How to route everything from lan going over VPN.

[novel]

There is only one LAN Interface with Internet connection.
There is only one WAN.

I recently installed a OPNsense firewall with default firewall rules,   default NAT,   default Gateways,  no IPV6


I want to setup from scratch everything from LAN going over vpn (wireguard).

CONFIGURATION
I have already setup with success wireguard server on the VPS. On VPS I use Debian bookworm, Now I want to make a configuration with OPNsense firewall as wireguard client , then OPNsense sent all traffic to the VPS.

How can I do that?

[tiermutter]

Ok, let's go

First of all, let's prove everything is configured and working as expected to not have any surprises later on...

1a) Ping 8.8.8.8 and google.com from Sense shell. Post the output, I would like to see the latencies.
1b) Ping 8.8.8.8 and google.com from LAN client. Post the output, I would like to see the latencies.
1c) Post screenshots from sense config:
I) System: Gateways: Single
II) Interfaces: Overview (do not extend entries)
III) Firewall: NAT: Outbound

[novel]

Ok, let's go

First of all, let's prove everything is configured and working as expected to not have any surprises later on...

1a) Ping 8.8.8.8 and google.com from Sense shell. Post the output, I would like to see the latencies.
1b) Ping 8.8.8.8 and google.com from LAN client. Post the output, I would like to see the latencies.
1c) Post screenshots from sense config:
I) System: Gateways: Single
II) Interfaces: Overview (do not extend entries)
III) Firewall: NAT: Outbound

Ok , I sent all information that you want.

Both sides of ping works perfect

[tiermutter]

Looks fine so far. You missed the ping from a LAN client (eg a computer), but I assume it will work.

Step 2 is configuring WG client on sense.
2a) Configure according to step 1-6 https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
Pay particular attention for step 6 "monitor IP". Please set debians's WG endpoint IP, later we will change it, but for now we use this one to see the gateway / VPN itself is up.


Next we will test WG connection and config.
2b) Post a screenshot of
I) System: Gateways: Single
II) Firewall: NAT: Outbound
=> if there is no entry for WGnet, go to step 10 of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html but put LAN net as source address.
III) Lobby: Dashboard interface section

[tiermutter]

I missed that RasPi interface. You said you do not have further interfaces than WAN and LAN.
Remember: This Raspi Interface will no longer be accessable!
If you need that interface we shall proceed in another way. If you do not need this Interface anymore: remove it.

[novel]

Looks fine so far. You missed the ping from a LAN client (eg a computer), but I assume it will work.

Step 2 is configuring WG client on sense.
2a) Configure according to step 1-6 https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
Pay particular attention for step 6 "monitor IP". Please set debians's WG endpoint IP, later we will change it, but for now we use this one to see the gateway / VPN itself is up.


Next we will test WG connection and config.
2b) Post a screenshot of
I) System: Gateways: Single
II) Firewall: NAT: Outbound
=> if there is no entry for WGnet, go to step 9 of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html but leave source address blank.
III) Lobby: Dashboard interface section

I have good news. The interface raspbberry I need it for other using. Now, It is disabled, without any cable connected.

I have wg up and first time I saw , send and receive packets and handshake, but I am not connected to publick ip of vpn. I still have my ISP ip. So, I have all information you need.

I followed the  steps 1-6 . Inside gateway single I created as the example then I put monitor IP  10.217.30.1 and  gateway IP 10.217.30.1 . This ip is from wg debian server as you said.

As far from configuration nothing created NAT outbound. I went to  step 9 as you said but step 9 say create Firewall ‣ Rules ‣ Floating . I did the same.

I have normal connection from my ISP with wg enabled. Now It need to change the gateway...
I post all screenshots

[tiermutter]

Fine, WG looks good. We will care about routing all over VPN in step 3...

Now we will try routing one IP over VPN and see if it works...
2c) Go to System: Gateways: Single and change WG monitor IP to 8.8.4.4
2d) Traceroute 8.8.4.4 from Sense shell, post the output.

[novel]

Fine, WG looks good. We will care about routing all over VPN in step 3...

Now we will try routing one IP over VPN and see if it works...
2c) Go to System: Gateways: Single and change WG monitor IP to 8.8.4.4
2d) Traceroute 8.8.4.4 from Sense shell, post the output.

Perfect, the blur places on the screenshot show the public IP of VPS then the publick IP from ISP.

I am very happy 

[tiermutter]

Perfect my friend

Step 3 is to achieve that LAN clients will use VPN only.
3a) Go to Firewall: Rules: LAN and find the v4 default allow rule. Edit it and set the VPN as gateway.
3b) At Firewall: Rules: LAN find the v6 default allow rule. Disable it to make sure no traffic will go over WAN via v6 overriding your VPN. This is only suitable if IPv6 is activated for LAN/WAN.
3c) Post a screenshot of System: Routes: Status
3d) Traceroute 8.8.8.8 from LAN client (eg PC, not from sense!), post the output.
3e) Traceroute google.com from LAN client (eg PC, not from sense!), post the output.

[tiermutter]

BTW:
For my feelings latency is very high, according to previous screenshots I would expect about 50-60ms.
Maybe there is a need for some tuning later, but no problem for the moment.

[novel]

Perfect my friend

Step 3 is to achieve that LAN clients will use VPN only.
3a) Go to Firewall: Rules: LAN and find the v4 default allow rule. Edit it and set the VPN as gateway.
3b) At Firewall: Rules: LAN find the v6 default allow rule. Disable it to make sure no traffic will go over WAN via v6 overriding your VPN. This is only suitable if IPv6 is activated for LAN/WAN.
3c) Post a screenshot of System: Routes: Status
3d) Traceroute 8.8.8.8 from LAN client (eg PC, not from sense!), post the output.
3e) Traceroute google.com from LAN client (eg PC, not from sense!), post the output.

As I said before gateway not change, I change the gateway on default route ipv4 and I disable ipv6.

traceroute google.com shows

google.com: Name or service not known
Cannot handle "host" cmdline arg `google.com' on position 1 (argc 1)

traceroute 8.8.8.8 shows only

 1  _gateway (192.168.1.1)  0.471 ms  0.451 ms  0.368 ms
2. * * *
3  * * *

[novel]

II) Firewall: NAT: Outbound
=> if there is no entry for WGnet, go to step 9 of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html but


Here step 9 it is not nat outbound. It is firewal > rules > floating . Did you see it ?

[tiermutter]

As I said before gateway not change

What exactly does that mean? You need to change the gateway in that rule from default / emtpy to the VPN.
Is VPN gateway not shown there in dropdown or what is the problem?

I change the gateway on default route ipv4 and I disable ipv6.

What exactly does that mean? Please post screenshots of your changes.

[tiermutter]

II) Firewall: NAT: Outbound
=> if there is no entry for WGnet, go to step 9 of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html but


Here step 9 it is not nat outbound. It is firewal > rules > floating . Did you see it ?

give me minute...

[tiermutter]

I am sorry... it is step 10...

Now corrected this in original post...