Messages - MikeSouth

1
Virtual private networks / Re: MTU/MSS problem with Wireguard router
« on: September 02, 2024, 09:46:26 am »
I've already tried to do that, I went as low as 1280.
I've started with a fresh install and I've tried normalisation; nothing helped besides setting the MTU on the client.

2
Virtual private networks / MTU/MSS problem with Wireguard router
« on: August 25, 2024, 07:38:10 pm »
Hi, I've set up OPNsense 24.7.2 as a router as described here: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html.
This works great for my Linux machines once I've set the interface MTU to 1420 on the ISC DHCP server.
My MacBooks are not picking up the change, and I can't use the router without setting the MTU manually from 1500 to 1420.

I am sure that I've done something wrong; could someone please point me in a direction.
The WireGuard instance and the LAN interface do not have an MTU set. I've tried unsuccessfully.
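The 1420 figure in the post above is the worst case for a 1500-byte link: the tunnel's outer packet adds an IP header, a UDP header and WireGuard's own 32 bytes of framing, so IPv6 transport leaves 1420 bytes for the inner packet and IPv4 transport 1440. The following is an added example, not code from the forum thread or from OPNsense; it computes those numbers from the fixed header sizes and the TCP MSS clamp that goes with a given tunnel MTU (the value one would enter in an MSS/normalisation setting), and checks whether a client that kept its 1500-byte MTU sends packets that still fit.

```python
# Added example (not from the forum post): why 1420 is the usual WireGuard MTU
# on a 1500-byte link, and what TCP MSS clamp goes with it.
# The byte counts below are the fixed header sizes of the protocols involved.

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
TCP_HEADER = 20
# WireGuard transport-data message: 4 (type + reserved) + 4 (receiver index)
# + 8 (nonce counter) in front of the ciphertext, 16-byte Poly1305 tag after it.
WG_HEADER = 16
WG_TAG = 16


def wireguard_overhead(outer_ipv6: bool) -> int:
    """Bytes added to each inner packet when it is sent through the tunnel."""
    outer_ip = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    return outer_ip + UDP_HEADER + WG_HEADER + WG_TAG


def tunnel_mtu(outer_mtu: int, outer_ipv6: bool) -> int:
    """Largest inner packet that fits in one outer packet without fragmentation."""
    return outer_mtu - wireguard_overhead(outer_ipv6)


def tcp_mss(mtu: int, inner_ipv6: bool) -> int:
    """MSS to clamp to so that a full-size TCP segment fits the given MTU."""
    inner_ip = IPV6_HEADER if inner_ipv6 else IPV4_HEADER
    return mtu - (inner_ip + TCP_HEADER)


def fits(inner_len: int, outer_mtu: int, outer_ipv6: bool) -> bool:
    """True if an inner packet of inner_len bytes leaves the WAN unfragmented."""
    return inner_len + wireguard_overhead(outer_ipv6) <= outer_mtu


if __name__ == "__main__":
    for v6 in (False, True):
        fam = "IPv6" if v6 else "IPv4"
        mtu = tunnel_mtu(1500, v6)
        print(f"outer {fam}: tunnel MTU {mtu}, IPv4 TCP MSS clamp {tcp_mss(mtu, False)}")
    # A client that kept its 1500-byte interface MTU sends packets that do not fit.
    print("1500-byte packet over an IPv6 outer path fits:", fits(1500, 1500, True))
```

Clamping the MSS only helps TCP; UDP and ICMP traffic from a client that still believes the path MTU is 1500 will be fragmented or dropped, which is why handing the correct MTU to the client (DHCP option or manual setting, as the post does) is the reliable fix.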

3
Virtual private networks / Re: Can't connect to my own wireguard server
« on: August 25, 2024, 04:52:59 pm »
I was finally able to solve this issue.
You couldn't make this up, but setting Allowed_IPs to 0.0.0.0/1 and 128.0.0.0/1 solved this for me.
I couldn't believe it, so I started with a fresh install on another router with 0.0.0.0/0 and was able to reproduce the problem; after switching to 0.0.0.0/1 + 128.0.0.0/1 the problem was gone, again.
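The two /1 prefixes in the post above cover exactly the same address space as 0.0.0.0/0, but each is one bit more specific than the default route, so they win longest-prefix matching against the WAN default route without having to replace it. The block below is an added example of mine, not code from the thread or from OPNsense: it checks that a set of AllowedIPs prefixes collapses to the full IPv4 space, and runs a longest-prefix lookup over a constructed routing table (192.168.1.0/24 as LAN, 203.0.113.5 as a documentation-range stand-in for the 85.x.x.x endpoint) to show which interface a destination would leave on. The host route for the endpoint is included because the encrypted UDP packets to the server must not themselves be routed into the tunnel.

```python
# Added example (not from the forum post): longest-prefix routing over a
# constructed table, to show why 0.0.0.0/1 + 128.0.0.0/1 overrides a default
# route while covering the same addresses as 0.0.0.0/0.
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, outgoing interface)

# Constructed routing table; addresses are private/documentation ranges.
ROUTES_SPLIT: List[Route] = [
    ("0.0.0.0/0", "igb0"),        # ISP default route on the WAN side
    ("192.168.1.0/24", "igb1"),   # LAN
    ("203.0.113.5/32", "igb0"),   # host route to the WireGuard endpoint (stand-in address)
    ("0.0.0.0/1", "wg0"),         # AllowedIPs, lower half of IPv4 space
    ("128.0.0.0/1", "wg0"),       # AllowedIPs, upper half of IPv4 space
]

# Same table without the tunnel routes, i.e. before WireGuard is enabled.
ROUTES_PLAIN: List[Route] = [r for r in ROUTES_SPLIT if r[1] != "wg0"]


def route_lookup(dst: str, routes: Iterable[Route]) -> Optional[str]:
    """Return the interface chosen by longest-prefix match, or None if no route matches.

    On equal prefix length the first matching entry wins; real stacks use
    metrics or priorities here, which this toy table does not model.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None


def covers_all_ipv4(prefixes: Iterable[str]) -> bool:
    """True if the prefixes, merged, are exactly 0.0.0.0/0."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]


def leaks_outside_tunnel(dst: str, routes: Iterable[Route]) -> bool:
    """True if traffic to dst would leave on a non-tunnel interface.

    The endpoint host route and the LAN are expected exceptions; everything
    else should resolve to wg0 once the split AllowedIPs are installed.
    """
    return route_lookup(dst, routes) != "wg0"


if __name__ == "__main__":
    print("split /1 prefixes cover all IPv4:", covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))
    for dst in ("8.8.8.8", "192.168.1.10", "203.0.113.5"):
        print(f"{dst:>14} -> before: {route_lookup(dst, ROUTES_PLAIN)}, "
              f"after: {route_lookup(dst, ROUTES_SPLIT)}")
```

Running it shows 8.8.8.8 moving from igb0 to wg0 once the /1 routes exist, while the LAN prefix and the endpoint host route, being more specific still, keep their original interfaces; without such a host route (or an equivalent policy rule) the tunnel's own UDP packets would match 128.0.0.0/1 and loop back into wg0.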

4
Virtual private networks / Can't connect to my own wireguard server
« on: August 02, 2024, 10:12:35 am »
Hi all, so I somehow can't connect to my own WireGuard server (I also can't connect to other servers, but debugging is easiest when I control both endpoints) using OPNsense (24.7_9).
I've reinstalled OPNsense, just changed the password, updated everything, added DNS servers and enabled the SSH server.
I know that I am missing something super tiny.
Could someone please point me to what I am doing wrong?

This config works well on clients:
Code:
[Interface]
PrivateKey = IJGr<CLIENT_PRIV>wfyMUnQ=
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = 3lpe2<SERVER_PUB>AJY1gWA=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 85.<SERVER_IP>:51820
PersistentKeepalive = 25

Here are my settings via the WebGUI.
Instances https://i.imgur.com/QyvxN5k.png
Peers https://i.imgur.com/xCobOc2.png
Status https://i.imgur.com/s9xJEZA.png

On the OPNsense router I get
Code:
$ wg
interface: wg0
  public key: /DNH8z<CLIENT_PUB>zYFO9Xs=
  listening port: 42233

peer: 3lpe2<SERVER_PUB>AJY1gWA=
  endpoint: 85.<SERVER_IP>:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 1.01 KiB sent
  persistent keepalive: every 25 seconds
/DNH8z+ld<CLIENT_PUBLIC>YFO9Xs= really is the public key of the IJGrUs<CLIENT_PRIVATE>MUnQ= private key.

tcpdump while enabling WireGuard on OPNsense, igb0 being my WAN interface.
Code:
# tcpdump -u port 51820 -i igb0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
....
<NOTHING>

When I do a tcpdump on the server (85.*.*.*) on port 51820 I do not get any connections, ens18 being the public interface.
Code:
$ tcpdump  -u port 51820  -i ens18
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
....
<NOTHING>

In the OPNsense firewall log I see this: https://i.imgur.com/Fdo2J1S.png
Should that be the private address or the WAN interface?

Due to the nature of WireGuard it doesn't log anything; here is the log:
Code:
2024-08-02T07:44:11 Notice  wireguard  wireguard instance wireguard02 (wg0) started
2024-08-02T07:44:11 Notice  wireguard  wireguard instance wireguard02 (wg0) can not reconfigure without stopping it first.

Establishing a WireGuard tunnel from behind the OPNsense router is working well and tcpdump shows a ton of packets; it's not DNS related, as the WireGuard server IP is hardcoded. So reaching the server isn't a problem; the latency is around 11 ms with 0% packet loss.

What am I missing?
