How do I route all traffic to external VPN?

Started by novel, November 17, 2023, 01:43:11 PM

netstat -rn, not netstat -m ...

Also: you are trying to set up a VPN tunnel to some VPS in some cloud, right? So you must have installed and configured WireGuard at that end ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 20, 2023, 09:35:24 PM #16 Last Edit: December 13, 2023, 10:14:31 PM by novel
Quote from: Patrick M. Hausen on November 20, 2023, 09:13:08 PM
netstat -rn, not netstat -m ...

Also: you are trying to set up a VPN tunnel to some VPS in some cloud, right? So you must have installed and configured WireGuard at that end ...

Yes, I have set up a WireGuard server on a VPS in another country. Do you want the wg0.conf file of the WireGuard server???


Yes, of course.


Looks good. Specifically the netmasks and allowed IPs.

So to approach this a bit more systematically - could you change the allowed IPs on the OPNsense side to 10.217.30.1/32?

Then with the tunnel up your general Internet access and routing should not be influenced in any way.

But logged in to the firewall with ssh you should be able to ping 10.217.30.1. The other way round logged in to the VPS you should be able to ping 10.217.30.2.

As long as that is not the case you need not worry about routing, gateways, whatever ... for some reason the tunnel is simply not established.

Did you add a firewall rule on WAN (on OPNsense) permitting the WireGuard UDP port in? Is there a firewall active on the VPS, possibly?

HTH,
Patrick

November 22, 2023, 03:15:31 PM #20 Last Edit: December 13, 2023, 10:15:09 PM by novel
Quote from: Patrick M. Hausen on November 22, 2023, 12:08:58 PM
Looks good. Specifically the netmasks and allowed IPs.

So to approach this a bit more systematically - could you change the allowed IPs on the OPNsense side to 10.217.30.1/32?

Then with the tunnel up your general Internet access and routing should not be influenced in any way.

But logged in to the firewall with ssh you should be able to ping 10.217.30.1. The other way round logged in to the VPS you should be able to ping 10.217.30.2.

As long as that is not the case you need not worry about routing, gateways, whatever ... for some reason the tunnel is simply not established.

Did you add a firewall rule on WAN (on OPNsense) permitting the WireGuard UDP port in? Is there a firewall active on the VPS, possibly?

HTH,
Patrick


Where is this option to change? Would you like to give me more specific details? Do you mean from the instance inside OPNsense?
I already have 10.217.30.1/32 in the Allowed IPs section. Look at my pictures in previous posts.

Inside the OPNsense firewall I am able to ping 10.217.20.1. From the other side, inside the VPS server, I am able to ping 10.217.30.2 too.


I post the firewall rules that I have inside OPNsense Firewall -> Rules -> WAN

Please, look at my pictures carefully...


Thank you Patrick!



If you can ping already - I somehow missed that - do a tcpdump on the public network interface of your VPS while you ping e.g. 8.8.8.8. Most probably the packets are leaving the VPS directed to the Internet with a source address of 10.217.30.2. That won't work. You need to add NAT on the VPS for outbound packets coming from your VPN tunnel.

November 22, 2023, 09:08:48 PM #22 Last Edit: November 22, 2023, 09:12:08 PM by novel
Quote from: Patrick M. Hausen on November 22, 2023, 04:10:08 PM
If you can ping already - I somehow missed that - do a tcpdump on the public network interface of your VPS while you ping e.g. 8.8.8.8. Most probably the packets are leaving the VPS directed to the Internet with a source address of 10.217.30.2. That won't work. You need to add NAT on the VPS for outbound packets coming from your VPN tunnel.

Patrick, I have tested this setup (WireGuard server and WireGuard client) on a Raspberry. The WireGuard server is the VPS as it is now, and the WireGuard client was on the Raspberry with Debian. This setup is working successfully. Now I want to set up the WireGuard client on the OPNsense firewall. So for your question about NAT, my answer is that I already have masquerade for outbound and I already have port forwarding from the VPS (WireGuard server 10.217.30.1) to the WireGuard client OPNsense (10.217.30.1). Do you want me to post all iptables rules?

So, I connect via SSH to the VPS WireGuard server, then from the terminal I ping 8.8.8.8 with success.

What command do you need for tcpdump? What do I have to do? Do I have to ping 8.8.8.8 inside the VPS and run tcpdump from the second terminal on my local computer? tcpdump what? I don't know what command I have to ...

Thank you Patrick!!

Quote from: novel on November 22, 2023, 09:08:48 PM
Quote from: Patrick M. Hausen on November 22, 2023, 04:10:08 PM
If you can ping already - I somehow missed that - do a tcpdump on the public network interface of your VPS while you ping e.g. 8.8.8.8. Most probably the packets are leaving the VPS directed to the Internet with a source address of 10.217.30.2. That won't work. You need to add NAT on the VPS for outbound packets coming from your VPN tunnel.

Patrick, I have tested this setup (WireGuard server and WireGuard client) on a Raspberry. The WireGuard server is the VPS as it is now, and the WireGuard client was on the Raspberry with Debian. This setup is working successfully. Now I want to set up the WireGuard client on the OPNsense firewall. So for your question about NAT, my answer is that I already have masquerade for outbound and I already have port forwarding from the VPS (WireGuard server 10.217.30.1) to the WireGuard client OPNsense (10.217.30.1). Do you want me to post all iptables rules?

So, I connect via SSH to the VPS WireGuard server, then from the terminal I ping 8.8.8.8 with success.

What command do you need for tcpdump? What do I have to do? Do I have to ping 8.8.8.8 inside the VPS and run tcpdump from the second terminal on my local computer? tcpdump what? I don't know what command I have to ...

Thank you Patrick!!


UPDATE
From the terminal inside the VPS I put "ping 8.8.8.8", then in the second terminal on my local home PC I put "sudo tcpdump -i enp35s0 dst <PUBLIC IP WIREGUARD SERVER>".

The result: when I put tcpdump -i....... to the VPS I have no result from tcpdump. When I ping 8.8.8.8 from the VPS then I have a result from tcpdump .... I think that it is ok ... Do you want me to send you a screenshot from ping and tcpdump?


You need to ping from a client behind your OPNsense and tcpdump on the external interface of the VPS - why did you do it the other way round? Did I completely misunderstand anything? You want all Internet directed traffic from your LAN routed through the tunnel so it uses the IP address of the VPS as its exit point. Right?

I want to check if the packets originating from your LAN

- make it through the tunnel
- make it to the outside interface of the VPS
- are correctly masqueraded at that location
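The three checks above (packets reach the VPS's outside interface, and leave it with the VPS's own address rather than the tunnel address) come down to reading the tcpdump output on the VPS. The following is an added example, not from this thread: a small POSIX sh/awk classifier over a constructed capture, assuming the VPS public interface is eth0, its public address is 203.0.113.10 (documentation range) and the tunnel network is 10.217.30.0/24.

```shell
#!/bin/sh
# Added example (not from the thread): classify ICMP echo requests seen on the
# VPS's public interface while a LAN client behind OPNsense pings 8.8.8.8.
# Assumptions (mine, not the thread's): public interface eth0, public address
# 203.0.113.10, tunnel network 10.217.30.0/24.
# Real capture on the VPS would be:  tcpdump -ni eth0 icmp and host 8.8.8.8
VPS_PUBLIC_IP="203.0.113.10"
TUNNEL_PREFIX="10.217.30."

# Constructed tcpdump lines standing in for the real capture: one request that
# leaked with the tunnel source, one correctly masqueraded, and its reply.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.217.30.2 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
12:00:02.000001 IP 203.0.113.10 > 8.8.8.8: ICMP echo request, id 7, seq 2, length 64
12:00:02.010001 IP 8.8.8.8 > 203.0.113.10: ICMP echo reply, id 7, seq 2, length 64'

# classify_capture CAPTURE_TEXT
# Prints one verdict per outbound echo request. Exit status:
#   0  every outbound packet carried the public address (NAT on the VPS works)
#   1  at least one packet left with a tunnel-internal source (NAT missing)
#   2  no outbound request seen at all (packets never made it through the tunnel)
classify_capture() {
    printf '%s\n' "$1" | awk -v pub="$VPS_PUBLIC_IP" -v tun="$TUNNEL_PREFIX" '
        # tcpdump field layout: <time> IP <src> > <dst>: ICMP echo request, ...
        $2 == "IP" && /echo request/ {
            src = $3; seen++
            if (index(src, tun) == 1) { print "UNMASQUERADED " src; bad++ }
            else if (src == pub)      { print "OK " src }
            else                      { print "OTHER " src }
        }
        END {
            if (seen == 0) exit 2
            if (bad > 0) exit 1
            exit 0
        }'
}

# Stand-alone run over the constructed sample; the mixed sample yields code 1.
classify_capture "$SAMPLE_CAPTURE" || echo "verdict code $? (1 = NAT missing, 2 = nothing seen)"

# Typical remedy on a Linux VPS when code 1 shows up (reference only, not run here):
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -t nat -A POSTROUTING -s 10.217.30.0/24 -o eth0 -j MASQUERADE
```

Code 2 means the problem is upstream of the VPS (tunnel or OPNsense routing), code 1 means the tunnel works but the VPS is not masquerading, and code 0 points the search back at the return path.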

November 22, 2023, 10:33:35 PM #25 Last Edit: December 13, 2023, 10:16:52 PM by novel
Quote from: Patrick M. Hausen on November 22, 2023, 09:41:56 PM
You need to ping from a client behind your OPNsense and tcpdump on the external interface of the VPS - why did you do it the other way round? Did I completely misunderstand anything? You want all Internet directed traffic from your LAN routed through the tunnel so it uses the IP address of the VPS as its exit point. Right?

I want to check if the packets originating from your LAN

- make it through the tunnel
- make it to the outside interface of the VPS
- are correctly masqueraded at that location

First of all, I am not sure if I understand what you said.

Inside the OPNsense GUI I enabled the WireGuard VPN.

Then from my local PC I put ping 8.8.8.8; the result is negative.

PING 8.8.8.8  bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable

Then from the terminal of the VPS WireGuard server I put sudo tcpdump -i eth0 dst PUBLIC IP OF VPS ---- NOT MY PUBLIC IP FROM MY COUNTRY

THE RESULT IS ... LOOK AT THE PICTURE

I am not sure if you want this..




Do you have an explicit gateway set in your firewall rule on LAN?

November 22, 2023, 10:56:00 PM #27 Last Edit: December 13, 2023, 10:17:07 PM by novel
Quote from: Patrick M. Hausen on November 22, 2023, 10:43:07 PM
Do you have an explicit gateway set in your firewall rule on LAN?

No, I don't know what firewall rules I have to put. Please show me .... what rules I have to put .... Please

Look at the gateway and routes....

What do the firewall rules on LAN look like? I don't know what to put there, because I don't know all you want to achieve. But I am an experienced network engineer. I can look at an existing set of rules and say "look, that's why the packets are not entering the tunnel". I just have not found the cause yet.

Did you already post a screenshot of Firewall > Rules > LAN above? If not, please do so.

November 22, 2023, 11:12:38 PM #29 Last Edit: December 13, 2023, 10:17:36 PM by novel
Quote from: Patrick M. Hausen on November 22, 2023, 11:05:26 PM
What do the firewall rules on LAN look like? I don't know what to put there, because I don't know all you want to achieve. But I am an experienced network engineer. I can look at an existing set of rules and say "look, that's why the packets are not entering the tunnel". I just have not found the cause yet.

Did you already post a screenshot of Firewall > Rules > LAN above? If not, please do so.

Please, look at the firewall rules