We don't have any guide / official support for OPNsense, nor do we do any testing on it. You can read this: https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html

Best regards,
I got it set up now to where the whole network still can connect to the internet, but the firewall itself still goes through my real IP - but it has internet now. I wanted to share the routes comparison of "Disable routes" being checked vs. when it's not. When leaving "Disable routes" unchecked (default), my connectivity breaks. Here are the routes that get generated from this:

Destination         Gateway         Flags   Netif
default             [GATEWAY IP]    UGS     igb0
0.0.0.0/1           link#14         US      wg1
[PRIV_VPN_IP]       link#14         UH      lo0
[REAL_HOMEIP]       link#1          UHS     lo0
localhost           link#6          UH      lo0
128.0.0.0/1         link#14         US      wg1
192.168.0.0/28      link#9          U       bridge0
[FW_HOSTNAME]       link#9          UHS     lo0

where "GATEWAY IP" is my ISP's gateway IP address. When checking "Disable routes" and setting the Gateway IP to "10.64.0.1", I get this:

Destination         Gateway         Flags   Netif
default             [GATEWAY IP]    UGS     igb0
10.64.0.1           link#14         UHS     wg1
[PRIV_VPN_IP]       link#14         UH      lo0
[REAL_HOMEIP]       link#1          UHS     lo0
[REAL_HOMESUB]/24   link#1          U       igb0
localhost           link#6          UH      lo0
192.168.0.0/28      link#9          U       bridge0
[FW_HOSTNAME]       link#9          UHS     lo0

The diff on these is (- not working, + working):

- 0.0.0.0/1 link#14 US wg1
- 128.0.0.0/1 link#14 US wg1
+ 10.64.0.1 link#14 UHS wg1
+ [REAL_HOMESUB]/24 link#1 U igb0

Note that I _cannot_ use 100.64.0.3 as the DNS server... I *have* to do 10.64.0.1 - I'm guessing this is because my firewall is not going through the VPN tunnel? Not entirely sure, but I've basically minimized my settings to the above. I also now have the following 2 firewall rules on the LAN interface:

Direction: in | Protocol: any | Source: LAN Net | Destination: LAN Net over any | Gateway: default
Direction: in | Protocol: any | Source: LAN Net | Destination: any over any | Gateway: Mullvad

(i.e. no rule specific to DNS).
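To make the difference between the two route tables concrete, here is an added example (not from the post and not OPNsense code) that runs a longest-prefix lookup over both tables. The [GATEWAY IP], [PRIV_VPN_IP] and [REAL_HOMESUB] placeholders are replaced with constructed documentation-range addresses so the tables parse.

```python
import ipaddress

# Constructed transcription of the first table in the post ("Disable routes" unchecked).
# Assumed placeholders: [GATEWAY IP] -> 203.0.113.1, [PRIV_VPN_IP] -> 10.64.0.2.
ROUTES_DISABLE_UNCHECKED = """\
default         203.0.113.1  UGS  igb0
0.0.0.0/1       link#14      US   wg1
10.64.0.2       link#14      UH   lo0
128.0.0.0/1     link#14      US   wg1
192.168.0.0/28  link#9       U    bridge0
"""

# Constructed transcription of the second table ("Disable routes" checked, gateway 10.64.0.1).
# Assumed placeholder: [REAL_HOMESUB]/24 -> 203.0.113.0/24.
ROUTES_DISABLE_CHECKED = """\
default         203.0.113.1  UGS  igb0
10.64.0.1       link#14      UHS  wg1
10.64.0.2       link#14      UH   lo0
203.0.113.0/24  link#1       U    igb0
192.168.0.0/28  link#9       U    bridge0
"""


def parse_routes(text):
    """Parse netstat -rn style lines into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, flags, netif = line.split()
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif "/" in dest:
            net = ipaddress.ip_network(dest, strict=False)
        else:
            net = ipaddress.ip_network(dest + "/32")  # host route, IPv4 only
        routes.append((net, gw, flags, netif))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match, as the kernel does for traffic the firewall itself originates."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, netif)
    return best[3] if best else None
```

With the two /1 routes present, every public destination is more specific than the default and leaves via wg1; with them removed, only policy-routed LAN traffic reaches the Mullvad gateway, and anything the firewall itself originates follows the default route out igb0.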
With properly configured (V)LAN rules the only traffic the FW will do over the WAN link is as follows:
- WAN configuration, IPv4/IPv6
- bogons/opnsense updates -- which are all signed
- NTP traffic - which can be secured with Chrony

Even if your scope would be possible - which I highly doubt since it would create a loop - none of the three outlined activities above would be justified for VPN only.
It's not necessarily a concern of what I'm protecting against personally, otherwise I would have reverted to the previous wireguard version until this was resolved. It's more of an issue of it not working the way it was before with how traffic is routed, which is what resulted in my Internet outage for an entire day last week. And from what it looks like in the forum, many others had issues with their Wireguard VPN connectivity as well. Also, my threat model is different than others'. There may be those who have a very high threat model and their real IP being used even for updates or NTP instead of routed through their VPN is an issue. The goal of many with using a VPN as a client at OPNsense is to mask their entire network completely behind it, whether it's because of a particular threat model or just paranoia, that's their call - it just feels like this is a miss that was overlooked when implementing the new system.

That being said, as mentioned earlier, NTP is not the only thing being missed by the VPN routing. Anything done at the firewall itself is not routed, only the traffic being forwarded through it. Downloading DNS blocklists from external sources? Real IP. Grabbing the latest GeoIP lists? Real IP. Doing a ping? Real IP. Doing a DNS lookup that's not pointing to your own VPN's private IP? Real IP. It's a much larger issue than just NTP or Updates.

Had this been a part of a "major" update, it'd be understandable that things break. But when it's a minor update that's automatically pushed without warning of things breaking, and how the very core of how the VPN worked previously, it's kind of a big deal IMO.
What do you mean by not being part of a major update? OPNSense uses the YY.MM.minor_patch version format. Updating from 23.1 to 23.7 is not a minor update and was actually the biggest update change I've seen from the project so far. There has been a lot of information and posts about the changes and how it would affect things and not be as simple as prior updates.
Nah not 23.7 in general, that didn't cause issues for me. It was the update to 23.7.3 that broke everything. The update related to the wireguard module there is what appears to have broken things (when it went to v2.0).