Messages

1

Virtual private networks / Re: ProtonVPN + Wireguard + NAT-PMP

« on: August 15, 2024, 07:16:13 am »

I was able to set up ProtonVPN Port Forwarding, but it's by using the manual steps listed for MacOS on the ProtonVPN site, https://protonvpn.com/support/port-forwarding-manual-setup/#macos.

I'm on Windows, but since Python is platform agnostic I was able to leverage the same commands for setting the Port from my PC, and I just run the loop command whenever I want to Port Forward.

For firewall setup, I added a NAT Port Forward rule from the VPN_WAN interface to my PC, and then set a local tag called "PORT_FORWARD_VPN". Then, I added a Floating Rule with Match local tag set to the previously mentioned tag, and also reply-to set to the VPN gateway (I was having issues with inbound traffic from the VPN having reply-to go out the WAN gateway).

Hey @ssalvato

I got around to testing this out, I can't seem to get it to work. Would you mind taking a few snapshots of how you got your floating rule setup? Did you follow the wireguard roadrunner opnsense guide? Assuming you are using wireguard?

Thanks

2

Virtual private networks / ProtonVPN + Wireguard + NAT-PMP

« on: March 07, 2024, 06:23:24 pm »

Hi all,

I've read through several topics in this forum about setting up ProtonVPN in OPNSense, however none of them seem to go over any procedures to get NAT-PMP port forwarding setup. Has anyone successfully set up ProtonVPN's wireguard config in OPNSense and also got automatic port forwarding working with it? I tried to leverage UPNP to automatically update the port forward in OPNSense, but the forward only seems to work locally within my network (eg. if I tried from my local network to hit the public proton IP, it works), but if trying to publically connect to my forwarded port using the pubic address assigned to my Proton wireguard interface it times out as if it's not being NAT'd properly at the firewall.

Any assistance is appreciated.

Thanks

3

Virtual private networks / Wireguard roadwarrior setup on dual stack leaks IPV6

« on: January 25, 2024, 08:53:17 pm »

Hey all,

I'm currently running a dual stack setup. I followed the wireguard roadwarrior setup found here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html ... everything is working as expected, but if a website requests my IPV6 address clients that are apart of my wireguard alias will leak IPV6 requests out my IPV6 WAN interface, and not out the tunnel. I use ProtonVPN as a provider which does not support IPV6 on the tunnel (at least to my knowledge).

The tutorial doesn't really mention how to fix this, but primarily only if I were to use a dedicated IPV6 connection. Though, I'm sure that others have ran into this same issue, does anyone know how I can set the killswitch in a way much like if the client decides to go out the v6 interface that it gets blocked, kinda like the NO_WAN_EGRESS part of the tutorial? I realize this might mean I have to either give all my local v6 addresses the same treatment or start assigning the hosts I want to force out the tunnel dedicated v6 addresses, but thought I would get an idea of how others go about doing it.

Thoughts?

Thanks in advance.