Wireguard installation

[ursus]

So, I wanted to install WireGuard on my Firewall - read everywhere how simple that is... I followed the instructions here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html and it seams as if that is for a different version of WireGuard and/or OPNsense? Setting up the routing shows me two WireGuard sections (I then renamed the interface to VPN and now I have a VPN and a WireGuard section in Rules) - which one do I use?

I would also like to help with the documentation for WireGuard, could somebody point me in the correct direction? Thx

[mimugmail]

If you assign an interface it's named like this in rules. Use this one when you use it. For simple setups you dont need to assign.

[ursus]

If you assign an interface it's named like this in rules. Use this one when you use it. For simple setups you dont need to assign.

I have tried that but cannot get it to work? Here is what I want to do: I have three IP's. I would like to use the first IP for Mail (incl. a web-frontend for mail - I am using a NAT Port Forwarding rule), the second one for a Webserver (1:1 Nat and rules) and the third one (1:1 Nat and Port Forwarding rules) to send all VPN traffic through to the LAN. The reason I want to use port 443 is that some of my customers have blocked "non normal" ports in the guest LAN.

What I want is therefore:

I am at the customer -> I try and connect to my VPN using IP x.x.x.204 and port 443 and want access to everything in 192.168.1.x/24

This is what I have created:

VPN/WireGuard/Local => Port 443 / Tunnel address: 10.10.0.0/24
VPN/WireGuard/Endpoint => Allowed Ip's: 10.10.0.0/24 / Endpoint address: x.x.x.204 / Port: 443
Firewall/NAT/One-to-One => WAN / x.x.x.204/32 => WireGuard net
Firewall/Rules/LAN => Allow all from 10.10.0.0/24
Firewall/Rules/Wireguard => Allow all from 10.10.0.0/24
Firewall/Rules/WAN => Destination: x.x.x.204 / Port: 443

What I am not sure about is:

Do I create a FireWall/NAT/Port forward rule?
How do I set the DHCP server -> without an interface I cannot assign one? Or do I just assign fixed IP's? Is VPN/WireGaurd/Endpoint => Endpoint Address perhaps the fixed 10.10.0.x address?

What am I missing

[mimugmail]

Have you read the docs about central VPN with WireGuard? You dont need 1to1 Nat. In endpoint you dont need a port. At the endpoint device you need to add the local lan. Rest is ok. Why do you need DHCP? You can also use IP/32, makes it clearer

[ursus]

>> Have you read the docs about central VPN with WireGuard?
nope - I'll read up about it -> think this is the link you are referring to: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

>> You dont need 1to1 Nat
ok, but how does the traffic get routed to the correct IP -> I have 3 IP's, all listening to 443? Don't I need to tell the FW that anything coming in port 443 to the 3rd IP is for WireGuard?

>> At the endpoint device you need to add the local lan


>> Why do you need DHCP? You can also use IP/32, makes it clearer
yip - you are correct! I have changed it.