OPNsense
Author Topic: Wireguard in opnsense  (Read 96832 times)

mimugmail

  • Hero Member
  • Posts: 6767
  • Karma: 494
Re: Wireguard in opnsense
« Reply #120 on: May 25, 2019, 06:59:13 am »
Everyone saying it's easier never did it on its own ;)
Logged
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

firewall

  • Jr. Member
  • Posts: 98
  • Karma: 7
Re: Wireguard in opnsense
« Reply #121 on: May 31, 2019, 02:58:05 am »
Quote from: mimugmail on May 25, 2019, 06:59:13 am
Everyone saying it's easier never did it on its own ;)

I finally got it working but was disappointed to find it was half the speed of OpenVPN via Mullvad. I'll have to circle back to it later after further development.
Logged

mimugmail

  • Hero Member
  • Posts: 6767
  • Karma: 494
Re: Wireguard in opnsense
« Reply #122 on: May 31, 2019, 06:02:18 am »
Do you have correct MTU values? Perhaps lower the MSS of the LAN?
In my tests it was 5-10x faster, nearly IPsec speed.
Logged

firewall

  • Jr. Member
  • Posts: 98
  • Karma: 7
Re: Wireguard in opnsense
« Reply #123 on: May 31, 2019, 07:20:10 pm »
Quote from: mimugmail on May 31, 2019, 06:02:18 am
Do you have correct MTU values? Perhaps lower the MSS of the LAN?
In my tests it was 5-10x faster, nearly IPsec speed.

No dice, unfortunately. I just tried scaling back MSS to 1450, 1400, 1350 and it only had a negative impact. Tried both the LAN and WG interfaces.

For tuning purposes I was using "ping -D -s 1450 -S <local wg ip> <mullvad wg endpoint>" from opnsense shell to find ballpark MSS.  Let me know if you know of a better approach or know of a good MTU/MSS guide around these parts.
Logged
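The MTU/MSS probing described in the post above can be turned into a repeatable calculation. The following is an added example written for this thread, not code from OPNsense or from any of the posters. It uses the standard WireGuard framing (outer IP header + 8 bytes UDP + 16 bytes transport-data header + 16 bytes Poly1305 tag, i.e. 60 bytes over IPv4 and 80 over IPv6, which is why the default wg MTU is 1420), binary-searches the largest "ping -D -s N" payload that still gets a reply, and derives the wg interface MTU and the TCP MSS clamp from it. The probe function is a constructed simulation of a path; on a real box it would wrap the ping command, and the `simulated_path`, `recommend` and other function names are this example's own.

```python
"""Derive WireGuard MTU and TCP MSS values from a don't-fragment ping probe.

Added example for the MTU/MSS discussion; not OPNsense or WireGuard project code.
The probe below is a constructed stand-in for 'ping -D -s <size> <endpoint>'.
"""
IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR, ICMP_HDR = 20, 40, 8, 20, 8
# WireGuard transport-data header: type(1) + reserved(3) + receiver index(4) + counter(8)
WG_DATA_HDR, WG_AUTH_TAG = 16, 16


def wireguard_overhead(outer_ipv6=False):
    """Bytes WireGuard adds to every inner packet on the outer (WAN) path."""
    outer_ip = IPV6_HDR if outer_ipv6 else IPV4_HDR
    return outer_ip + UDP_HDR + WG_DATA_HDR + WG_AUTH_TAG  # 60 over IPv4, 80 over IPv6


def mtu_from_ping_payload(payload, ipv6=False):
    """Convert the largest 'ping -D -s N' payload that still gets a reply into the path MTU."""
    return payload + ICMP_HDR + (IPV6_HDR if ipv6 else IPV4_HDR)


def tunnel_mtu(path_mtu, outer_ipv6=False):
    """Largest inner packet that fits the outer path without fragmentation."""
    return path_mtu - wireguard_overhead(outer_ipv6)


def mss_clamp(inner_mtu, inner_ipv6=False):
    """TCP MSS to clamp so that a full segment plus IP/TCP headers fits the tunnel MTU."""
    return inner_mtu - TCP_HDR - (IPV6_HDR if inner_ipv6 else IPV4_HDR)


def largest_unfragmented_payload(probe, lo=1000, hi=1472):
    """Binary-search the largest ICMP payload that probe() accepts.

    probe(size) returns True when a don't-fragment ping of that payload size is answered.
    """
    if not probe(lo):
        raise ValueError(f"even {lo}-byte probes fail: path broken or MTU below {lo + 28}")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # fits: search upwards
        else:
            hi = mid - 1      # needs fragmentation: search downwards
    return lo


def simulated_path(path_mtu, ipv6=False):
    """Constructed stand-in for a real link: answers only when the whole packet fits."""
    ip_hdr = IPV6_HDR if ipv6 else IPV4_HDR
    return lambda payload: payload + ICMP_HDR + ip_hdr <= path_mtu


def recommend(probe, outer_ipv6=False):
    """Run the probe and return the MTU for the wg interface plus MSS clamps for inner traffic."""
    outer_ip = IPV6_HDR if outer_ipv6 else IPV4_HDR
    payload = largest_unfragmented_payload(probe, hi=1500 - ICMP_HDR - outer_ip)
    path_mtu = mtu_from_ping_payload(payload, outer_ipv6)
    wg_mtu = tunnel_mtu(path_mtu, outer_ipv6)
    return {
        "path_mtu": path_mtu,
        "wg_mtu": wg_mtu,
        "mss_ipv4": mss_clamp(wg_mtu),
        "mss_ipv6": mss_clamp(wg_mtu, inner_ipv6=True),
    }


if __name__ == "__main__":
    # Two constructed uplinks: plain Ethernet (1500) and a PPPoE line (1492).
    for name, mtu in (("plain ethernet", 1500), ("PPPoE uplink", 1492)):
        print(name, recommend(simulated_path(mtu)))
```

For a 1500-byte IPv4 uplink this gives a wg MTU of 1440 and an IPv4 MSS clamp of 1400; a PPPoE line drops both by 8. Clamping MSS below the computed value, as the post reports trying, only shrinks every segment without removing any fragmentation, which matches the "only negative impact" observation.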

mimugmail

  • Hero Member
  • Posts: 6767
  • Karma: 494
Re: Wireguard in opnsense
« Reply #124 on: May 31, 2019, 08:40:32 pm »
What's your speed and hardware?
Logged

firewall

  • Jr. Member
  • Posts: 98
  • Karma: 7
Re: Wireguard in opnsense
« Reply #125 on: May 31, 2019, 09:36:57 pm »
Quote from: mimugmail on May 31, 2019, 08:40:32 pm
What's your speed and hardware?

ISP is gigabit.

HW is Qotom-Q575G6-S05 (i7 7500U).

Direct connection (routed through OPN without VPN) yields ~700mb/s before OPN services kick in, then it scales back to ~450mb/s.

OPN route through OpenVPN: 280 mb/s
OPN route through WG: 230 mb/s

Logged

marr1977

  • Newbie
  • Posts: 2
  • Karma: 0
Re: Wireguard in opnsense
« Reply #126 on: June 05, 2019, 10:44:23 pm »
Just wanted to say that I managed to get things working with Mullvad without any trouble.

Ran
pkg install os-wireguard-devel
and then followed the guide at https://wiki.opnsense.org/manual/how-tos/wireguard-client-mullvad.html.

My only comment on the guide is that the Mullvad WireGuard IP/port is not obvious from the server list at https://www.mullvad.net/en/servers/#wireguard. You can ping a host (e.g. au1-wireguard.mullvad.net) to get an IP. To get the port you can download a configuration file at https://mullvad.net/en/download/wireguard-config/ and in one of the files in the zip archive the host and port are listed for the server you chose.

Also, remember that Mullvad has discontinued free trial periods on new accounts.
Logged

firewall

  • Jr. Member
  • Posts: 98
  • Karma: 7
Re: Wireguard in opnsense
« Reply #127 on: June 12, 2019, 12:34:35 am »
Quote from: marr1977 on June 05, 2019, 10:44:23 pm
Just wanted to say that I managed to get things working with Mullvad without any trouble.

What kind of speeds are you achieving relative to OVPN? I tested all endpoints in NAM and they all came up short of OVPN throughput.
Logged

ruggerio

  • Sr. Member
  • Posts: 295
  • Karma: 11
[this one solved] Re: Wireguard in opnsense
« Reply #128 on: June 12, 2019, 01:51:32 pm »
I now have 2 road warriors connecting to my OPNsense. On it, it looks like this:

interface: wg0
  public key: wg0key=
  private key: (hidden)
  listening port: 51820

peer: client1key=
  endpoint: ip:13595
  allowed ips: 192.168.11.0/24
  latest handshake: 25 seconds ago
  transfer: 1011.63 KiB received, 4.03 MiB sent

peer: client2key=
  endpoint: otherip:63680
  allowed ips: (none)
  latest handshake: 1 minute, 9 seconds ago
  transfer: 0 B received, 3.03 KiB sent

Why the heck do I get allowed ips (none)?

Client1 is working well; I copied the config from client2 and changed the key and IP address, that's all.

wg0.conf on the sense looks like this:
[Interface]
Address = 192.168.11.1/24
ListenPort = 51820
PrivateKey = privatekey=
[Peer]
PublicKey = key=
AllowedIPs = 192.168.11.10/24
[Peer]
PublicKey = key=
AllowedIPs = 192.168.11.20/24

And a client-config looks like this:

[Interface]
PrivateKey = key=
Address = 192.168.11.20/24
DNS = 192.168.1.1

[Peer]
PublicKey = key=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.mydomain.com:51820

...I don't get it, why I can connect with just one client... :(


What WAS wrong:
In the OPNsense GUI, use the allowed IPs with netmask 32, not 24, as they should not overlap. I changed to 192.168.11.10/32 and 192.168.11.20/32 - works.

The devil is in the detail...


« Last Edit: June 14, 2019, 02:29:18 pm by ruggerio »
Logged
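The "allowed ips: (none)" symptom in the post above follows directly from how WireGuard's cryptokey routing works: every allowed network is owned by exactly one peer, so when two peers claim the same network (192.168.11.10/24 and 192.168.11.20/24 both normalise to 192.168.11.0/24) the route moves to whichever peer was applied last and the other peer keeps nothing. The following added example, not code from OPNsense or from the poster, parses a wg-style config, simulates that table, and lints for entries with host bits set or for networks claimed by more than one peer. The configs and the `client1key=`/`client2key=` placeholders are constructed from the post; which peer ends up empty depends on the order the routes were applied, so the simulation may blame the opposite peer from the `wg show` output above. The function names (`parse_peers`, `cryptokey_table`, `lint`, ...) are this example's own.

```python
"""Lint a WireGuard server config for AllowedIPs that collide between peers.

Added example for this thread; not OPNsense or WireGuard project code.
Sample configs are constructed with placeholder keys.
"""
import ipaddress

# Constructed sample: the broken state from the post (two peers, both /24).
SAMPLE_BROKEN = """\
[Interface]
Address = 192.168.11.1/24
ListenPort = 51820
PrivateKey = privatekey=
[Peer]
PublicKey = client1key=
AllowedIPs = 192.168.11.10/24
[Peer]
PublicKey = client2key=
AllowedIPs = 192.168.11.20/24
"""

# Constructed sample: the fix the poster found (one /32 per road warrior).
SAMPLE_FIXED = SAMPLE_BROKEN.replace("192.168.11.10/24", "192.168.11.10/32") \
                            .replace("192.168.11.20/24", "192.168.11.20/32")


def parse_peers(conf_text):
    """Return [(public_key, [allowed_ip_strings])] in the order the [Peer] sections appear."""
    peers, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append(["", []])
            continue
        # Split on the first '=' only: base64 keys end with '=' themselves.
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section != "peer":
            continue
        if key == "publickey":
            peers[-1][0] = value
        elif key == "allowedips":
            peers[-1][1].extend(v.strip() for v in value.split(",") if v.strip())
    return [(pk, ips) for pk, ips in peers]


def cryptokey_table(peers):
    """Simulate the cryptokey routing table: network -> owning peer, last claim wins.

    Host bits are masked off (strict=False) the way the kernel stores the prefix.
    """
    table = {}
    for pubkey, allowed in peers:
        for entry in allowed:
            table[ipaddress.ip_network(entry, strict=False)] = pubkey
    return table


def effective_allowed_ips(peers):
    """What 'wg show' would report per peer; an empty list is 'allowed ips: (none)'."""
    owned = {pubkey: [] for pubkey, _ in peers}
    for net, pubkey in cryptokey_table(peers).items():
        owned[pubkey].append(str(net))
    return owned


def lint(peers):
    """Return human-readable warnings for host bits in AllowedIPs and cross-peer collisions."""
    warnings, claimed = [], {}
    for pubkey, allowed in peers:
        for entry in allowed:
            iface = ipaddress.ip_interface(entry)
            net = iface.network
            if iface.ip != net.network_address:
                warnings.append(
                    f"{pubkey}: {entry} has host bits set; WireGuard stores it as {net} "
                    f"(did you mean {iface.ip}/{iface.max_prefixlen}?)")
            if net in claimed and claimed[net] != pubkey:
                warnings.append(
                    f"{pubkey}: {net} already belongs to {claimed[net]}; "
                    f"a network can be routed to only one peer")
            claimed[net] = pubkey
    return warnings


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        peers = parse_peers(text)
        print(label, effective_allowed_ips(peers))
        for w in lint(peers):
            print("  warning:", w)
```

Running it on the broken config prints one peer with an empty list and three warnings (host bits on both entries plus the collision); the /32 version passes clean with each peer owning exactly its own address. The same check applies to any hub where several road warriors share one subnet: only the hub's own Address carries the /24, each peer gets a host route.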

ruggerio

  • Sr. Member
  • Posts: 295
  • Karma: 11
Re: Wireguard in opnsense
« Reply #129 on: June 14, 2019, 02:35:15 pm »
Before I forget:

It would be great to create an auto rule in NAT for outbound connections. For the moment, I have it in hybrid mode, which would be unnecessary if the rule were created when the service is activated.
Logged

mimugmail

  • Hero Member
  • Posts: 6767
  • Karma: 494
Re: Wireguard in opnsense
« Reply #130 on: June 14, 2019, 03:22:35 pm »
I don't like auto rules as they tend to break complex setups, sorry.
Logged

ruggerio

  • Sr. Member
  • Posts: 295
  • Karma: 11
Re: Wireguard in opnsense
« Reply #131 on: June 17, 2019, 09:24:42 am »
That might be. I also wouldn't do that by default, but as it is in Proxy, give the option to let it be done. So it's the decision of the user.

In any case, it would make it much easier for SOHO users, who are not that experienced.
Logged

ruggerio

  • Sr. Member
  • Posts: 295
  • Karma: 11
Re: Wireguard in opnsense
« Reply #132 on: July 17, 2019, 11:31:25 am »
Congrats to today's golive as 1.0 in 19.7.

Roger
Logged

rth

  • Newbie
  • Posts: 2
  • Karma: 0
Re: Wireguard in opnsense
« Reply #133 on: August 15, 2019, 07:45:11 am »
Is there a migration from the package to the plugin? Don't want to just pull the trigger and break it...
Logged

mimugmail

  • Hero Member
  • Posts: 6767
  • Karma: 494
Re: Wireguard in opnsense
« Reply #134 on: August 15, 2019, 11:12:41 am »
Nope, sorry
Logged
