Messages - vimage22

#1
I hope this does not add more confusion, but I do not think this is a completely simple issue as I think pseudonym3k has shown many valid points. It is a little complex. I do not understand every aspect of DNS, in relation to Kea, Unbound and DNSmasq, but am trying to learn. But I do understand DNS, especially from a ms perspective. There is yet a fourth variable of "System: Settings: General: DNS servers". And there is the complexity of disabling ISC correctly. So you are dealing with at least 4 variables, and one must decide on the strategy to use.

Personally, I started down the road of migrating from ISC to DNSmasq. But very quickly decided I did not like the combination of DHCP and DNS (not recursive) within DNSmasq. I do like that Kea = DHCP and Unbound (recursive) = DNS. In my mind, very simple and effective. [BTW, "System: Settings: General: DNS servers" is blank. I use Cloudflare DoT, within Unbound, NOT my ISP DNS].

I guess I can only describe how my setup has met my requirements, and then see if it matches another user.
"Services: Dynamic DNS" = dynamic wan ip resolution, if the ISP changes my wan ip.
"Services: Unbound DNS: DNS over TLS" = security (without pi-hole, ad-guard, etc.)
"Services: Kea DHCP: Kea DHCPv4 AND v6" = Adding a static reservation for local hostname resolution does work (AFTER a restart of Unbound)

But there is this issue: MY statement of "AFTER a restart of Unbound" is in conflict with pseudonym3k's comment "all sites are immediately found by DNS name again".
When I went through this exercise, one had to be very precise in terms of what was disabled or enabled and what service was restarted, and when. For example, if I did not restart Unbound at the right moment, local hostname resolution would fail. If I had to go through a fresh install again, I think I could do it, but no guarantees I could get it right on the first try.

So again, if you actually take 7 variables into account, and decide on a plan, although complex, the end result is rewarding.
ISC - disabled? correctly?
"Services: Dynamic DNS"
"System: Settings: General: DNS servers" - blank?
Kea versus DNSmasq (one or the other, not both) (If DNSmasq, is port forward set correctly to 5353?)
Unbound - all settings.
"Services: Router Advertisements" (IPv6)
(someone may argue the order of this list, which would be welcome)

I think pseudonym3k brought up a real world experience. Again, hope this helps and does not add more confusion.

One afterthought. Please do not use a common address of 192.168.1.0/24 for your LAN. Needs to be more unique, in my opinion. Not implying this has anything to do with the topic, just a suggestion.


#2
Is there a firewall service active on the windows workstation? Do you see anything in:
Firewall: Log Files: Live View
#3
By "DNS name", do you mean local hostname? And you are using ping to test? Running "ipconfig /all", have you confirmed the client is using the local ip of the router for DNS?

I use Unbound and Kea only. To guarantee local hostname resolution (IPv4 and 6), I add a reservation for only the machines I need to resolve. Then, I just restart the Unbound service once and it works.

"Register ISC DHCP4 Leases" is disabled, as well as the ISC service. Attached are the Unbound settings.
#4
Your RTT looks very high. My value is less than 20ms. High WAN Traffic, see "Reporting: Health", can cause RTT to go up. What were the values from OpenWrt?
#5
In your Client config file, did you add "DNS = ..."? The Peer generator allows for this entry as well. You can also add a search domain such as:
"10.10.1.1, internal"
Not tested in generator, but works on Client config file.
#6
Yes, create a normalization rule.
#7
26.1, 26.4 Series / Re: Wireguard Peer generator
March 26, 2026, 11:38:35 AM
I noticed the same issue and the workaround was to retry after the error and carefully move closer to or away from the image very slowly. It took a lot of patience. I downloaded the png image and am wondering if there is an issue with resolution. I tried looking for the code that generates the image, but no luck. If someone could point me to it, I would be interested to look at it.
#8
Firewall: Rules [new] work great, and since this is a new setup, definitely use 'new'. The docs just need to be updated, at some point. No rules are created automatically. Also, this might be useful?
wg
#9

EDIT: Creating a group called "webui" and then choosing all of the desired privileges from the drop down was much easier than changing 148 items in System: Access: Privileges. Then assign your new user to the group and the effect is instantaneous.

Excellent, thank you again. Also, System: Access: Privileges worked really well. Adjusting the look and feel of the Web UI is quite valuable.
#10
Yes, thank you for suggesting that. Currently, the menu.xml files are adjusted, which will be overwritten on updates and does nothing to prevent access to a hidden service if you know the full URL. I will give your suggestion a shot. It does sound more correct.
#11
Just in case you need another opinion. Your last favorite option looks good, however an alternative might be to hide sections, especially under services. One bit of logic on this, is that it preserves the overall flow of the entire router path and grouping. Hard to explain, but Lobby/Reporting/etc leads me quickly to the more granular area. By hiding sub-objects, such as a particular service that will not be used, means less reading once you are in that section. Just a thought.
And can items under favorites have a custom order?
#12
In addition to the answer above, here is what is working on my side, with Wi-Fi connected or not. I do get a delay to one particular service on the LAN, but it is an unusual service.

Following this, Road Warrior, using Step 4(a).
Interfaces: [wg0] = true

And this for fdxx... ULA Generator

For "Instance", set:
Tunnel address =
10.10.1.1/24  (different than LAN)
fdxx:xxxx:xxxx::1/64  (unique to LAN) (starts with fd, not fe, see ULA above)

In config on Peer GENERATOR:

Endpoint: As you have already, vpn.domain

Allowed IPs:
x.x.x.x/24 (LAN)
10.10.1.1/24 (WG)
fdxx:xxxx:xxxx::/64
[ISP Prefix]::/64  (not sure if this is required)

Address
10.10.1.2/32
fdxx:xxxx:xxxx::2/128

DNS: fdxx:xxxx:xxxx::1

Firewall: Rules [new]

Description: WG_FW_Rule
Invert: Unchecked
Interface: WAN
Quick: Checked
Action: Pass
Direction: in
Version: IPv4+IPv6
Protocol: UDP
Invert Source: Unchecked
Source: any
Source Port: any
Invert Destination: Unchecked
Destination: "WAN address"
Destination Port: 51820

Description: WG_Router_Rule_wg0
Invert: Unchecked
Interface: wg0
Quick: Checked
Action: Pass
Direction: in
Version: IPv4+IPv6
Protocol: any
Invert Source: Unchecked
Source: "wg0 net"
Source Port: any
Invert Destination: Unchecked
Destination: "LAN net", "wg0 net"
Destination Port: any

Firewall: Settings: Normalization

Description: "WireGuard MSS Clamping v4-v6"
Interface: wg0
Direction: any
Protocol: any
Source: any
Source Port: any
Destination: any
Max mss: 1360

Turn logging on everywhere and then use: Firewall: Log Files: Live View

In the earlier post, I meant to say "Allowed IPs", not "Endpoint address". In the setup above, I am not routing all traffic, just LAN. Also, DNS was important. For example, I could not simply resolve 'host'; 'host.internal' was required. There might be a setting for this in the config, but not sure.

Edit: to resolve host, change DNS to: DNS: fdxx:xxxx:xxxx::1, internal

Edit 2: NAT reflection was not required on my side.
#13
On my Android phone, I noticed this as well. There was a preference to 'allow other apps to trigger wireguard', or something to that effect. I believe this defaulted to "on". It is off now, and I have not noticed an auto connect. In my case, I prefer to manually activate when away.
If you lose functionality on LAN, you need to look at how "Endpoint address" is configured, on the phone. Does it route all traffic, or just LAN traffic?
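As an added example (not code from any post here or from OPNsense), a small Python audit of a wg-quick client config covering the points raised in posts #5, #12 and #13: whether the DNS line carries a search domain, whether Allowed IPs routes all traffic or only the LAN, and whether the IPv6 tunnel address is a ULA (fd00::/8) rather than link-local. The sample config, the 192.168.50.0/24 LAN, the fd12:3456:789a:: prefix and the vpn.domain endpoint are constructed placeholders.

```python
import ipaddress

# Constructed sample wg-quick client config (not from the post); keys omitted, addresses are placeholders.
CLIENT_CONF = """\
[Interface]
Address = 10.10.1.2/32, fd12:3456:789a::2/128
DNS = fd12:3456:789a::1, internal
[Peer]
Endpoint = vpn.domain:51820
AllowedIPs = 192.168.50.0/24, 10.10.1.0/24, fd12:3456:789a::/64
"""

def parse_wg_conf(text):
    """Minimal wg-quick parser -> {section: {key: [values]}}; comma lists are split."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            section.setdefault(key, []).extend(v.strip() for v in value.split(","))
    return conf

def split_dns(entries):
    """wg-quick: IP entries become resolvers, non-IP entries become search domains."""
    servers, domains = [], []
    for e in entries:
        try:
            servers.append(str(ipaddress.ip_address(e)))
        except ValueError:
            domains.append(e)
    return servers, domains

def is_ula(addr):
    """True for fd00::/8 (ULA); fe80::/10 link-local and global prefixes return False."""
    ip = ipaddress.ip_interface(addr).ip
    return ip.version == 6 and ip in ipaddress.ip_network("fd00::/8")

def audit(text, lan="192.168.50.0/24"):
    """Summarise, for one client config, the checks the thread discusses."""
    conf = parse_wg_conf(text)
    lan_net = ipaddress.ip_network(lan)
    allowed = [ipaddress.ip_network(a, strict=False) for a in conf["Peer"]["AllowedIPs"]]
    servers, domains = split_dns(conf["Interface"].get("DNS", []))
    return {"dns_servers": servers, "search_domains": domains,
            # a default route (0.0.0.0/0 or ::/0) in AllowedIPs means the phone sends everything through wg0
            "tunnel": "full" if any(n.prefixlen == 0 for n in allowed) else "split",
            "ula_ok": all(is_ula(a) for a in conf["Interface"]["Address"] if ":" in a),
            "lan_reachable": any(n.version == lan_net.version and lan_net.subnet_of(n) for n in allowed)}
```

Run `audit(CLIENT_CONF)` on a client's exported config to see at a glance whether it is split- or full-tunnel and whether 'host' will resolve via the search domain.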
#14
OK, give me some time to look at this.
#15
@thebraz. Hope I am not intruding here, but if I could suggest looking here first:
https://docs.opnsense.org/manual/nat.html

In my system, to gain a better understanding of legacy Rules and Rules[new], I created, from scratch, the rules required for legacy. All worked correctly. Note, if you try this step, to avoid all confusion, you need to make sure that you delete all rules and work with either legacy OR Rules[new]. Not that they cannot co-exist, but it will just make it more clear.

Then, after deleting these rules, I created them under Rules[new], but with 2 versions:

1. Edit DNAT Rule: Options: Firewall rule: Manual
This is explained in the docs under the section "Filter rule association"
Using "Manual" requires a second rule under WAN to allow the traffic to hit the DNAT rule.

2. Then, I deleted both rules and created one rule in DNAT, setting association to "Register rule". It works correctly.

I switched back to option 1, even though it is 2 rules, only because it gives me better visibility from the GUI.