Suffering from a basic understanding of alias

Started by drifting, May 10, 2021, 04:27:25 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
May 10, 2021, 04:27:25 PM
Please bear with my, I am partially sighted and managed to read my wayn thorugh the WireGuard install.
However there is one part I am totally confused about, and that is this:-

The final piece is to allow traffic from the WireGuard network. First define an alias (e.g. VPN_clients) and include in it the IP addresses (e.g. 10.10.10.2 and 10.10.10.3) or subnet (e.g. 10.10.10.0/24) of the WireGuard clients from which traffic is to be allowed. Do this via Firewall ‣ Aliases (click + in the bottom right).

When I create and alias, it askes for type? Then content? have tried newtork and then the IP's, but it complains they are wrong. Sorry I know this is very basic, but really frustrated and assuming I read something wrong somewhere?

Kind regards Paul.
May 10, 2021, 09:36:04 PM #1
I have Wireguard working without the use of Alias. And went for the interface solution.
The below websites helped me. I hope they are of any help for you also:

https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

https://miha-kralj.medium.com/vpn-with-wireguard-on-opnsense-7bc1d7451a6e

https://blog.linuxserver.io/2019/11/16/setting-up-wireguard-on-opnsense-android/

Deciso DEC850v2
May 10, 2021, 10:46:18 PM #2 Last Edit: May 11, 2021, 01:15:50 AM by Greelan
@drifting, if you are looking to include single IPs, use Host(s) as the type, and if you are looking to include a subnet, use Network(s) as the type. You can also put single hosts in Network(s) but have to use CIDR format (/32)

Reading the docs always helps: https://docs.opnsense.org/manual/aliases.html

@RamSense, yes if you define an interface for the wgX device, then you can use the "net" variable that is created for that interface, and don't need to define a separate alias. But defining an interface is optional for a road warrior setup, and if it is not defined it is usually necessary to define an alias rather than using the default "Wireguard net"
May 11, 2021, 07:15:52 PM #3
@Greenlan: thanks for your answer. Can you tell me why is it better to use created " net" for that interface than the default "Wireguard net" ? What is the difference in opnsense?

Deciso DEC850v2
May 11, 2021, 10:28:49 PM #4
Because "Wireguard net" does not work as expected if there are multiple wgX devices and/or multiple endpoints. I don't know why (I haven't been able to find out what is populated in it) but this has tripped up many people. That's why the documentation has been updated
May 12, 2021, 08:06:59 AM #5
thnx! Excellent to know.
Deciso DEC850v2
Print
Go Up Pages1
User actions