Wireguard in opnsense

Started by seitzbg, May 24, 2018, 07:54:08 PM

stopping wireguard
wg-quick: `wg0' is not a WireGuard interface
ifconfig: interface wg0 does not exist
starting wireguard
  • wireguard-go wg0
    WARNING WARNING WARNING WARNING WARNING WARNING WARNING
    W                                                     G
    W   This is alpha software. It will very likely not   G
    W   do what it is supposed to do, and things may go   G
    W   horribly wrong. You have been warned. Proceed     G
    W   at your own risk.                                 G
    W                                                     G
    WARNING WARNING WARNING WARNING WARNING WARNING WARNING
    INFO: (wg0) 2018/09/09 14:03:29 Starting wireguard-go version 0.0.20180613
  • wg setconf wg0 /tmp/tmp.AOoRwC3Z/sh-np.17Is8r
  • ifconfig wg0 inet 10.10.16.138/19 10.10.16.138 alias
  • ifconfig wg0 mtu 1420
  • ifconfig wg0 up
  • route -q -n add -inet 0.0.0.0/1 -interface wg0
  • route -q -n add -inet 128.0.0.0/1 -interface wg0
  • route -q -n add -inet 193.180.164.58 -gateway 192.168.1.1
  • Backgrounding route monitor

    and ifconfig output:

    wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
       options=80000<LINKSTATE>
       inet 10.10.16.138 --> 10.10.16.138  netmask 0xffffe000
       inet6 fe80::a00:27ff:fe75:c4f1%wg0 prefixlen 64 scopeid 0x6
       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
       groups: tun wg
       Opened by PID 59450

Are you sure you've manually imported the private key? With AzireVPN you have to use the private key they sent you.

I did a copy/paste from the configuration file they sent me, yes.

I found and reviewed the wg0.conf file on my OPNsense box against the Azire conf file I downloaded. The only differences are:
No DNS field on OPNSense (not in the plugin)
Server listening port configured.

I suspect that the issue is that, when I start the WireGuard service locally, because of the listening port OPNsense is listening for an incoming connection from Azire. When I tried to remove the listening port, the plugin gave me an error. I can send you a copy of my wg0.conf and the downloaded conf from Azire (with keys removed) if you feel that would be useful.

Thanks
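The comparison described in the post above, done as a small script rather than by eye. This is an added example, not code from the thread or from the OPNsense plugin: it parses WireGuard's INI-style config (multiple [Peer] sections allowed, peers matched by PublicKey), diffs the two files key by key, and redacts PrivateKey/PresharedKey so the report can be shared the way the poster proposed. The two embedded configs are constructed samples with placeholder keys, shaped like the provider-issued file and the plugin-generated file; the only values taken from the thread are the tunnel address and endpoint IP from the wg-quick output.

```python
"""Compare two WireGuard .conf files and report differing keys without leaking secrets."""
from typing import Dict, List, Optional, Tuple

# Keys whose values must never appear in a diff report.
SECRET_KEYS = {"PrivateKey", "PresharedKey"}

# Constructed sample: what a VPN provider hands out (keys are placeholders, not real material).
PROVIDER_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.10.16.138/19
DNS = 10.10.0.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
Endpoint = 193.180.164.58:51820
AllowedIPs = 0.0.0.0/0
"""

# Constructed sample: the same tunnel as a firewall plugin might render it
# (no DNS key, but a local ListenPort the plugin insists on).
FIREWALL_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.10.16.138/19
ListenPort = 51820

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
Endpoint = 193.180.164.58:51820
AllowedIPs = 0.0.0.0/0
"""

Section = Dict[str, str]
Diff = Tuple[str, Optional[str], Optional[str]]


def parse_wg_conf(text: str) -> Dict[str, object]:
    """Parse a WireGuard config into one Interface dict and a list of Peer dicts.

    A hand-written parser is used instead of configparser because WireGuard
    allows several [Peer] sections and is case-sensitive in key names.
    """
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name == "Interface":
                current = interface
            elif name == "Peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {name!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        # Split on the first '=' only: base64 key values carry '=' padding.
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return {"Interface": interface, "Peer": peers}


def compare_sections(left: Section, right: Section) -> List[Diff]:
    """Return (key, left_value, right_value) for every key that differs; secrets are redacted."""
    diffs: List[Diff] = []
    for key in sorted(set(left) | set(right)):
        lv, rv = left.get(key), right.get(key)
        if lv == rv:
            continue
        if key in SECRET_KEYS:
            lv = "<set>" if lv is not None else None
            rv = "<set>" if rv is not None else None
        diffs.append((key, lv, rv))
    return diffs


def compare_wg_confs(left_text: str, right_text: str) -> Dict[str, object]:
    """Diff two configs: Interface key by key, Peers matched on PublicKey."""
    left, right = parse_wg_conf(left_text), parse_wg_conf(right_text)
    lpeers = {p.get("PublicKey", "<no PublicKey>"): p for p in left["Peer"]}
    rpeers = {p.get("PublicKey", "<no PublicKey>"): p for p in right["Peer"]}
    peer_report = {
        pk: compare_sections(lpeers.get(pk, {}), rpeers.get(pk, {}))
        for pk in sorted(set(lpeers) | set(rpeers))
    }
    return {"Interface": compare_sections(left["Interface"], right["Interface"]),
            "Peer": peer_report}


if __name__ == "__main__":
    report = compare_wg_confs(PROVIDER_CONF, FIREWALL_CONF)
    for key, lv, rv in report["Interface"]:
        print(f"[Interface] {key}: provider={lv!r} firewall={rv!r}")
    for pk, diffs in report["Peer"].items():
        for key, lv, rv in diffs:
            print(f"[Peer {pk}] {key}: provider={lv!r} firewall={rv!r}")
```

On the constructed samples the report is exactly the two differences the post lists: a DNS entry only in the provider file and a ListenPort only in the firewall file, with an identical peer. A ListenPort on the client side only fixes the local UDP source port; the interface still initiates the handshake toward the peer's Endpoint, so when this check shows no other difference the next place to look is the packet capture the poster planned.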

These were my settings:

https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/

The only thing which could break things is when you have another PIA or OpenVPN based service also pushing you a default gateway.

When you insert the private key they sent you and the tunnel address, there can't be anything wrong.

Thank you. My next step is to turn on packet capturing on my test OPNsense box and its gateway to see what is happening. I will keep you posted.

I just tried my AzireVPN tunnel from last week and it didn't work.
After some tests I switched to a different server (from SW to ES) and now it works.

Perhaps you just have to switch the server to a different location?

Updated to 18.7.3 and had a new go at getting Wireguard up 'n running with Mullvad VPN and I am glad to report that now it's working  :)

To my knowledge I didn't do anything differently, so probably just a typo or something I made initially (deleted config, fw rules, gateway etc. before giving it a new go).

Anyway, works like a charm so many thanks for all the hard work.

Thanks for reporting back. The guys at Mullvad gave me a test account .. I'll add a guide to the official documentation soon, when other things are pulled.

I'll give it a try too; I will do a roadwarrior c2s config for Windows, Linux and Android, if this is still needed.

You can try, but the WireGuard port itself is a bit broken: when restarting the service the interface hangs. So ATM it only works after a reboot, and you don't have to touch the config.

Still waiting for a fix ...

Ouch... service restart is not enough? I got it somehow working on Android, but usually a roadwarrior should get an IP from the server. With the actual config, it means that each client has to have its unique key/IP combo placed in WireGuard?

In some documentation I found that you should not enter a public IP on the peer side; you only need the tunnel address (which means the client IP in that case?).



October 17, 2018, 08:26:49 AM #58 Last Edit: October 17, 2018, 10:44:10 AM by ruggerio
Hi,

I was using the manual from you :)

You mentioned the outgoing NAT rule, which is correct. What I mean is missing is an incoming rule in your example on the WAN for port 51820/UDP.

It's been working fine with that; I got it running on Android using the WireGuard client from the Play Store. What I find a little bit painful:

1) Is it really necessary to create an endpoint entry for each connecting client?
--> Not necessary!
2) I was trying to set no IP on the client endpoint side of the OPNsense, but you need to have one on the Android side, otherwise I got rejected.
--> If you just set tunnel IPs on server and endpoint, you can use any IP in the IP range of the tunnel network.

It seems that WireGuard is still under heavy development. What I feel is missing (or maybe I just did not see it):

1) Using DHCP for the internal network, so you don't have to issue an IP for each client, and setting one endpoint on the OPNsense for all clients.

2) An option to connect via user credentials, e.g. using RADIUS or LDAP in combination with the keys.

Otherwise, it would be a relatively "easy" setup. What I also saw: the Android client shows connected, even if it's not connected. A handshake tab showing the actual connections would be very helpful.
--> They are shown by tunnel, but not by connected client.

BTW, I went back to production, leaving the plugin on it. But this crashed my firewall alias table *shudder*. My kids haven't been glad about that :)

Quote from: ruggerio on October 17, 2018, 08:26:49 AM
1) Is it really necessary to create an endpoint entry for each connecting client?
--> Not necessary!

Necessary, otherwise all would have the same keys ..

Quote from: ruggerio on October 17, 2018, 08:26:49 AM
1) Using DHCP for the internal network, so you don't have to issue an IP for each client, and setting one endpoint on the OPNsense for all clients.

That's not the way it works ..

Quote from: ruggerio on October 17, 2018, 08:26:49 AM
2) An option to connect via user credentials, e.g. using RADIUS or LDAP in combination with the keys.

Nope, will not come .. then it would just be a clone of OpenVPN :)

Quote from: ruggerio on October 17, 2018, 08:26:49 AM
Otherwise, it would be a relatively "easy" setup. What I also saw: the Android client shows connected, even if it's not connected. A handshake tab showing the actual connections would be very helpful.
--> They are shown by tunnel, but not by connected client.

The most problematic part of the setup is exchanging keys, esp. on Android.