Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
24.7 Production Series
»
Configuring firewall and routing for a standalone wireguard server in LAN
« previous
next »
Print
Pages: [
1
]
2
Author
Topic: Configuring firewall and routing for a standalone wireguard server in LAN (Read 326 times)
ThisUsernameHasBeenTaken
Newbie
Posts: 12
Karma: 0
Configuring firewall and routing for a standalone wireguard server in LAN
«
on:
November 10, 2024, 08:25:50 am »
Hello!
For some reason I have to use a standalone Wireguard server located on a dedicated host in my LAN.
All the Wireguard peers should have access to all the LAN hosts and vice-versa.
I was able to set everything up in a NAT (Masquarade) mode, but I want all the peers to be "visible" and manageable by their Wireguard IPs inside the OPNsense. Thus I am trying to set up the Wireguard server without a NAT (Masquerading).
Unfortunately I can't figure out how to set up firewall and routing properly.
My network setup:
LAN: 172.17.17.0/24
DNS server: 172.17.17.2
Wireguard server: 172.17.17.8
Wireguard network: 172.17.21.0/24. The network itself is defined in the Wireguard config and does not exist as a VLAN or any other type of network in the OPNSense. This should be fine because Wireguard is a Level 3 protocol.
Steps I took:
Installed and configured a Wireguard server on 172.17.17.8; enabled both
net.ipv4.ip_forward=1
and
net.ipv4.conf.all.proxy_arp=1
options. Masquerading is turned off (or rather it is not turned on).
Configured a peer for the Wireguard server.
Created a Port Forward rule to forward incoming connections from
WAN
port to the Wireguard server port.
Created a
Pass
rule for the
WAN
interface to allow connections to the Wireguard port.
Created two firewall rules for the LAN to allow traffic in the Wireguard network. For more details - see attached screenshot. I believe the last rule is not required. If so I will delete it later.
The results are: I can connect to the Wireguard server, but I cannot access any host in the LAN or Internet.
If I try to
ping
on make
nslookup
any host using 172.17.17.2 I get messages that these requests are blocked (see screenshot #2) by the
Default deny rule
which I don't understand because I have defined the
Pass
rules to allow this kind of traffic.
I appreciate any help how to make this setup working. I believe some firewall rules and/or routes are missing, but I can't figure what exactly is wrong.
Logged
dseven
Sr. Member
Posts: 268
Karma: 28
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #1 on:
November 10, 2024, 09:14:33 am »
I think you have an asymmetric routing situation. Your log screenshot appears to be showing DNS *responses* from 172.17.17.2 (port 53) back to 172.17.21.2, which are trying to go via the firewall (because presumably that's the detault route / gateway on the DNS server), but the requests from the client (172.17.21.2) to the DNS server would not have passed through the firewall, because your wireguard server has a local address on 172.17.17.0/24. The firewall can't track this, because it's only seeing half of the conversation.
You might be able to hack around this with static routes, but it'd probably be better if you could place the wireshark server on a dedicated subnet, separate from LAN, so both directions will always pass through the firewall.
Logged
ThisUsernameHasBeenTaken
Newbie
Posts: 12
Karma: 0
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #2 on:
November 10, 2024, 09:21:58 am »
Thank you very much for the suggestion!
I think I can do it. OPNSense is installed onto a VM so I can create another interface, assign a new network to it and move the Wireguard server into the new network.
A few questions about this setup:
Should I enable DHCP on the new network?
What firewall rules should I define?
What will happen in case of IP address conflict? I.e. the Wireguard server will create a Peer with an IP which already exist in the new network?
Logged
dseven
Sr. Member
Posts: 268
Karma: 28
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #3 on:
November 10, 2024, 09:26:12 am »
I would expect that wireguard would be managing address assignment, so no need for DHCP, and there wouldn't be any non-wireguard hosts on that network, so nothing to conflict with...?
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1549
Karma: 172
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #4 on:
November 10, 2024, 09:28:10 am »
Just use the built in wireguard server of the OPNsense, it will cut down all complexity and fix all routing issues.
Logged
Hardware:
DEC740
ThisUsernameHasBeenTaken
Newbie
Posts: 12
Karma: 0
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #5 on:
November 10, 2024, 09:31:58 am »
Except for the Wireguard server itself and the OPNSense, yes: there won't be any other non-Wireguard hosts in this network.
So technically there might be 1 interference: with the OPNsense. Because Wireguard doesn't know anything about it.
Regarding using a build in Wireguard server. I'd like to, but I can't: there is some specific software (like DPI or something) which should be running next to the Wireguard server.
Just to clarify: for now it is not installed and cannot interfere with the current setup.
Logged
ThisUsernameHasBeenTaken
Newbie
Posts: 12
Karma: 0
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #6 on:
November 10, 2024, 09:47:32 am »
Hmm. But before creating a new network: what about a hack with routes? What routes should I add to test if it works?
