Remote Access to OPNSense 24.7_9

Started by tim777, August 01, 2024, 07:30:27 PM

August 04, 2024, 06:18:10 AM #15 Last Edit: August 04, 2024, 06:39:37 AM by tim777
Quote from: cookiemonster on August 04, 2024, 12:25:01 AM
well I got all confused now.
You can access the OPN firewall from the inside, right? And now want to setup a VPN so you can connect to "it" when away, correct?

Exactly! (was my post so confusing?)

Quote
The "it" is important here. Normally the VPN is used to connect to "it" to reach the network inside it, i.e. the LAN from the WAN. Connecting to the firewall itself, like for managing it, needs additional steps.
The links I shared although a little old should have the additional steps, which normally mean "allow all ips".
WG is easier than OpenVPN by the way.

I followed the (awful) tutorials and set up both OpenVPN and WG in the FW again.

OpenVPN

a) with OpenVPN Connect on Android device:

Error Message: "Select Certificate. This profile does not include certificate. Continue with connecting without a certificate or select one from Android keychain?"

Attached the config file that I have exported from the FW and imported to the client on the phone. Note, I have added <ca></ca> manually, since it was not there, and in the config for the Vilfo router, which works, these are there. It didn't work without either.

b) With Tunnelblick App on Mac
pls see log file attached.

Wireguard from Mac with the Wireguard App

followed this tutorial first:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
but at Step 6, surprise!
Quote
Client configuration is largely beyond the scope of this how-to since there is such a wide array of possible targets (and corresponding configuration methods)
You don't say.
Ok, keep calm I thought, and continued with:
https://wireguard.how/client/macos/

It starts with:

Quote
In this tutorial, we setup a WireGuard client on macOS. Before following this tutorial, you should already have a working WireGuard server running. Install the WireGuard app for macOS.

OK, clicked on https://wireguard.how/server/

But there is no guide for Mac there! Really? This is just a big b***hit.

But even going forward with the client config

sudo wg show wg0
command not found: wg

I wanted to install the tools (found that on the I-net) with
sudo install wireguard-tools

Didn't work.

usage: install [-bCcpSsv] [-B suffix] [-f flags] [-g group] [-m mode]
               [-o owner] file1 file2
       install [-bCcpSsv] [-B suffix] [-f flags] [-g group] [-m mode]
               [-o owner] file1 ... fileN directory
       install -d [-v] [-g group] [-m mode] [-o owner] directory ...



Quote
Start by setting up the ddns please.

I guess, it is done. For now I'll try it with the public IP, if that works I will look to ddns again. According to my I-Net provider they are managing the binding to the IP, so nothing is required. Let's see this later.

What next?

What I don't understand with WG is: do I need a Server and a Peer on both sides, FW and Mac (or other OS)?

Quote
WG is easier than OpenVPN by the way.
....

So far, I wouldn't use the word easy for either of them  :-\

I can't help with MacOS for the moment.
Let's stick with WG.
At step 6 you use wg-tools on your MacOS. Are you able to get here? Are you able to stay on IPV4 only?
If yes, we just need to let you know which keys go where. Because of their shared names "public key", "private key", it might make it unclear which one goes where.

Quote from: tim777 on August 04, 2024, 06:18:10 AM
It starts with:

Quote
In this tutorial, we setup a WireGuard client on macOS. Before following this tutorial, you should already have a working WireGuard server running. Install the WireGuard app for macOS.

OK, clicked on https://wireguard.how/server/

But there is no guide for Mac there! Really? This is just a big b***hit.

Of course you need to have a working WG server running - on your OPNsense! - to use the app for the Mac. Nowhere does this statement imply you need a server for the Mac.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Quote from: Patrick M. Hausen on August 05, 2024, 07:08:30 AM

Of course you need to have a working WG server running - on your OPNsense! - to use the app for the Mac. Nowhere does this statement imply you need a server for the Mac.

That's what I thought too. Meanwhile nothing is sure to me, if it is not explicitly mentioned in the manual, after such experiences.
Also I have no experience with WG at all.

Thanks, I will try again,

but ....

Quote from: cookiemonster on August 04, 2024, 11:33:42 PM
I can't help with MacOS for the moment.
Let's stick with WG.
At step 6 you use wg-tools on your MacOS. Are you able to get here? Are you able to stay on IPV4 only?
If yes, we just need to let you know which keys go where. Because of their shared names "public key", "private key", it might make it unclear which one goes where.

No, I'm not able to install wg-tools, as described in the messages above.
Since this is a business administrated Mac (but I'm local admin), I don't know if I can disable IP6, but afaik we are on IP4.

WireGuard for MacOS is on the App Store:

https://www.wireguard.com/install/
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 05, 2024, 08:53:09 AM
WireGuard for MacOS is on the App Store:

https://www.wireguard.com/install/

What do you think I have been doing all the time? ;)

See first post on this page:


Quote
Wireguard from Mac with the Wireguard App

followed this tutorial first:
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
but at Step 6, surprise....


I have manually configured the WG connection in the app like suggested in the manual as a common config. See attached image.

But I can not get a connection, neither to the OPNsense FW nor to any device on the LAN, when the WG connection is activated (Mac connected to the internet via mobile phone hotspot). There is a green light with the connection.

Interesting that I can not connect to the internet either!

So, what I think is, that the connection is actually established, but some configs in the FW are not ok??




On OPNsense,

- do you have a firewall rule on WAN permitting 51820/UDP to "WAN address"?
- do you have a firewall rule on the "WireGuard" interface group (or an assigned interface if you did that) with "allow * *"?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

August 05, 2024, 12:35:10 PM #22 Last Edit: August 05, 2024, 12:37:29 PM by tim777
Quote from: Patrick M. Hausen on August 05, 2024, 11:13:13 AM
On OPNsense,

- do you have a firewall rule on WAN permitting 51820/UDP to "WAN address"?

Nope, because there is nothing about it in the manual. Only UDP to 1194 and 1412.



Quote
- do you have a firewall rule on the "WireGuard" interface group (or an assigned interface if you did that) with "allow * *"?

yes, I have a dedicated interface with a rule that allows all IP4 traffic. see screenshot.

Quote from: tim777 on August 05, 2024, 12:35:10 PM
Quote from: Patrick M. Hausen on August 05, 2024, 11:13:13 AM
On OPNsense,

- do you have a firewall rule on WAN permitting 51820/UDP to "WAN address"?

Nope, because there is nothing about it in the manual. Only UDP to 1194 and 1412.

1194 is OpenVPN. If your WG client should be able to contact the WG server, you need to permit that traffic. By default everything coming towards your OPNsense from outside on WAN is denied. So you need that rule.

Source: any/*
Destination: WAN address
Destination port: 51820
Protocol: UDP
Action: allow

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 05, 2024, 01:16:37 PM

Source: any/*
Destination: WAN address
Destination port: 51820
Protocol: UDP
Action: allow

HTH,
Patrick

OK, that was a mistake, instead of 51820 I have copied the (MTU) 1412 as destination port. Changed but still no access. When I connect, the app shows me that the interface is listening to 58240. I'm not sure if I noticed this before changing the FW rule. Means, the instance from the WG App is listening to 58240, right?

The main question remains, how I have configured the client (see attached image before).


Thank you so far!


The firewall rule destination port must match the local port of the WG instance on OPNsense. The Mac side is covered by the "any" in the source address and port.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
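Two things in this thread keep tripping the setup up: which key goes where (cookiemonster's post above) and the requirement that the client's Endpoint port, the WireGuard instance's listen port and the WAN rule's destination port are all the same number (Patrick's last two posts). The Python below is an added example, not code from the thread or from OPNsense: it cross-checks a macOS client profile against the OPNsense-side instance, peer entry and WAN rule. The client profile, the OPNsense values (written as dicts, since OPNsense is configured in the GUI and has no such Python API), the LAN network 192.168.1.0/24 and both firewall rule variants are constructed sample data with placeholder keys.

```python
import configparser
import ipaddress

# Constructed sample: a client profile as the WireGuard macOS app expects it.
# Key values are placeholders, not real key material.
CLIENT_CONF = """\
[Interface]
PrivateKey = <MAC_PRIVATE_KEY_PLACEHOLDER>
Address = 10.10.10.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <OPNSENSE_INSTANCE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.10.10.0/24, 192.168.1.0/24
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

# Constructed sample of the OPNsense side (VPN > WireGuard > Instances / Peers),
# written as dicts because OPNsense is configured in the GUI.
OPNSENSE_INSTANCE = {
    "public_key": "<OPNSENSE_INSTANCE_PUBLIC_KEY_PLACEHOLDER>",
    "listen_port": 51820,
    "tunnel_address": "10.10.10.1/24",
    "mtu": 1412,
}
OPNSENSE_PEER = {
    "public_key": "<MAC_PUBLIC_KEY_PLACEHOLDER>",
    "allowed_ips": "10.10.10.2/32",
}
LAN_NETWORK = "192.168.1.0/24"

# The WAN rule as Patrick describes it, and the variant with the MTU typed in as the port.
WAN_RULE_OK = {"protocol": "UDP", "destination": "WAN address", "dst_port": 51820, "action": "allow"}
WAN_RULE_MTU_AS_PORT = dict(WAN_RULE_OK, dst_port=1412)


def parse_client_conf(text):
    """Parse a wg-quick style profile into {section: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep WireGuard's CamelCase key names
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def _networks(csv):
    return [ipaddress.ip_network(n.strip()) for n in csv.split(",")]


def check_setup(client_text, instance, peer, wan_rule, lan_network):
    """Cross-check client profile, OPNsense instance/peer and WAN rule.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    client = parse_client_conf(client_text)
    iface, cpeer = client["Interface"], client["Peer"]

    # 1. Which key goes where: the client's [Peer] PublicKey is the OPNsense
    #    instance key; the OPNsense peer entry carries the client's public key.
    if cpeer["PublicKey"] != instance["public_key"]:
        findings.append("client [Peer] PublicKey is not the OPNsense instance public key")
    if cpeer["PublicKey"] == peer["public_key"]:
        findings.append("client [Peer] PublicKey is the client's own key (keys swapped)")

    # 2. Ports: client Endpoint port, instance listen port and the WAN rule's
    #    destination port must all be the same number.
    endpoint_port = int(cpeer["Endpoint"].rsplit(":", 1)[1])
    if endpoint_port != instance["listen_port"]:
        findings.append(f"Endpoint port {endpoint_port} != instance listen port {instance['listen_port']}")
    if wan_rule["dst_port"] != instance["listen_port"]:
        msg = f"WAN rule destination port {wan_rule['dst_port']} != instance listen port {instance['listen_port']}"
        if wan_rule["dst_port"] == instance.get("mtu"):
            msg += " (looks like the MTU value was entered as the port)"
        findings.append(msg)
    if wan_rule["protocol"].upper() != "UDP":
        findings.append("WAN rule protocol must be UDP")
    if wan_rule["action"].lower() not in ("allow", "pass"):
        findings.append("WAN rule must be an allow (pass) rule")
    if wan_rule["destination"] != "WAN address":
        findings.append("WAN rule destination should be 'WAN address'")

    # 3. The client's tunnel address must lie inside the OPNsense peer's
    #    AllowedIPs, or OPNsense drops the decrypted packets as unroutable.
    client_ip = ipaddress.ip_interface(iface["Address"]).ip
    if not any(client_ip in n for n in _networks(peer["allowed_ips"])):
        findings.append(f"client address {client_ip} is not in the OPNsense peer's AllowedIPs")

    # 4. On the client, AllowedIPs decides what is routed into the tunnel: it
    #    must cover the firewall's tunnel address (to manage OPNsense) and the LAN.
    client_allowed = _networks(cpeer["AllowedIPs"])
    fw_ip = ipaddress.ip_interface(instance["tunnel_address"]).ip
    if not any(fw_ip in n for n in client_allowed):
        findings.append(f"client AllowedIPs does not cover the OPNsense tunnel address {fw_ip}")
    lan = ipaddress.ip_network(lan_network)
    if not any(lan.subnet_of(n) for n in client_allowed):
        findings.append(f"client AllowedIPs does not cover LAN {lan}")
    return findings


if __name__ == "__main__":
    for name, rule in (("correct rule", WAN_RULE_OK), ("MTU as port", WAN_RULE_MTU_AS_PORT)):
        print(name, check_setup(CLIENT_CONF, OPNSENSE_INSTANCE, OPNSENSE_PEER, rule, LAN_NETWORK))
```

With the correct rule the check returns no findings; with 1412 as the destination port it returns one finding that names the port mismatch and notes that the value equals the instance MTU, which is exactly the slip described a few posts up. Swapping the two public keys in the profile produces two findings instead.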

That's correct now, but still does not work


August 05, 2024, 06:30:55 PM #27 Last Edit: August 05, 2024, 07:26:16 PM by Patrick M. Hausen
Does the OPNsense dashboard widget show an active handshake for the peer?

If not, please post the entire OPNsense side of the configuration minus private keys.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I didn't see anything like this in the dashboard. I have added the Wireguard widget but there is a flat line, so I guess no handshake?
Did you maybe mean something else in the dashboard?

I mean what is shown if a WG connection is successfully established. See screen shot. So your Mac is not (yet) connected at all. Something seems to be wrong on the OPNsense side, still.

Please post your firewall rule on WAN that should permit the WG traffic and all WG configuration on OPNsense with erased private keys.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
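Patrick's dashboard question comes down to one fact: has OPNsense ever completed a handshake with the Mac's key? The widget's flat line and `wg show` report the same thing. The Python below is an added example, not code from the thread or from OPNsense: it reads the output of `wg show wg0 dump` (run in the OPNsense shell; wg0 is assumed to be the instance's interface name) and reports per peer whether a handshake never happened, is stale, or is active, with a hint for the "never" case that points back at the WAN rule and key placement discussed above. The dump text and the timestamp NOW are constructed sample data with placeholder keys.

```python
import time

# Constructed sample of `wg show wg0 dump` (tab-separated; keys are placeholders).
# Line 1: private key, public key, listen port, fwmark.
# Each further line is one peer: public key, preshared key, endpoint,
# allowed IPs, latest handshake (Unix seconds, 0 = never), rx bytes, tx bytes,
# persistent keepalive.
NOW = 1722860000  # constructed "current time" so the sample is reproducible
SAMPLE_DUMP = (
    "<OPNSENSE_PRIVATE_KEY_PLACEHOLDER>\t<OPNSENSE_PUBLIC_KEY_PLACEHOLDER>\t51820\toff\n"
    "<MAC_PUBLIC_KEY_PLACEHOLDER>\t(none)\t(none)\t10.10.10.2/32\t0\t0\t0\toff\n"
    f"<OTHER_PEER_PUBLIC_KEY_PLACEHOLDER>\t(none)\t198.51.100.7:58240\t10.10.10.3/32\t{NOW - 30}\t8844\t12860\t25\n"
)
MAX_HANDSHAKE_AGE = 180  # seconds; WireGuard discards a session older than this


def parse_wg_dump(text):
    """Parse `wg show <iface> dump` output into a dict with the peer list."""
    lines = [line.split("\t") for line in text.strip().splitlines()]
    head = lines[0]
    peers = []
    for f in lines[1:]:
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3],
            "latest_handshake": int(f[4]),
            "rx": int(f[5]),
            "tx": int(f[6]),
        })
    return {"public_key": head[1], "listen_port": int(head[2]), "peers": peers}


def handshake_state(peer, now):
    """'never' if no handshake was ever completed, else 'active' or 'stale'."""
    if peer["latest_handshake"] == 0:
        return "never"
    return "active" if now - peer["latest_handshake"] <= MAX_HANDSHAKE_AGE else "stale"


def diagnose(text, now=None):
    """Return {peer_public_key: (state, hint)} for every peer in the dump."""
    now = int(time.time()) if now is None else now
    iface = parse_wg_dump(text)
    result = {}
    for p in iface["peers"]:
        state = handshake_state(p, now)
        if state == "never":
            # Nothing from this peer was ever accepted: the initiation packet
            # either never arrived (WAN rule, endpoint) or was rejected (keys).
            hint = (f"no handshake ever: check the WAN rule allows UDP/{iface['listen_port']} "
                    "to 'WAN address', the client Endpoint, and that the keys are not swapped")
        elif state == "stale":
            hint = "had a session once; last known client endpoint " + (p["endpoint"] or "unknown")
        else:
            hint = f"up, endpoint {p['endpoint']}, rx={p['rx']} tx={p['tx']}"
        result[p["public_key"]] = (state, hint)
    return result


if __name__ == "__main__":
    for key, (state, hint) in diagnose(SAMPLE_DUMP, NOW).items():
        print(f"{key}: {state}; {hint}")
```

In the sample the Mac's peer shows latest handshake 0, which is the "flat line" case: the Mac's app may show green because WireGuard brings the interface up before any handshake, but OPNsense has never accepted a packet from that key. The client-side port (58240 in the thread) does not appear anywhere in this check, since OPNsense only ever sees it as the source port covered by "any" in the WAN rule.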