"
Hi everyone!
I recently setup wireguard VPN in opnsense based on this tutorial from the official docs https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
After everything have been setup I did some successful tests and called it a day.
However after a few weeks I notices some weird behavior, and I suspect that some traffic leaked on the default WAN gateway.
My setup differs a bit from the example setup of the tutorial. I choosed to have a dedicated vlan (torrent_interface) for the VPN instead of selecting a few privileged ips.
Interfaces:
torrent_interface
vpn_wginterface
wireguard peer and instance: same as the doc
torrent_interface net: 192.168.40.0/24
vpn_wggateway
monitor ip: 10.128.0.1
ip: 10.128.0.2
interface: vpn_wginterface
Outbound nat rule
(with reply-to set to vpn_wginterface)
Nat port forward rules
Rule for torrent_interface
Rule for vpn_interface
Floating rule
I did this test suite from https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/
Enable VPN
On VPN grouped machine navigate to ipleak.com
Ensure no IP's shown match your actual ISP provided IP ✅
On non VPN grouped machine navigate to ipleak.com
Ensure IP's shown match your actual ISP provided IP (DNS may or may not match) ✅
Disable VPN (Status -> OpenVPN)
On VPN grouped machine ensure you have zero internet access. No pings, no ability to do DNS queries, nothing. ❌
On non VPN grouped machine everything is normal ✅
Re-enable VPN
Everything works again as it did before you disabled the VPN. May take a minute for the states to resolve correct and internet access to fully return. ✅
(I did setup the Killswitch as advised in the tutorial from the official docs, and when the interface is disabled I can see some traffic from my vlan getting killed thanks to the tag set by the floating rule.)
The problems I detected
If I manually change the monitor IP of the vpn_wggateway AND/OR tick the option to make it appear down even after flushing firewall states:
- Nothing changes, torrent_net still has vpn access
If I disable the gateway:
- torrent_net can't access internet anymore(thanks to the killswitch I think), but still can do DNS queries
The firewall options that I think may induce this behavior
- Skip rule when gateway is down
By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down
So this means that if the gateway was down for a couple of seconds, traffic is routed through WAN ? If thats the case why its not mentioned in the VPN tutorial from the official docs ?
- Disable force gateway:
Outgoing packets from this firewall on an interface which has a gateway will normally use the specified gateway for that interface. When this option is set the route will be selected by the system routing table instead.
Since I can't change the default gateway of the torrent_interface, do I tick this rule ?
I ticked and unticked both of these options, and traffic still goes through WAN if vpn_wggateway is disabled (and get killed by the killswitch).
EDIT: If I tick both of these options, and vpn_wginterface is disabled, killswitch don't kick in, and torrent_interface traffic to internet is not working
My questions
- Why does VPN DNS resolution still works even when gateway is down ?
- Why does VPN still works even when gateway is down ?
- Why does VPN DNS resolution still works even when gateway is disabled ?
- The gateway of the torrent_net is set to WAN, why can I not change it ?
- Why can't I disable the automatic NAT rule for wan for a specific interface like torrent_net ?
- Why does port forwarding (on the vpn_wginterface) still works even when VPN gateway is down ?
- How am I sure that requests originating from the torrent_lan gateway address (192.168.40.1) is going through the correct gateway ? that is the vpn_gateway
EDIT2: I managed to fix the DNS by changing the nat rule I made to redirect all DNS request to the 10.128.0.1. I changed the filter rule association to NONE, then I created manually the rule to allow 53 on the 10.128.0.1, and I set the gateway to vpn_wginterface (previously with the automatic rule creation it was set to any). Now if I disable the vpn interface, DNS doesnt work anymore (as intended) . My theory is that before when interface for this rule was set to any, opnsense directly contacted the wireguard _instance ip (without going through the 10.128.0.1) so it got an answer , because the tunnel was still working)
This setup is really confusing to me, and I apologize in advance if the explanation of my setup is not very clear, I will be happy to clarify it.
Thank you for your help!
I recently setup wireguard VPN in opnsense based on this tutorial from the official docs https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
After everything have been setup I did some successful tests and called it a day.
However after a few weeks I notices some weird behavior, and I suspect that some traffic leaked on the default WAN gateway.
My setup differs a bit from the example setup of the tutorial. I choosed to have a dedicated vlan (torrent_interface) for the VPN instead of selecting a few privileged ips.
