How to route everything from LAN over VPN.

Started by novel, November 25, 2023, 12:58:40 PM

November 25, 2023, 09:36:56 PM #30 Last Edit: December 13, 2023, 09:45:20 PM by novel
Quote from: tiermutter on November 25, 2023, 09:33:14 PM
hm, ok... please post a screenshot of your LAN FW rules

ok

November 25, 2023, 09:55:41 PM #31 Last Edit: November 25, 2023, 09:57:38 PM by tiermutter
Quote from: novel on November 25, 2023, 09:34:35 PM

I know this is a hardship for you. I am a newbie with OPNsense. I installed it a couple of days ago.

I am sorry about that.

No problem... I am also no expert in networking or OPNsense...

For the moment I have no idea where the problem is located...
VPN is up and running
Routing for 8.8.4.4 (GW monitoring) is working
Routing for LAN clients is not working.... Routing by FW rule is ok... NAT issue?
Please post a screenshot of your outbound NAT overview.

If this is fine, I am out of ideas, but maybe then we should try routing via alias in next step...
... changing gateway priority is no option for me...
i am not an expert... just trying to help...

Do a tcpdump on the wg interface on the VPS side, and then on the external interface on the VPS side filtering on the source address of the internal LAN system. If the packets pass through the tunnel as intended - that's what we want to check - then possibly outbound NAT on the VPS side is not working as intended.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 25, 2023, 10:12:08 PM #33 Last Edit: December 13, 2023, 09:45:51 PM by novel
Quote from: tiermutter on November 25, 2023, 09:55:41 PM
Quote from: novel on November 25, 2023, 09:34:35 PM

I know this is a hardship for you. I am a newbie with OPNsense. I installed it a couple of days ago.

I am sorry about that.

No problem... I am also no expert in networking or OPNsense...

For the moment I have no idea where the problem is located...
VPN is up and running
Routing for 8.8.4.4 (GW monitoring) is working
Routing for LAN clients is not working.... Routing by FW rule is ok... NAT issue?
Please post a screenshot of your outbound NAT overview.

If this is fine, I am out of ideas, but maybe then we should try routing via alias in next step...
... changing gateway priority is no option for me...


It is a real shame. I feel sad because there are so many users who don't help, who don't post....

November 25, 2023, 10:19:48 PM #34 Last Edit: November 25, 2023, 10:22:52 PM by novel
Quote from: Patrick M. Hausen on November 25, 2023, 10:07:14 PM
Do a tcpdump on the wg interface on the VPS side, and then on the external interface on the VPS side filtering on the source address of the internal LAN system. If the packets pass through the tunnel as intended - that's what we want to check - then possibly outbound NAT on the VPS side is not working as intended.


Patrick, I fixed it, but not in the correct way. Please help me fix it the correct way. Now I am connected through the VPN; I disabled the WAN_DHCP gateway, so only the VPN gateway is working.



Quote from: tiermutter on November 25, 2023, 09:55:41 PM
Quote from: novel on November 25, 2023, 09:34:35 PM

I know this is a hardship for you. I am a newbie with OPNsense. I installed it a couple of days ago.

I am sorry about that.

No problem... I am also no expert in networking or OPNsense...

For the moment I have no idea where the problem is located...
VPN is up and running
Routing for 8.8.4.4 (GW monitoring) is working
Routing for LAN clients is not working.... Routing by FW rule is ok... NAT issue?
Please post a screenshot of your outbound NAT overview.

If this is fine, I am out of ideas, but maybe then we should try routing via alias in next step...
... changing gateway priority is no option for me...


I fixed it, my friend... I already posted to Patrick. I disabled wan_dhcp. We have to find the correct way for it to work correctly   :) :) :) :) :) :) ;) ;) ;) :D :D

If the wireguard interface on your VPS is wg0, then with the VPN active do a ping 8.8.8.8 on some internal client and at the same time as root on the VPS:
tcpdump -n -i wg0 icmp

If the interface is not wg0, then adapt accordingly.

If you see the packets from the internal client, then the VPN tunnel is ok. If you don't, it's a problem with the tunnel.

Assuming you see the packets then repeat the procedure but instead of wg0 use the external interface of your VPS (eth0 or similar).
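An added helper (my own, not from Patrick's post) that wraps the two captures he describes and classifies the tcpdump lines: private LAN source inside wg0 means the tunnel carries the traffic; private LAN source on eth0 means outbound NAT on the VPS is not applied. The LAN client address, VPS public address and interface names are placeholder assumptions.

```shell
#!/bin/sh
# Added example: wraps the two-step tcpdump check from the thread and classifies the
# captured lines. Placeholder assumptions (override via environment): LAN client
# 192.168.1.50, VPS public address 203.0.113.10, tunnel wg0, external eth0.
LAN_CLIENT="${LAN_CLIENT:-192.168.1.50}"
VPS_PUBLIC="${VPS_PUBLIC:-203.0.113.10}"
WG_IF="${WG_IF:-wg0}"
EXT_IF="${EXT_IF:-eth0}"

# Capture a few ICMP echo requests on one interface. Run as root on the VPS while
# the LAN client runs "ping 8.8.8.8"; prints tcpdump's one-line-per-packet output.
capture_icmp() {
    tcpdump -n -i "$1" -c "${2:-5}" 'icmp[icmptype] = icmp-echo' 2>/dev/null
}

# classify ROLE CAPTURE: ROLE is "tunnel" (wg0) or "external" (eth0); CAPTURE is the
# tcpdump text. Counts packets still carrying the LAN client's private source
# address versus packets already rewritten to the VPS public address.
classify() {
    role="$1"; capture="$2"
    lan_hits=$(printf '%s\n' "$capture" | grep -cF "IP $LAN_CLIENT > " || true)
    pub_hits=$(printf '%s\n' "$capture" | grep -cF "IP $VPS_PUBLIC > " || true)
    case "$role" in
        tunnel)
            # Inside the tunnel the source must still be the private LAN address.
            if [ "$lan_hits" -gt 0 ]; then echo tunnel-ok; else echo tunnel-broken; fi ;;
        external)
            # On eth0 a working outbound NAT shows the public address; the private
            # address leaking onto eth0 means NAT is not applied to tunnel traffic.
            if [ "$pub_hits" -gt 0 ]; then echo nat-ok
            elif [ "$lan_hits" -gt 0 ]; then echo nat-missing
            else echo no-egress; fi ;;
        *) echo "usage: classify tunnel|external CAPTURE" >&2; return 2 ;;
    esac
}

# Live run (as root on the VPS): capture on both interfaces and print both verdicts.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    echo "$WG_IF: $(classify tunnel "$(capture_icmp "$WG_IF")")"
    echo "$EXT_IF: $(classify external "$(capture_icmp "$EXT_IF")")"
fi
```

Run it with RUN_LIVE=1 on the VPS while the LAN client pings; "tunnel-ok" followed by "nat-missing" points at the VPS outbound NAT rather than the tunnel.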

There already is an automatic rule for WG in outbound NAT.
I am unsure about the impact it has (I guess none), but I am sure you don't need it...

@Patrick outbound NAT on VPS is working since we can ping 8.8.4.4 (GW monitor IP) from OPNsense.
Am I wrong?

oops... I am late, so much happened last 15 minutes...

Changing GW priority (or removing WAN GW) was what I wanted to prevent.
This is a workaround for the routing issues we have, but not a proper way to go.
However... is everything now working so far?

November 25, 2023, 10:43:09 PM #39 Last Edit: December 13, 2023, 09:48:12 PM by novel
Quote from: Patrick M. Hausen on November 25, 2023, 10:28:44 PM
If the wireguard interface on your VPS is wg0, then with the VPN active do a ping 8.8.8.8 on some internal client and at the same time as root on the VPS:
tcpdump -n -i wg0 icmp

If the interface is not wg0, then adapt accordingly.

If you see the packets from the internal client, then the VPN tunnel is ok. If you don't, it's a problem with the tunnel.

Assuming you see the packets then repeat the procedure but instead of wg0 use the external interface of your VPS (eth0 or similar).

Patrick, I did as you said... Please look at the screenshot. Ping from my laptop is OK, but I have a high time=80.9 ms.

So it's working now. Great! What did you expect but something in the 100 ms range? You are tunneling to a different country, aren't you?

Quote from: tiermutter on November 25, 2023, 10:36:26 PM
oops... I am late, so much happened last 15 minutes...

Changing GW priority (or removing WAN GW) was what I wanted to prevent.
This is a workaround for the routing issues we have, but not a proper way to go.
However... is everything now working so far?

Yes, it is working, but I disabled wan_dhcp to make it work. It is not the correct way... How to fix it?

Quote from: Patrick M. Hausen on November 25, 2023, 10:44:55 PM
So it's working now. Great! What did you expect but something in the 100 ms range? You are tunneling to a different country, aren't you?

Yes, a different country. If this ms is acceptable, that's fine. Is it a logical ms, Patrick?

Yes, my friend Patrick. How can I fix it the correct way? Now I disabled wan_dhcp... to make the VPN work. The gateway must change automatically when I enable or disable the VPN.


Quote from: novel on November 25, 2023, 10:45:19 PM
Yes, it is working, but I disabled wan_dhcp to make it work. It is not the correct way... How to fix it?

For me, this is not the proper way. Maybe just a matter of mind, I don't know, never tried / tested this...
Connection to VPN is now still established... but what will happen after connection loss / reboot? Without WAN GW OPNsense WG client will not be able to connect... will it?
Changing priority instead of disabling WAN GW would be better, but -as said maybe a matter of mind- not the righteous way to go...

November 25, 2023, 10:58:13 PM #44 Last Edit: December 13, 2023, 09:48:33 PM by novel
Quote from: tiermutter on November 25, 2023, 10:53:37 PM
Quote from: novel on November 25, 2023, 10:45:19 PM
Yes, it is working, but I disabled wan_dhcp to make it work. It is not the correct way... How to fix it?

For me, this is not the proper way. Maybe just a matter of mind, I don't know, never tried / tested this...
Connection to VPN is now still established... but what will happen after connection loss / reboot? Without WAN GW OPNsense WG client will not be able to connect... will it?
Changing priority instead of disabling WAN GW would be better, but -as said maybe a matter of mind- not the righteous way to go...


Normally the gateway must switch automatically when I enable or disable the VPN, but in my case that does not happen. So I have to change the VPN gateway to 253?