Is routing with wireguard different than openvpn?

Started by Bytechanger, November 14, 2019, 11:42:42 AM

November 14, 2019, 11:42:42 AM Last Edit: November 14, 2019, 11:51:34 AM by Bytechanger
Hi,

I'm using OPNsense with WireGuard and OpenVPN server.

When I route traffic over OpenVPN to my home network, my network behaves as if I were at home.
But when I route over WireGuard, the devices behave as if I came from external.

So over WireGuard my FritzBox shows me the external login site (username and password).
Over OpenVPN the FritzBox shows me the internal login site (password).

Where is my fault, where is the difference?

EDIT: FritzBox is a client in my network, only for VoiceOverIP.

Greets

Byte



I've OPNsense directly connected to a Vigor modem (no double NAT).
Nothing special in Firewall->NAT->Outbound.

Where can I check other information, that can be wrong?

Greets

Byte

Packet capture on the interface and check the source IP; maybe the packets are getting NATted.

November 18, 2019, 01:27:40 PM #5 Last Edit: November 18, 2019, 01:33:15 PM by Bytechanger
Thanks,

but by default, for WireGuard, there is no interface in Interfaces.
In Firewall->Rules there is WireGuard, but not in Interfaces.
So in Diagnostics->Packet Capture there is no interface to choose for WireGuard?!

When I manually assign wg0 to a new interface, in Firewall->Rules there are 2 entries for WireGuard...


When I manually set a new interface and try to connect, it doesn't work, but packet capture shows the following:
13:29:22.395435 IP 100.64.0.110.56423 > 172.30.90.222.80: tcp 0

So I think there is no NAT. 100.64.0.110 is my WireGuard IP, 172.30.90.222 the FritzBox.


Greets

Byte

So, that packet should be NATted so that the source is within the range of the FritzBox.
I'd guess you have an outbound rule and the source doesn't match your WireGuard IP.

November 18, 2019, 09:12:41 PM #7 Last Edit: November 18, 2019, 09:29:51 PM by Bytechanger
OK, what do I have to do?

Set outbound

Interface: wireguard
Source: wireguard net
NAT address: LAN address ????


But no change...



Edit:
Interface: lan
Source: wireguard net
NAT address: LAN address

Seems to work....

Is this OK or is this setting a security problem?


Greets Byte
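
An added example (not part of the thread or of OPNsense): a check for the capture step discussed above. It parses tcpdump-style lines like the one posted and reports whether the source seen on the LAN side is still the tunnel address or has been rewritten to a LAN address. The /24 prefixes and the second sample line are assumptions; only the first sample line comes from the thread.

```python
import ipaddress
import re

# Assumed prefixes: the thread gives single addresses only, not masks.
TUNNEL_NET = ipaddress.ip_network("100.64.0.0/24")  # assumption
LAN_NET = ipaddress.ip_network("172.30.90.0/24")    # assumption

# Matches the "IP src.port > dst.port:" form shown in the posted capture.
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def classify(line):
    """Return src, dst, dport and a verdict for one capture line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:  # e.g. an octet above 255
        return None
    if dst not in LAN_NET:
        verdict = "not-lan-bound"
    elif src in TUNNEL_NET:
        verdict = "tunnel-source-visible"  # LAN host sees the VPN client IP
    elif src in LAN_NET:
        verdict = "lan-source"             # looks local, e.g. after outbound NAT
    else:
        verdict = "other-source"
    return {"src": str(src), "dst": str(dst),
            "dport": int(m.group("dport")), "verdict": verdict}

def summarize(lines):
    """Count verdicts over many capture lines, skipping unparsable ones."""
    counts = {}
    for line in lines:
        result = classify(line)
        if result is not None:
            counts[result["verdict"]] = counts.get(result["verdict"], 0) + 1
    return counts

SAMPLE = [
    "13:29:22.395435 IP 100.64.0.110.56423 > 172.30.90.222.80: tcp 0",  # from the thread
    "13:41:07.120001 IP 172.30.90.1.40211 > 172.30.90.222.80: tcp 0",   # constructed
    "not a capture line",                                               # constructed
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(classify(sample_line))
    print(summarize(SAMPLE))
```

A "tunnel-source-visible" verdict on a LAN-side capture means LAN devices see the VPN client's own address. A "lan-source" verdict means the address has been rewritten, so a device such as the FritzBox can no longer tell VPN clients from local hosts.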