OPNsense Forum
Topics - schnerring

1
Tutorials and FAQs / [Blog] I migrated the popular "pfSense baseline guide" to OPNsense
« on: November 18, 2021, 12:19:57 am »
Over the past few weeks, I created the OPNsense Baseline Guide with Mullvad VPN, Guest, and VLAN Support. It's a beginner-friendly, comprehensive step-by-step guide that replicates the popular pfSense baseline guide setup that many of you might know.

I skip over hardware selection and installation instructions as I was fortunate enough to be able to support Deciso's open-source mission by buying the DEC630 like a year ago. The only thing I regret about the purchase is that I now can't afford the sexier-looking successor model, the DEC690.  ;D

The guide covers the following topics:
  • ISP and WireGuard Mullvad VPN WAN
  • "Clearnet", VPN, and Guest VLAN configuration
  • Simultaneous use of DNS resolver (Unbound) and forwarder (Dnsmasq) to satisfy the requirements of VLANs
I revised this guide many times as I configured and learned about the OPNsense platform. I probably clean-installed my appliance more than 20 times. Publishing this guide has been on my agenda for like a year and I'm really happy to share it with you. Any feedback is greatly appreciated and I hope you like it.

The only issue I'm having is that I can't get WireGuard multi-WAN to work. Someone commented that `wireguard-kmod` makes it possible, so I'm gonna give this a try soon.

2
Virtual private networks / Is anybody successfully using WireGuard with multi-WAN / GW grp. load balancing?
« on: November 14, 2021, 06:47:16 pm »
I successfully set up selective routing with WireGuard over one tunnel as per the tutorial from the docs for outbound internet traffic. I set up multiple tunnels and as long as I'm using only one tunnel / gateway, everything works fine. As soon as I use a gateway group to load balance traffic over all the tunnels, things stop working properly.

The docs mention this:

Quote
When assigning interfaces we can also add gateways to them. This would offer you the chance to balance traffic via different VPN providers or do more complex routing scenarios.

... and this:

Quote
When assigning interfaces, gateways can be added to them. This is useful if balancing traffic across multiple tunnels is required or in more complex routing scenarios. To do this, go to System ‣ Gateways ‣ Single and add a new gateway. Choose the relevant WireGuard interface and set the Gateway to dynamic. These scenarios are otherwise beyond the scope of this how-to.

Does anyone have a link on where I can read up on the topic "beyond this how-to"? Can anyone shed some light on what the Dynamic gateway policy would do here?

In this post it's mentioned that:

Quote
But true HA / LB is not possible with WG (yet...). So all connection states will be dropped when having a failover-event.

Can anyone confirm this? Does anybody have a working multi-tunnel load balance configuration?


3
Virtual private networks / Force Unbound (resolver) to use a WG tunnel and not default route
« on: October 30, 2021, 12:59:03 am »
I use Unbound as a resolver and want to force Unbound to use the WireGuard VPN tunnel I configured but just can't figure out what's wrong. At this point I suspect it has to do with NAT or (floating) firewall rules I don't understand.

For reproduction, I factory reset OPNsense and started over leaving everything at defaults.

Next, I followed the WireGuard Selective Routing to External VPN Provider guide from the docs, and WireGuard is handshaking. The only thing missing is fixing the DNS leak, as mentioned in the guide. I want to implement option 1):

Quote
Force the local DNS server to use the tunnel as well. [...] For OPNsense itself, configure the DNS server to use the tunnel gateway.

I think this is the setting under Services > Unbound DNS > General > Outgoing Network Interfaces? I selected the WAN_VPN interface I created. I also blocked all IPv6 traffic by unchecking Firewall > Advanced > Allow IPv6. I rebooted and checked the DNS leak, and it's still there.

I created a firewall live log filter to check DNS root server requests: dst=<any root dns server>. It turns out that DNS traffic leaves through the WAN gateway due to the let out anything from firewall host itself (force gw) rule. So to get rid of this rule, I check Disable force gateway under Firewall > Settings > Advanced. But the traffic still leaves through the WAN interface (let out anything from firewall host itself rule).

I also tried to uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN under System > Settings > General, but this doesn't affect Unbound in resolver mode because it looks up root servers.

Switching from Hybrid outbound NAT rule generation to Manual is when everything stops working because the only NAT rule I have is the selective routing through the tunnel from one host.

To fix this, I just change the alias I created for selective routing from containing just a single host to the entire LAN network (192.168.1.1/24). I tested that all hosts are NATed through the VPN tunnel with traceroute, and indeed, everything hops through the tunnel. But DNS resolution is broken:

Code:
    # works
    tracepath -n 8.8.8.8
    # doesn't work
    tracepath 8.8.8.8

Looking at the generated rules when in hybrid mode, I can see that 127.0.0.0/8 and Loopback networks are NATed to WAN. What's the difference between those two networks anyway? Aren't 127.0.0.0/8 loopback networks? Anyway, adding 127.0.0.1/8 to the selective routing alias didn't work.

System > Routes > Status displays

Code:
    Proto  Destination  Gateway        Flags  Use    MTU   Netif  Netif (name)
    ipv4   default      <ISP WAN IP>   UGS    11793  1500  igb1   wan

I don't know how to proceed or what to debug. Any help is greatly appreciated.
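The live-log filter for root-server traffic described in the post above, turned into a small offline checker, as an added example that is not part of the original post and not OPNsense's own code: it reads simplified firewall log records and flags DNS egress (destination port 53) that left through any interface other than the WireGuard tunnel, and tags hits to well-known root servers separately because those are what Unbound in resolver mode contacts directly. The key=value record format is a constructed simplification, not OPNsense's real filterlog format; the interface names igb1 and wg0, the addresses in the sample, and the function names are assumptions.

```python
"""Detect DNS egress that bypasses the VPN tunnel in firewall log records.

Constructed, simplified key=value log format for illustration; it is not
OPNsense's real filterlog format. Interface names and addresses are assumed.
"""
import re
from collections import Counter

# A few well-known root name server addresses (a, c and d roots). Unbound in
# resolver mode talks to these directly, so port-53 traffic to them on the
# ISP uplink instead of the tunnel is exactly the leak the post describes.
ROOT_SERVERS = {"198.41.0.4", "192.33.4.12", "199.7.91.13"}

# Constructed sample log: igb1 is the ISP uplink, wg0 the WireGuard tunnel.
SAMPLE_LOG = """\
iface=igb1 dir=out proto=udp src=203.0.113.10 dst=198.41.0.4 dport=53 action=pass
iface=wg0 dir=out proto=udp src=10.64.0.2 dst=192.33.4.12 dport=53 action=pass
iface=igb1 dir=out proto=tcp src=203.0.113.10 dst=199.7.91.13 dport=53 action=pass
iface=igb1 dir=out proto=udp src=203.0.113.10 dst=10.64.0.1 dport=51820 action=pass
iface=wg0 dir=out proto=udp src=10.64.0.2 dst=8.8.8.8 dport=53 action=pass
iface=igb1 dir=out proto=tcp src=203.0.113.10 dst=93.184.216.34 dport=443 action=pass
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn one 'key=value key=value' line into a dict (empty dict if blank)."""
    return dict(_KV.findall(line))


def is_dns_egress(rec):
    """True for outbound UDP or TCP traffic to destination port 53."""
    return (rec.get("dir") == "out"
            and rec.get("proto") in ("udp", "tcp")
            and rec.get("dport") == "53")


def find_dns_leaks(lines, vpn_iface):
    """Return DNS egress records that left via an interface other than vpn_iface.

    Each hit is (iface, dst, kind), where kind is 'root-server' when the
    destination is a known root server (resolver iteration) or 'other'.
    """
    leaks = []
    for line in lines:
        rec = parse_record(line)
        if not rec or not is_dns_egress(rec):
            continue
        if rec["iface"] != vpn_iface:
            kind = "root-server" if rec["dst"] in ROOT_SERVERS else "other"
            leaks.append((rec["iface"], rec["dst"], kind))
    return leaks


def dns_egress_summary(lines):
    """Count DNS egress records per interface, e.g. {'igb1': 2, 'wg0': 2}."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and is_dns_egress(rec):
            counts[rec["iface"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("DNS egress per interface:", dns_egress_summary(lines))
    for iface, dst, kind in find_dns_leaks(lines, "wg0"):
        print(f"LEAK: DNS to {dst} ({kind}) left via {iface}, not the tunnel")
```

With the sample above, the summary shows port-53 traffic split between igb1 and wg0, and the leak list contains the two root-server queries that went out the uplink; the WireGuard handshake (UDP 51820) and the HTTPS flow on igb1 are ignored because they are not DNS. Running the same filter against a real export of the live log after each settings change (outgoing interface, force-gateway rule, NAT mode) gives a yes/no answer for whether the leak is actually closed instead of relying on a single tracepath run.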


OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved