  • OPNsense Forum »
  • Archive »
  • 19.7 Legacy Series »
  • Wireguard installation
Author Topic: Wireguard installation  (Read 1942 times)

ursus
Wireguard installation
« on: August 22, 2019, 05:51:10 pm »
So, I wanted to install WireGuard on my firewall - read everywhere how simple that is... I followed the instructions here: https://docs.opnsense.org/manual/how-tos/wireguard-client.html and it seems as if that is for a different version of WireGuard and/or OPNsense? Setting up the routing shows me two WireGuard sections (I then renamed the interface to VPN and now I have a VPN and a WireGuard section in Rules) - which one do I use?

I would also like to help with the documentation for WireGuard, could somebody point me in the correct direction? Thx

mimugmail
Re: Wireguard installation
« Reply #1 on: August 22, 2019, 06:16:15 pm »
If you assign an interface it's named like this in rules. Use this one when you use it. For simple setups you don't need to assign.
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

ursus
Re: Wireguard installation
« Reply #2 on: August 23, 2019, 02:00:22 pm »
Quote from: mimugmail on August 22, 2019, 06:16:15 pm
If you assign an interface it's named like this in rules. Use this one when you use it. For simple setups you don't need to assign.

I have tried that but cannot get it to work? Here is what I want to do: I have three IPs. I would like to use the first IP for mail (incl. a web frontend for mail - I am using a NAT port forwarding rule), the second one for a webserver (1:1 NAT and rules) and the third one (1:1 NAT and port forwarding rules) to send all VPN traffic through to the LAN. The reason I want to use port 443 is that some of my customers have blocked "non normal" ports in the guest LAN.

What I want is therefore:

I am at the customer -> I try and connect to my VPN using IP x.x.x.204 and port 443 and want access to everything in 192.168.1.x/24

This is what I have created:

VPN/WireGuard/Local => Port 443 / Tunnel address: 10.10.0.0/24
VPN/WireGuard/Endpoint => Allowed Ip's: 10.10.0.0/24 / Endpoint address: x.x.x.204 / Port: 443
Firewall/NAT/One-to-One => WAN / x.x.x.204/32 => WireGuard net
Firewall/Rules/LAN => Allow all from 10.10.0.0/24
Firewall/Rules/Wireguard => Allow all from 10.10.0.0/24
Firewall/Rules/WAN => Destination: x.x.x.204 / Port: 443

What I am not sure about is:

Do I create a Firewall/NAT/Port Forward rule?
How do I set the DHCP server -> without an interface I cannot assign one? Or do I just assign fixed IPs? Is VPN/WireGuard/Endpoint => Endpoint Address perhaps the fixed 10.10.0.x address?

What am I missing :)

« Last Edit: August 23, 2019, 02:47:55 pm by ursus »

mimugmail
Re: Wireguard installation
« Reply #3 on: August 25, 2019, 10:29:09 am »
Have you read the docs about central VPN with WireGuard? You don't need 1:1 NAT. In Endpoint you don't need a port. At the endpoint device you need to add the local LAN. Rest is ok. Why do you need DHCP? You can also use IP/32, makes it clearer.
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

ursus
Re: Wireguard installation
« Reply #4 on: August 25, 2019, 02:50:51 pm »
>> Have you read the docs about central VPN with WireGuard?
Nope - I'll read up about it -> think this is the link you are referring to: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

>> You don't need 1:1 NAT
Ok, but how does the traffic get routed to the correct IP -> I have 3 IPs, all listening on 443? Don't I need to tell the FW that anything coming in on port 443 to the 3rd IP is for WireGuard?

>> At the endpoint device you need to add the local LAN

>> Why do you need DHCP? You can also use IP/32, makes it clearer
Yip - you are correct! I have changed it.
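As an added example (not from the thread, the OPNsense docs or the WireGuard project): a small Python check for the endpoint-device configuration that Reply #3 describes, i.e. the remote LAN 192.168.1.0/24 listed in AllowedIPs so it is routed into the tunnel, a /32 tunnel address, and host:port in Endpoint. The sample config is constructed from the thread's values; x.x.x.204 stands in for the redacted third public IP and the key placeholders are assumptions.

```python
import ipaddress

# Constructed endpoint-device (client) config for the setup in this thread.
# x.x.x.204 is the redacted public IP; the keys are placeholders, not real keys.
CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.10.0.2/32

[Peer]
PublicKey = <firewall-public-key-placeholder>
Endpoint = x.x.x.204:443
AllowedIPs = 10.10.0.0/24, 192.168.1.0/24
"""

def parse_wg_conf(text):
    """Minimal parser for wg .conf files; returns (interface, [peer, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":                      # repeated [Peer] sections are allowed
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None:
            raise ValueError(f"key outside a section: {line}")
        key, _, value = line.partition("=")          # base64 '=' padding stays in value
        current[key.strip().lower()] = value.strip()
    return interface, peers

def cidrs(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]

def check_client_conf(text, remote_lan, tunnel_net):
    """Return findings for an endpoint config; an empty list means it follows the advice."""
    findings = []
    lan, tunnel = ipaddress.ip_network(remote_lan), ipaddress.ip_network(tunnel_net)
    interface, peers = parse_wg_conf(text)
    for addr in cidrs(interface.get("address", "")):
        if addr.prefixlen != addr.max_prefixlen:
            findings.append(f"Address {addr} should be a single /32 host address")
        elif not addr.subnet_of(tunnel):
            findings.append(f"Address {addr} is outside the tunnel network {tunnel}")
    for peer in peers:
        allowed = cidrs(peer.get("allowedips", ""))
        if not any(lan.subnet_of(net) for net in allowed if net.version == lan.version):
            findings.append(f"remote LAN {lan} is not in AllowedIPs, so it is not routed via the tunnel")
        _host, sep, port = peer.get("endpoint", "").rpartition(":")
        if not sep or not port.isdigit():
            findings.append("Endpoint must be host:port (the firewall's listen port, 443 here)")
    return findings
```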
