Topic: WireGuard Questions... (Read 2664 times)
Hoe (Newbie, Posts: 14, Karma: 0)
WireGuard Questions...
« on: March 16, 2021, 08:17:16 pm »
Hey guys,
New here, only just started using OPNsense. Really impressed, however I am very confused and a bit stuck setting up my VPNs with WireGuard. I can get the endpoint to connect but not pass traffic properly, probably because of firewall \ NAT rules which I am trying to figure out in the OPNsense world. I have used many firewalls over the years, mostly enterprise gear, but still I look at a lot of the OPNsense menus in bemusement almost at the moment; I just need to figure some things out, but we'll come back to that...
I have got so utterly confused now due to conflicting posts around the internettymcwebby! ;/
So I'll start from the top of what I am trying to achieve.
SITE A:
Cloud Server with Single NIC running OPNsense 21.1.3_3
This is a Single NIC VPS running OPNsense; this will be the middle man for any traffic coming externally back into my home, and any traffic over the VPN not for my house should be routed out over the VPS's internet connection.
This way my mobile traffic is always secure, yet I always have a link home active too with minimal latency.
Currently this OPNsense has its NIC set as LAN. I had it as WAN but kept losing access and was recovering from backups all the time, so I have switched over for now.
*There is a firewall above this in the VPS control Panel so only the VPN port is available anyway (exception for all traffic from my house for now).
SITE B:
Home Address running OPNsense 21.1.3_3
10.0.0.0/24
+ another remote network from this 10.10.0.0/24
DEVICE 1-3:
Mobile, Tablet, Office Desktop.
Now, for the purposes of making things simple, let's focus purely on the SITE A <-> SITE B link please; once I know that is working I am sure I can figure out the rest.
So SITE A, the VPS, needs to route all traffic to 10.0.0.0/24 and 10.10.0.0/24 over the VPN, then route everything else out over its own internet connection (using itself as DNS on the VPN interface ideally, or LAN if the single port remains as LAN not WAN).
The VPN Range will be 10.8.0.0/24
PROBLEMS:
The first problem I find is that in OPNsense people say the local tunnel addresses need to be...
SITE A:
10.8.0.1/24
SITE B:
10.8.0.2/24 or maybe 10.8.0.2/32?
Which to me makes sense, as you are saying this local adapter needs to be x.x.0.2 as the remote site is already x.x.0.1.
However, if I use anything other than x.x.0.1/24 the WireGuard service will not even run?!
So other places say that both should be x.x.0.1/24, which I have tried and even seem to get a connection on, but that cannot be right, as then if I ping 10.8.0.1 from either end I get a 1ms response, meaning both ends are responding as 10.8.0.1 on themselves and are never going to be able to communicate with each other, especially as either site will already think that address is local as it will have it configured there.
So do I need to put an entirely dummy range in one of the Local OPNsense configuration Tunnel Address fields to avoid the conflict? Cannot leave this field blank?!
To keep this post readable I'll put my next question(s) in a response below to separate them as otherwise this is going to be hard to follow I suspect.
Hoe (Newbie, Posts: 14, Karma: 0)
Re: WireGuard Questions...
« Reply #1 on: March 16, 2021, 08:33:58 pm »
So my next question is routing \ firewall rules: are there any good guides that explain the way OPNsense is thinking with the layout of some of these?
Not criticising it, I'm sure there is a good reason, but having used SonicWalls, Junipers, Fortigates, Sophos, pfSense, Cisco and god knows what other number of firewalls over the years, some of this just confuses me at this point. Some of it is simple and will be easy to answer; for some I may need to be pointed in the direction of some documents or guides if possible please.
1. WireGuard configures its own interface which appears in Firewall Rules when active. Some say you need to create an interface assignment for this, which you can only do once the VPN is up and I have done, but now I see 2x 'WireGuard' options under Firewall Rules, WTH?! Which one do I not need to create this assignment?
2. Firewall rules, Outbound, let's say LAN > WAN, I see none, yet my understanding was if there was no rule it was blocked. I expect to see a default allow any rule somewhere; am I looking in the wrong place or does it just not exist in the OPNsense world?!
3. NAT Rules, just WTF, these are so confusing to me lol. I have done NAT before, I just find the thinking really unclear. At times I have got the VPN saying it's connected, though I dispute that based on the IP issues mentioned above, but not actually working: traffic will flow one way more than the other and only very little bits of it. I suspect I need a NAT rule, which I have read is needed, but when I go to create one I am so confused.
I guess it's Outbound, then it asks me which interface, well IDK, as I can't figure out if this means the interface it's monitoring to forward traffic or the destination interface? Also I have 2x WireGuards of course, which confuses things further lol.
Just need to wrap my head around some of it...
Thanks for reading \ trying anyway.
Hoe (Newbie, Posts: 14, Karma: 0)
Re: WireGuard Questions...
« Reply #2 on: March 16, 2021, 09:40:25 pm »
This is a common theme of the connections (WAN IP, Ports & Keys removed); notice how it's only B sent...
interface: wg0
public key:
private key: (hidden)
listening port:
peer:
endpoint:
allowed ips: 10.8.0.3/32
latest handshake: 45 seconds ago
transfer: 29.86 KiB received, 220 B sent
peer:
endpoint:
allowed ips: 10.8.0.2/32, 10.0.0.0/24
I have Hybrid NAT with an Outbound rule for the WAN Interface for the Source WireGuard net, and a Firewall Rule for WAN from Source WireGuard net.
I have switched the interfaces back to WAN only, as WG does not appear to listen \ look on LAN.
Thanks
Hoe (Newbie, Posts: 14, Karma: 0)
Re: WireGuard Questions...
« Reply #3 on: March 16, 2021, 10:21:50 pm »
OK, seems I may have sorted it; it would appear I had the following problems tripping me up...
1. WireGuard only works on WAN from what I can figure out, so if you have a Single NIC Cloud Firewall you need to have the interface configured as WAN. I did originally but started playing after failing.
2. NAT Rules were indeed an issue; I over-complicated it and it didn't help.
3. This was my biggest issue and what just solved everything for me: I needed to use an extra FAKE LAN IP Range on the Endpoint for the Cloud Firewall or it just wouldn't connect, as it had no networks to map.
Using 0.0.0.0/0 worked, however I didn't want to pass all traffic through; as there is no LAN range on that box I had to just make one up for the WG configuration so it would connect.
I suspect there may be a better way, probably mapping 0.0.0.0/0 then using routing rules to prevent WAN traffic leaving the house for there.
Now to figure out why it doesn't forward WAN correctly for my mobile... oh the fun!
Hoe (Newbie, Posts: 14, Karma: 0)
Re: WireGuard Questions...
« Reply #4 on: March 17, 2021, 09:43:56 pm »
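WireGuard decides routing from each peer's AllowedIPs (its "cryptokey routing"): an outbound packet goes to the peer whose AllowedIPs contains the destination, and an inbound packet is discarded unless its source address lies in the sending peer's AllowedIPs. That is why a peer entry holding only the tunnel /32 carries no LAN traffic, the gap Reply #3 closes by adding an extra network, and why the "lots received, almost nothing sent" counters in Reply #2 are the symptom to look for. The model below is an added example, not code from this thread or from OPNsense; it parses a constructed `wg show` listing modelled on Reply #2 (placeholder keys, RFC 5737 documentation addresses as endpoints, made-up byte counts) and applies both rules to it.

```python
"""
Added example (not from the forum thread or OPNsense): a small model of
WireGuard's AllowedIPs semantics applied to the site A / site B layout the
thread describes. Keys, endpoints and transfer counts below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    allowed_ips: list = field(default_factory=list)   # ipaddress networks
    received: int = 0   # bytes, from the `transfer:` line
    sent: int = 0


_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}

# Constructed `wg show` output shaped like Reply #2 (VPS side, two peers).
WG_SHOW_SAMPLE = """\
interface: wg0
  public key: <redacted>
  private key: (hidden)
  listening port: 51820

peer: MOBILE_PLACEHOLDER_KEY
  endpoint: 203.0.113.10:41234
  allowed ips: 10.8.0.3/32
  latest handshake: 45 seconds ago
  transfer: 29.86 KiB received, 220 B sent

peer: SITEB_PLACEHOLDER_KEY
  endpoint: 198.51.100.20:51820
  allowed ips: 10.8.0.2/32, 10.0.0.0/24, 10.10.0.0/24
  latest handshake: 1 minute, 2 seconds ago
  transfer: 1.20 MiB received, 980.00 KiB sent
"""


def parse_wg_show(text):
    """Parse `wg show`-style text into Peer objects (peer key, allowed ips, transfer)."""
    peers, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("peer:"):
            current = Peer(name=line.split(":", 1)[1].strip() or f"peer{len(peers) + 1}")
            peers.append(current)
        elif current and line.startswith("allowed ips:"):
            nets = line.split(":", 1)[1].split(",")
            current.allowed_ips = [ipaddress.ip_network(n.strip()) for n in nets if n.strip()]
        elif current and line.startswith("transfer:"):
            m = re.search(r"([\d.]+) (\w+) received, ([\d.]+) (\w+) sent", line)
            if m:
                current.received = int(float(m.group(1)) * _UNITS[m.group(2)])
                current.sent = int(float(m.group(3)) * _UNITS[m.group(4)])
    return peers


def select_peer(peers, dst):
    """Outbound rule: the peer with the longest AllowedIPs prefix covering dst.
    None means no peer claims it; such a packet is never sent through the tunnel
    (on the VPS that is the desired behaviour for general internet traffic)."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for p in peers:
        for net in p.allowed_ips:
            if dst in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best.name if best else None


def accepts_source(peer, src):
    """Inbound rule: a decrypted packet is kept only if its source address is
    inside the sending peer's AllowedIPs; anything else is silently dropped."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in peer.allowed_ips)


def one_way_peers(peers, ratio=100):
    """Flag peers whose received bytes dwarf sent bytes: handshake fine, but
    nothing is routed back, typically an AllowedIPs or NAT gap on this side."""
    return [p.name for p in peers if p.received > 0 and p.received / max(p.sent, 1) > ratio]


def demo():
    peers = parse_wg_show(WG_SHOW_SAMPLE)
    # Site B as it would look with only the tunnel /32 (before adding the LAN range)
    siteb_tunnel_only = Peer("siteB", [ipaddress.ip_network("10.8.0.2/32")])
    siteb_with_lan = Peer("siteB", [ipaddress.ip_network("10.8.0.2/32"),
                                    ipaddress.ip_network("10.0.0.0/24")])
    return {
        "home_lan": select_peer(peers, "10.0.0.50"),      # -> site B peer
        "remote_lan": select_peer(peers, "10.10.0.7"),    # -> site B peer
        "mobile": select_peer(peers, "10.8.0.3"),         # -> mobile peer
        "internet": select_peer(peers, "1.1.1.1"),        # -> None, leaves via WAN
        "lan_src_tunnel_only": accepts_source(siteb_tunnel_only, "10.0.0.50"),  # False
        "lan_src_with_lan": accepts_source(siteb_with_lan, "10.0.0.50"),        # True
        "one_way": one_way_peers(peers),                  # -> mobile peer only
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same two rules explain the tunnel-address question in the first post: the Address field only gives the local end an IP inside the tunnel network, while AllowedIPs on each peer entry is what makes the other side's LAN reachable and its packets acceptable, so a cloud-side entry that lists nothing beyond the remote tunnel /32 matches no LAN destination and no LAN source.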
Managed to resolve this; most of my problems were caused by a miscommunication with the VPS provider leaving one of the interfaces as a Private-only interface! :/