Messages

Apparently someone had the same issue and they could not figure out a solution. So the WireGuard implementation has been broken and will be broken for the foreseeable future in 24.1+. Oh well, I guess I'll keep using 23.7 indefinitely.

https://github.com/opnsense/core/issues/7364

Perhaps the gateway side has changed somehow too? Wireguard logs say routing: not a valid opt1 interface gateway address: 'missing'

That is correct since the wireguard gateway did not have an ip before, at least the <gateway_item> field in config does not have any.

Does 24.1 now require some ip for wireguard gateway, why? What the ip should be?
Thanks.

I tried again updating to 24.1 from 23.7. since I guess it makes sense to keep systems somewhat up to date.

I could not update to a newer version, it offered only 24.1.

The problem is still the same - internet stops working with 24.1.

Is there any simple guide on how to route internet traffic through vpn with opnsense? That is opnsense is running the wireguard client and connecting to an external server.

It requires if I understand right at least some kind of LAN and WAN firewall rules and a NAT rule as a basic minimum setup.

I got this working just fine on 23.7 but I don't understand why it does not work in 24.1. If anyone has a minimum working setup with the required firewall and Nat rules I would be happy.

Apparently my problem was that I updated the firmware. The setup just refused to work with the same settings, so I downgraded to an older one.

I today tried upgrading from OPNsense 23.7.6-amd64 to OPNsense 23.7.12_5-amd64 and this time the setup seemed to work well. I have no idea why that was so but I am glad the updates seem to work again, since I was hesitant to try to upgrade the system upgrade again.

I think I will let the 24 series bake in for a quite a while before attempting to jump to that.

I don't understand enough about networking. I think I understand what I want: my LAN traffic should communicate with Internet only via my paid VPN service. Communication directly with internet should not be allowed. Is this a feasible goal?

I am running the newest stable opnsense. I created a wireguard interface and peer and registered the wireguard key with my vpn provider. The wireguard "handshakes" but tells nothing further. I don't know if that means it's working or not or something else.

Pinging 1.1.1.1 from opnsense results in packet loss.


I have a WG1 interface. A WG1 gateway which is offline.

Hybrid outbound NAT for WG1 interface. It translates any LAN net traffic to any destination through the WG1 interface.

Firewall in LAN has out, source lan net, dest wan net, blocked. It has out, source lan net, dest WG1 gateway allowed.


WAN has in, source any, dest LAN net blocked. Any to WG1 net allowed.

WG1 firewall has out from any to any allowed.

I am not sure if all this is correct or wrong, and if I need something else or not. In theory it is simple - force all Internet traffic to go through my paid vpn. In practice it is very hard.

The WG1 gateway should probably work, but it does not work. I don't know why it's not online, or what prerequisites must be met to get it online. Is there some up to date guide on how to do this with the latest WG changes? Wireguard implementation in opnsense seems to be changing all the time.

Thanks.