Weird connection Problems

[timmuellef]

Hey all,
I'm running into several other pretty weird issues. I've been troubleshooting for a few days now having reinstalled several times and tried everything I could find on this forum or other websites but I made no progress. So I figured I just ask other people who have exponentially more experience than me in networking.

My general objective is to use a Wireguard VPN tunnel to let my vms access the internet and being able to route  incoming requests on the IP of that tunnel to be able to get routed to any machine on my network

I'm now using OPNSense on an old Dell Optiplex 7020 (which should be enough for basic gigabit networking?).
I pretty much am using a completely fresh install with my interfaces set up (lan, wan (my isp) and a vlan on the lan interface for my vms which all should route through the VPN. I exactly followed this https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html guide to set up the wireguard interface and routing my vlan to it.
This setup causes some weird issues on my vms.
- Most of the Internet works and I can google and all but some ips/domains, for example 13.107.213.67:443 (minecraft authentication servers) won't return anything. I've observed using tcpdump that the packets actually get sent and even received but all of my machines still don't receive anything useful like the service down website using curl or just a browser.
- Sometimes it takes a few seconds for the connection speed to "ramp up" until I actually get a connection.
- Some domains just won't resolve  (using 1.0.0.1 through unbound on opnsense) but through another device outside of the Network it works
- If I have an incoming port forward from the vpn interface to any of my vms the packets get successfully routed to my vm and get responded to. But the responses, for some reason, go through my normal wan interface (ISP) instead back to the sender on the VPN interface.

If there is something I need to share additionally please ask and I'll eagerly provide it.

Thank you

[Saarbremer]

Hi,

I am very sorry to inform you that I did not understand your setup at all. You use wireguard from your VMs to access internet and your network. Why? Several locations? Road warrior? What are the endpoints?

Some domains don't resolve with what info - NXDOMAIN? Which domains?

Why is there a port forward, what interfaces do you have on OPNsense, what is their IP config? Rules? DNS blockers involved?

[timmuellef]

Sorry for my bad wording.

I've changed no settings except adding and configuring my interfaces and doing the stuff explained in the docs page.
I want to have the wireguard connection on my router. All the requests from the machines in my vm vlan to the internet should be routed through said wireguard connection.
The domains won't resolve in any browser or using nxlookup in the command line. (No ip returned) Just to clarify these domains work on other devices. 1 example domain would be the one from my vpn provider (www.apiversa.com)
I’m just using unbound without any blockers.
I’m using the VPN primarily to not have my public home ip used for any services that are supposed to be open to the outside.
The port forward is there to expose my game servers which are hosted on one of the vms in the vlan.

If you need any pictures of configuration pages let me know but as said I've only changed the things mentioned.

If I left anything out I’m very sorry. I did not understand what you meant by some keywords.
Thanks for answering!

[Saarbremer]

Hi,

again, I am sorry. The docs do not specify your internal LAN's layout, IP adresses/IF addresses, subnet sizes etc. Furthermore, I cannot see to which segment your hosts are connected. So yes, any additional information IS appreciated.

In general check your unbound for log messages, check if unbound can access root servers, i.e. firewall rules and routes. Check the firewall's live view and routing tables for that.

You can also try to run a packet capture on WAN to identify what unbound is communicating about.

Sorry, just general help,.

[timmuellef]

Hey Sorry for the delay,

The Domain has been fixed by reinstalling and the speed too.

The only two issues im left with are firstly that port forwards replies get sent to my WAN instead of  the VPN where the request originated from.
And secondly 13.107.213.67:443 won't resolve only through OPNSense if it travels through my VPN Gateway (If I use the official wireguard client it connects just fine)
I've attached a tcpdump log which may help.

Because you asked for it:
My Lan is 10.0.0.0/24
My vmLan (VLan 10) is 10.0.1.0/24
My WAN is the default of my ISPs Router : 192.168.178.0/24

[timmuellef]

The Port-Forward Issues seems to be a bug with the reply-to option in the auto-generated Traffic rule not being set correctly because when I created the rule manually and set the reply-to to my VPN Gateway manually it works fine.
I have created a github issues regarding this issue.

[timmuellef]

The Host unreachable problem seems to also be a common pf/opnsense wireguard plugin problem. After further testing I figured that it works perfectly fine on OpenWrt. I will create a Bug report for it.