Remote Access to OPNSense 24.7_9

[tim777]

Hi,

I have just installed the new version of OPNsense 24.7_9 and established I-Net connection and even set up Nord VPN as per Nord instruction on their site. All outgoing connections over VPN are fine.

Now, I want t access the FW from the WEeb.  As a newbie I'm not even able to find the WAN IP from the provider to check if it works. I also have domain name from my I-Net provider myname.domain.xy (xy=cuntry code) The access does not work. I wanted to try via IP but don't know where to find it.

I need to know how to set the rule to access the Web IF. (see screenshot)

And how to set up Dynamic DNS. Especially what host name and what protocol, as service I chose custom.
On my Vilfo router I just had to put the domain name, no user name or password was necessary.

I did both but probably wrong.

Thanks!

[Aerowinder]

Do not do this.

[nodakbarnes]

So doing this if you don't know what you're doing is asking for trouble.

I have access to it via WireGuard and keep my dynamic IP updated with no-ip via os-ddclient (Custom Service: DynDNS 2).

There is currently a bug in OPNSense 24.7 that does not show the PPPOE public WAN IP address properly but Google can help with finding that (and the bug does not affect DDNS which still detects the proper public WAN IP).

Also, I have TOTP setup for login to the web interface.

If you setup WireGuard properly there are no additional firewall rules needed to allow web interface access (besides the single WireGuard port).

And for the love of God please delete the rule you've applied to the firewall to allow port 80 access from the WAN (if you don't know why this is an issue please consider another product - perhaps FireWalla)!

[tim777]

Thank you guys!

The rule is disabled.


Well, I don't care how I can access the FW from outside, the more secure the better, of course. Will look to the Wireguard tutorials. But I can imagine I need the IP address, which I dot see now, because all traffic goes trough Nord VPN.

I have installed os-ddclient, but not sure if it is set up properly, since I couldn't access the FW via WAN IF.  But it is needed for Wireguard, I guess.


Please help me with it, because I will need to leave the location in a couple of days and it should work until then, otherwise I have to return (again) to Vilfo, which is still there as backup.

Thanks again!!!

[cookiemonster]

Because you have now setup your router with your new provider, your public IP address from your ISP will be on the wan interface now. Interfaces > Overview will show it.
The VPN tunnel will not change that.
To manage your firewall from another network regardless of the VPN tunnel whether is up or not, you would create a separate VPN tunnel with the public ip ie WAN from your isp being the endpoint or peer in wg parlance.
This is where a dynamic dns setup comes into play. You get one and can be a free one and use the dynamic dns client on OPN so that the dns entry gets updated if/when your public ip (again from your ISP) changes. Then your VPN client on your device external to OPN gets setup with that dns as the endpoint.

[tim777]

Thanks a lot @cookiemonster!

Now I know how to see my external IP - check on that. (a lot of stuff to learn  :o)

I have a domain name from my I-Net provider. Can I use that one? If yes, how?
if not how to set up OPN dyndns.

In the online manual are different scenarios for Wireguard.

In a next step, I will do site-to-site, because I will install OPN on the FW in the location A too, end of next week. But before, I just need to have access somehow to this FW in location B, from the internet.

Is there maybe a good vid or instruction, how to set it up properly to access via WG Client?

[cookiemonster]

> I have a domain name from my I-Net provider. Can I use that one? If yes, how? if not how to set up OPN dyndns.

https://docs.opnsense.org/manual/dynamic_dns.html

> Is there maybe a good vid or instruction, how to set it up properly to access via WG Client?
https://docs.opnsense.org/manual/vpnet.html
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

[tim777]

> I have a domain name from my I-Net provider. Can I use that one? If yes, how? if not how to set up OPN dyndns.

https://docs.opnsense.org/manual/dynamic_dns.html

Hi, I've been trough this. I can see that the ddclient as green in the dashboard. Still, I don't know if configured properly, sicne I don't know which protocol I should use,  I chose "none", as server and host I put myname.domain.xy. No password no user. According to my provider, as soon as I activate the DDNS on their side in my account everithing is done. So maybe I don't even need a client on the FW?

