Wireguard in opnsense

Started by seitzbg, May 24, 2018, 07:54:08 PM

Have you applied the single patch after installing the plugin?
It looks good, no idea why the packets get blocked ...


Hm, I can only offer to have a look via TeamViewer. Since WireGuard is very new technology, I'm not very experienced with it.

Took a stab at testing this tonight with somewhat mixed results: it looks like I get the tunnel up, but I can't get to the outside from the LAN.

My normal setup is an OpenVPN (client) connection to a VPN provider, and all LAN traffic is routed through this (outbound NAT rules). So I disabled the OpenVPN client and the outbound NAT rules and added Google's DNS server instead of the VPN provider's one. I also tested that everything still works at this point.

Installed WireGuard and the patch and proceeded with the Server/Endpoint setup -> Enable. I'm guessing this is the point when wg0.conf is created in /usr/local/etc/wireguard. I can generate a config file with the needed keypairs on the VPN provider's website, so I went ahead and did that. I tested that the config works on my laptop before I copied the contents and pasted them into the .conf file.


[Interface]
PrivateKey = ########################################
Address = ip-supplied-by-vpn-provider/32,aaaa:bbbb:cccc:dddd::1234/128
DNS = vpn-provider-dns-address

[Peer]
PublicKey = ########################################
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = vpn-providers-server:51820


Added a firewall rule for port 51820 and restarted the WireGuard service. The interface came up and I saw some outbound packets on the wg0 interface as well, so I assume the tunnel is working, but I couldn't reach any sites from the LAN side. Ping requests and traceroutes all time out, i.e. they stop at the OPNsense box, but looking at the firewall log live view nothing is blocked. From what I read, AllowedIPs = 0.0.0.0/0,::0/0 should allow any address; I also tried with my local subnet, but the result was the same.

In a desperate attempt to get it working I tried assigning wg0 to a new interface (although I read on the previous page it shouldn't be done) and replicated the outgoing NAT rules from my OpenVPN setup, but alas, to no avail.

Any pointers what I should be looking at next in order to get it working?
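A note on the AllowedIPs line in the post above, with an added example that is not part of the thread or of the OPNsense plugin. In WireGuard, AllowedIPs is a cryptokey routing table rather than a firewall allow list: for outbound traffic it selects the peer a destination address is encrypted to (longest prefix wins), and for inbound traffic the decrypted packet's source address is looked up in the same table and must resolve to the peer that sent it, otherwise the packet is dropped. The script below implements that lookup over a constructed wg0.conf with two peers (a provider peer holding 0.0.0.0/0 and ::/0, and a site peer holding a tunnel address and a remote LAN); the key strings, hostnames and addresses are placeholders, and the parser is written by hand because the repeated [Peer] header is not accepted by configparser.

```python
import ipaddress
from ipaddress import IPv4Network, IPv6Network
from typing import Dict, List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed sample wg0.conf (not from the original post). Keys and hosts are
# placeholders; the provider peer takes the default route for both families,
# the site peer owns its own tunnel address and the LAN behind it.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <redacted-private-key>
Address = 10.7.0.2/32, fd00:7::2/128
ListenPort = 51820

[Peer]
# VPN provider: default route for v4 and v6
PublicKey = PROVIDER_PUBKEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820

[Peer]
# Remote site: its tunnel address and the LAN behind it
PublicKey = SITE_B_PUBKEY
AllowedIPs = 10.7.0.3/32, 192.168.50.0/24
Endpoint = site-b.example.net:51820
"""


def parse_wg_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Parse a wg(8)-style config into the [Interface] dict and a list of [Peer] dicts."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers


def build_cryptokey_table(peers: List[Dict[str, str]]) -> Dict[Network, str]:
    """Flatten every peer's AllowedIPs into prefix -> public key.

    A prefix can belong to only one peer; the peer listed last keeps it here,
    which matches wg(8) moving a re-used allowed IP to the most recently set peer.
    """
    table: Dict[Network, str] = {}
    for peer in peers:
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr:
                table[ipaddress.ip_network(cidr, strict=False)] = peer["PublicKey"]
    return table


def lookup_peer(table: Dict[Network, str], address: str) -> Optional[str]:
    """Longest-prefix match: the peer whose AllowedIPs most specifically covers address."""
    addr = ipaddress.ip_address(address)
    best: Optional[Tuple[Network, str]] = None
    for net, pubkey in table.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, pubkey)
    return best[1] if best else None


def route_outbound(table: Dict[Network, str], dst: str) -> Optional[str]:
    """Peer an outbound packet to dst is encrypted to; None means no peer covers it."""
    return lookup_peer(table, dst)


def accept_inbound(table: Dict[Network, str], sending_peer: str, src: str) -> bool:
    """Inbound check: the decrypted source address must map back to the sending peer."""
    return lookup_peer(table, src) == sending_peer


if __name__ == "__main__":
    _, sample_peers = parse_wg_conf(SAMPLE_CONF)
    ck_table = build_cryptokey_table(sample_peers)
    for dst in ("8.8.8.8", "192.168.50.10", "2001:db8::1"):
        print(f"to {dst:>15} -> {route_outbound(ck_table, dst)}")
    # A packet arriving from the provider peer but claiming a Site-B LAN source is dropped.
    print("provider spoofing 192.168.50.10 accepted:",
          accept_inbound(ck_table, "PROVIDER_PUBKEY", "192.168.50.10"))
```

With this table, 8.8.8.8 goes to the provider peer and 192.168.50.10 to the site peer, while a packet decrypted from the provider peer with a 192.168.50.x source is rejected because that prefix resolves to a different peer. Adding the local LAN subnet to a remote peer's AllowedIPs, as tried in the post, would therefore route LAN-destined traffic into the tunnel rather than admit LAN clients to it.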

I haven't tested the default route via WireGuard yet; I'll try to reproduce.
Assigning tun interfaces is a bit complicated but there is some progress in core right now.

September 03, 2018, 12:52:57 PM #20 Last Edit: September 03, 2018, 01:11:10 PM by nfugal
I'm trying to test out WireGuard too.

I can't seem to get my setup to generate the keys. After saving I still get the results in the attached screenshot.

Any ideas what I'm missing?

Can you delete the instance and create a new one? This shouldn't happen at all ..

I've tried delete and recreate several times with no success.

Are there any logs or anything that might help?

Via console

clog /var/log/system.log
clog /var/log/configd.log


You can also PM me and I'll have a short look via Teamviewer

Uhm .. you are the guy with the broken configd daemon? I think your system has some bigger problems, and that's why it doesn't work.

I am indeed that guy.

Getting the configd service to work seems to have fixed the WireGuard issue. I am getting keys generated just fine now.

Quote from: rantwolf on August 29, 2018, 12:13:22 AM
Hi.
Here are the screenshots:

Site-A:
https://ibb.co/kPWzv9
https://ibb.co/hizKv9
firewall-rules:
Interface: https://ibb.co/n1tONp
WAN: https://ibb.co/iKf3Np


Site-B:
https://ibb.co/jGrchp
https://ibb.co/kv76a9
firewall-rules:
Interface: https://ibb.co/nuxiNp
WAN: https://ibb.co/cAv3Np

If I ping from Site-B to Site-A
I get this in firewall-logs on Site-A:
https://ibb.co/fo1A2p

Ok, found the error, try to fix it the next days.

Hopefully on Thursday we'll also get 0.3 devel, where everything is fixed; pushing the default gateway via WireGuard also works pretty fine.

Sounds great, as I am also having issues connecting to the wireguard.com test connection and the azirev configurations. Also, please update the how-to to include instructions on how to connect to VPN servers/providers.

Thanks

I have a connection to the Wireguard instance from Android.

No traffic is flowing and I also do not see a new interface in firewall rules for wireguard.

How can I get the traffic to flow and allow for access to my LAN over wireguard?