Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Routing a public /29 via WireGuard
« previous
next »
Print
Pages: [
1
]
Author
Topic: Routing a public /29 via WireGuard (Read 993 times)
thedaveCA
Newbie
Posts: 5
Karma: 0
Routing a public /29 via WireGuard
«
on:
November 06, 2023, 01:38:51 am »
Hey there! Doing something new to me in WireGuard and having a bit of an issue.
OPNsense 23.7.7_3 with os-wireguard (kernel).
I have a /29 subnet that I'd like routed to me over WireGuard, to assign more public IP addresses to my OPNsense box.
I've done this type of configuration with the subnet routed directly to me by my ISP, but I've been forced to switch ISPs and don't have this option, and luckily I found a local-ish provider that can sell me IPs via VPN.
I set up a tunnel with the 6 usable IP addresses as the Tunnel Address each as a /29 (is that correct? Or should these be individual /32s? Or one /29 for the whole network?). And in the Peer I set Allowed IPs 0.0.0.0/0 as I want to be able to receive traffic from any IP.
I also added the same usable IPs as Virtual IPs type Other, so that they appear in the OPNsense GUI in various places.
I'm a bit unclear about whether I want to use "Disable routes" or not, I think I want Disable routes enabled because I do not want to redirect all traffic. With "Disable routes" not selected everything seems to work (the routed IPs are pingable from outside, and my existing NAT rules that apply to all interfaces apply), but this interferes with normal traffic to some extent. With "Disable routes" unselected, the IPs are not pingable or otherwise accessible from an external perspective.
In both cases I have various Firewall rules on the wg interface, such as allowing all ICMP, as well as allowing 80/443 for haproxy on my OPNsense box, plus some NAT rules (25 to reach my internal SMTP server). This all works with "Disable routes" enabled, but stops working with "Disable routes" disabled and I'm not completely sure why.
I've mucked around with Virtual IPs either in IP Alias or Other states without change, as well as tried a few permutations of Tunnel Addresses, but I can't get it working reliably without it trying to route at least some traffic across the tunnel.
My provider could offer OpenVPN instead if this would be more useful, but I already use WireGuard for "road-warrior" setups and connectivity to some remote server and I would rather not increase complexity with multiple VPN platforms running unless necessary.
Thanks!
Logged
thedaveCA
Newbie
Posts: 5
Karma: 0
Re: Routing a public /29 via WireGuard
«
Reply #1 on:
November 06, 2023, 10:59:19 pm »
One other discovery, I had this working with the old WireGuard before, so on a lark I switched back and... Using the old WireGuard and listing the IPs as normal Virtual IPs, everything works and has been running solid for over 12 hours.
On the kernel WireGuard I can get it running for a short time, until either outbound traffic from OPNsense itself starts failing (taking DNS with it) or the tunnel itself stops responding.
It's feeling like a bug/problem in the kernel WireGuard (but of course this is not certain, if my configuration is bad it might still happen to work in the old WireGuard for various reasons -- Nonetheless, it is possibly a clue).
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Routing a public /29 via WireGuard