However, I can not connect with a WG client from my smartphone.

> Is there maybe a good vid or instruction, how to set it up properly to access via WG Client?
https://docs.opnsense.org/manual/vpnet.html
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

As I said, firs I need to connect via a WG client to the FW/network, to be sure I can access it somehow. Site-to-site will follow as soon as I'm in location A and set up OPNsense there.

So how to connect via App on Smartphone or other PC (Linux, Mac) from the internet?

With Vilfo I've used OpenVPN.

[cookiemonster]

> So how to connect via App on Smartphone or other PC (Linux, Mac) from the internet?
what about the next chapter on the same manual:  https://docs.opnsense.org/manual/how-tos/wireguard-client.html
Unless I'm misunderstanding your question.
If the peer you want is an app, I can't help.

[tim777]

If the peer you want is an app, I can't help.

Yes, I need a connection via an App, for the time being because I need to have a remote access in order to configure later site-to-site, from another location. 

It is simply frustrating. The manual do not match at all to the GUI of the new Version! Neither for WireGuard, nor for OpenVPN. All tutorials on YT are for the older GUI. How can one release such a change without adjusting the manual??

I have tried with OpenVPN,
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

On the last step adding a SSL server, the created server certificate as per manual is not accepted because

"Certificate SSLVPN Server Certificate is not intended for server use."  >:(

[cookiemonster]

> Yes, I need a connection via an App, for the time being because I need to have a remote access in order to configure later site-to-site, from another location. 
An app is not magically going to be magically configuring OPN on the inside. IT's just a UI, a front end that is more appealing perhaps. In other words you must configure the tunnel somehow first, app or otherwise.
Perhaps you imagine a VPN tunnel as an equivalent to an RDP or VNC connection. It isn't. Instead it can only reach the networking elements that is configured to, not to -all- by default.
Perhaps this helps: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

[tim777]

An app is not magically going to be magically configuring OPN on the inside.

Sure, this is not my expectation. What I meant by "via app" was a client-server connection not a server-server, respectively site-to-site connection. Because I don't have the other server yet. If this will work, we will see.

Perhaps this helps: https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

I followed this steps already, like in the OPNsense manual. When scanning the QR code I get an error message. Both with the domain name and public IP address. So it is the setting that is wrong or bug or I don't know what. Maybe I made a mistake, but how to check when the manual do not match the new version of the software???
Unfortunately I can not see the whole message on the phone and it disappears after 2 seconds.

[cookiemonster]

wg has no concept of client-server, both are peers. It's the setup of each peer that creates the behaviour.
Are you able to use a computer/laptop instead of a phone? That way the generated configs can be more easily observed. Otherwise with phones, I don't have much of an idea.
I use android and can see the settings on the app for it, as well as on a laptop. However i didn't use QR codes at the time I set them up, sorry.

[tim777]

I'm aware about the peer concept, therefore I didn't use the term CS, but "by app" to make clear, that I don't want (can't) connect two FW/Router.

I can use a PC (Linux or Mac) via phone/hotspot to access the FW from outside.

I don't know what is easier, WG or OpenVPN.  Will probably do it with the Mac, since it easier to install and set up the apps.

The problem is, that I can't set up the OpenVPN server, even with following the manual.
This topic was read 400 times.

Is nobody out there who was able to connect to the new version?????

[cookiemonster]

well I got all confused now.
You can access the OPN firewall from the inside, right? And now want to setup a VPN so you can connect to "it" when away, correct?
The "it" is important here. Normally the VPN is used to connect to "it" to reach the network inside it, i.e. the LAN from the WAN. Connecting to the firewall itself, like for managing it, needs additional steps.
The links I shared although a little old should have the additional steps, which normally mean "allow all ips".
WG is easier than OpenVPN by the way.
Start by setting up the ddns please.