, too. They explicitly say to disable it in their pfSense guide:
https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/

Not sure why it's not mentioned for OPNsense.