netstat -rn, not netstat -m ... Also: you are trying to set up a VPN tunnel to some VPS in some cloud, right? So you must have installed and configured WireGuard at that end ...
Yes, of course.
Looks good. Specifically the netmasks and allowed IPs.

So to approach this a bit more systematically - could you change the allowed IPs on the OPNsense side to 10.217.30.1/32? Then with the tunnel up your general Internet access and routing should not be influenced in any way. But logged in to the firewall with ssh you should be able to ping 10.217.30.1. The other way round, logged in to the VPS you should be able to ping 10.217.30.2.

As long as that is not the case you need not worry about routing, gateways, whatever ... for some reason the tunnel is simply not established. Did you add a firewall rule on WAN (on OPNsense) permitting the WireGuard UDP port in? Is there a firewall active on the VPS, possibly?

HTH,
Patrick
If you can ping already - I somehow missed that - do a tcpdump on the public network interface of your VPS while you ping e.g. 8.8.8.8. Most probably the packets are leaving the VPS directed to the Internet with a source address of 10.217.30.2. That won't work. You need to add NAT on the VPS for outbound packets coming from your VPN tunnel.
Quote from: Patrick M. Hausen on November 22, 2023, 04:10:08 pm
If you can ping already - I somehow missed that - do a tcpdump on the public network interface of your VPS while you ping e.g. 8.8.8.8. Most probably the packets are leaving the VPS directed to the Internet with a source address of 10.217.30.2. That won't work. You need to add NAT on the VPS for outbound packets coming from your VPN tunnel.

Patrick, this setup (WireGuard server and WireGuard client) I have tested on a Raspberry. The WireGuard server is the VPS as it is now, and the WireGuard client was on the Raspberry with Debian. This setup is working successfully. Now I want to set up the WireGuard client on the OPNsense firewall. So for your question about NAT my answer is that I already have masquerade for outbound and I already have port forwarding from the VPS (WireGuard server 10.217.30.1) to the WireGuard client OPNsense (10.217.30.1). Do you want me to post all iptables rules?

So, I connect via ssh to the VPS WireGuard server, then from the terminal I ping 8.8.8.8 with success. What command do you need for tcpdump? What do I have to do? Do I have to ping 8.8.8.8 inside the VPS and from the second terminal on my local computer run tcpdump? tcpdump what? I don't know what command I have to ...

Thank you Patrick!!
You need to ping from a client behind your OPNsense and tcpdump on the external interface of the VPS - why did you do it the other way round? Did I completely misunderstand anything? You want all Internet directed traffic from your LAN routed through the tunnel so it uses the IP address of the VPS as its exit point. Right?

I want to check if the packets originating from your LAN
- make it through the tunnel
- make it to the outside interface of the VPS
- are correctly masqueraded at that location
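The check Patrick describes in the two posts above (capture on the VPS's public interface while a LAN client pings 8.8.8.8, and look at the source address of the packets that leave) can be scripted so the capture is judged mechanically. The following is an added example, not something posted in the thread or shipped with OPNsense or WireGuard: it assumes the tunnel subnet 10.217.30.0/24 from the thread, and uses eth0 and 203.0.113.5 as placeholders for the VPS's public interface and address. The two sample captures are constructed to show what tcpdump prints before and after outbound NAT is in place.

```sh
#!/bin/sh
# Added example (not from the thread). Reads tcpdump -n output captured on the
# VPS public interface and reports packets that left with a tunnel-internal
# source address, i.e. packets the VPS forwarded without masquerading them.
#
# On the VPS the real capture would be taken (as root) with, for example:
#   tcpdump -n -i eth0 icmp and host 8.8.8.8
# while a client behind OPNsense pings 8.8.8.8. If this check reports leaks,
# the usual fix is forwarding plus a source-NAT rule for the tunnel subnet:
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -t nat -A POSTROUTING -s 10.217.30.0/24 -o eth0 -j MASQUERADE
# (eth0 is a placeholder; use the VPS's actual public interface name.)

TUNNEL_PREFIX="10.217.30."   # tunnel subnet used in the thread (10.217.30.0/24)

# check_capture: reads tcpdump lines on stdin, prints every line whose source
# address is still inside the tunnel subnet. Returns 0 when the capture is
# clean (NAT is working), 1 when at least one un-NATed packet was seen.
check_capture() {
    # tcpdump -n prints: <time> IP <src> > <dst>: ... ; $3 is the source.
    leaks=$(awk -v p="$TUNNEL_PREFIX" '$2 == "IP" && index($3, p) == 1 { print }')
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Constructed sample: what the capture looks like when NAT is missing. The
# echo requests leave with the tunnel address, so no reply can ever come back.
LEAKING='12:00:01.000001 IP 10.217.30.2 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:02.000001 IP 10.217.30.2 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64'

# Constructed sample: the same ping after MASQUERADE is active on the VPS. The
# source is now the VPS public address (placeholder) and replies arrive.
MASQUERADED='12:00:01.000001 IP 203.0.113.5 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:01.010001 IP 8.8.8.8 > 203.0.113.5: ICMP echo reply, id 1, seq 1, length 64'

# Stand-alone demonstration on the two constructed captures.
echo "capture without NAT:"
printf '%s\n' "$LEAKING" | check_capture || echo "-> outbound NAT for the tunnel subnet is missing"
echo "capture with NAT:"
printf '%s\n' "$MASQUERADED" | check_capture && echo "-> clean, tunnel traffic is masqueraded"
```

In practice you would pipe a real capture into the function, e.g. `tcpdump -n -i eth0 -l icmp | check_capture`, which also works for TCP and UDP since only the source column is inspected. Seeing no packets at all on the public interface while the LAN client pings points back to the earlier steps in Patrick's list (the packets never entered the tunnel, or never left the tunnel interface on the VPS), not to NAT.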
Do you have an explicit gateway set in your firewall rule on LAN?
What do the firewall rules on LAN look like? I don't know what to put there, because I don't know all you want to achieve. But I am an experienced network engineer. I can look at an existing set of rules and say "look, that's why the packets are not entering the tunnel". I just have not found the cause yet.

Did you already post a screenshot of Firewall > Rules > LAN above? If not, please do so.