Logged
dseven
Sr. Member
Posts: 268
Karma: 28
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #7 on:
November 10, 2024, 10:09:00 am »
You'd probably need a static route on the firewall for 172.17.21.0/24 pointing to the wireguard server (172.17.17.
. That won't fix access to the DNS server, though, unless maybe you create a firewall rule on your LAN interface to allow destination 172.17.21.0/24 with "State Type" (under "Advanced features") set to "sloppy state". I'm not sure if that'll work, but it might. You might also need a sloppy rule for the other direction. Alternatively you could also add a static route on the DNS server, but then you'd have to do that on any LAN how that you need to be accessible from wireguard clients.
Logged
ThisUsernameHasBeenTaken
Newbie
Posts: 12
Karma: 0
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #8 on:
November 10, 2024, 10:22:03 am »
I got a little (partial) successes with the hack.
1. I have created a new Gateway in System -> Gateways -> Configuration pointing to 172.17.17.8 (Wireguard server)
2. I have created a new route in System -> Routes -> Configuration: to 172.17.21.0/24 via freshly created gateway.
3. In Firewall -> Settings -> Advanced I have enabled this option:
Bypass firewall rules for traffic on the same interface
This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.
After that I now have access to all the LAN hosts from the Wireguard! Yay!
Unfortunately I don't have Internet access from the Wireguard. I have created an outbound NAT for 172.17.21.0/24, but it didn't help...
Logged
ThisUsernameHasBeenTaken
Newbie
Posts: 12
Karma: 0
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #9 on:
November 10, 2024, 11:00:37 am »
Hmm.
I have added a new virtual network interface and created a new dedicated network: 172.17.18.0/24 with static IPs.
Created a Firewall rule to accept all from the new network in the Firewall -> Rules -> WG_IN_1 (new network name) section.
Moved the VPN server there: 172.17.18.2
Adjusted the Wireguard server IP to 172.17.18.254 and its Peer IP to 172.17.18.202 (inside wg0.conf)
Changed Port Forwarding from WAN to 172.17.18.254
Disabled previously created route and gateway
Unfortunately, it didn't work: I cannot access any hosts at all.
The same situation happens if I create a new gateway pointing to 172.17.18.254 and a route: to 172.17.18.0/24 via freshly created gateway.
The firewall is all green though: it shows connections, but no traffic flows...
«
Last Edit: November 10, 2024, 11:02:59 am by ThisUsernameHasBeenTaken
»
Logged
ThisUsernameHasBeenTaken
Newbie
Posts: 12
Karma: 0
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #10 on:
November 10, 2024, 03:43:39 pm »
I got both the Internet and LAN working, but I have no idea why is this working.
I was experimenting with NAT rules and accidentally mistyped IP: 127.17.21.0/21 instead of 172.17.21.0/24 and... it worked.
If I disable the rule - I loose the Internet connection for the Wireguard clients. If I enable it, the connection is back.
I don't know why: this rule doesn't make sense to me. Can anybody explain it?
Logged
dseven
Sr. Member
Posts: 268
Karma: 28
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #11 on:
November 10, 2024, 03:49:34 pm »
I assume you mean 172.17, not 127.17...
172.17.21.0/21 would actually be 172.17.16.0/21, which encompasses 172.17.18.0/24. Is your wireguard server masquerading?
Edit: Scratch that - I just looked at the screenshot.
Looks like you have the source address inverted - why?
«
Last Edit: November 10, 2024, 03:52:01 pm by dseven
»
Logged
ThisUsernameHasBeenTaken
Newbie
Posts: 12
Karma: 0
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #12 on:
November 10, 2024, 03:55:01 pm »
At first yes, I saw the typo: 127 instead of 172. Fixed it and the Internet gone... So I put it back - exactly as you can see on the screenshot and the Internet came back again.
That is why I am confused. It shouldn't work. It even makes no sense, but it works! And I don't know why.
No, my Wireguard server is not masquerading - that's the whole point of the setup.
Logged
dseven
Sr. Member
Posts: 268
Karma: 28
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #13 on:
November 10, 2024, 03:56:23 pm »
See my edited post above (you read the original one too quickly:)
Logged
ThisUsernameHasBeenTaken
Newbie
Posts: 12
Karma: 0
Re: Configuring firewall and routing for a standalone wireguard server in LAN
«
Reply #14 on:
November 10, 2024, 03:58:34 pm »
I was just experimenting with the rules: like just try everything one by one.
I cannot explain the logic behind this rule and it really confuses me.
Logged
Print
Pages: [
1
]
2
« previous
next »
OPNsense Forum
»
English Forums
»
24.7 Production Series
»
Configuring firewall and routing for a standalone wireguard server in LAN