Selective routing to VPN (Wireguard)

Started by Harald, May 15, 2021, 03:42:56 PM

May 15, 2021, 03:42:56 PM Last Edit: May 15, 2021, 11:36:55 PM by Harald
Hi
I'm trying to do pretty much the same thing as described here:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

Started earlier, but trying to troubleshoot using the manual above. Got the peer connected and can see the handshake etc. with the VPN provider, no problem.
Now the tricky bit:
Got a local IP address from the provider ("Tunnel Address" in step 2 above). In previous manuals I have seen, there was no setting for the "Gateway" in step 2.
So I have changed everything according to the manual, but no difference.

The only bigger difference in my config is Step 8 - in my case I have an alias with the IP addresses of the hosts whose traffic should be routed through the VPN, but this should not be a problem.

Once the firewall rule is activated, on the host redirected to the VPN I'm getting HTTPS errors: NET:ERR_CERT_AUTHORITY_INVALID

The problem is for sure related to the gateway, as I have done a simple test - added another physical router in the same LAN network as a 2nd gateway. Using this IP as the gateway in Step 8 works just fine. Once changed back to the WireGuard IP, it breaks again.

Results I'm getting:
WireGuard gateway as tunnel address less 1 - no traffic, timeout
WireGuard gateway as tunnel address - HTTPS errors

Not sure where I should go from here.

EDIT:
I guess this may be the reason why it's not working, I just don't know how to fix it.

Basically it shows outbound NATing the local IP to the tunnel address, but then...

all tcp 10.XXX.XX.XXX:49927 (192.XXX.XX.XXX:49927) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49933 (192.XXX.XX.XXX:49933) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49926 (192.XXX.XX.XXX:49926) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49928 (192.XXX.XX.XXX:49928) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49929 (192.XXX.XX.XXX:49929) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49932 (192.XXX.XX.XXX:49932) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49924 (192.XXX.XX.XXX:49924) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49925 (192.XXX.XX.XXX:49925) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49930 (192.XXX.XX.XXX:49930) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
all tcp 10.XXX.XX.XXX:49931 (192.XXX.XX.XXX:49931) -> XXX.XXX.XXX.XXX:443 SYN_SENT:CLOSED
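As an added diagnostic (not part of Harald's post or of OPNsense), the following parser reads pf state lines in the format pasted above and picks out the flows that were translated by outbound NAT but never got a SYN-ACK back, which is what separates a NAT problem from a gateway or return-path problem. The regex, the Flow type and the sample addresses are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One `pfctl -ss` line. pf prints the translated (on-wire) source first and the
# pre-NAT source in parentheses. The regex is my own, not from the thread.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\s+\((?P<orig>[\d.]+):(?P<oport>\d+)\))?"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)$"
)

@dataclass
class Flow:
    proto: str
    src: str              # source as seen on the wire (post-NAT)
    orig: Optional[str]   # pre-NAT source, None when no translation was applied
    dst: str
    dport: int
    state: str

    @property
    def natted(self) -> bool:
        return self.orig is not None and self.orig != self.src

def parse_states(text: str) -> List[Flow]:
    """Parse state lines; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            flows.append(Flow(m["proto"], m["src"], m["orig"], m["dst"],
                              int(m["dport"]), m["state"]))
    return flows

def stuck_natted_flows(flows: List[Flow]) -> List[Flow]:
    """NATed TCP flows whose SYN left through the translation but no SYN-ACK
    came back (SYN_SENT:CLOSED): points at the route/return path, not the NAT rule."""
    return [f for f in flows
            if f.proto == "tcp" and f.natted and f.state == "SYN_SENT:CLOSED"]

# Constructed sample in the thread's output format (addresses are made up).
SAMPLE = """\
all tcp 10.64.0.2:49927 (192.168.1.20:49927) -> 203.0.113.10:443 SYN_SENT:CLOSED
all tcp 10.64.0.2:49933 (192.168.1.20:49933) -> 203.0.113.10:443 SYN_SENT:CLOSED
all tcp 192.168.1.20:50100 -> 192.168.1.1:443 ESTABLISHED:ESTABLISHED
all udp 198.51.100.7:51820 -> 192.0.2.55:51820 MULTIPLE:MULTIPLE
"""
```

Running `stuck_natted_flows(parse_states(SAMPLE))` on the sample returns the two 443 flows: the translation to the tunnel address happened, so the missing piece is the reply path.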

Show the contents of your FW rule and outbound NAT rule?

Outbound NAT
Interface WG_OUT
Source LAN/any -> interface address

Rules as per manual
Source
IPv4/[ip to be routed via VPN] alias
-> gateway.

And again - the results depend on the gateway settings. If I set the gateway to the local IP of the WG tunnel, it appears to be working, but shows HTTPS errors.
If I set up the gateway IP according to the manual (tunnel IP less 1) or any other IP - it doesn't work at all. This IP is not accessible; looks like it's an error in the manual.
The tunnel IP is live, answers pings etc., just not able to route traffic through.

May 16, 2021, 01:50:36 AM #3 Last Edit: May 16, 2021, 04:17:45 AM by Greelan
It's not helpful to only get partial info, but my guess is that you still have destination invert checked in the FW rule? That should be unchecked in your use case - i.e. you are defining only certain IPs that should go through the tunnel, not certain IPs that should not.

Edit: this is assuming that you are trying to specify endpoint IPs as being the only IPs to go through the tunnel, rather than source IPs. Otherwise, if you are trying to limit by source IPs, the manual page deals with your use case without changes being needed.

I have done it again, now strictly according to the manual:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

The gateway IP is - as per the manual - the tunnel IP less one (I have learned that using the exact tunnel IP as the gateway IP redirects traffic to the router, not the VPN). Client IP traffic should be routed through the VPN, but has no internet whatsoever.

My concern is that when gateway monitoring is enabled it shows OFFLINE for some reason, regardless of WireGuard showing UP and a proper handshake.

Sorry, friend, but without seeing screenshots I can't help you. The manual guide works (I wrote it and have it currently running, and can send a single LAN host down the tunnel).


I was trying to add screenshots but the forum wasn't displaying them.

Will try again:

A couple of obvious things:
- Allowed IPs are wrong on the Endpoint. Should be 0.0.0.0/0
- You have disabled gateway monitoring on the gateway, which is probably why it shows offline.

You haven't shown any outbound NAT rule.

Also a suggestion that I haven't got around to updating the docs for - instead of 1.1.1.1 as the monitor IP, put in the tunnel IP on your VPN provider's end. Whatever you put as the monitor IP will have a static route created for it and will only be accessible via the tunnel, meaning any other hosts on your LAN won't be able to access it.
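The checklist above, together with the gateway finding earlier in the thread (using the local tunnel IP itself as the gateway sends traffic back to the firewall), written as a small configuration sanity check. This is added example code, not part of the thread, the OPNsense docs or OPNsense itself; the field names are my own, and the "tunnel address minus one" rule is taken from the how-to as quoted in the thread.

```python
import ipaddress as ipa
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class WgSelectiveRouting:
    """The handful of settings the thread turned out to hinge on (names are mine)."""
    tunnel_address: str              # local tunnel IP from the provider, e.g. "10.64.0.2"
    gateway_ip: str                  # gateway address entered under System > Gateways
    endpoint_allowed_ips: List[str]  # AllowedIPs on the provider endpoint (peer)
    monitor_ip: Optional[str]        # gateway monitor IP; None when monitoring is disabled

def check_config(cfg: WgSelectiveRouting) -> List[str]:
    findings = []
    tun = ipa.ip_address(cfg.tunnel_address)
    gw = ipa.ip_address(cfg.gateway_ip)
    allowed = [ipa.ip_network(n, strict=False) for n in cfg.endpoint_allowed_ips]
    # 1. WireGuard's cryptokey routing drops packets whose destination is outside
    #    the peer's AllowedIPs, so an egress peer needs the default route.
    if not any(n.version == tun.version and n.prefixlen == 0 for n in allowed):
        findings.append("endpoint AllowedIPs lacks 0.0.0.0/0: internet-bound traffic "
                        "is dropped by the tunnel, not forwarded")
    # 2. The gateway must be a far-side address. The local tunnel IP itself
    #    sends traffic back to the firewall, as observed in the thread.
    if gw == tun:
        findings.append("gateway IP equals the local tunnel address: traffic is routed "
                        "to the firewall itself, not into the tunnel")
    elif gw != tun - 1:
        findings.append(f"gateway IP {gw} is not tunnel address minus one ({tun - 1}) "
                        "as the how-to uses; check the provider's gateway address")
    # 3. Monitoring: disabled shows as offline; a public monitor IP gets a static
    #    route via the tunnel and becomes unreachable for the rest of the LAN.
    if cfg.monitor_ip is None:
        findings.append("gateway monitoring disabled: gateway is shown as offline")
    else:
        mon = ipa.ip_address(cfg.monitor_ip)
        if mon.is_global:
            findings.append(f"monitor IP {mon} gets a static route through the tunnel; "
                            "other LAN hosts lose it, use the provider-side tunnel IP")
    return findings
```

A config matching the how-to (AllowedIPs 0.0.0.0/0, gateway 10.64.0.1 for tunnel 10.64.0.2, provider-side IP as monitor) returns no findings; the configuration described in the thread returns one finding per item in the checklist.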

Ok, after days of trying to figure out what the problem was it got a little bit messy, so I have to do it again from scratch, but "allowed IPs" in the Endpoint configuration was the source of my problems.
Thank you for spotting it.