OPNsense Forum » English Forums » Virtual private networks » Routing between local network and Wireguard
Topic: Routing between local network and Wireguard (Read 1813 times)
zoechi
Newbie
Posts: 7
Karma: 0
Routing between local network and Wireguard
« on: September 14, 2023, 05:10:13 pm »
I tried to get OPNsense to work with WireGuard and, among others, tried these tutorials:
- https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
- https://forum.opnsense.org/index.php?topic=27449.0
I am trying to connect to my home network from my phone.
I also looked at the RoadWarrior tutorial, but my situation is different because of CGNAT.
I have WireGuard installed on a VPS because of CGNAT (Starlink).
OPNsense and my phone connect to it.
I configured it as a split tunnel, so that the phone only routes access to 192.168.2.0/24 over WireGuard
and the local network only routes 10.7.0.0/24 over WireGuard.
Direct internet access still works fine on the local network and on the phone when connected to WireGuard.
The WireGuard peers can ping each other (10.7.0.1, 10.7.0.2, 10.7.0.3),
but nothing from 192.168.2.0/24 can reach any of the other peers, and my phone also cannot reach anything in 192.168.2.0/24.
So, for example, a ping to the phone (10.7.0.2) from a local PC (192.168.2.1) or from OPNsense itself (192.168.2.254) never seems to pass anything to 10.7.0.3 (the OPNsense WireGuard gateway).
A ping from the local PC (192.168.2.1) to the OPNsense WireGuard gateway (10.7.0.3) works, though.
I added a route to 10.7.0.0/24 over the OPNsense WireGuard gateway.
My networking and OPNsense knowledge is limited, and I am trying to get a few confusing things out of the way.
1) When I have firewall rules that allow anything in and out, do I need the firewall rules from the tutorial to make routing work?
I assume that firewall rules are only there to prevent traffic, not to redirect it, except perhaps to resolve ambiguity.
I think OPNsense should pass traffic between 192.168.2.0/24 and 10.7.0.0/24 without any of the firewall rules in the tutorial. Is that correct?
2) Is NAT actually required to connect between the phone and the local network?
I assumed that this use case should work without NAT, but all tutorials include a NAT section.
I assumed this would only be required for internet access from private addresses or in the case of networks with overlapping private addresses.
Any hints on what misconceptions I'm falling for?
What also kills me is the "AllowedIPs" setting in WireGuard.
For a split tunnel it's stated that "10.7.0.3/32" should be used.
I have this in the VPS WireGuard config ("/etc/wireguard/wg0.conf"),
but on the other peers I need to use "10.7.0.3/24" and "10.7.0.2/24", otherwise the peers cannot ping each other.
I probably should ask about that in a WireGuard forum instead.
zoechi
Newbie
Posts: 7
Karma: 0
Re: Routing between local network and Wireguard
« Reply #1 on: September 15, 2023, 11:38:47 am »
It is working.
I just had the AllowedIPs completely backwards.
I thought it's what is allowed as a destination on the source, but it's the allowed source on the destination.
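The rule the poster ran into is WireGuard's cryptokey routing: on each interface, a peer's AllowedIPs is used in both directions. Outbound, a packet is sent to the peer whose AllowedIPs contains the destination (longest prefix wins); inbound, a packet decrypted from a peer is kept only if its inner source address is inside that peer's AllowedIPs. The simulation below is an added example, not code from the thread or from OPNsense/WireGuard. It uses the addresses from the post (VPS 10.7.0.1, phone 10.7.0.2, OPNsense 10.7.0.3 with LAN 192.168.2.0/24) and assumes the hub-and-spoke layout described there; the specific fix it models (adding 192.168.2.0/24 to the OPNsense peer's AllowedIPs on the VPS, and routing 192.168.2.0/24 to the VPS on the phone) is an assumption, since the poster did not say which entry they changed. It models AllowedIPs only, not OPNsense firewall rules or NAT.

```python
"""Simulate WireGuard cryptokey routing for the VPS hub setup in this thread.

Constructed example: the topology and addresses follow the forum post; the
'fixed' AllowedIPs entries are an assumption about the poster's working config.
"""
from ipaddress import ip_address, ip_network


class WgNode:
    """One WireGuard endpoint: tunnel address, networks it serves locally,
    and one AllowedIPs list per peer (the cryptokey routing table)."""

    def __init__(self, name, address, local_nets=()):
        self.name = name
        self.address = ip_address(address)
        self.local_nets = [ip_network(n) for n in local_nets]
        self.peers = {}

    def add_peer(self, peer_name, allowed_ips):
        self.peers[peer_name] = [ip_network(n) for n in allowed_ips]

    def is_local(self, dst):
        return dst == self.address or any(dst in n for n in self.local_nets)

    def route_out(self, dst):
        """Outbound side of AllowedIPs: the peer whose entry contains dst,
        longest prefix wins. None means no peer is sent this packet."""
        best = None
        for peer, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (peer, net.prefixlen)
        return best[0] if best else None

    def accept_in(self, from_peer, src):
        """Inbound side of AllowedIPs: a packet decrypted from from_peer is kept
        only if its inner source address lies inside that peer's AllowedIPs."""
        return any(src in net for net in self.peers.get(from_peer, []))


def trace(nodes, start, src, dst):
    """Follow one packet hop by hop through the tunnels.
    Returns 'delivered at <node>' or 'dropped at <node>: <reason>'."""
    src, dst = ip_address(src), ip_address(dst)
    node = nodes[start]
    for _ in range(len(nodes) + 1):  # bounded walk; no loops expected here
        if node.is_local(dst):
            return f"delivered at {node.name}"
        nxt = node.route_out(dst)
        if nxt is None:
            return f"dropped at {node.name}: no peer has {dst} in AllowedIPs"
        peer = nodes[nxt]
        if not peer.accept_in(node.name, src):
            return (f"dropped at {peer.name}: source {src} not in "
                    f"AllowedIPs of peer {node.name}")
        node = peer
    return "dropped: too many hops"


def build(vps_allows_lan):
    """Hub-and-spoke topology from the post. With vps_allows_lan=False the VPS
    lists only 10.7.0.3/32 for the OPNsense peer (the poster's original config);
    with True it also lists the LAN behind OPNsense (assumed fix)."""
    vps = WgNode("vps", "10.7.0.1")
    phone = WgNode("phone", "10.7.0.2")
    opn = WgNode("opnsense", "10.7.0.3", local_nets=["192.168.2.0/24"])
    vps.add_peer("phone", ["10.7.0.2/32"])
    opn_allowed = ["10.7.0.3/32"] + (["192.168.2.0/24"] if vps_allows_lan else [])
    vps.add_peer("opnsense", opn_allowed)
    # Spokes send both the tunnel subnet and the LAN towards the hub.
    phone.add_peer("vps", ["10.7.0.0/24", "192.168.2.0/24"])
    opn.add_peer("vps", ["10.7.0.0/24"])
    return {n.name: n for n in (vps, phone, opn)}


if __name__ == "__main__":
    for label, nodes in (("original", build(False)), ("fixed", build(True))):
        print(f"--- {label} ---")
        print("LAN PC -> phone   :", trace(nodes, "opnsense", "192.168.2.1", "10.7.0.2"))
        print("phone -> LAN PC   :", trace(nodes, "phone", "10.7.0.2", "192.168.2.1"))
        print("phone -> OPNsense :", trace(nodes, "phone", "10.7.0.2", "10.7.0.3"))
```

With the original entries, the two symptoms from the post fall out of the two directions of the same rule: a LAN packet arriving at the VPS from the OPNsense peer is discarded because 192.168.2.1 is not in that peer's AllowedIPs, and a phone packet for 192.168.2.1 is dropped at the VPS because no peer's AllowedIPs covers that destination, while tunnel-address pings between peers still succeed. Once the VPS lists 192.168.2.0/24 for the OPNsense peer, both directions are delivered.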