Interfaces:
torrent_interface
vpn_wginterface
wireguard peer and instance: same as the doc
torrent_interface net: 192.168.40.0/24
vpn_wggateway
monitor ip: 10.128.0.1
ip: 10.128.0.2
interface: vpn_wginterface
Outbound nat rule
| Interface | Source | Source Port | Destination | Destination Port | NAT address |
| vpn_wginterface | torrent_net | * | * | * | Interface Address |
Nat port forward rules
| Interface | Proto | Source Address | Source Ports | Destination Address | Destination Ports | NAT IP | NAT Ports | Description |
| torrent_interface | TCP/UDP | * | * | ! 10.128.0.1 | 53 (DNS) | 10.128.0.1 | 53 (DNS) | force dns from torrent to upstream vpn |
| vpn_wginterface | TCP/UDP | * | * | vpn_wginterface address | (torrent client port) | (torrent client ip) | (torrent client port) | Port forward for torrent clien |
Rule for torrent_interface
| Direction | Source | Port | Destination | Port | Gateway |
| In | * | * | 10.128.0.1 | * | vpn_wggateway |
| In | torrent net | * | ! RFC1918_Networks | * | vpn_wggateway |
| In | torrent net | * | torrent net | * | * |
| In | * | * | 10.128.0.1 | 53 (DNS) | * |
Rule for vpn_interface
| Direction | Source | Port | Destination | Port | Gateway |
| IN | * | * | (torrent client ip) | (torrent client port) | * |
Floating rule
| First match | Source | Source Port | Destination | Destination Port | Gateway |
| No | vpn_wginterface_address | * | !vpn_wginterface_net | * | vpn_wggateway |
I did this test suite from https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/
Enable VPN
On VPN grouped machine navigate to ipleak.com
Ensure no IP's shown match your actual ISP provided IP ✅
On non VPN grouped machine navigate to ipleak.com
Ensure IP's shown match your actual ISP provided IP (DNS may or may not match) ✅
Disable VPN (Status -> OpenVPN)
On VPN grouped machine ensure you have zero internet access. No pings, no ability to do DNS queries, nothing. ❌
On non VPN grouped machine everything is normal ✅
Re-enable VPN
Everything works again as it did before you disabled the VPN. May take a minute for the states to resolve correct and internet access to fully return. ✅
(I did setup the Killswitch as advised in the tutorial from the official docs, and when the interface is disabled I can see some traffic from my vlan getting killed thanks to the tag set by the floating rule.)
The problems I detected
If I manually change the monitor IP of the vpn_wggateway AND/OR tick the option to make it appear down even after flushing firewall states:
- Nothing changes, torrent_net still has vpn access
If I disable the gateway:
- torrent_net can't access internet anymore(thanks to the killswitch I think), but still can do DNS queries
The firewall options that I think may induce this behavior
- Skip rule when gateway is down
By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down
So this means that if the gateway was down for a couple of seconds, traffic is routed through WAN ? If thats the case why its not mentioned in the VPN tutorial from the official docs ?
- Disable force gateway:
Outgoing packets from this firewall on an interface which has a gateway will normally use the specified gateway for that interface. When this option is set the route will be selected by the system routing table instead.
Since I can't change the default gateway of the torrent_interface, do I tick this rule ?
I ticked and unticked both of these options, and traffic still goes through WAN if vpn_wggateway is disabled (and get killed by the killswitch).
EDIT: If I tick both of these options, and vpn_wginterface is disabled, killswitch don't kick in, and torrent_interface traffic to internet is not working
My questions
- Why does VPN DNS resolution still works even when gateway is down ?
- Why does VPN still works even when gateway is down ?
- Why does VPN DNS resolution still works even when gateway is disabled ?
- The gateway of the torrent_net is set to WAN, why can I not change it ?
- Why can't I disable the automatic NAT rule for wan for a specific interface like torrent_net ?
- Why does port forwarding (on the vpn_wginterface) still works even when VPN gateway is down ?
- How am I sure that requests originating from the torrent_lan gateway address (192.168.40.1) is going through the correct gateway ? that is the vpn_gateway
EDIT2: I managed to fix the DNS by changing the nat rule I made to redirect all DNS request to the 10.128.0.1. I changed the filter rule association to NONE, then I created manually the rule to allow 53 on the 10.128.0.1, and I set the gateway to vpn_wginterface (previously with the automatic rule creation it was set to any). Now if I disable the vpn interface, DNS doesnt work anymore (as intended) . My theory is that before when interface for this rule was set to any, opnsense directly contacted the wireguard _instance ip (without going through the 10.128.0.1) so it got an answer , because the tunnel was still working)
This setup is really confusing to me, and I apologize in advance if the explanation of my setup is not very clear, I will be happy to clarify it.
Thank you for your help!
