Wireguard in opnsense

[seitzbg]

With the addition of Wireguard clients to freebsd ports, is it possible to get this added to Opnsense?

TIA,

https://svnweb.freebsd.org/ports?view=revision&revision=470763
https://svnweb.freebsd.org/ports?view=revision&revision=470762

[franco]

This may provide a bit of context.... https://twitter.com/opnsense/status/999746722015469568


Cheers,
Franco

[JohnDoe]

Hello,

as the twitter post was nearly one month ago, I was wondering if there's already an ETA for the wireguard package?

Kind Regards,
JD

[mimugmail]

It's already there ...

pkg install wireguard

via CLI.

[JohnDoe]

Ah, thanks a lot for pointing that out!
Couldn't find anything on the forum search nor in any of the latest release notes...

Cheers,
JD

[franco]

Hi,

We don't do release notes for development changes. Wireguard is also still in alpha phase, so even if somebody writes a plugin it won't be in the release for as long as they say it shouldn't be used in production.

I also don't know what their ultimate time frame is.


Cheers,
Franco

[l0rdraiden]

Some news

https://www.phoronix.com/scan.php?page=news_item&px=Linus-Likes-WireGuard

[mimugmail]

Some more news:

https://github.com/opnsense/plugins/pull/779

[deddey]

how can i test it?

[mimugmail]

Via Console:

pkg install os-wireguard-devel
opnsense-patch -c plugins 202b7c9

Then you have Wireguard under VPN.

This guide will be released when the pkg is stable:
https://github.com/mimugmail/docs/blob/master/source/manual/how-tos/wireguard-s2s

[rantwolf]

Hey.
I just want to try this VPN but I have trouble during setup the tunnels.
Trying the docs from mimugmail.
Firewall rules are set on both WAN interfaces for the port 51820.
Firewall rules to allow all traffic in both directions on the interfaces for the test are enabled.

Site A:
Tunnel Address: 10.25.20.1/24

Code: [Select]

interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  endpoint: <IP from Site B>:51820
  allowed ips: 192.168.116.0/24, 192.168.117.0/24
  latest handshake: 11 minutes, 37 seconds ago
  transfer: 240 B received, 43.31 KiB sent


Site B:
Tunnel Address: 192.168.116.1/24

Code: [Select]

interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  endpoint: <IP from Site A>:51820
  allowed ips: 10.25.20.0/24
  latest handshake: 9 minutes, 8 seconds ago
  transfer: 29.53 KiB received, 2.59 KiB sent

PING test from Site A > Site B:

Code: [Select]

ping 192.168.116.10
PING 192.168.116.10 (192.168.116.10): 56 data bytes
^C
--- 192.168.116.10 ping statistics ---
334 packets transmitted, 0 packets received, 100.0% packet loss
Where is my problem?

[mimugmail]

I think you should have at least one tunnel network, where server is e.g. 10.12.12.1/24 and endpoint 10.12.12.2/24. the remote networks can be set in addition to route them

[rantwolf]

Hey.
I still have problems with testing wireguard.

I think the tunnel is up.
But no trafficflow > in the firewall logs: wg0 default deny rule
I'm confused. There is a new interface under assignments: wg0 with zero dotted MAC.

Is this right? What should I do with this interface?

[mimugmail]

Please dont assign it. Can you post screenshot of Server/Endpoints tab and firewall rules?

[rantwolf]

Hi.
Here are the screenshots:

Site-A:
https://ibb.co/kPWzv9
https://ibb.co/hizKv9
firewall-rules:
Interface: https://ibb.co/n1tONp
WAN: https://ibb.co/iKf3Np


Site-B:
https://ibb.co/jGrchp
https://ibb.co/kv76a9
firewall-rules:
Interface: https://ibb.co/nuxiNp
WAN: https://ibb.co/cAv3Np

If I ping from Site-B to Site-A
I get this in firewall-logs on Site-A:
https://ibb.co/fo1A2p