AmneziaWG on OPNsense and routing

Started by phprus, February 16, 2026, 04:11:17 PM

Hello!

I'm installing AmneziaWG on OPNsense.

I've compiled the AmneziaWG packages for OPNsense:

https://www.freshports.org/net/amnezia-tools/
https://www.freshports.org/net/amnezia-kmod/
https://www.freshports.org/net/amneziawg-go/

With some modifications, I've compiled a plugin package:
https://github.com/antspopov/opnsense_amnezia_plugin

I plan to create a PR for this in opnsense/plugins in the future.

I'm currently experiencing a routing issue.
If the VPN server doesn't provide the gateway IP (meaning we only know the IP on the interface), then the standard routing mechanism of adding routes and/or setting the gateway in firewall rules stops working.

I decided to try using a second routing table.

I set net.fibs=2, configured AmneziaWG to use routing table 1, and got the following routes:

# netstat -rn -F 1
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags         Netif Expire
default            link#7             US            awg0

Internet6:
Destination        Gateway            Flags         Netif Expire
default            link#7             US            awg0


To test, I configured the LAN interface to use fib 1:

ifconfig em1 fib 1

All LAN traffic is correctly routed through the tunnel.

Next, I tried to replicate this using pf, manually adding a rule immediately after "# [prio: 1]":

pass in log on em1 inet from {(em1:network)} to $to_awg no state rtable 1

I loaded all the rules into pf, but the new rule didn't work. Traffic isn't being redirected. I don't see the captured packets in the log. I can't figure out what the problem is.

pf sees the following rule:

# pfctl -s rules | grep rtable
pass in log on em1 inet from (em1:network) to <to_awg> no state rtable 1

Please tell me how to use pf to capture traffic based on the "to $to_awg" condition so that it sets rtable to 1. I want to capture both LAN traffic and OPNsense process traffic, such as Unbound.
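Added example, not code from the thread or from the plugin: a small FreeBSD/OPNsense shell helper that emits the pf rule steering LAN traffic for the to_awg table into FIB 1, checks a `pfctl -s rules` listing for a usable rtable rule, and verifies the second FIB on a live box. The names em1, awg0, the to_awg table and FIB number 1 are taken from the post above; the sample destination 192.0.2.1 is a constructed value.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): FIB-based policy
# routing for AmneziaWG on FreeBSD/OPNsense. Assumed names: LAN = em1,
# tunnel = awg0, second routing table = FIB 1, <to_awg> = a pf table
# holding the destinations that should go through the tunnel.

# Emit the filter rule that steers LAN traffic for <to_awg> into FIB 1.
# OPNsense generates its own rules with "quick", and pf's last-match-wins
# evaluation means a non-quick rtable rule is overridden by any later
# matching quick rule (such as the default LAN pass rule), so rtable never
# takes effect. Marking the rule "quick" closes that gap.
# Locally generated traffic (e.g. Unbound) never arrives "in on em1", so
# this rule does not cover it.
awg_pf_rules() {
    cat <<'EOF'
table <to_awg> persist
pass in log quick on em1 inet from (em1:network) to <to_awg> rtable 1
EOF
}

# Read a `pfctl -s rules` listing on stdin; succeed only if a rule with
# "rtable 1" is present and carries "quick".
check_rtable_rule() {
    grep 'rtable 1' | grep -q ' quick '
}

# Print the FIB number the first rtable rule on stdin selects, or nothing.
rtable_of_rules() {
    sed -n 's/.*rtable \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Live checks, FreeBSD only: confirm net.fibs allows FIB 1, list its routes
# and show the lookup FIB 1 performs for a sample (constructed) destination.
# Run as: sh fib_route.sh verify
verify_fib() {
    fibs=$(sysctl -n net.fibs)
    if [ "$fibs" -lt 2 ]; then
        echo "net.fibs=$fibs: set net.fibs=2 in /boot/loader.conf and reboot" >&2
        return 1
    fi
    netstat -rn -F 1
    setfib 1 route -n get 192.0.2.1
}

if [ "${1:-}" = verify ]; then
    verify_fib
    awg_pf_rules
fi
```

The emitted rule must sit before the LAN pass rules in the loaded ruleset, exactly where the post inserts its own rule.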

> With some modifications, I've compiled a plugin package:
> https://github.com/antspopov/opnsense_amnezia_plugin

I applaud your efforts but I think we have enough WG implementations in the plugin system now.


Cheers,
Franco

It is simply perfect that you are working on AmneziaWG on OPNsense. Currently I'm using this VPN protocol through desktop apps, and since I have to connect a few devices at a time, it is only logical to seek to install it in the firewall. :)

I'm very much looking forward to your news about it.

+1, I'm curious about the developments also. This is very useful when using an open WiFi, e.g. at the airport, and not being able to use a VPN on it to securely connect to your home devices, email etc.
Deciso DEC850v2

April 08, 2026, 07:20:25 PM #4 Last Edit: April 08, 2026, 07:26:02 PM by unholy_saint
AmneziaWG protocol support is not just yet another WireGuard plugin implementation. While originally based on WireGuard, Amnezia is modified to be very resistant to the centralized DPI filtering efforts in countries like Russia. This however makes it even more valuable for people who live in the DPI wild west of the EU, where there are just too many countries with too many authorities that currently play with Internet censorship where and as they manage, while also being responsible for maintaining the official stance that "no such thing exists in The Civilized World". This results in total anarchy and a constantly increasing number of random hits on various types of traffic, including WireGuard VPNs.
My job is related to a vast network of WG interconnections in many EU countries. It started to experience random DPI hits around 12.2025 and things have only been getting worse since, with at least 1 hit per 2 days in March. Blocking generally targets a specific protocol/port combination between specific IPs, although some filters seem to be adaptive and detect port changes very fast. Usually blocking lasts a few hours to a few days, but several IP/UDP port combinations have remained blocked for months now.
Seeking support from the ISP or hosting is usually meaningless in this situation, as they are not in a position to do anything, while managing to find the authority responsible for each specific misbehaving filter you hit... They are sure to employ thousands of professionals in proving that you are an extremist for each subcontracted tech that can actually solve the issue. And it won't be a hard job, as stating that you have an issue with Something that does not exist™ is the exact type of extremism they are responsible to counter.
So switching from plain WG to AmneziaWG 2.0 with QUIC or DNS obfuscation right now seems to be the best solution for someone in the EU, even if AWG is much less mobile device friendly. And for OPNsense, AWG support is something that should not simply be discarded as a useless double of WG, especially by somebody who actually lives in the EU.

> Quote from: unholy_saint on April 08, 2026, 07:20:25 PM
> especially by somebody who actually lives in EU.

Europe in general, or one of the countries that are part of the European Union?!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

> Quote from: nero355 on April 08, 2026, 11:42:16 PM
> > Quote from: unholy_saint on April 08, 2026, 07:20:25 PM
> > especially by somebody who actually lives in EU.
>
> Europe in general, or one of the countries that are part of the European Union?!

The EU as a composite of multiple countries and local authorities over a complex network infrastructure. Most issues I've seen were not clearly traceable, although usually there is a specific exchange or mobile operator that can be suspected to be the most likely place to block traffic. Unfortunately the only one I can clearly confirm is a DPI platform that was tested for several weeks in the Bulgarian BIX exchange. Also, due to how the VPN structure I work with is spread, my impressions are related mostly to eastern, central and southern Europe. Also we had to drop a VPS in France because of too many blocking hits. It was before I started to migrate to Amnezia.

This is not only WireGuard related; VPN issues are something new, while random web site blocking (I can speak mostly of Bulgaria here) started more than a year ago. However, until now I have never seen EU-originated blocking (DNSSEC hijacking is clearly US originated) that I can explain logically (based on politics, legal reasons, etc.), and in most cases the blocking life is just too short to be of practical use. This is why it leaves an impression of somehow discreet live tests instead of actual censorship, but this does not make it less obstructive when it hits your current work.

BTW: My impressions of Amnezia are great, not even a single randomly blocked destination for two months since first migration.

@unholy_saint: It's refreshing to find a networking professional supportive of user-centric and privacy enhancing technologies, even if they are needed for your business case.

I think sometimes admins get into a mindset of needing to inspect/filter/block everything, always. It also leads to a kind of God complex in the wrong type of person (personality disorders exist). I recently was listening to a radio interview of a landlord who admits to spying on his tenants via the WiFi he provides, and when pressed on it, his justification was that 1) he sometimes discovers illegal activity, and 2) IT people do it all the time.

While corporations have an operational necessity to keep their networks secure, it's important that we don't bring that mindset back with us into our private lives. Breaking the cryptographic chain of trust for users, for example, is not to be done lightly or promoted as a correct thing to do. It's insidious.

More people have to say this, IMO.
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI

As mentioned in the tools PR, we've always supported such technologies in the past.

I'll be honest here what I find odd about it:

Some of these replies and tickets sound like AI and/or a concerted effort to push the solution into OPNsense and I don't find myself appreciating that approach. The situation we find ourselves in is unlike any other solution we've integrated since.


Cheers,
Franco

> Quote from: franco on Today at 08:15:19 AM
> I'll be honest here what I find odd about it:
>
> Some of these replies and tickets sound like AI and/or a concerted effort to push the solution into OPNsense and I don't find myself appreciating that approach.

I agree, and that was pretty much the first thing that I thought: Where does all of this suddenly come from?! Some Reddit/YouTube hype?!

> The situation we find ourselves in is unlike any other solution we've integrated since.

In the end OPNsense is your product and IMHO you should do with it whatever you think is best!

A lot of VPN solutions can always be hosted behind the Router/Firewall if the software used does not support it out of the box, so it's not a big deal to not have it :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Sorry, can't prove I'm not a camel.

The reason that makes me somehow pushy is that OPNsense VPSes with WireGuard are already used for regional hubs; the problem is real and has lately become extremely annoying. I have to keep everything somehow working, but using a third-party plugin has its problems. Meanwhile, as a tech I lack the influence to make them buy licenses for OPNsense, as they know it can be used for free, and thus I have no leverage to request AmneziaWG support.