Topics - Rainmaker

#1
I regrettably had to move away from OPNsense to better use WireGuard on my router. At that time, the great work being done on (what was then named) os-wireguard-devel was being hindered by an upstream bug in FreeBSD. This was causing kernel panics and crashes when running WireGuard on UFS systems like OPNsense. That's the best of my recollection, anyway.

In the meantime, I wiped the Dell Optiplex 7010 (i7 3700, 8GB RAM, Intel Pro 1000PT server NIC) that lives at the edge of my network. Basically I 'made' my own router from scratch using Arch Linux, dnscrypt-proxy, WireGuard, Shorewall and so on. This has been working OK but it's a bit 'hacky' and cobbled together.

I was delighted to see that OPNsense now has a stable release os-wireguard, and from limited testing in a VM it seems OK (it's hard to properly test OPNsense between VMs due to my home network setup). Can anyone please confirm that the above bug has been fixed upstream, and that I should be safe (as anyone can be) to reinstall OPNsense on my router and set up WireGuard on there for one of my LAN subnets? I aim to keep my network as follows:

WAN (cable modem, DHCP)
LAN1 > ProSafe switch > (trusted, local devices etc)
LAN2 > ProSafe switch > (DMZ, servers and NAS, WiFi, IoT)
wg0 (routing devices from LAN1)

Thanks in advance.
#2
NOTE: This thread started as a question, but I solved it myself. Please treat it as a mini-guide on how to get WireGuard working with AzireVPN (or Mullvad etc) while still allowing yourself to access servers on your LAN from outside the network, using policy based routing. I hope my half-week of frustration, lack of sleep and grey hairs helps at least one other person.

Thanks to the guide of a fellow forum member on his website Routerperformance, I have the experimental WireGuard plugin installed and working on OPNsense v18.7.

The only issue is, I have a LAN node (TiVO) that must be connected directly to my cable ISP to work properly. I also have another local client (NAS) that hosts Plex, SABnzbd and some other stuff that I'd prefer to either similarly route directly to the ISP WAN, or else have a way to still forward ports using DNAT from WAN IP > NAS along the LAN (i.e. from 192.168.1.1 at the firewall to 192.168.1.5 at the NAS and back).

I did experiment with policy based routing, by assigning the wg0 link to an interface in OPNsense and then assigning a gateway. I changed the LAN firewall rules to:

1. $(Alias for bypass LAN IPs) - any - any - WAN_GW
2. 192.168.0.0/24 - any - any - AzireVPN_GW #Supposedly to route all other LAN traffic via VPN as they wouldn't have matched the first rule

The LAN clients just don't connect now. So I also tried changing outbound NAT (in manual mode) to:

1. WAN_DHCP - $(Alias for bypass LAN IPs) - any - any - WAN_ADDRESS
2. AzireVPN - 192.168.0.0/24 - any - any - AZIRE_TUNNEL_ADDRESS

And still nothing. I'm a bit stuck. I'll be honest I gave up on this once already, and wiped my machine and installed Arch Linux base. I added dnscrypt-proxy for dns, dhcpd for DHCP server, wireguard-tools for VPN and Shorewall to control the netfilter firewall. I assigned zones to WAN, LAN and WireGuard and away I went. I'm typing from it now and it's great... except I similarly am bumping into issues with policy based routing.

I have to choose at present, regardless of whether I'm using Arch or OPNsense, to either (a) have AzireVPN on the router - my preferred option - but have some restrictions on my TiVO and have my NAS be inaccessible from outside the LAN; or (b) have the router without VPN and just connect every individual LAN node to WireGuard, so at least my TiVO and NAS work properly. That's not actually ideal, as some local nodes aren't powerful enough to run a VPN locally without running out of steam (I have a relatively fast linespeed from my ISP).

I assume the reason it's breaking under both OPNsense and Linux is that the wg-quick tools add their own routing which completely cuts off the firewall from the ISP/WAN interface. I remember a few years ago I had IPSec tunnels up instead, and could just selectively route without issues. Incoming WAN packets to my servers (eg Plex on NAS) were hitting the firewall, and getting routed locally from $FW_IP to $NAS_LAN_IP and getting answered that way. So at the time I had the best of both worlds - all LAN clients were safe behind a VPN for all their activities, but I could still access my personal servers when away from home using my ISP's WAN IP or domain name.

Can someone help me work this out? I did try checking the 'disable routes' box on the WireGuard server page, expecting to be able to manually assign routes using the gateway and NAT rules, but the tunnel just never comes up. :( All help gratefully appreciated! Thanks in advance.
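The Linux side of the policy-based routing this post is after (keep the NAS and TiVO on the ISP path, including replies to ports DNAT'd from the WAN address, while the rest of LAN1 leaves through the tunnel, without wg-quick hijacking the main routing table) can be written as a wg-quick config that turns off automatic routes and installs `ip rule` entries by hand. The following is an added example, not part of the original post or of the Routerperformance guide; the key and endpoint placeholders, the tunnel address 10.64.0.2/32, the host addresses 192.168.0.5 (NAS) and 192.168.0.6 (TiVO), and routing table number 200 are assumptions.

```ini
# /etc/wireguard/wg0.conf  -- added example, not from the post; addresses and keys are assumptions
[Interface]
PrivateKey = <router-private-key>
Address = 10.64.0.2/32            ; tunnel address handed out by the VPN provider (assumption)
; Table = off stops wg-quick from installing its own default route and fwmark rules,
; which is what was cutting the firewall off from the ISP/WAN path.
Table = off

; The tunnel's default route lives in its own table (200) and is only reached via policy rules.
PostUp = ip route add default dev %i table 200
; 1) Traffic addressed to the local subnets stays in the main table (LAN-to-LAN and DNAT replies).
PostUp = ip rule add to 192.168.0.0/16 lookup main priority 100
; 2) Bypass hosts keep the main table, i.e. the ISP default route: NAS, then TiVO.
PostUp = ip rule add from 192.168.0.5 lookup main priority 110
PostUp = ip rule add from 192.168.0.6 lookup main priority 110
; 3) Everything else sourced from LAN1 is sent through the tunnel.
PostUp = ip rule add from 192.168.0.0/24 lookup 200 priority 120
; NAT the LAN traffic that leaves via the tunnel (the WAN masquerade stays in the firewall config).
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE

; Undo everything on the way down so rules do not accumulate across restarts.
PreDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
PreDown = ip rule del from 192.168.0.0/24 lookup 200 priority 120
PreDown = ip rule del from 192.168.0.6 lookup main priority 110
PreDown = ip rule del from 192.168.0.5 lookup main priority 110
PreDown = ip rule del to 192.168.0.0/16 lookup main priority 100
PreDown = ip route del default dev %i table 200

[Peer]
PublicKey = <provider-public-key>
Endpoint = <provider-endpoint>:51820
; 0.0.0.0/0 here only governs WireGuard's crypto-key routing; with Table = off no kernel route is added.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Rule order matters: the `to 192.168.0.0/16` rule comes first so that replies the router or a VPN-routed host sends to another LAN address never consult table 200, the per-host `from` rules come next so the NAS and TiVO fall through to the ISP default route (which is also why a port forward to the NAS is answered over the WAN), and only then does the catch-all for LAN1 pick the tunnel table. The router's own traffic to the provider endpoint is not sourced from the LAN subnet, so it always uses the main table and the tunnel can come up. On a box where Shorewall owns netfilter, the MASQUERADE lines are better expressed in Shorewall's snat configuration instead, otherwise a Shorewall restart will flush them while the tunnel stays up.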
#3
I have set up OPNsense to run SSH over a non-standard port. Login group is set to wheel and admins. Root login is disabled (box unchecked). However, when I try to SSH into the box as 'user' (who is a member of admins), I am prompted for the password. The password is accepted and the OPNsense logo appears, but followed immediately by a message that I 'must be root to login'. As I said, 'permit root user login' is unchecked, and the root user account is disabled in System > Access > Users!

The only way around this is to enable the root user, and log in via SSH using root. My 'user' is a member of admins, with permissions inherited from admins. What am I missing? It's obviously much less secure to enable the root account for SSH than to log in as 'user' and use sudo.