How do I route all traffic to external VPN?

Started by novel, November 17, 2023, 01:43:11 PM

I have AnyDesk installed and am prepared to grant anybody access to it who thinks they can assist with this - and I'd post detailed information on how to resolve this, once it's resolved - as you can see many of the top posts in this forum are regarding this topic.

I have nothing to lose, nor risk, on this machine and can easily restore from backup when the experimentation is done

I have:

Established tunnels and gateways as per instructions
Established and port forwarded WireGuard so it's ready to receive clients

I am ready for any assistance, thank you

Please post the details of the IPv4 "allow all" LAN rule.

What do you mean by "receive clients"? I thought you wanted to tunnel LAN traffic through a static VPN to a VPS located elsewhere? This is getting more complex every day ;)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 23, 2023, 09:34:53 AM #32 Last Edit: December 13, 2023, 10:21:21 PM by novel
Quote from: Patrick M. Hausen on November 23, 2023, 08:12:58 AM
Please post the details of the IPv4 "allow all" LAN rule.

What do you mean by "receive clients"? I thought you wanted to tunnel LAN traffic through a static VPN to a VPS located elsewhere? This is getting more complex every day ;)

Hello again my friend.

I want to tunnel all local traffic through a WireGuard tunnel to a static IP on a VPS. The VPS has a static IP. My ISP has a dynamic IP. I already set up dynamic DNS on my OPNsense with the ddclient plugin, which updates every 5 minutes.

Patrick, some people pay for a VPN to avoid some restrictions in their countries. I do the same, but I have set up my VPN myself. Do you understand my project? As I said, I successfully set this up in the past with the WireGuard client inside the Raspberry Pi; the Raspberry Pi then forwarded the traffic to my PC. At the moment I want to set up the WireGuard client on the OPNsense firewall.

I uploaded some pictures from my Firewall->Rules->LAN. I have to say that I have the automatically generated rules from the system when installed. I didn't create new rules myself, only 2 rules for the web proxy, not for the WireGuard server.

Finally, I want your help to set up firewall rules for WireGuard.

The IPv4 "*" rule - what are the details? Click on the edit button to the right and post a screen shot. I want to see if there is an explicit gateway set.

Also the output of netstat -rn when the tunnel is up (again, possibly, this thread is getting long).

Gateway for this rule is missing (penultimate column).

In addition, you have to make sure that traffic will not bypass the VPN via v6.
If the tunnel is configured for v6 use, you also need to set a gateway for the default allow v6 rule; otherwise you need to block v6.
i am not an expert... just trying to help...

November 23, 2023, 11:13:09 AM #35 Last Edit: December 13, 2023, 10:21:58 PM by novel
Quote from: Patrick M. Hausen on November 23, 2023, 09:48:15 AM
The IPv4 "*" rule - what are the details? Click on the edit button to the right and post a screen shot. I want to see if there is an explicit gateway set.

Also the output of netstat -rn when the tunnel is up (again, possibly, this thread is getting long).

I have all the information that you want.

November 23, 2023, 11:14:32 AM #36 Last Edit: December 13, 2023, 10:22:11 PM by novel
Quote from: tiermutter on November 23, 2023, 09:56:45 AM
Gateway for this rule is missing (penultimate column).

In addition, you have to make sure that traffic will not bypass the VPN via v6.
If the tunnel is configured for v6 use, you also need to set a gateway for the default allow v6 rule; otherwise you need to block v6.

No, I think it's not set up for IPv6, please look at the netstat result.

Quote from: frozen on November 23, 2023, 06:50:17 AM
I have AnyDesk installed and am prepared to grant anybody access to it who thinks they can assist with this - and I'd post detailed information on how to resolve this, once it's resolved - as you can see many of the top posts in this forum are regarding this topic.

I have nothing to lose, nor risk, on this machine and can easily restore from backup when the experimentation is done

I have:

Established tunnels and gateways as per instructions
Established and port forwarded WireGuard so it's ready to receive clients

I am ready for any assistance, thank you

Yes I would like to see it.

Quote from: tiermutter on November 23, 2023, 09:56:45 AM
Gateway for this rule is missing (penultimate column).
Maybe I am on the wrong track, but with no explicit gateway set and the tunnel established - shouldn't OPNsense just follow the routing table?

What's puzzling me is the "destination host unreachable" for a "ping 8.8.8.8" from an internal client. Any better ideas than I had so far?

I only skimmed the whole lot of text and screenshots so as not to get confused...

Is there an outbound NAT rule for this VPN? In Post #7 it is inactive. This will result in clients not reaching anything via the VPN network.

Without a gateway set, OPNsense follows the routing table, yes... but I am unsure how to read it:
default 0.0.0.0/0 goes via WAN, but do 0.0.0.0/1 and 128.0.0.0/1 really override the default route for LAN clients?
If they do, no explicit gateway in the rule is necessary.
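The routing-table question above (whether the two /1 routes override the 0.0.0.0/0 default) and the earlier point about traffic bypassing the VPN via IPv6, as an added example that is not from any poster in this thread: a longest-prefix-match lookup over a constructed table with placeholder addresses, modelled on what a WireGuard peer with AllowedIPs 0.0.0.0/0 typically installs.

```python
import ipaddress

# Constructed routing table (placeholder addresses, not the poster's values):
# ISP default route via WAN, the two /1 routes WireGuard installs for a
# 0.0.0.0/0 AllowedIPs peer via the tunnel gateway, the directly connected
# LAN, and a v6 default route with no tunnel counterpart.
ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", "WAN"),  # ISP default
    ("0.0.0.0/1",      "10.10.10.1",  "wg0"),  # lower half of v4 space via tunnel
    ("128.0.0.0/1",    "10.10.10.1",  "wg0"),  # upper half of v4 space via tunnel
    ("192.168.1.0/24", "link#1",      "LAN"),  # directly connected LAN
    ("::/0",           "2001:db8::1", "WAN"),  # v6 default, nothing via tunnel
]

def lookup(dst):
    """Longest-prefix match: the same selection rule the kernel applies.
    Returns (prefix, gateway, interface) or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        # A /1 beats a /0, a /24 beats a /1: the more specific prefix wins.
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw, iface)
    return None if best is None else (str(best[0]), best[1], best[2])

def leaks_past_tunnel(dst, tunnel_iface="wg0"):
    """True when a destination would leave through something other than
    the tunnel, e.g. any v6 destination in the table above."""
    r = lookup(dst)
    return r is None or r[2] != tunnel_iface

if __name__ == "__main__":
    for d in ("8.8.8.8", "200.1.2.3", "192.168.1.20", "2001:4860:4860::8888"):
        print(d, "->", lookup(d), "LEAK" if leaks_past_tunnel(d) else "via tunnel")
```

Running it shows both public v4 destinations selecting the /1 routes via wg0 while the v6 destination still takes the WAN default, which is why tiermutter's advice to either set a v6 gateway or block v6 matters.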

mhh... it's confusing... what is running on the VPS? Is this another OPNsense? Some screenshots look like OPNsense on the VPS with a WG server and some look like OPNsense at home?!

November 23, 2023, 11:56:48 AM #41 Last Edit: December 13, 2023, 10:23:01 PM by novel
Quote from: tiermutter on November 23, 2023, 11:34:42 AM
I only skimmed the whole lot of text and screenshots so as not to get confused...

Is there an outbound NAT rule for this VPN? In Post #7 it is inactive. This will result in clients not reaching anything via the VPN network.

Without a gateway set, OPNsense follows the routing table, yes... but I am unsure how to read it:
default 0.0.0.0/0 goes via WAN, but do 0.0.0.0/1 and 128.0.0.0/1 really override the default route for LAN clients?
If they do, no explicit gateway in the rule is necessary.

I am not such an advanced user as to understand some things... I set the WireGuard gateway. I already posted it. Do you want me to post it again? I'm posting the port forward NAT now...
If you have time you can check my firewall via AnyDesk...

Thank you

Quote from: tiermutter on November 23, 2023, 11:54:40 AM
mhh... it's confusing... what is running on the VPS? Is this another OPNsense? Some screenshots look like OPNsense on the VPS with a WG server and some look like OPNsense at home?!

I said above to the other user that the WireGuard VPN is installed on the VPS and that I run the WireGuard client on my home OPNsense firewall.

I tested this setup on the Raspberry Pi. It works successfully. The WireGuard client was on the Raspberry; now I want to set it up on the OPNsense firewall, not the Raspberry.

The WireGuard server on the VPS is the same in both cases. I never changed anything in the setup of the WireGuard server.

We stopped using OPNsense for the same reasons for VPN.

Back to RRAS in Windows and it works perfectly. Connects and keeps the connection, no problems.

Anything terminating at the perimeter is way too sensitive when keeping thousands of VPNs running at any one time.

Sorry, not possible for me to go remote...

As said, maybe I am confused and should shut up :D

Now you are posting screenshots of NAT port forwards. There is nothing in your setup as far as I can see that requires a port forward... on the VPS side, access to the WG server can be solved this way, but a simple allow rule on WAN should be enough.
What I mentioned was NAT outbound rules; these are required on your LAN side.

Can you please explain your whole setup?