Wireguard in opnsense

[csmall]

My theme was preventing me from seeing the Wireguard interface in Firewall rules. Switching back to the default theme made it visible.

[mimugmail]

AzireVPN Guide:

https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/

[abalsam]

I read through the howto and it references the wireguard 0.3 plugin.  However, when I checked the version installed with pkg I see I am 0.1.  Do you know when 0.3 will be available through pkg?

Thanks

[mimugmail]

When 18.7.2 is released, around Thursday

[chadwickthecrab]

@mimugmail should I stop trying to get 0.1 to work? I can't figure it out and was wondering if it's a bug that will be fixed. I can ping the client from the server but not the other way around. The client is also not routing out to the internet. Afaik I have the firewall rules figured out yet the logs show DNS requests are being blocked by the default rule. I'd love a quick road warrior guide vs the S2S config.

[mimugmail]

Do you host WireGuard on your OPNsense and want to route your Android in your LAN, but not VPN as default gateway, right?

[chadwickthecrab]

Do you host WireGuard on your OPNsense and want to route your Android in your LAN, but not VPN as default gateway, right?

I think so. My OPNsense box is 192.168.1.1 with all local machines on this same subnet, the tunnel address is 192.168.100.1 listening on 51820, and my phone is 192.168.100.2. I want to be able to access everything on the 192.168.1.0 network as well as get out to the internet through my home internet connection to bypass my mobile ISP (don't want split tunneling). I'm not sure what other addresses I should have added to the settings to enable this routing so I put 192.168.100.1/24 in the WireGuard tunnel address. In the endpoints I have my phone's public key and 192.168.100.2/24,192.168.1.0/24 as the addresses. On the phone's interface settings I have 192.168.100.2/24, 192.168.1.0/24. In the peer I have allowed IPs 0.0.0.0/0, ::/0. In my OPNsense NAT port forwarding I allowed any source to WAN Address on port 51820 to forward to 192.168.100.1. In my firewall rules on the WireGuard interface I put a rule to allow everything (necessary?). Do I need a rule on the LAN interface?

Right now I can't ping to or from the phone when connected but my firewall logs show everything on wg0 being blocked (ports 53, 443, etc) by the default deny rule. From the OPNsense shell I ran tcpdump -i wg0 and could see activity from my phone's 192.168.100.2 address so I'm thinking I just screwed up or omitted something from my firewall rules since it's showing up in the log as blocked. Would my WAN interface having "block private networks" enabled affect anything?

[mimugmail]

Best is to way until tomorrow, then you'll get 0.3 with 18.7.2.
In principle it's the same setup as https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/ but you have to use your own keys.

[chadwickthecrab]

Best is to way until tomorrow, then you'll get 0.3 with 18.7.2.
In principle it's the same setup as https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/ but you have to use your own keys.

In that link it says to create an interface bound to wg0 but disable it and lock it. Should I do that?

[mimugmail]

No .. this is experimental .. a NAT on WireGuard group interface and translated address the tunnel address should be fine too

[chadwickthecrab]

No .. this is experimental .. a NAT on WireGuard group interface and translated address the tunnel address should be fine too

Ok I'll wait until 0.3 if my settings look good to you I'll rule user-error out. Thanks for the help and work you are doing!

[mimugmail]

OPNsense as central breakout for Wireguard:

https://www.routerperformance.net/opnsense/opnsense-and-wireguard/

[abalsam]

I tried to set up azire VPN using 0.3 of the wireguard plugin.  the service starts and the tunnel address is assigned (not a single IP address) so I have nothing to ping and no traffic to monitor.  What would you advise for next steps?

Thanks

[abalsam]

Also, while the wireguard service was running the server tried to send all traffic through the wireguard tunnel (which did not have valid IP addresses set up).  This forced me to stop the service while I conduct more research.

[mimugmail]

Can you try via console:

/usr/local/etc/rc.d/opnsense-wireguard restart


And post the output?