OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • Wireguard Selective Routing Instructions - Question
« previous next »
  • Print
Pages: [1]

Author Topic: Wireguard Selective Routing Instructions - Question  (Read 778 times)

Salty72

  • Newbie
  • *
  • Posts: 7
  • Karma: 0
    • View Profile
Wireguard Selective Routing Instructions - Question
« on: February 18, 2023, 11:16:12 pm »
Hi,
I'm following the wireguard selective routing instructions on the docs.opnsense.org website.
Step 9 has me confused; as in, I would like to understand the purpose of it.

Step 2: Configure local peer instructs the Tunnel Address to be /32. This makes sense in that a specific IP is assigned to the VPN local peer (e.g. 10.0.0.2/32) and routing is disabled (assuming that the firewall rules will take care of it).

Step 2 and 6: Creates a gateway on the VPN subnet. (e.g. 10.0.0.1/32)

I performed all the steps 1-8.
At this point, my opnsense server can ping the gateway (10.0.0.1/32) but cannot ping a remote peer (10.0.0.3/32). A local LAN host can ping the gateway (10.0.0.1/32) and a remote peer (10.0.0.2/32). The remote peer can ping my defined gateway (10.0.01/32) and a host in my LAN (192.168.0.x) but cannot ping my local peer (10.0.0.2/32).

Step 9: Configure routing instructions has me confused.
It states that all outbound packets originating from the VPN address (10.0.0.2/32) with an destination of the VPN network should be directed to the VPN gateway (e.g. 10.0.0.1/32).

Couple of questions:
1. Where did we define the VPN network being used in Step 9? Since we specified the VPN local peer in step 2 to be 10.0.0.2/32 and the interface picks up the IP and subnet from the VPN local peer, wouldn't the VPN network be 10.0.0.2/32?
If yes, why are routing a packet from 10.0.0.2/32 to 10.0.0.2/32 to a gateway in the VPN tunnel?
If no (and the VPN network is identified correctly e.g 10.0.0.2/24), is this rule for allowing the firewall and NAT'd clients to access the VPN?

Adding the routing rule in step 9 did not make a difference to my ping issues prior to step 9.

2.  Assuming that I'm not performing NAT (other peers can route packets for my subnet back through the VPN tunnel), I would not create a NAT rule (step 10). Does step 9 provide any purpose/value if I'm not creating the NAT rule (step 10)?

Thanks,
Logged

Greelan

  • Hero Member
  • *****
  • Posts: 1028
  • Karma: 72
    • View Profile
Wireguard Selective Routing Instructions - Question
« Reply #1 on: February 18, 2023, 11:54:50 pm »
Step 9 has the destination inverted, so it behaves differently to what you describe.

Basically it’s replicating the force gateway rule for WAN, to ensure that packets coming from the WG interface IP go out the right gateway. See this (lengthy) discussion: https://github.com/opnsense/core/issues/5329.

Should really only be an issue for services on OPNsense itself that are intended to use the tunnel (eg unbound in the issue linked above).
« Last Edit: February 19, 2023, 02:21:25 am by Greelan »
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • Wireguard Selective Routing Instructions - Question
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2