Wireguard in opnsense

[abalsam]

stopping wireguard
wg-quick: `wg0' is not a WireGuard interface
ifconfig: interface wg0 does not exist
starting wireguard

• wireguard-go wg0

WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   This is alpha software. It will very likely not   G
W   do what it is supposed to do, and things may go   G
W   horribly wrong. You have been warned. Proceed     G
W   at your own risk.                                 G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2018/09/09 14:03:29 Starting wireguard-go version 0.0.20180613

• wg setconf wg0 /tmp/tmp.AOoRwC3Z/sh-np.17Is8r
• ifconfig wg0 inet 10.10.16.138/19 10.10.16.138 alias
• ifconfig wg0 mtu 1420
• ifconfig wg0 up
• route -q -n add -inet 0.0.0.0/1 -interface wg0
• route -q -n add -inet 128.0.0.0/1 -interface wg0
• route -q -n add -inet 193.180.164.58 -gateway 192.168.1.1
• Backgrounding route monitor

and ifconfig output:

wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
   options=80000<LINKSTATE>
   inet 10.10.16.138 --> 10.10.16.138  netmask 0xffffe000
   inet6 fe80::a00:27ff:fe75:c4f1%wg0 prefixlen 64 scopeid 0x6
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: tun wg
   Opened by PID 59450

[mimugmail]

Are you sure you've manually imported the private key? With AzireVPN you have to use the private key they sent you.

[abalsam]

I did a copy/paste from the configuration file they sent me yes.

[abalsam]

I found and reviewed the wg0.conf file on my opnsense box with the azire conf file I downloaded.  The only differences are:
No DNS field on OPNSense (not in the plugin)
Server listening port configured.

I suspect that the issue is that when I start the wireguard service locally because of the listening port opnsense is listening for an incoming connection from Azire.  When I tried to remove the listening port, the plugin gave me an error.  I can send you a copy of my wg0.conf and downloaded conf from azire (with keys removed) if you feel that would be useful.

Thanks

[mimugmail]

There were my settings:

https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/

The only thing which could break things is when you have another PIA or OpenVPN based service also pushing you Default gateway.

When you insert the private key they sent you and the Tunnel Address there can't be something wrong.

[abalsam]

Thank you.  My next step is to turn on packet capturing on my test opnsense box and its gateway to see what is happening. I will keep you posted.

[mimugmail]

I just tried my AzireVPN tunnel from last week and it didn't work.
After some tests I switched to a different server (from SW to ES) and now it works.

Perhaps you just have to switch the server to a different location?

[MrB]

Updated to 18.7.3 and had a new go at getting Wireguard up 'n running with Mullvad VPN and I am glad to report that now it's working 

To my knowledge I didn't do anything differently, so probably just a typo or something I made initially (deleted config, fw rules, gateway etc. before giving it a new go).

Anyway, works like a charm so many thanks for all the hard work.

[mimugmail]

Thanks for reporting back. Guys at Mullad gave me a test account .. I'll add a guide to the official documentation soon when other things are pulled.

[ruggerio]

i give it a try too, will do roadwarrior c2s-config for Windows, Linux and Android, if this is still needed.

[mimugmail]

You can try, but WireGuard port itself is a bit broken, when restarting the service the interface hangs. So ATM it only works after a reboot and you dont have to touch the config.

Still waiting for a fix ...

[ruggerio]

ouch....service restart is not enough? I got it somehow working on android, but usually a roadwarrior should get an ip from the server. With the actual config, it means, that each client has to have his unique combo Key/IP placed in Wireguard?

In some documentation i found, that you should not enter a public ip on the peer side, you only need the tunnel-adress (which means the client-IP in that case?

[mimugmail]

These are my writeups:

https://www.routerperformance.net/opnsense/opnsense-and-wireguard/

And:

https://github.com/opnsense/docs/pull/49/files
https://github.com/opnsense/docs/blob/master/source/manual/how-tos/wireguard-client.rst
https://github.com/opnsense/docs/blob/master/source/manual/how-tos/wireguard-s2s

[ruggerio]

Hi,

I was using the manual from you

You mentionned the outgoing NAT-Rule, which is correct. What i mean is missing is an incoming rule in your example on the WAN for Port 51820/UDP

It's been working fine with that, got it running on Android using the Wireguard-Client from Play Store. What if find a little bit painful:

1) is it really necessary to create an endpoint-entry for each connecting client?
 --> not necessary!
2) i was trying to set no ip on the client-endpoint side of the opnsense, but you need to have one on the android-side, otherwise i got rejected.
 --> If just setting tunnel ips on server and endpoint, you can use any ip in the ip-range of the tunnel-network

it seems, that wireguard is still under heavy development. What i feel is missing (or i even did not see it):

1) using DHCP for the internal network, so you don't have to issue an ip for each client  and set one endpoint on the opnsense for all clients

2) an option to connect via user-credentials e.g. using radius or ldap in combination with the keys.

otherwise, it would be a relative "easy" setup. What i also saw, the Android-Client show connected, even if its not connected. The handshake-Tab showing the actual connections would be very helpful.
 --> they are shown by tunnel, but not by connected client.

btw. i got back to production, letting the plugin on it. But this crashed my Firewall-Alias-Table *shudder*. My kids haven't been glad about that

[mimugmail]

1) is it really necessary to create an endpoint-entry for each connecting client?
 --> not necessary!

Necessary, otherwise all would have same keys ..

1) using DHCP for the internal network, so you don't have to issue an ip for each client  and set one endpoint on the opnsense for all clients

That's not the way it works ..

2) an option to connect via user-credentials e.g. using radius or ldap in combination with the keys.

Nope, will not come .. then it would just be a clone of OpenVPN

otherwise, it would be a relative "easy" setup. What i also saw, the Android-Client show connected, even if its not connected. The handshake-Tab showing the actual connections would be very helpful.
 --> they are shown by tunnel, but not by connected client.

Most problematic with setup is exchanging keys, esp. on Android.