OPNsense Forum » English Forums » Virtual private networks
Topic: Wireguard Guidance - did I do it correctly? (Read 810 times)
Author: Salty72 (Newbie, Posts: 7, Karma: 0)
Posted on: February 20, 2023, 11:51:08 pm
Apologies for the long read.
I’m trying to setup a wireguard VPN tunnel that allows the following:
1. Inbound connection from a road warrior.
2. Site to site connection with other wireguard peers
3. Selective routing from LAN hosts to wireguard server as gateway to the internet.
As such, I’ve read all the guides on the opnsense website in hopes of coming up with the correct configuration.
I would appreciate any advice/insight if I’ve made a mistake (or anything I can improve on).
Wireguard Network: 10.0.10.1/24 (wireguard server is 10.0.10.1/32)
Home LAN network: 10.0.0.1/24, 10.0.1.1/24 (wireguard peer is 10.0.10.2/32)
Remote LAN network: 10.0.2.1/24 (wireguard peer is 10.0.10.3/32)
Roadwarrior: varies (wireguard peer is 10.0.10.4/32)
On HOME opnsense server:
1. Setup the endpoint peer (Wireguard server) with Allowed IP 0.0.0.0/0 to allow all the packets to be passed into the VPN tunnel. I’m hoping to use per policy routing to isolate which hosts will send internet-bound packets through the VPN.
2. Setup the local peer with 10.0.10.2/24 and disable routing to allow the opnsense server to route VPN subnet packets correctly. (see questions after my configuration description). This appears to create a 10.0.10.2/32 route and a 10.0.10.0/24 route on the opnsense server.
On wireguard server:
1. Create the HOME LAN peer configuration.
1.1. Allowed IP is set to {10.0.10.2/32, 10.0.0.1/24, 10.0.1.1/24} so all packets intended for the Home LAN are routed correctly to the HOME LAN (and allowed from the Home LAN). This should work for both site-to-site and site-to-internet (since NAT is occurring on the wireguard server).
2. Create the Remote LAN peer configuration.
2.1. Allowed IP is set to {10.0.10.3/32, 10.0.2.1/24} so all packets intended for the Remote LAN are routed correctly to the Remote LAN (and allowed from the Remote LAN). Same concept as the HOME LAN.
3. Create the roadwarrior peer configuration.
3.1. Allowed IP is set to {10.0.10.4/32} since there are no hosts behind the roadwarrior that need to be routed.
4. Create the Server LAN peer
4.1. Nothing special here except for the NAT rule to allow internet access.
On HOME opnserver:
1. Assign the wireguard interface without an IP address because it will automatically pick it up from the local peer.
1.1. Perform stop/start on the VPN to ensure the interface picks up the IP.
2. Create the gateway using remote IP (10.0.10.1) and monitor IP (10.0.10.1).
2.1. Perform stop/start on the VPN to ensure the interface and gateway are up to date.
3. Create floating rule to allow all my Home LAN hosts to communicate with the remote LAN network (assuming I do the same on the remote LAN – still pending).
Rules: Floating
Action: Pass
Quick: True (aka first match)
Direction: Inbound
Interfaces: Both LAN interfaces {10.0.0.1/24, 10.0.1.1/24}
Protocol: any
Source: any
Destination {10.0.2.0/24, 10.0.10.0/24}
Gateway: Wireguard Gateway (Wireguard server IP)
4. Create floating rule to force specific Home LAN hosts to use the Wireguard server internet connection (home services should not be directed to Wireguard VPN).
Rules: Floating
Action: Pass
Quick: True (aka first match)
Direction: Inbound
Interfaces: Both LAN interfaces {10.0.0.1/24, 10.0.1.1/24}
Protocol: any
Source: 10.0.1.50 (example LAN host)
Destination !{10.0.0.0/24, 10.0.1.0/24}
Gateway: Wireguard Gateway (Wireguard server IP)
5. Create a gateway rule since the Wireguard interface does not have a fixed IP (from selective routing guide step #9 and github issue #5329).
Rules: Floating
Action: Pass
Quick: False (aka last match)
Direction: Outbound
Interfaces: None (which sets it to all?)
Protocol: any
Source: WG interface address (which resolves to 10.0.10.2/32)
Destination !WG interface net (which resolves to !10.0.10.2/24)
Gateway: Wireguard Gateway (Wireguard server IP)
Everything seems to be working correctly except for a few questions/issues below.
I might have opened up some vulnerabilities so any guidance would be appreciated.
Few questions:
1. Step 4 above: For all other LAN hosts that can access the Remote LAN and/or Roadwarrior (but continue to access the internet from the Home WAN), I used a rule to force all VPN networks into the VPN gateway and set the remote peer Allowed IP to 0.0.0.0/0. This seems like it provides more granular control than setting the remote peer Allowed IP to the specific Remote LAN network (in case it grows in the future). There was also the behaviour that opnsense was assigning an IP for each additional subnet that I wanted routed into the VPN even though I did not want an IP from the subnet to be associated to opnsense (e.g. adding 10.0.2.0/24 added 10.0.2.0 to opnsense even though I don’t control that subnet since it's on the Remote LAN). Is there unforeseen risk with this approach?
2. Step 5 above: For LAN hosts that should fully use the VPN gateway, instead of creating a rule to direct non-RFC1918 networks (except LAN networks) to the VPN gateway, I chose to build the rule to direct all VPN networks to the VPN gateway. Since I need to access some services on the Home LAN network, this seems to be a better solution. Is there unforeseen risk with this approach?
3. Other: I cannot ping my VPN local peer endpoint (10.0.10.2) from the opnsense server (essentially the local VPN gateway). I can ping my other LAN interfaces (10.0.0.1, 10.0.1.1). Am I missing a rule or setting? Note that I can ping the local peer endpoint (10.0.10.2) from the Remote LAN endpoint and from Home LAN hosts.
4. I’m still trying to find a way to route all Unbound traffic to the VPN. I tried setting the Outgoing Network interfaces to the VPN interface but it did not work (help states that it only works for statically configured interfaces). Is there a different recommended method?
Thanks in advance,
Last Edit: February 21, 2023, 01:43:06 am by Salty72
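Editor's added example (not part of the post above and not OPNsense or WireGuard code): the server-side peer table the post describes, checked the way a reviewer would check it before deploying. On the server, each peer's Allowed IPs is both the ACL for what that peer may send and the cryptokey routing table for what is sent to it, so two things are worth verifying: that WireGuard's normalisation of host bits (the post's 10.0.0.1/24 is installed as 10.0.0.0/24) still gives the intended prefixes, and that no two peers claim overlapping prefixes, since an overlap means traffic for that range silently goes to whichever peer wins the longest-prefix match. The peer labels, the "branch" misconfiguration used for contrast, and the sample destinations are constructed for the example; the prefixes are taken from the post.

```python
import ipaddress
from typing import Dict, List

# Constructed peer table mirroring the server-side Allowed IPs described in the post
# (peer labels are hypothetical; the entries are copied as the post writes them).
SERVER_PEERS: Dict[str, List[str]] = {
    "home-lan":    ["10.0.10.2/32", "10.0.0.1/24", "10.0.1.1/24"],
    "remote-lan":  ["10.0.10.3/32", "10.0.2.1/24"],
    "roadwarrior": ["10.0.10.4/32"],
}

# Constructed misconfiguration for contrast: a new site claims a supernet of everything.
MISCONFIGURED_PEERS: Dict[str, List[str]] = dict(
    SERVER_PEERS, branch=["10.0.10.5/32", "10.0.0.0/16"]
)

# Home-side table from the post: one peer (the server) with Allowed IPs 0.0.0.0/0.
HOME_PEERS: Dict[str, List[str]] = {"wg-server": ["0.0.0.0/0"]}


def normalize_allowed_ips(entries):
    """Return each Allowed IPs entry as the prefix WireGuard actually installs.
    WireGuard keeps only the network bits, so '10.0.0.1/24' means 10.0.0.0/24."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def find_overlaps(peers):
    """List every (peer_a, peer_b, prefix_a, prefix_b) whose Allowed IPs overlap.

    Cryptokey routing maps each prefix to exactly one peer: an identical prefix
    added to a second peer is silently moved to it, and nested prefixes resolve by
    longest match. Either way traffic for that range can reach a peer the operator
    did not intend, so every overlap deserves a look before deployment."""
    normalized = {name: normalize_allowed_ips(v) for name, v in peers.items()}
    names = list(normalized)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in normalized[a]:
                for net_b in normalized[b]:
                    if net_a.version == net_b.version and net_a.overlaps(net_b):
                        overlaps.append((a, b, str(net_a), str(net_b)))
    return overlaps


def route_destination(peers, dst):
    """Emulate cryptokey routing: the peer whose Allowed IPs has the longest prefix
    covering dst receives the packet; None means no peer claims it (WireGuard drops it,
    which on the server is what you want for internet destinations handled by NAT)."""
    addr = ipaddress.ip_address(dst)
    best = None  # (prefix length, peer label)
    for name, entries in peers.items():
        for net in normalize_allowed_ips(entries):
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return None if best is None else best[1]


def summarize(peers, samples):
    """Return {destination: peer-or-None} for a list of sample destinations."""
    return {dst: route_destination(peers, dst) for dst in samples}


if __name__ == "__main__":
    samples = ["10.0.1.50", "10.0.2.50", "10.0.10.4", "10.0.3.7", "8.8.8.8"]
    for label, table in (("post", SERVER_PEERS), ("misconfigured", MISCONFIGURED_PEERS)):
        print(f"[{label}] overlaps: {find_overlaps(table) or 'none'}")
        print(f"[{label}] routing: {summarize(table, samples)}")
    # On the home side a single 0.0.0.0/0 peer cannot overlap anything and catches every
    # destination, which is why policy routing on OPNsense, not Allowed IPs, decides which
    # LAN hosts actually enter the tunnel.
    print(f"[home] routing: {summarize(HOME_PEERS, ['10.0.2.50', '8.8.8.8'])}")
```

Run against the post's table the check reports no overlaps, routes 10.0.2.x to the remote-LAN peer and leaves 8.8.8.8 unclaimed; the constructed "branch" peer with 10.0.0.0/16 shows how one over-broad entry overlaps every other peer while still losing the longest-prefix match for the ranges they explicitly claim.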