Wireguard in opnsense

Started by seitzbg, May 24, 2018, 07:54:08 PM

So there isn't a setting like in OpenVPN to push a DNS server? The way I read it, that was what it was for, but your reply makes it seem like that's not the case. I didn't infer from the description that it would overwrite my system DNS; I thought it would be interface specific like the OpenVPN client setting.

So I flipped that out of my config and just left the DNS in the client side config and everything is working perfectly at this point. Appreciate that as it was just causing some goofiness in terms of updating plugins and such as my DNS was pointing to that IP instead.

Wireguard works on system level; it adds real IPs to interfaces and also changes the system DNS. That's why the code is so small :) (with its downsides)

May 01, 2019, 09:43:53 AM #107 Last Edit: May 01, 2019, 10:58:28 AM by white_rabbit
Hi. I didn't read the whole thread ... so don't know if it's already listed here.
I tried to create two wireguard endpoints. The first one with 100.64.0.10/24 works but the second one with 100.64.0.11/24 only works when I choose the pub/priv keys of the first endpoint.
Moreover: When I clicked the "Save" button in the webUI the whole OPNsense VM crashed and rebooted. The warning "alpha software" is clear ... but is this already a known issue?
Thanks.

You should read more of the thread for your answer. :)

19.1.7 scheduled for tomorrow will include a fix which will stop crashing the system ...

A workaround in the wireguard code anyway. ;)

Hey guys,

thanks for bringing wireguard to opnsense! Maybe my question will become obsolete since a fix that should stop crashing is apparently on its way:

Is the crashing only related to configuration tasks while setting up the tunnels / config or is the whole setup unstable while in use?

regards,

Darky

Hi Darky,

The bugs relate to two classes of FreeBSD kernel bugs that are prone to race conditions during interface reconfiguration which will throw a system panic.

Once the interfaces are successfully configured the tunnel is stable as far as I know.


Cheers,
Franco

Hello,

First, thanks for the work and effort of providing a wireguard plugin for OPNsense.

While testing it I stumbled upon a scenario which caused the vpn tunnel not to work. It may be a rare case, I don't know.



-----------------           -------------------
| OPNsense Home | --------- | OPNsense Remote |
|---------------|           |-----------------|
| - dynamic IP  |           | - fixed IP      |
| - dual stack  |           | - dual stack    |
-----------------           -------------------

- OPNsense Home has dynamic dns domain with both A and AAAA records
- Remote Endpoint in OPNsense Remote is set to that above domain
- Both senses prefer IPv6 in general
- The transfer network and the networks to route are IPv4 networks


OPNsense Remote will query the domain, get the AAAA record and connect via IPv6.

But what, if I want to connect via IPv4 only, although IPv6 is available?
A checkbox that asks which protocol to use for the outer connection would be great.

On OPN with static IP I wouldn't configure an endpoint IP (0.0.0.0) and on OPN home use the v4 address as endpoint.

But that would mean, after some reconnect, the dynamic site must send some initial packages before connection is working on both sides.


Well, after thinking about it, everything is fine as it is.

I just thought about what would solve my "issue" the easiest way without taking into consideration if it is a reasonable solution.

As it turned out, I was also missing an allow rule for my wireguard port on OPNsense Home for IPv6. There is no real problem having the outer hosts connected via v6 and tunneling v4.
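The lesson of the scenario above is that a dynamic DNS endpoint with both A and AAAA records lets the remote side pick IPv6, so the firewall pass rule for the WireGuard UDP port has to exist for every address family the name resolves to. The following is an added illustration, not code from the plugin or from the poster: it models the endpoint resolution and a minimal rule set (the record values, the rule format and the port 51820 are constructed assumptions) and reports which families still lack an allow rule.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "pass" or "block"
    family: str   # "inet", "inet6" or "inet46" (both); constructed, not pf syntax
    proto: str    # "udp" / "tcp"
    port: int

# Constructed DNS answers for the dynamic DNS name of "OPNsense Home".
HOME_RECORDS = [("A", "198.51.100.7"), ("AAAA", "2001:db8:1::7")]

# Constructed WAN rules on OPNsense Home: only the IPv4 WireGuard port is open.
HOME_RULES = [Rule("pass", "inet", "udp", 51820)]

WG_PORT = 51820  # assumed WireGuard listen port (the WireGuard default)

def endpoint_families(records):
    """Address families the remote peer could use to reach the endpoint name."""
    return {"inet6" if ipaddress.ip_address(a).version == 6 else "inet"
            for _rtype, a in records}

def preferred_family(records, prefer_v6=True):
    """Family a dual-stack peer picks: IPv6 first if an AAAA record exists."""
    fams = endpoint_families(records)
    if prefer_v6 and "inet6" in fams:
        return "inet6"
    if "inet" in fams:
        return "inet"
    return "inet6" if fams else None

def rule_allows(rules, family, port, proto="udp"):
    """First matching rule decides (constructed first-match semantics)."""
    for r in rules:
        if r.proto == proto and r.port == port and r.family in (family, "inet46"):
            return r.action == "pass"
    return False  # no match: treat as the default deny

def missing_allow_rules(rules, records, port):
    """Families the peer may connect over that have no pass rule for the port."""
    return sorted(f for f in endpoint_families(records)
                  if not rule_allows(rules, f, port))

if __name__ == "__main__":
    print("peer will connect over:", preferred_family(HOME_RECORDS))
    print("families missing a pass rule:", missing_allow_rules(HOME_RULES, HOME_RECORDS, WG_PORT))
```

Run against the constructed data, the check reports that the peer connects over IPv6 while only IPv4 is allowed, which is exactly the gap described in the post.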


I keep reading that wireguard is "so much easier to setup than openvpn"...yet I honestly don't think I've spent more time trying to get something working in opnsense longer than I've spent with this.  Still not working!  ::)