How to access to GUI OPNsense from WAN ?

[novel]

Hello,

I read some posts here but I didn' find a solution.

How to connect from my mobile to opnsense GUI from wan. Now from lan OPNsense address is 192.168.1.1.

Please does anyone knows what is address after https// to connect need from wan? What firewall rules , do I need to connect.

I use default firewall rules from scratch. In System ->Administrator I have Listen Interfaces - All

[Patrick M. Hausen]

Firewall > Rules > WAN

Click on the "+" to add a rule. Add this rule:

Action: allow
Source: any
Destination: WAN address
Destination port: 443

That's should be it. I would also go to Firewall > Settings > Advanced and check "Disable anti-lockout". I don't like "magic" things going on without explicit configuration.

Also please start to read the documentation.

[novel]

Firewall > Rules > WAN

Click on the "+" to add a rule. Add this rule:

Action: allow
Source: any
Destination: WAN address
Destination port: 443

That's should be it. I would also go to Firewall > Settings > Advanced and check "Disable anti-lockout". I don't like "magic" things going on without explicit configuration.

Also please start to read the documentation.

I did everything you said. Which is address do I have to put on firefox? https//   <- what?

[Patrick M. Hausen]

External WAN address of your OPNsense ...

[novel]

External WAN address of your OPNsense ...

Do you mean the public Ip or IPV4 of wan address? I use both but It didn't work.

[Patrick M. Hausen]

IPv4 of WAN address should be a public IP. Isn't it? If it isn't, why?

[novel]

IPv4 of WAN address should be a public IP. Isn't it? If it isn't, why?

Yes , WAN it Is the public. I am behind CGNAT I use vpn server instead WAN to bypass CGNAT. It is the same. I use the public the public of vpn.

Whole my lan works with VPN . All traffic goes to vpn so, I bypass the cg nat. So for my post I use public IP from vpn but I cannot access to web interface through WAN

[tiermutter]

Sorry, this will not work since I am sure you do not have a public routable IP for your VPN interface... whatever this public IP is (VPN server IP???), it will not allow you to connect to your sense.

Behind CGNAT you can only gain direct access via v6.

[novel]

Sorry, this will not work since I am sure you do not have a public routable IP for your VPN interface... whatever this public IP is (VPN server IP???), it will not allow you to connect to your sense.

Behind CGNAT you can only gain direct access via v6.

To bypass this problem I run wireguard client on raspberry behind OPNsense. The topology is: Main router -> raspberry wiregurard -> OPNsense. I tested with the previous firewall. It works 100%

I am going to try here with OPNsense.

Do you mean tha IPV6 can avoid this problem?

[tiermutter]

Sorry, I don't understand how exactly this should work...
Can you provide a detailed network diagram (devices, addresses, routes, ...) of your old setup where this worked?
Are there any other services in this setting like portmapper? What is the exact role of your VPS (Now i remember this, but it is not mentioned in this thread!)?

As said in other threads: Details are missing! You cannot assume that everyone knows your setup or that Patrick or me will always remember details posted across 3-5 threads.

[tiermutter]

Do you mean tha IPV6 can avoid this problem?

You can use ipv6 instead of v4 to reach your sense or home nework, yes.
Even with CGNAT you should get a public v6. I am also behind CGNAT using v6 to connect via VPN to gain access to my whole LAN (even via internal v4 addresses).

[novel]

Do you mean tha IPV6 can avoid this problem?

You can use ipv6 instead of v4 to reach your sense or home nework, yes.
Even with CGNAT you should get a public v6. I am also behind CGNAT using v6 to connect via VPN to gain access to my whole LAN (even via internal v4 addresses).

Thank you for information. Do you have static prefix on IPV6? or do you use ddclient to update IP?

So, do you use vpn to have inbound traffic to opnsense and port forward? Do you use vpn for any other reason?

[tiermutter]

A) No static prefix, but actually it has never changed the last 2 or 3 years.
B) Yes, I use ddclient for updatating IP, but since I never had change in the past years, I am not sure if it really works or not. 
C) Unsure what you mean... After establishing VPN connection from client so sense I have access to all my LAN/ VLAN at home and clients will use (per my default) my home WAN connection. No need for any port forwards.
D) Other reasons? No... simply ta have access to my home nets and to use my home WAN connection and also DNS resolver. I have also two NAS as VPN clients to realize external backups (I don't want site to site connection here). Anyting more to achieve with a roadwarrior VPN?  My sense also is VPN client (nord vpn) but I use it only for a couple of devices...

[cookiemonster]

Sorry, I don't understand how exactly this should work...
Can you provide a detailed network diagram (devices, addresses, routes, ...) of your old setup where this  worked?
Are there any other services in this setting like portmapper? What is the exact role of your VPS (Now i remember this, but it is not mentioned in this thread!)?

As said in other threads: Details are missing! You cannot assume that everyone knows your setup or that Patrick or me will always remember details posted across 3-5 threads.

this is why I with regret, even with Private Messages, I have had to stop trying to help. We keep getting single couple-liners to ask a question, but he has this convoluted setup that he fails to include on each thread. So everyone tying to help has to spend a lot of time to discover that in the end. Sorry OP but you have been asked many times to include all your setup. We're trying to help for free whilst holding day jobs. It's not fair to do it the way you are doing it so far.

[tiermutter]

+1

Could really be much easier to help and understand the situation and the whole desired setup.