Topics - xternal`

1. Virtual private networks / Wireguard maxing out at 120Mbps
« on: July 04, 2023, 02:13:11 pm »
Hi all
I have just upgraded to a fibre connection which is 1Gbit. If I connect directly with my laptop and Mullvad WireGuard I get speeds about 5% slower than the native connection.
On my APU4 PC Engines box with OPNsense I get a maximum of 120Mbps.
I have tried changing the MTU and simplifying the routing tables. No changes, and it's unlikely to be the issue as my fibre connection doesn't use PPPoE.

Any ideas how I can get my OPNsense box to achieve the same speeds? It is the latest version with the kmod as default. The CPU is also not even at 10-15% when doing the speed test.

2. Virtual private networks / Wireguard Selective Routing - Why Step 9?
« on: January 26, 2023, 08:58:20 am »
Hi,
I have set up my WireGuard to connect to Mullvad and route all LAN traffic through it.
My original setup was a little different to the guide for selective routing to an external VPN in the OPNsense wiki.

As it was the only WireGuard connection I didn't have 'disable routes' enabled. This way I just had:
1. An interface assigned to wg0
2. A gateway for the interface, GWwg0
3. A NAT outbound rule for the WireGuard interface, set to take LAN traffic out GWwg0

This worked great as I didn't have to set a specific outbound firewall rule for the LAN interface. It just took all traffic to the default gateway. This was GWwg0 when it was up, but if it failed it just went out the WAN interface (something I'm happy with; not concerned with leakage).

Now if you have 2 WireGuard instances, they don't seem to work unless one of the instances has 'disable routes' enabled, as per the wiki instructions. You then set up the routing in the firewall rules, manually set the gateway address in the WireGuard local peer, and also set the gateway monitor IP in the gateway. All things you understandably don't have to do if 'disable routes' is unchecked.
In this instance you have to use gateway groups (and set a LAN interface rule to use the grouped gateway) in order to get failover. You also need to add an extra rule which uses the default * gateway for any LAN addresses, which sits above the other rule, otherwise you can get locked out of the GUI (weird, because the floating anti-lockout rule should stop this, but it doesn't seem to).

Anyway, one of the setups it asks for is adding this floating rule https://wiki.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-9-configure-routing

What is the point of this? If I disable it, everything still works fine.

Am I missing something? It seems like a rather strange floating rule.


3. 22.7 Legacy Series / Update fails with error in certs.inc line 33
« on: September 05, 2022, 02:02:54 am »
Hello,
My upgrade has failed and the console stops with an error saying:

Uncaught error "oscp_revoked_status_nostatus" in /usr/local/etc/inc/certs.inc line 33

Can anyone help resolve this without having to do a reinstall and restore?


4. 22.1 Legacy Series / Wireguard with two local instances
« on: August 31, 2022, 07:33:31 am »
Hello,
I have WireGuard successfully set up to connect to my VPN in a site-to-site config. It is wg0.
I am also trying to add a road-warrior style setup under a second local instance assigned to wg1.

I cannot get it to work at all unless I disable the first wg0 instance. The handshake happens (I can see my client IP in the list configuration) but it doesn't complete properly and no data is sent.

As soon as I disable the site-to-site WireGuard instance it works perfectly.

I have the interfaces set up separately with separate firewall rules etc.

Can anyone assist me with this?

Cheers

Edit: OK, after further research it is because you cannot have the 'Allowed IPs' fields overlapping between endpoints. The site-to-site uses 0.0.0.0/0, which captures the local subnet assigned to each road warrior. I am guessing I need to edit the site-to-site Allowed IPs to exclude the RW Allowed IPs.
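The poster's edit above describes two WireGuard peers whose AllowedIPs overlap (a catch-all 0.0.0.0/0 on the site-to-site peer and a road-warrior address inside it) and proposes narrowing the site-to-site entry to exclude the road-warrior range. The script below is an added example, not the poster's or the OPNsense project's code: it reports which AllowedIPs entries on different peers intersect, and then carves a subnet out of 0.0.0.0/0 to produce the list of prefixes that still routes everything else. The peer names and the 10.10.10.0/24 road-warrior subnet are constructed for illustration; it uses only the Python standard library `ipaddress` module.

```python
"""Check WireGuard peers for overlapping AllowedIPs and carve a subnet out of
a catch-all 0.0.0.0/0 entry.

Added example, not OPNsense or WireGuard project code. The peer names and the
10.10.10.0/24 road-warrior subnet are constructed for illustration.
"""
import ipaddress
from itertools import combinations


def parse_nets(cidrs):
    """Parse CIDR strings into ip_network objects. strict=False accepts a host
    address carrying a prefix, e.g. 10.10.10.2/32 or 10.10.10.2/24."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_overlaps(peers):
    """peers: dict mapping a peer name to its list of AllowedIPs strings.

    Returns (peer_a, net_a, peer_b, net_b) for every pair of entries on
    different peers whose address ranges intersect, e.g. a road warrior's
    /32 sitting inside a site-to-site peer's 0.0.0.0/0."""
    hits = []
    for (name_a, cidrs_a), (name_b, cidrs_b) in combinations(peers.items(), 2):
        for net_a in parse_nets(cidrs_a):
            for net_b in parse_nets(cidrs_b):
                if net_a.version == net_b.version and net_a.overlaps(net_b):
                    hits.append((name_a, str(net_a), name_b, str(net_b)))
    return hits


def exclude_nets(allowed, excluded):
    """Return CIDR strings covering every address in `allowed` that is not in
    `excluded`, so a catch-all entry can be narrowed to leave another peer's
    subnet untouched. Each exclusion is applied to the running result, so
    several subnets can be removed in one call."""
    current = parse_nets(allowed)
    for ex in parse_nets(excluded):
        remaining = []
        for net in current:
            if net.version != ex.version or not net.overlaps(ex):
                remaining.append(net)                      # unrelated: keep
            elif net.subnet_of(ex):
                continue                                   # wholly excluded: drop
            else:
                # CIDR blocks that overlap must nest, so ex lies inside net;
                # address_exclude yields the blocks of net minus ex.
                remaining.extend(net.address_exclude(ex))
        current = remaining
    return [str(n) for n in sorted(current, key=lambda n: (n.version, n))]


def covered(cidrs, ip):
    """True if `ip` falls inside any of the given CIDRs (same IP version)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in parse_nets(cidrs))


if __name__ == "__main__":
    # Constructed example: a site-to-site peer routing everything, plus two
    # road-warrior peers whose tunnel addresses live in 10.10.10.0/24.
    peers = {
        "site-to-site": ["0.0.0.0/0"],
        "rw-laptop": ["10.10.10.2/32"],
        "rw-phone": ["10.10.10.3/32"],
    }
    for hit in find_overlaps(peers):
        print("overlap:", hit)
    peers["site-to-site"] = exclude_nets(["0.0.0.0/0"], ["10.10.10.0/24"])
    print(len(peers["site-to-site"]), "prefixes replace 0.0.0.0/0:")
    print(", ".join(peers["site-to-site"]))
    print("overlaps after narrowing:", find_overlaps(peers))
```

Removing one /24 from 0.0.0.0/0 yields 24 prefixes (one for each prefix length from /1 to /24), which is the list that would go into the site-to-site peer's AllowedIPs field instead of the single catch-all; `find_overlaps` run again on the narrowed list returns nothing.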

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved