"Recent posts
#1
German - Deutsch / Re: Problem mit Wireguard VPN ...
Last post by Patrick M. Hausen - Today at 02:03:00 PMQuote from: viragomann on Today at 01:58:22 PMEs geht doch um die Tunnel IP.
Stimmt, da hatte ich mich verlesen. Danke.
#2
26.1, 26,4 Series / Re: Is there anywhere to see L...
Last post by pseudonym3k - Today at 02:02:27 PMQuote from: pfry on April 16, 2026, 07:55:49 PMFor the devices themselves, perhaps "Interfaces: Neighbors: Automatic Discovery"?It took a little time, but the camera did show up here. This is what I needed to see, thank you.
#3
26.1, 26,4 Series / Traffic blocked by default den...
Last post by gotenhan - Today at 02:01:36 PMHello everyone
I had a VM running with bhyve on top of bare-metal OPNSense, which was bridged to one of the vlans.
Everything was working smoothly, until I updated from 25.7 series to 26.1.6.
After the upgrade, outgoing connections from the VM (internet or vlan subnet) are blocked by firewall by default deny rule on tap0 interface.
Tap0 is created automatically by bhyve when starting up the vm.
My tunables are set as below, with the intention to set the fw rules on bridge interface (vlan_lab_br) instead of underlying physical (or tap) interfaces.
vlan_lab_br consists of (dynamically added) tap0 and vlan_lab, which is a vlan device with tag 3 created on physical interface igc3.
I have a fw rule on vlan_lab_br to allow traffic between vlan_lab_br_net and vlan_lab_br_net on any protocol and port.
My understanding is that, with pfil_member=0 and pfil_bridge=1 any filtering (including default deny rule) would not happen on member interfaces (tap0 and vlan_lab).
This seemed to work according to my expectations since I set it up 3 weeks ago, while I was still on 25.7.X version - the traffic from vm (tap0) in firewall live view was appearing with interface vlan_lab_br, same as any traffic coming in/out on vlan_lab (igc3).
After upgrade yesterday, the connectivity only works to the vm (I can ssh into the vm), not from it, and the firewall live view shows the traffic on the tap0 interface.
Unfortunately I wasn't smart enough to take a snapshot before the upgrade.
Is this a bug/regression, or my setup was wrong the entire time and worked 'by accident' ?
Interfaces overview
ifconfig output
[code]
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN1_ETH0 (wan)
options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
ether REDACTED:87
inet 10.13.32.4 netmask 0xffffe000 broadcast 10.13.63.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN2_ETH1 (opt1)
options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
ether REDACTED:88
inet REDACTED.19 netmask 0xffffffe0 broadcast REDACTED.31
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igc2: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN_ORANGE (opt2)
options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
ether REDACTED:89
inet REDACTED.166 netmask 0xfffffffc broadcast REDACTED.167
I had a VM running with bhyve on top of bare-metal OPNSense, which was bridged to one of the vlans.
Everything was working smoothly, until I updated from 25.7 series to 26.1.6.
After the upgrade, outgoing connections from the VM (internet or vlan subnet) are blocked by firewall by default deny rule on tap0 interface.
Tap0 is created automatically by bhyve when starting up the vm.
My tunables are set as below, with the intention to set the fw rules on bridge interface (vlan_lab_br) instead of underlying physical (or tap) interfaces.
vlan_lab_br consists of (dynamically added) tap0 and vlan_lab, which is a vlan device with tag 3 created on physical interface igc3.
I have a fw rule on vlan_lab_br to allow traffic between vlan_lab_br_net and vlan_lab_br_net on any protocol and port.
My understanding is that, with pfil_member=0 and pfil_bridge=1 any filtering (including default deny rule) would not happen on member interfaces (tap0 and vlan_lab).
This seemed to work according to my expectations since I set it up 3 weeks ago, while I was still on 25.7.X version - the traffic from vm (tap0) in firewall live view was appearing with interface vlan_lab_br, same as any traffic coming in/out on vlan_lab (igc3).
After upgrade yesterday, the connectivity only works to the vm (I can ssh into the vm), not from it, and the firewall live view shows the traffic on the tap0 interface.
Unfortunately I wasn't smart enough to take a snapshot before the upgrade.
Is this a bug/regression, or my setup was wrong the entire time and worked 'by accident' ?
Code Select
sysctl -a | grep pfil
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0
Interfaces overview
Code Select
+---------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------+-------------+---------+-------+-------------------+---------------------+-----------------------------------+------------+-----------------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+------------+----------------------+---------+-----------+------------------+---------+-----------------+----------+---------------+---------------------------------+-----------------------------------------+----------+-----------+----------+--------+---------+-------+---------+---------+-----------------+-----------------+
| flags | capabilities | options | macaddr | supported_media | is_physical | device | mtu | macaddr_hw | media | media_raw | status | nd6 | statistics | routes | config | identifier | description | enabled | link_type | addr4 | addr6 | ipv4 | vlan_tag | gateways | ipv6 | groups | priority | hellotime | fwddelay | maxage | holdcnt | proto | maxaddr | timeout | members | vlan |
+---------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------+-------------+---------+-------+-------------------+---------------------+-----------------------------------+------------+-----------------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+------------+----------------------+---------+-----------+------------------+---------+-----------------+----------+---------------+---------------------------------+-----------------------------------------+----------+-----------+----------+--------+---------+-------+---------+---------+-----------------+-----------------+
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,tso4,tso6,lro,wol_ucast,wol_mcast,wol_magic,vlan_hwtso,netmap,rxcsum_ipv6,txcsum_ipv6,hwstats,mextpg | vlan_mtu,jumbo_mtu,wol_magic,netmap,hwstats,mextpg | REDACTED :87 | autoselect,2500Base-T,1000baseT,1000baseT full-duplex,100baseTX full-duplex,100baseTX,10baseT/UTP full-duplex,10baseT/UTP | true | igc0 | 1500 | REDACTED :87 | 1000baseT | Ethernet autoselect (1000baseT ) | up | [object Object] | [object Object] | default,1.0.0.3,10.13.32.0/19 | [object Object] | wan | WAN1_ETH0 | true | static | 10.13.32.4/19 | | [object Object] | null | 10.13.32.1 | | | | | | | | | | | | |
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,tso4,tso6,lro,wol_ucast,wol_mcast,wol_magic,vlan_hwtso,netmap,rxcsum_ipv6,txcsum_ipv6,hwstats,mextpg | vlan_mtu,jumbo_mtu,wol_magic,netmap,hwstats,mextpg | REDACTED :88 | autoselect,2500Base-T,1000baseT,1000baseT full-duplex,100baseTX full-duplex,100baseTX,10baseT/UTP full-duplex,10baseT/UTP | true | igc1 | 1500 | REDACTED :88 | 1000baseT | Ethernet autoselect (1000baseT ) | up | [object Object] | [object Object] | 8.8.8.8,REDACTED /27 | [object Object] | opt1 | WAN2_ETH1 | true | static | REDACTED | | [object Object] | null | REDACTED | | | | | | | | | | | | |
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,tso4,tso6,lro,wol_ucast,wol_mcast,wol_magic,vlan_hwtso,netmap,rxcsum_ipv6,txcsum_ipv6,hwstats,mextpg | vlan_mtu,jumbo_mtu,wol_magic,netmap,hwstats,mextpg | REDACTED :89 | autoselect,2500Base-T,1000baseT,1000baseT full-duplex,100baseTX full-duplex,100baseTX,10baseT/UTP full-duplex,10baseT/UTP | true | igc2 | 1500 | REDACTED :89 | 1000baseT | Ethernet autoselect (1000baseT ) | up | [object Object] | [object Object] | 1.1.1.3,REDACTED /30 | [object Object] | opt2 | WAN_ORANGE | true | static | REDACTED /30 | | [object Object] | null | REDACTED | | | | | | | | | | | | |
| up,broadcast,running,simplex,multicast | rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,tso4,tso6,lro,wol_ucast,wol_mcast,wol_magic,vlan_hwfilter,vlan_hwtso,netmap,rxcsum_ipv6,txcsum_ipv6,hwstats,mextpg | vlan_mtu,jumbo_mtu,wol_ucast,wol_mcast,wol_magic,hwstats,mextpg | REDACTED :dc | autoselect | true | ix0 | 1500 | REDACTED :dc | Ethernet autoselect | Ethernet autoselect | no carrier | [object Object] | [object Object] | | [object Object] | opt3 | LAN_SFP1 | true | none | | | | null | | | | | | | | | | | | | |
| up,broadcast,running,simplex,multicast | rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,tso4,tso6,lro,wol_ucast,wol_mcast,wol_magic,vlan_hwfilter,vlan_hwtso,netmap,rxcsum_ipv6,txcsum_ipv6,hwstats,mextpg | vlan_mtu,jumbo_mtu,wol_ucast,wol_mcast,wol_magic,hwstats,mextpg | REDACTED :dd | autoselect | true | ix1 | 1500 | REDACTED :dd | Ethernet autoselect | Ethernet autoselect | no carrier | [object Object] | [object Object] | | [object Object] | opt4 | LAN_SFP2 | true | none | | | | null | | | | | | | | | | | | | |
| up,broadcast,running,promisc,simplex,multicast,lower_up | rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,tso4,tso6,lro,wol_ucast,wol_mcast,wol_magic,vlan_hwtso,netmap,rxcsum_ipv6,txcsum_ipv6,hwstats,mextpg | vlan_mtu,jumbo_mtu,wol_magic,hwstats,mextpg | REDACTED :8a | autoselect,2500Base-T,1000baseT,1000baseT full-duplex,100baseTX full-duplex,100baseTX,10baseT/UTP full-duplex,10baseT/UTP | true | igc3 | 1500 | REDACTED :8a | 2500Base-T | Ethernet autoselect (2500Base-T ) | up | [object Object] | [object Object] | | | | Unassigned Interface | | | | | | | | | | | | | | | | | | | |
| up,loopback,running,multicast,lower_up | rxcsum,txcsum,linkstate,rxcsum_ipv6,txcsum_ipv6 | rxcsum,txcsum,linkstate,rxcsum_ipv6,txcsum_ipv6 | REDACTED :00 | | false | lo0 | 16384 | REDACTED | | | up | [object Object] | [object Object] | 10.13.32.4,REDACTED ,127.0.0.1,172.27.1.1,172.27.2.1,172.27.3.1,172.27.4.1,172.27.252.1,172.27.253.1,172.27.254.1,REDACTED ,::1,fe80::%lo0/64,fe80::1%lo0 | [object Object] | lo0 | Loopback | true | static | 127.0.0.1/8 | ::1/128 | [object Object] | null | | [object Object],[object Object] | lo,funbox_way | | | | | | | | | | |
| | capabilities= | options= | REDACTED :00 | | false | enc0 | 1536 | REDACTED | | | down | [object Object] | [object Object] | | | | Unassigned Interface | | | | | | | | | enc | | | | | | | | | | |
| | capabilities= | options= | REDACTED :00 | | false | pflog0 | 33152 | REDACTED | | | down | | [object Object] | | | | Unassigned Interface | | | | | | | | | pflog | | | | | | | | | | |
| up,running,noarp,multicast,lower_up | linkstate | linkstate | REDACTED :00 | | false | wg0 | 1420 | REDACTED | | | up | [object Object] | [object Object] | 172.27.253.0/24,172.27.253.2,172.27.253.3 | [object Object] | opt6 | wghome | true | none | 172.27.253.1/24 | | [object Object] | null | | | wg,wireguard,funbox_way | | | | | | | | | | |
| up,broadcast,running,simplex,multicast,lower_up | capabilities= | options= | REDACTED :4e | | false | bridge0 | 1500 | REDACTED :4e | | | up | [object Object] | [object Object] | 172.27.3.0/24 | [object Object] | opt15 | vlan_lab_br | true | static | 172.27.3.1/24 | | [object Object] | null | | | bridge,funbox_way,vm-switch,viid-f9664@ | 32768 | 2 | 15 | 20 | 6 | rstp | 2000 | 1200 | [object Object] | |
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6,mextpg | mextpg | REDACTED :8a | autoselect | false | vlan01 | 1500 | REDACTED :8a | 2500Base-T | Ethernet autoselect (2500Base-T ) | up | [object Object] | [object Object] | 172.27.1.0/24 | [object Object] | opt8 | vlan_guest | true | static | 172.27.1.1/24 | | [object Object] | 1 | | | vlan,funbox_way | | | | | | | | | | [object Object] |
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6,mextpg | mextpg | REDACTED :8a | autoselect | false | vlan010 | 1500 | REDACTED :8a | 2500Base-T | Ethernet autoselect (2500Base-T ) | up | [object Object] | [object Object] | 172.27.252.0/24 | [object Object] | opt12 | vlan_prod | true | static | 172.27.252.1/24 | | [object Object] | 252 | | | vlan | | | | | | | | | | [object Object] |
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6,mextpg | mextpg | REDACTED :8a | autoselect | false | vlan02 | 1500 | REDACTED :8a | 2500Base-T | Ethernet autoselect (2500Base-T ) | up | [object Object] | [object Object] | 172.27.254.0/24 | [object Object] | opt9 | vlan_management | true | static | 172.27.254.1/24 | | [object Object] | 254 | | | vlan,funbox_way | | | | | | | | | | [object Object] |
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6,mextpg | mextpg | REDACTED :8a | autoselect | false | vlan03 | 1500 | REDACTED :8a | 2500Base-T | Ethernet autoselect (2500Base-T ) | up | [object Object] | [object Object] | 172.27.2.0/24 | [object Object] | opt10 | vlan_home | true | static | 172.27.2.1/24 | | [object Object] | 2 | | | vlan,funbox_way | | | | | | | | | | [object Object] |
| up,broadcast,running,promisc,simplex,multicast,lower_up | rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6,mextpg | mextpg | REDACTED :8a | autoselect | false | vlan04 | 1500 | REDACTED :8a | 2500Base-T | Ethernet autoselect (2500Base-T ) | up | [object Object] | [object Object] | | [object Object] | opt11 | vlan_lab | true | none | | | | 3 | | | vlan | | | | | | | | | | [object Object] |
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6,mextpg | mextpg | REDACTED :8a | autoselect | false | vlan07 | 1500 | REDACTED :8a | 2500Base-T | Ethernet autoselect (2500Base-T ) | up | [object Object] | [object Object] | 172.27.4.0/24 | [object Object] | opt14 | vlan_iot | true | static | 172.27.4.1/24 | | [object Object] | 4 | | | vlan | | | | | | | | | | [object Object] |
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6,mextpg | mextpg | REDACTED :8a | autoselect | false | vlan08 | 1500 | REDACTED :8a | 2500Base-T | Ethernet autoselect (2500Base-T ) | up | [object Object] | [object Object] | | [object Object] | opt7 | vlan_cam | false | none | | | | 5 | | | vlan | | | | | | | | | | [object Object] |
| up,broadcast,running,simplex,multicast,lower_up | rxcsum,txcsum,tso4,tso6,lro,rxcsum_ipv6,txcsum_ipv6,mextpg | mextpg | REDACTED :8a | autoselect | false | vlan09 | 1500 | REDACTED :8a | 2500Base-T | Ethernet autoselect (2500Base-T ) | up | [object Object] | [object Object] | | [object Object] | opt5 | lan_old | false | static | | | | 1337 | | | vlan,funbox_way | | | | | | | | | | [object Object] |
| up,broadcast,running,promisc,simplex,multicast,lower_up | rxcsum,lro,linkstate,rxcsum_ipv6,mextpg | linkstate,mextpg | REDACTED :4f | autoselect | false | tap0 | 1500 | REDACTED :4f | Ethernet 1000baseT | Ethernet 1000baseT | up | [object Object] | [object Object] | | | | Unassigned Interface | | | | | | | | | tap,vm-port | | | | | | | | | | |
+---------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------+-------------+---------+-------+-------------------+---------------------+-----------------------------------+------------+-----------------+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+------------+----------------------+---------+-----------+------------------+---------+-----------------+----------+---------------+---------------------------------+-----------------------------------------+----------+-----------+----------+--------+---------+-------+---------+---------+-----------------+-----------------+
ifconfig output
[code]
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN1_ETH0 (wan)
options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
ether REDACTED:87
inet 10.13.32.4 netmask 0xffffe000 broadcast 10.13.63.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igc1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN2_ETH1 (opt1)
options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
ether REDACTED:88
inet REDACTED.19 netmask 0xffffffe0 broadcast REDACTED.31
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igc2: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN_ORANGE (opt2)
options=4902028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NETMAP,HWSTATS,MEXTPG>
ether REDACTED:89
inet REDACTED.166 netmask 0xfffffffc broadcast REDACTED.167
#4
German - Deutsch / Re: Problem mit Wireguard VPN ...
Last post by viragomann - Today at 01:58:22 PMEs geht doch um die Tunnel IP.
Aber egal, halt mich raus. Ich hab keine Practice in WG...
Aber egal, halt mich raus. Ich hab keine Practice in WG...
#5
German - Deutsch / Re: Problem mit Wireguard VPN ...
Last post by Patrick M. Hausen - Today at 01:54:35 PMAuf der OPNsense-Seite beim Peer - der ja der "Road Warrior" ist - braucht es nur die eine IP-Adresse aus dem Tunnel-Netzwerk in AllowedIPs. Best practice ...
#6
German - Deutsch / Re: Problem mit Wireguard VPN ...
Last post by viragomann - Today at 01:53:25 PMQuote from: Patrick M. Hausen on Today at 01:45:30 PMMach da mal 10.10.10.1/32 draus.?
Zitat aus den Docs - Step 1 - Configure the Wireguard Instance:
> Do not use a tunnel address that is a /32 (IPv4) or a /128 (IPv6)
Anm: ist dort auch in fetten Lettern
#7
German - Deutsch / Re: Problem mit Wireguard VPN ...
Last post by Patrick M. Hausen - Today at 01:45:30 PMQuote from: Alwin on Today at 01:36:25 PMin der WG Instanz lautet die Tunnel Adresse 10.10.10.1/24
War Quatsch - s.u.
#8
German - Deutsch / Re: Problem mit Wireguard VPN ...
Last post by viragomann - Today at 01:45:01 PMOkay, dann würde ich mir erwarten, dass alle Pakete für 10.20.0.0/16 auch darüber geroutet werden.
Wenn du dir sicher bist, dass es nicht die Firewall am Server selbst ist, die den Zugriff blockiert, mach mal ein Packet Capture (Interfaces > Diagnostic) am Server-Interface, um zu sehen, ob die Pakete Richtung Server korrekt raus gehen und ob dieser auch eine Antwort schickt.
Wenn du dir sicher bist, dass es nicht die Firewall am Server selbst ist, die den Zugriff blockiert, mach mal ein Packet Capture (Interfaces > Diagnostic) am Server-Interface, um zu sehen, ob die Pakete Richtung Server korrekt raus gehen und ob dieser auch eine Antwort schickt.
#9
German - Deutsch / Re: Problem mit Wireguard VPN ...
Last post by Alwin - Today at 01:36:25 PMgenau so ist es konfiguriert:
in der WG Instanz lautet die Tunnel Adresse 10.10.10.1/24
in der Client Konfig lauten die Allowed IPs 10.10.10.0/24,10.20.0.0/16
in der WG Instanz lautet die Tunnel Adresse 10.10.10.1/24
in der Client Konfig lauten die Allowed IPs 10.10.10.0/24,10.20.0.0/16
#10
German - Deutsch / Re: Problem mit Wireguard VPN ...
Last post by viragomann - Today at 01:30:00 PMQuote from: Alwin on Today at 12:54:33 PMDie Allowed IPs sind, wenn ichdas richtig verstehe, die Adressbereiche, die der WG VPN Client von aussen über die OPNsenseJa, genau. Die Netzwerksegmente, die der Client erreichen können soll.
erreichen soll, richtig ?
Allerdings ist das Subnet 10.20.0.0/16 in der Client-Konfig anzugeben.
Der Server braucht als allowed IP nur die virtuelle Client IP kennen.
