OPNsense

Messages - x2416

1
General Discussion / Re: Wireguard Tunnel Connects but No Internet/DNS Resolution
« on: November 10, 2022, 10:56:15 pm »
Did you add DNS: <ip address> to the [Interface] of your client tunnels?

2
20.1 Legacy Series / Re: Wireguard
« on: March 10, 2020, 08:58:38 pm »
Thank you!

3
20.1 Legacy Series / Wireguard
« on: March 10, 2020, 06:41:21 pm »
Hi!

I've read somewhere that wireguard in 19.7 won't allow you to add a Gateway with "dynamic" in the ip address. Will it work in 20.x?

Trying to set up a firewall rule to force a client through a wireguard connection, and not having much luck so far since there's no way to add a gateway to be used in firewall rules, unless there's another way?

Thanks for any help.

4
20.1 Legacy Series / Re: Wireguard Clients Disconnected
« on: January 31, 2020, 06:12:25 pm »
Once again -- Thanks for your reply.

You didn't answer the question though, which side do you want screenshots of?

5
20.1 Legacy Series / Re: Wireguard Clients Disconnected
« on: January 31, 2020, 04:42:17 pm »
Are you asking for screenshots of the server or the remote sites?

The server works fine, and some of the remote sites reconnect just dandy; however, some of the remote sites never reconnect until we hit save.

6
20.1 Legacy Series / Re: Wireguard Clients Disconnected
« on: January 31, 2020, 03:18:27 pm »
All endpoints have a unique /32, and then also another network associated with them (/24, /16, etc.)

7
20.1 Legacy Series / Wireguard Clients Disconnected
« on: January 31, 2020, 02:53:51 pm »
Hello!

This might not be the right place for this, but I don't know a better place.

Using Wireguard on opnsense at remote sites, and a main server with a static.

When we add a new peer into the main server, some of the remote sites don't automatically reconnect. We have to go into the remote sites, and hit save inside the wireguard interface to get them to reconnect.

Is this a bug or misconfiguration?

Thank you for your assistance! ;D

8
19.7 Legacy Series / Re: IPSec Tunnel Established but no routes
« on: November 13, 2019, 02:31:55 pm »
Sure.

Phase 1 is the outside ip address for me and outside ip address of the peer. It's followed by the encryption settings for the tunnel. Phase 1 completes.

Phase 2 is

Local Subnet: LAN
Remote Subnet: 10.200.1.0/16

Encryption settings match the connection I'm trying to establish. Phase 2 completes.

I can ping from the remote site to the local LAN address. I see its traffic in opnsense on enc0 using tcpdump.

If I delete the route (route del 10.200.0.0/16), I can then ping through the tunnel to the remote site, but only from the opnsense. I cannot ping through this tunnel from anything behind it.

Alternatively, I can ping from the remote site through the tunnel to the LAN address and anything on it, but when it replies, the reply gets to this OPNsense where IPSec is terminated, and then stops. It never goes through the tunnel according to TCPDUMP.

I thought (following most guides), that I'd be able to set up an interface under Interface Assignments and then add a GW, so that I could add a route. (Remember: the route gets put in place 10.200.0.0/16, but it's assigned to the outside internet connection vtnet, not ipsec.)

As far as I can tell, it's a bug. I found another post where someone said they could get to the interface for IPSec if they go to interfaces.php?if=enc0, and I can also, but changing its name and/or settings makes no difference. It still does not show up in any interfaces.

At a loss on what to do next. :-)

Thanks to anyone who could comment and assist.

9
19.7 Legacy Series / IPSec Tunnel Established but no routes
« on: November 12, 2019, 10:35:53 pm »
I have an IPSec setup which is established. The routes necessary for it aren't put in place correctly. It keeps adding them when the tunnel comes up, but assigning them to the WAN interface.

I can delete the route (which allows the opnsense itself to ping through the tunnel), but nothing behind it works.

Is this a bug? Most documentation says to add a gateway selecting the IPSEC interface, but I can't find it.

Jeff

10
19.7 Legacy Series / Re: NAT Rules relating to Wireguard Interfaces
« on: August 27, 2019, 02:31:22 pm »
I did assign an interface, but deleted it thinking it was unnecessary, and it honestly is unnecessary once it's set up.

I did figure out my problem though, I assigned the client address so far away from the tunnel address, I had my NAT rule incorrect.

I changed the ip address of the client to fall in line with the subnet I chose, and it works just fine now.

:-)

11
19.7 Legacy Series / NAT Rules relating to Wireguard Interfaces
« on: August 26, 2019, 04:44:58 pm »
Hi!

I've set up wireguard with two clients, one being 172.20.1.1. I put in some NAT rules to allow this client out to the internet, however, the traffic is going out the WAN interface without being NAT'd first.

--

10:40:54.680981 IP 10.20.1.1.37352 > 8.8.8.8.53: 10996+ A? audio-sv5-t1-1-v4v6.pandora.com. (49)
10:40:54.681100 IP 10.20.1.1.45138 > 8.8.8.8.53: 28973+ A? android-tuner.pandora.com. (43)
10:40:54.681178 IP 10.20.1.1.42111 > 8.8.8.8.53: 12703+ A? clients4.google.com. (37)
10:40:54.681264 IP 10.20.1.1.42743 > 8.8.8.8.53: 18097+ A? clients4.google.com. (37)
10:40:54.681343 IP 10.20.1.1.5269 > 8.8.8.8.53: 1405+ A? clients4.google.com. (37)
10:40:54.681747 IP 10.20.1.1.32947 > 8.8.8.8.53: 60937+ A? clients4.google.com. (37)
10:40:55.011681 IP 10.20.1.1.47250 > 8.8.8.8.53: 25109+ A? sirocco.accuweather.com. (41)
--

I've tried moving the rule, changing the ip address, etc. to no change.

Any help would be appreciated :-)

Jeff

12
19.1 Legacy Series / OpenVPN Export Options
« on: March 07, 2019, 07:37:30 pm »
What happened to all the openvpn export options?

How do I make a mobile config from the files presented? :-/

13
18.7 Legacy Series / Re: Multi-WAN not routing incoming packets back whence they came properly
« on: October 31, 2018, 07:55:01 pm »
Go into each interface, and at the bottom where you can select a gateway, select the correct gateway.

Also, check out Firewall -> Settings -> Advanced and check Sticky Connections under Multi-WAN :-D

14
18.7 Legacy Series / LAN Carp with two different WAN providers, OPENVPN clients and redundancy
« on: October 18, 2018, 04:32:56 pm »
So I'm trying to use CARP on a LAN to keep clients able to access the internet through 1 of 2 opnsense gateways.

One is connected via traditional methods, other uses a 4G router.

I want the LAN to have a CARP address on it, so clients in the LAN can always hit the internet. These two devices would be in physically separate locations (sometimes separated by radios) and using VLANs to do a WAN carp on the two devices wouldn't work out very well.

Both of these devices connect back to the main office, where they each receive an ip address respective of their COMMON NAME.

The questions are as follows:

1) Can I set this up where the two boxes will change between slave and master based upon WAN status? Doesn't appear so.

2) How can I set up the 'iroute's at the main office so that it'll fail over or should I go with openvpn tap and use OSPF across it?

3) Any other suggestions?

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved