Virtual private networks / Re: Unbound wireguard client to openvpn
« on: July 10, 2024, 05:06:19 pm »
I have 2 Opnsense (primary and slave) where this tunnel appears, but with a different IP range for the "Virtual Network".
When I check with the keyword "wg" (primary), the route 172.28.0.0/16 is not listed, but my secondary's route 172.29.0.0/16 is.
Which I can't explain.
So I disabled the tunnel on the secondary, took its IP range 172.29.0.0/16 (Virtual Network) and put it on the primary.
The 172.29.0.0/16 range is indeed listed as "Allowed Address" on the WG side.
The ping from my WG peer comes out fine this time through the WG tunnel, so there's an improvement.
Since it goes through the tunnel, the ping appears in the Live View and is in "pass" status when I filter on the Virtual IP of my OpenVPN client (172.29.0.6).
However, it doesn't reach the destination. I'm still looking for a solution.
Thanks for any help.
Virtual private networks / Re: Unbound wireguard client to openvpn
« on: July 10, 2024, 04:01:36 pm »
The ping from my WG peer doesn't go out through the WG tunnel but through my local IP instead. If I force the ping onto the WG tunnel interface, it doesn't work either.
So no packet is received on my host with the OpenVPN client (during tcpdump).
However, I can ping the WG peer from the OpenVPN client...
Does anyone have any ideas? Thanks in advance.
Virtual private networks / Re: Unbound wireguard client to openvpn
« on: July 10, 2024, 09:44:57 am »
Unique tunnel IP address for WG, the IPsec network, and I have added the OpenVPN "Tunnel Network".
Virtual private networks / Re: Unbound wireguard client to openvpn
« on: July 10, 2024, 09:08:39 am »
Thank you for your reply. Unfortunately I had already tried it, and I've just done it again, but it doesn't change anything.
For IPSec I had the same problem, which was solved by mentioning my WG instance in the SPD section and creating an entry in SNAT using the IP of my gateway on the LAN side for translation.
https://forum.opnsense.org/index.php?topic=41108.msg201474#msg201474
Virtual private networks / Unbound wireguard client to openvpn
« on: July 10, 2024, 08:32:06 am »
Hi,
I have a problem and can't find any solution.
Client Wireguard (Instance : 172.17.32.193/28) -------> Opnsense (LAN : 172.19.1.0/24) -------> OpenVPN (Tunnel Network : 172.28.0.0/16)
Part of my setup:
- 2x WAN
- IPSEC Connections (new method)
- WireGuard with multiple interfaces
- Wireguard Interface Rules has an ANY rule on WG0 (used for my test)
- VPN > OpenVPN > Servers (Legacy)
OpenVPN configuration:
Tunnel Network: 172.28.0.0/16
Local Nets: 172.19.1.0/24
The connection is present (VIP: 172.28.0.6) and I have an "OK" status in "Connection Status".
From Opnsense to VIP (OpenVPN):
The ping is OK from Opnsense without specifying a source.
The ping is OK when specifying 172.19.1.253 (GW LAN) as the source.
From WG Client to VIP (OpenVPN):
The ping is KO, and does not go through the WG tunnel.
I tried to create a SNAT rule (Firewall > Automation > Source NAT) specifying 172.19.1.253 as the translation address, but there seems to be a route problem.
How can I specify that the OPNsense needs the Wireguard Net as an additional local network on the OpenVPN connection?
Thank you in advance for your help.
Virtual private networks / Re: Inbound wireguard client to remote site connected with ipsec
« on: June 21, 2024, 09:02:31 am »
Virtual private networks / Re: Unbound wireguard client to remote site connected with ipsec
« on: June 21, 2024, 09:01:54 am »
Thanks for your reply, the problem has been solved and it's thanks to you for pointing me in the right direction.
To solve the problem you need to:
Create a manual SPD in VPN > IPSEC > Security Policy Database:
- Source network = IP WG Instance: 172.17.32.193/28
- Destination network: empty
Create a SNAT rule in Firewall > Automation > Source NAT:
- Do not NAT: unchecked
- Interface: IPsec
- Source address = IP WG Instance: 172.17.32.193/28
- Destination = IP range of the remote IPsec site: 10.70.38.0/23
- Translation = LAN GW: 172.19.1.253 (of the network specified in Local Nets in the IPsec child)
Last question:
I specified a number (1) in the ReqID in order to apply the manual SPD entry (my WG network) to all remote sites/connections. However, if I select an entry in "Connection child", the manual SPD entry will only apply to one remote site/connection.
Does this number need to be specified in all connection children as a best practice? It works without specifying it.
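As an added illustration (not the poster's configuration and not OPNsense code), a small Python model of why both the manual SPD entry and the SNAT rule are needed for the WireGuard client to reach the IPsec site. It assumes the FreeBSD ordering in which the SPD lookup sees the untranslated source address and pf SNAT on the IPsec interface only runs on packets already selected for the tunnel, and that the remote site's traffic selector mirrors the child's Local/Remote Nets; the client address 172.17.32.194 is a constructed sample.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's addressing (values taken from the posts).
WG_NET = ip_network("172.17.32.192/28")      # WG instance 172.17.32.193/28
LAN_NET = ip_network("172.19.1.0/24")        # IPsec child "Local Nets"
REMOTE_NET = ip_network("10.70.38.0/23")     # IPsec child "Remote Nets"
LAN_GW = ip_address("172.19.1.253")          # SNAT translation address

CHILD_SPD = [(LAN_NET, REMOTE_NET)]          # selector installed by the IPsec child
MANUAL_SPD = [(WG_NET, REMOTE_NET)]          # the manual SPD entry from the post
SNAT_RULE = {"src": WG_NET, "dst": REMOTE_NET, "to": LAN_GW}  # SNAT on the IPsec interface
REMOTE_ACCEPTS = (LAN_NET, REMOTE_NET)       # assumption: peer's selector mirrors the child


def spd_lookup(src, dst, spds):
    """First (src, dst) selector covering the flow, or None (packet is not tunneled)."""
    for s, d in spds:
        if src in s and dst in d:
            return (str(s), str(d))
    return None


def snat_on_ipsec(src, dst, rule):
    """Source address after the SNAT rule on the IPsec interface (unchanged if no match)."""
    if src in rule["src"] and dst in rule["dst"]:
        return rule["to"]
    return src


def wg_to_ipsec(src="172.17.32.194", dst="10.70.38.56", manual_spd=False, snat=False):
    """Simulate one packet from the WG client towards the IPsec site.

    Assumed order: SPD lookup on the untranslated packet, then SNAT on the IPsec
    interface, then the remote peer checks the inner source against its selector.
    """
    src, dst = ip_address(src), ip_address(dst)
    spds = CHILD_SPD + (MANUAL_SPD if manual_spd else [])
    policy = spd_lookup(src, dst, spds)
    if policy is None:
        return {"tunneled": False, "reason": "no SPD matches; packet leaves in the clear"}
    inner_src = snat_on_ipsec(src, dst, SNAT_RULE) if snat else src
    accepted = inner_src in REMOTE_ACCEPTS[0] and dst in REMOTE_ACCEPTS[1]
    return {"tunneled": True, "policy": policy,
            "inner_src": str(inner_src), "remote_accepts": accepted}
```

With neither change the packet never enters the tunnel (the "2 * * *" of the traceroute); with only the manual SPD it is tunneled but arrives with a source the remote selector does not cover; with both it arrives as 172.19.1.253 and is accepted.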
Virtual private networks / Re: Unbound wireguard client to remote site connected with ipsec
« on: June 18, 2024, 02:58:58 pm »
Thank you for your help.
Context: NAT Forward is not present for Wireguard and IPsec because they are on the Opnsense itself.
I have tried to add 172.19.1.0/24 (in source) manually in the SPD but the result is identical.
This SPD gets added automatically:
Source                 Destination          Tunnel endpoints
172.17.32.193/28[any]  10.70.38.0/23[any]   172.20.0.253->IP_Public_Remote_Site
The IP "172.20.0.253" in the Tunnel endpoints is a second LAN but not the one mentioned in IPSEC.
Virtual private networks / [SOLVED] Unbound wireguard client to remote site connected with ipsec
« on: June 18, 2024, 10:35:46 am »
Hi,
I have a problem and can't find any solution.
I am migrating from RouterOS to Opnsense, and I have a problem where I want a client connected with wireguard to opnsense to be able to access a remote site connected via IPSec.
Client Wireguard (Instance : 172.17.32.193/28) -------> Opnsense (LAN : 172.19.1.0/24) -------IPSec--------> remote Site (10.70.38.0/24)
Maybe someone has some tips for me.
Part of my setup:
- 2x WAN
- IPSEC Connections (new method)
- WireGuard with multiple interfaces
- Wireguard Interface Rules has an ANY rule on WG0 (used for my test)
IPSec configuration:
Local Nets: 172.19.1.0/24
Remote Nets: 10.70.38.0/23
If I use traceroute from Opnsense with Hostname/IP: 10.70.38.56, Protocol: ICMP, Source address: 172.19.1.253 (GW LAN/Interface address) it works. The packet passes through the 2 public IPs (Local and Remote).
If I use traceroute from the Wireguard client to the remote site connected with ipsec, it doesn't work. Details:
traceroute to 10.70.38.56 (10.70.38.26), 30 hops max, 60 byte packets
1 172.17.32.193 (172.17.32.193) 10.994 ms 10.879 ms 10.855 ms
2 * * *
I tried to create:
- a "dynamic" gateway and disabled routing in the wireguard config.
- a static route specifying the GW (172.17.32.193 (LAN GW)) or 172.17.32.192 (WG GW), like on RouterOS.
- a NAT Outbound rule: Interface: WG0, Src address: 172.19.1.0/24, Dst address: 10.70.38.0/23, Translation: Interface address
Same behavior. I can't reach the IP behind the ipsec tunnel.
Thank you in advance for your help.
Similar problem:
https://forum.opnsense.org/index.php?topic=41037.msg201152#msg201152