OPNSense doesn´t route vom Interface to Wireguard

Started by Bytechanger, April 26, 2021, 10:17:48 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 26, 2021, 10:17:48 AM
Hi,

I set up an Wireguard tunnel.
When I ping from OPNSense with Interface "default" it works fine!

But when I ping from any other Interface (LAN, etc.) it doesn´t work.

Now I add an Interface for wg1. When I ping from wg1-Interface, it works to!

Looking in routes, the subnet is set there.

Why OPNSense route traffic from other Interface to wireguard?
How can I analyze the problem?
I think, in other interfaces there are no blocking rules for wireguard.


Greets

Byte
April 26, 2021, 01:14:07 PM #1
Here are the results:

Ping source DEFAULT:
Code Select

# /sbin/ping -S '10.253.254.37' -c '3' '10.253.0.3'
PING 10.253.0.3 (10.253.0.3) from 10.253.254.37: 56 data bytes
64 bytes from 10.253.0.3: icmp_seq=0 ttl=62 time=41.213 ms
64 bytes from 10.253.0.3: icmp_seq=1 ttl=62 time=40.395 ms
64 bytes from 10.253.0.3: icmp_seq=2 ttl=62 time=42.370 ms

--- 10.253.0.3 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 40.395/41.326/42.370/0.810 ms


Ping source LAN:
Code Select

# /sbin/ping -S '172.30.90.192' -c '3' '10.253.0.3'
PING 10.253.0.3 (10.253.0.3) from 172.30.90.192: 56 data bytes

--- 10.253.0.3 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


Routes Status
Code Select

ipv4 default 100.XX.XX.X UGS 858 1500 re0 WAN
[...]
ipv4 10.253.0.0/24 wg1 US 21 1420 wg1 vp1
ipv4 10.253.1.0/24 wg1 US 0 1420 wg1 vp2
ipv4 10.253.3.0/24 wg1 US 0 1420 wg1 vp3
ipv4 10.253.10.0/24 wg1 US 0 1420 wg1 vp4
ipv4 10.253.254.37 link#14 UHS 0 16384 lo0 Loopback
ipv4 10.253.254.37/32 link#14 U 0 1420 wg1 vp



Firewallrules on LAN and Wireguard are PASS on first Position.

So, what is my fault?

Greets

Byte
April 26, 2021, 02:49:12 PM #2
Installation correct wireguard in opnsense:

https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

Rules in opnsense:

1 - Firewall - Nat - Outbound:    Hybrid

Add rule: interface: wan      tclp/ip: ipv4   protocol:any    Source adress:wireguard net     Source port: any    Destination:any    traslation: interface adress

2 - Firewall - Rules - WG:  Add rule:

Action: Pass         tcp: ipv4       Protocol: any       Source: WG net        Destination:  any

3 - Firewall - Rules - Wireguard: Add rule:

Action: Pass         tcp: ipv4       Protocol: any       Source: WireGuard net        Destination:  any
April 26, 2021, 03:27:38 PM #3 Last Edit: April 27, 2021, 06:41:29 AM by Bytechanger
Yes,

I want to build a site-to-site vpn, not a road-warrier...

Firewallrules for LAN, Wireguard, WG-Interface   ALL PASS
Outbound NAT for WAN (only if you want to server into internet over vpn)
Generate Interface for wireguard...

You can see, connection runs good, but it seems that OPNSense doesn´t route traffic from other Networks to Wireguard or back ?!

EDIT: Problem is solved, thanks. I create a outbound nat, that was different from the howto and it works now.

Greets

Byte
Print
Go Up Pages1
User actions