Topics - rsbonini

1
General Discussion / WireGuard Tunnel Connects but No Internet/DNS Resolution
« on: October 28, 2022, 07:08:33 am »
I have a WireGuard server up and running, and multiple clients are able to connect to it and the rest of the LAN reliably. The clients are not able to reach the internet when connected to the tunnel. I think it's a failure to get DNS resolutions.

I would like connected clients to be forced to use the Unbound DNS service running on OPNsense. I've gone through the OPNsense WireGuard documentation and double-checked interface names, NAT rules, IP address formatting, DNS Access Control Lists, etc., and I'm just not seeing where I've gone wrong.

Anyone mind taking a look and letting me know if they have some suggestions?

Here's the WireGuard config as a starting point:

    <wireguard>
      <general version="0.0.1">
        <enabled>1</enabled>
      </general>
      <server version="0.0.2">
        <servers>
          <server uuid="######">
            <enabled>1</enabled>
            <name>WGVPN</name>
            <instance>0</instance>
            <pubkey>######=</pubkey>
            <privkey>######=</privkey>
            <port>######</port>
            <mtu/>
            <dns/>
            <tunneladdress>10.10.2.1/24</tunneladdress>
            <disableroutes>0</disableroutes>
            <gateway/>
            <peers>######</peers>
          </server>
        </servers>
      </server>
      <client version="0.0.6">
        <clients>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C1</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.104/32</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C2</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>######</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C3</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.105</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C4</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.107/32</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C5</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.110</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
        </clients>
      </client>
    </wireguard>
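As an added illustration (not part of the original post and not OPNsense code), the following Python checker parses a <wireguard> config block of the shape quoted above and reports the fields a reviewer looks at first when peers connect but get no DNS or internet: peer tunnel addresses with no prefix length, addresses outside of or duplicated within the server's tunnel network, and an empty local DNS field. That last one is informational: WireGuard has no mechanism to push DNS to peers, so each peer's own DNS setting has to point at the OPNsense end of the tunnel (10.10.2.1 here) for Unbound to be used. The XML it runs on is constructed to mirror the post, keeping the redacted ###### values as placeholders and adding two peers (C6, C7) that do not appear in the post, purely to exercise the checks.

```python
"""Lint an OPNsense-style <wireguard> config block for peer/DNS settings.

Added example; the XML below is constructed to mirror the forum post and is
not a real configuration. Redacted values from the post are kept as ######.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: server and peers as in the post, plus C6/C7 added here
# to trigger the "outside tunnel network" and "duplicate address" checks.
SAMPLE_XML = """<wireguard>
  <server version="0.0.2"><servers>
    <server uuid="######">
      <enabled>1</enabled><name>WGVPN</name><instance>0</instance>
      <dns/>
      <tunneladdress>10.10.2.1/24</tunneladdress>
      <disableroutes>0</disableroutes>
    </server>
  </servers></server>
  <client version="0.0.6"><clients>
    <client uuid="######"><enabled>1</enabled><name>C1</name><tunneladdress>10.10.2.104/32</tunneladdress></client>
    <client uuid="######"><enabled>1</enabled><name>C2</name><tunneladdress>######</tunneladdress></client>
    <client uuid="######"><enabled>1</enabled><name>C3</name><tunneladdress>10.10.2.105</tunneladdress></client>
    <client uuid="######"><enabled>1</enabled><name>C4</name><tunneladdress>10.10.2.107/32</tunneladdress></client>
    <client uuid="######"><enabled>1</enabled><name>C6</name><tunneladdress>192.168.50.9/32</tunneladdress></client>
    <client uuid="######"><enabled>1</enabled><name>C7</name><tunneladdress>10.10.2.104/32</tunneladdress></client>
  </clients></client>
</wireguard>"""


def _text(elem, tag):
    """Return the stripped text of a child element, or '' if absent/empty."""
    return (elem.findtext(tag) or "").strip()


def lint_wireguard(xml_text):
    """Return a list of (severity, name, message) findings for the config."""
    root = ET.fromstring(xml_text)
    findings = []
    tunnel_nets = []  # networks of every enabled local (server) instance

    for srv in root.iterfind("./server/servers/server"):
        if _text(srv, "enabled") != "1":
            continue
        name = _text(srv, "name") or srv.get("uuid", "?")
        local_ips = []
        for raw in _text(srv, "tunneladdress").split(","):
            raw = raw.strip()
            if raw:
                iface = ipaddress.ip_interface(raw)
                tunnel_nets.append(iface.network)
                local_ips.append(str(iface.ip))
        if not _text(srv, "dns"):
            findings.append(("info", name,
                             "local <dns> is empty; WireGuard does not push DNS, so each peer's "
                             "own DNS setting must point at the tunnel address "
                             + ", ".join(local_ips)))

    seen = {}  # peer address -> first peer name using it
    for cl in root.iterfind("./client/clients/client"):
        if _text(cl, "enabled") != "1":
            continue
        name = _text(cl, "name") or cl.get("uuid", "?")
        for raw in _text(cl, "tunneladdress").split(","):
            raw = raw.strip()
            if not raw:
                findings.append(("error", name, "no tunnel address (AllowedIPs) configured"))
                continue
            try:
                iface = ipaddress.ip_interface(raw)
            except ValueError:
                findings.append(("error", name, f"unparseable tunnel address {raw!r}"))
                continue
            if "/" not in raw:
                findings.append(("warn", name,
                                 f"{raw} has no prefix length; a single peer is normally /32"))
            elif iface.network.prefixlen != iface.max_prefixlen:
                findings.append(("warn", name,
                                 f"{raw} is a range, not a single host; only intended for routed site-to-site peers"))
            if tunnel_nets and not any(iface.ip in net for net in tunnel_nets):
                findings.append(("error", name,
                                 f"{iface.ip} is outside the server tunnel network(s)"))
            if iface.ip in seen:
                findings.append(("error", name, f"{iface.ip} duplicates peer {seen[iface.ip]}"))
            seen.setdefault(iface.ip, name)
    return findings


if __name__ == "__main__":
    for severity, name, message in lint_wireguard(SAMPLE_XML):
        print(f"[{severity}] {name}: {message}")
```

Run against a real export, replace SAMPLE_XML with the <wireguard> section of the OPNsense config backup; peers that produce no finding (C1 and C4 in the sample) are at least consistently addressed, which narrows the search to the peer-side DNS and AllowedIPs settings and to the firewall/NAT rules the post already mentions.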

2
21.7 Legacy Series / Discovery of SMB shares over WireGuard VPN not working.
« on: January 06, 2022, 06:23:22 am »
So, I have a WireGuard VPN set up and somewhat working.

OPNsense, the Unraid server, and other hosts on the LAN will respond to pings, and their web pages are accessible through the tunnel. Going to smb://10.10.x.y (Unraid server IP address) through the tunnel shows the available SMB shares, and they seem to work and be fairly responsive.

However, simply going to "Network" in the file explorer to see available network resources finds nothing, and neither do network drives mapped to locations specified as smb://hostname.local/sharename. Ideally, access to network resources would work when connected via VPN just as it does when connected on the LAN.

From my research this is likely because network discovery relies on layer 2 broadcasts, which can't get through the WireGuard tunnel. My research hasn't turned up a workaround for this. Is automatic network resource discovery just not possible through a WireGuard tunnel? Any clues on this front would be greatly appreciated.

Not sure if this is related, but connected clients are also unable to get internet access through the tunnel. I've gone through the OPNsense Road Warrior and the homenetworkguy.com guides, and double-checked everything, including that WireGuard is on Unbound's ACL list, but no joy.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved