OPNsense doesn't route from an interface to WireGuard

Started by Bytechanger, April 26, 2021, 10:17:48 AM

Hi,

I set up a WireGuard tunnel.
When I ping from OPNsense with interface "default", it works fine!

But when I ping from any other interface (LAN, etc.), it doesn't work.

Now I added an interface for wg1. When I ping from the wg1 interface, it works too!

Looking in the routes, the subnet is set there.

Why doesn't OPNsense route traffic from other interfaces to WireGuard?
How can I analyze the problem?
I think there are no blocking rules for WireGuard on the other interfaces.


Greets

Byte

Here are the results:

Ping source DEFAULT:

# /sbin/ping -S '10.253.254.37' -c '3' '10.253.0.3'
PING 10.253.0.3 (10.253.0.3) from 10.253.254.37: 56 data bytes
64 bytes from 10.253.0.3: icmp_seq=0 ttl=62 time=41.213 ms
64 bytes from 10.253.0.3: icmp_seq=1 ttl=62 time=40.395 ms
64 bytes from 10.253.0.3: icmp_seq=2 ttl=62 time=42.370 ms

--- 10.253.0.3 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 40.395/41.326/42.370/0.810 ms


Ping source LAN:

# /sbin/ping -S '172.30.90.192' -c '3' '10.253.0.3'
PING 10.253.0.3 (10.253.0.3) from 172.30.90.192: 56 data bytes

--- 10.253.0.3 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


Routes Status

ipv4 default 100.XX.XX.X UGS 858 1500 re0 WAN
[...]
ipv4 10.253.0.0/24 wg1 US 21 1420 wg1 vp1
ipv4 10.253.1.0/24 wg1 US 0 1420 wg1 vp2
ipv4 10.253.3.0/24 wg1 US 0 1420 wg1 vp3
ipv4 10.253.10.0/24 wg1 US 0 1420 wg1 vp4
ipv4 10.253.254.37 link#14 UHS 0 16384 lo0 Loopback
ipv4 10.253.254.37/32 link#14 U 0 1420 wg1 vp



Firewall rules on LAN and WireGuard are PASS in the first position.

So, what is my mistake?

Greets

Byte

Correct WireGuard installation in OPNsense:

https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

Rules in OPNsense:

1 - Firewall - NAT - Outbound:    Hybrid

Add rule: interface: WAN      TCP/IP: IPv4   protocol: any    Source address: WireGuard net     Source port: any    Destination: any    translation: interface address

2 - Firewall - Rules - WG:  Add rule:

Action: Pass         TCP/IP: IPv4       Protocol: any       Source: WG net        Destination:  any

3 - Firewall - Rules - WireGuard: Add rule:

Action: Pass         TCP/IP: IPv4       Protocol: any       Source: WireGuard net        Destination:  any

April 26, 2021, 03:27:38 PM #3 Last Edit: April 27, 2021, 06:41:29 AM by Bytechanger
Yes,

I want to build a site-to-site VPN, not a road warrior...

Firewall rules for LAN, WireGuard, WG interface:   ALL PASS
Outbound NAT for WAN (only if you want to serve into the internet over the VPN)
Generated an interface for WireGuard...

You can see the connection runs well, but it seems that OPNsense doesn't route traffic from other networks to WireGuard or back?!

EDIT: Problem is solved, thanks. I created an outbound NAT rule that was different from the howto, and it works now.

Greets

Byte
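The symptom in this thread (ping from the tunnel address 10.253.254.37 succeeds, ping from a LAN address fails, and an outbound NAT rule fixes it) is what WireGuard's cryptokey routing produces when the remote peer's AllowedIPs does not cover the LAN subnet. The model below is an added example, not code from the thread or from OPNsense; it assumes the remote peer lists only 10.253.254.37/32 for this box (the thread never shows the remote configuration) and constructs a NAT rule of the kind the last post describes.

```python
import ipaddress

# Addresses quoted in the thread above.
TUNNEL_IP = ipaddress.ip_address("10.253.254.37")  # OPNsense wg1 address
LAN_HOST = ipaddress.ip_address("172.30.90.192")   # source used in the LAN ping
TARGET = ipaddress.ip_address("10.253.0.3")        # host behind the remote peer

# Local routing table as listed under "Routes Status" (destination -> interface).
ROUTES = {"0.0.0.0/0": "re0", "10.253.0.0/24": "wg1", "10.253.1.0/24": "wg1",
          "10.253.3.0/24": "wg1", "10.253.10.0/24": "wg1"}

# ASSUMPTION: the remote peer's AllowedIPs for this box lists only the tunnel
# address; the thread never shows the remote side's configuration.
REMOTE_ALLOWED_IPS = [ipaddress.ip_network("10.253.254.37/32")]

# Constructed outbound NAT rule of the kind the last post adds: LAN sources leave
# wg1 masked behind the tunnel address (the exact rule is not shown in the thread).
NAT_TO_TUNNEL = [(ipaddress.ip_network("172.30.90.0/24"), TUNNEL_IP)]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match, as the kernel does it. The source address is not
    consulted, which is why LAN traffic for 10.253.0.3 does enter wg1."""
    best = max((ipaddress.ip_network(n) for n in routes if dst in ipaddress.ip_network(n)),
               key=lambda n: n.prefixlen)
    return routes[str(best)]

def outbound_nat(src, nat_rules):
    """First matching (source_network, translated_address) rule wins."""
    for net, translated in nat_rules:
        if src in net:
            return translated
    return src

def remote_accepts(src, allowed_ips=REMOTE_ALLOWED_IPS):
    """Cryptokey routing: after decrypting, WireGuard silently drops a packet
    whose source address is outside the sending peer's AllowedIPs."""
    return any(src in net for net in allowed_ips)

def simulate(src, dst, nat_rules=()):
    """Walk one packet through local routing, outbound NAT and the peer's check.
    Returns (egress interface, source seen by the peer, accepted?)."""
    iface = egress_interface(dst)
    if iface != "wg1":
        return iface, src, False  # never reaches the tunnel at all
    seen = outbound_nat(src, nat_rules)
    return iface, seen, remote_accepts(seen)
```

simulate(LAN_HOST, TARGET) returns ('wg1', 172.30.90.192, False), while simulate(LAN_HOST, TARGET, NAT_TO_TUNNEL) returns ('wg1', 10.253.254.37, True): the packet always leaves via wg1, so the local routing table is not the problem; what changes is the source address the remote peer sees. Adding the LAN subnet to the remote peer's AllowedIPs instead of masquerading would pass the same check without hiding the LAN addresses.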