Wireguard Opnsense (server) with 4 clients - finally working
Hopmeister
Newbie
Posts: 14
Karma: 1
Wireguard Opnsense (server) with 4 clients - finally working
on: November 05, 2021, 10:42:32 am
Hello all,
APU4, Opnsense version 21.7.4, Amd64
I have multiple laptops and phones (work and personal) in my household and I've had OpenVPN and OpenWRT working faultlessly for years, but I've decided to update my setup.
Setup is now FTTP (150/30) from ADSL FTTC, moved to Opnsense (APU4) as my main router/gateway and demoting OpenWRT WRT3200 AP/switch to now being a dumb AP, building VLANs (DMZ, IoT, work LAN and wife LAN) and getting them working (tricky little things).
Traffic shaping finally working, including getting bufferbloat A+ results, which was much easier on OpenWRT. I use Pihole but my wife loves the Google ads and searches, so she has her own VLAN with no Pihole. Keeps her happy.
It's been a long journey as both my wife and myself now have to work from home (thanks Covid) and I only have limited time to play / test / break / fix my networks, or risk the anger of an angry wife. So the WAF (wife acceptance factor) has to be so that she can't see I've upgraded.
I'm sure it can still be improved, but as of now it's working seamlessly and passed the WAF test.
After reading so many websites and tutorials that my eyes have gone blind, I finally have it working. There are always one or two steps that are missing. There may be a different way, or many different ways, but this works for me, including with Unbound adblocking for the WireGuard peers (clients). I actually want to use Pihole in this chain but I've yet to work out the firewall & port forward rules for this; working multi-peer Wireguard was my priority.
This may be utterly obvious to those that are wise owls, but to someone always learning and new to WireGuard ONE missing step has had me baffled for weeks. I had a feeling it was firewall related, and it was!
You need to add rules to the WAN interface per WG* interface as well as rules for each WG* interface.
So I hope this helps someone else.
I will assume that you have one working road warrior into your wireguard server and now you want to add more devices. Once you have one fully working setup then it is just a matter of cloning the existing settings but increasing ports and interfaces to match.
I use the same server IP, 10.0.0.1/24.
Peers are:
10.0.0.2/32
10.0.0.3/32
10.0.0.4/32
10.0.0.5/32
Getting one peer (client) up and running is easy enough if you follow all the usual tutorials. It is getting multiple peers (clients) working as well that I'll explain. See below.
I will type up a nice step by step tutorial document over the next few weeks and post it on here. It's nice to be able to finally share knowledge back.
You need to add firewall rules on the WAN that match the ports you are using, so here is an example.
These are the MISSING instructions from everything I have read so far.
Firewall WAN:
WG0 protocol ipv4/6, source *, port *, destination WAN address, port 51820, gateway *, schedule *, description - whatever you want to call it - Allow WG0 remote access to the WireGuard VPN
Now for the next bit, look at the interface number and port. They have changed.
WG0 protocol ipv4/6, source *, port *, destination WAN address, port 51820, gateway *, schedule *, description - whatever you want to call it - Allow WG0 remote access to the WireGuard VPN
WG1 protocol ipv4/6, source *, port *, destination WAN address, port 51821, gateway *, schedule *, description - whatever you want to call it - Allow WG1 remote access to the WireGuard VPN
WG2 protocol ipv4/6, source *, port *, destination WAN address, port 51822, gateway *, schedule *, description - whatever you want to call it - Allow WG1 remote access to the WireGuard VPN
Repeat these incremental interface and port number steps for EVERY client (peer) that you want to access your WG server.
Also each interface has its own firewall rule, which are below the WAN rule on my server. Mine start with WG0, WG1, WG2, WG3 and WG4.
Rules are:
protocol ipv4/6, source WG0 net and description "WG0 inbound allow". All the other options are * (any).
protocol ipv4/6, source WG1 net and description "WG1 inbound allow". All the other options are * (any).
protocol ipv4/6, source WG2 net and description "WG2 inbound allow". All the other options are * (any).
NAT outbound rules:
Clone the rule for WG0 and adjust it to match the interface, i.e. WG1, WG2, etc.
DNS:
I have Unbound working on my OPNsense with adblocking. Make sure you add EACH interface that you want to use Unbound to the configuration.
Unbound / general / network interfaces
When you have completed all that, I go to the lobby page and restart wireguard-go.
After the missing WAN rules, it's all working for me.
Last Edit: November 05, 2021, 10:51:41 am by Hopmeister
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard Opnsense (server) with 4 clients - finally working
Reply #1 on: November 05, 2021, 10:56:24 am
This is in fact not necessary at all. You can have multiple clients connecting on the one wg device on OPNsense. For example, I have three clients connecting to wg0.
Did you read the official docs?
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Hopmeister
Newbie
Posts: 14
Karma: 1
Re: Wireguard Opnsense (server) with 4 clients - finally working
Reply #2 on: November 05, 2021, 12:28:17 pm
Hi yes,
The docs are not clear (to me, or I didn't see it or misunderstood them) in stating whether you need separate ports per client/peer or not. As I understood it, only different IPs were required. But that didn't work. Only one client would connect. They are very technical and some of the knowledge is or was above my own at the time.
Thanks for the reply, I will try and follow the official guide again once I'm home as I'm on holiday at the moment and needed to get it working so I can stream the football from my house to my laptop.
Thanks Greelan.
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard Opnsense (server) with 4 clients - finally working
Reply #3 on: November 05, 2021, 12:33:54 pm
The docs only tell you to configure one local config. But they do note that you can configure as many endpoints as you need for clients (each with a unique IP in the subnet created in the local config). Just make sure you add all the endpoints into the local config.
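Greelan's point above, as an added example that is not from this thread or from OPNsense: one [Interface] (OPNsense's "local") serving several [Peer] blocks (OPNsense's "endpoints") on a single ListenPort, plus a check for the peer-list mistakes that leave a second client unable to connect, the symptom Hopmeister describes. It assumes the plain wg-quick INI layout rather than the OPNsense GUI, and the keys are constructed placeholders.

```python
import ipaddress

# Constructed sample (placeholder keys, not real ones): one [Interface] for the
# 10.0.0.1/24 tunnel and three [Peer] blocks, two of which claim the same /32.
SAMPLE_CONF = """
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = LAPTOP_PUBKEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = PHONE_PUBKEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = WORK_PUBKEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24
"""

def parse_wg(text):
    """Split INI-style WireGuard text into (interface_dict, list_of_peer_dicts)."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines fall through
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return iface, peers

def check_peers(text):
    """Return findings as strings; an empty list means the peer set is consistent."""
    iface, peers = parse_wg(text)
    tunnel = ipaddress.ip_interface(iface["Address"]).network
    findings, seen = [], []  # seen: (network, peer number) already accepted
    for n, peer in enumerate(peers, 1):
        for cidr in filter(None, peer.get("AllowedIPs", "").replace(" ", "").split(",")):
            net = ipaddress.ip_network(cidr, strict=False)
            # Cryptokey routing: overlapping AllowedIPs means only one of the peers is reachable.
            for other, m in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {n}: {net} overlaps peer {m} ({other})")
            # Outside the tunnel is fine for a routed site, wrong for a road-warrior peer.
            if net.version != tunnel.version or not net.subnet_of(tunnel):
                findings.append(f"peer {n}: {net} is outside tunnel {tunnel}")
            seen.append((net, n))
    return findings
```

Run against SAMPLE_CONF it reports the duplicated 10.0.0.2/32 and the routed 192.168.50.0/24; a clean set of unique /32 peers in 10.0.0.0/24, like the four in the first post, returns no findings.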