Wireguard in opnsense

Started by seitzbg, May 24, 2018, 07:54:08 PM

October 17, 2018, 12:17:33 PM #60 Last Edit: October 17, 2018, 02:08:00 PM by ruggerio
Quote
Necessary, otherwise all would have the same keys ..

...which would make a per-client endpoint on the OPNsense useless, as you could use the same for all?

Quote from: ruggerio on October 17, 2018, 08:26:49 AM
1) using DHCP for the internal network, so you don't have to issue an IP for each client, and set one endpoint on the OPNsense for all clients

Quote
That's not the way it works ..

This would mean it's not favourable for a roadwarrior setup in bigger environments, would it?

Quote from: ruggerio on October 17, 2018, 08:26:49 AM
2) an option to connect via user-credentials e.g. using radius or ldap in combination with the keys.

Quote
Nope, will not come .. then it would just be a clone of OpenVPN :)
Good issue :)

The main goal of WireGuard is, I think, S2S VPN?

One good thing to add in the WireGuard package would be adding an outbound NAT rule in the firewall when adding WireGuard. Now you have to switch to hybrid and add it manually. OpenVPN adds this automatically.


Does this still work?  I have updated to OPNsense 19.1.b_167 and don't have any luck adding an endpoint and connecting.  Via CLI 'wg' shows nothing.  Any help appreciated.

Sure it works, but the port itself crashes when restarting too often.

You can try to configure it without "Enable" ticked and after finishing enable, hoping it doesn't crash and never touch it :)

It takes some time to fix this upstream.

The WireGuard plugin is working great on 18.7.9, thanks for this.

Would you consider adding an option to download a .conf file for each client/endpoint?  Even more impressive would be to create a QR code as described here:
  https://wiki.debian.org/Wireguard#A3

Any thoughts to add a widget to the dashboard, similar to the one for OpenVPN?

No, there are currently no plans for any of these, sorry. We'll have to wait until we can move the plugin to stable.

Quote from: ljm42 on December 27, 2018, 07:15:43 AM
Would you consider adding an option to download a .conf file for each client/endpoint?  Even more impressive would be to create a QR code as described here:
  https://wiki.debian.org/Wireguard#A3

If you have any Android devices, you can try setting up endpoint configs on the Wireguard app and then export the tunnel config to a zip to then pass to any other Android users you want to have them. I have no idea if those exported configs can be imported into other systems, but worth a go.

mimugmail, I hope you can help please.  I have a fresh OPNsense install using 18.7.9 and am trying to set up WireGuard to connect to Mullvad and push all traffic through the tunnel.  I have followed your Azire guide, substituting where needed for Mullvad's config, but I just cannot get it to work as expected.  It seems that the system treats the Mullvad gateway as perpetually down, instead pushing all traffic to my WAN, and I cannot work out why.  If I tick to skip rules when the gateway is down, I see only a wall of blocking in the firewall logs.  If I leave it unticked, all traffic goes out via my raw WAN connection instead.  I have tried various other guides too and none of them work.

Is it that something has changed or broken in 0.8_1 please, or am I doing something wrong?  I have successfully set up WG connections from my Android devices back to my LAN with no issue, so I assumed this wouldn't be much harder, but it has me stumped so far.  My final goal is to be able to have my external devices able to connect to my LAN, and all traffic from my LAN and any connecting devices to go back out via Mullvad.


Quote from: mimugmail on January 03, 2019, 06:37:04 AM
You tried this?

https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html

I have.  It kind of works but not fully.  I get a WG tunnel established, can see the handshake, and using Mullvad's tools as well as some third parties, I see a secure connection established to Mullvad with an IP I expect via them, no DNS leaks, no WebRTC leaks and IP not blacklisted.  Everything appears secure and as desired.  Firewall logs show lots of traffic passing outbound through wg2 rather than WAN, with a small amount of inbound traffic attempts via WAN and wg2 being denied.  Mostly green and seems nothing out of the ordinary.

The issue I am having with this setup though is that while some websites and connections work perfectly, others are utterly inoperable or intermittent.  Gmail is barely operable, locking up, and if loaded, various services such as Hangouts etc. don't work as expected.  They seem to allow outbound traffic as others receive the messages I post, but I don't see anything from them.  BBC News is completely inaccessible, as are a bunch of other sites, while others including this forum respond perfectly (EDIT: Not perfectly, can log in and read but unable to post till I disabled WG and returned to my WAN).  Steam collapses as well; it lets me start up and log in but the store keeps failing and the friends service cannot connect.

I can ping sites that I cannot connect to, from my various network client devices on wired and wireless.  I can also ping and resolve addresses within OPNsense but that I assume is down to the NAT rule for keeping localhost traffic out via WAN.  However, I have found that even though I can ping the failing sites from my client devices, a traceroute fails to them as it hits Mullvad's WG exit node.  I have tried GB1, 2 and 3, as well as one of their Swedish nodes.  So, is this all working perfectly my end and actually some kind of Mullvad issue with their WG exits/DNS that only affects certain IPs?

January 04, 2019, 12:06:43 AM #70 Last Edit: January 04, 2019, 12:33:23 AM by JDtheHutt
I think I've worked it out.  Have been scouring for info where others may be affected and found some comments by other Wireguard users regarding similar behaviour i.e. some sites working fine, others being intermittent, others inaccessible.  It is the MTU and MSS settings, seems the packets flowing through WG are not happy at all about the default sizes and something is preventing the communication to resolve this.  I have forced them manually to 1200 MTU and 1000 MSS, and suddenly everything went back to working, with all traffic flowing to Mullvad and out from there.  I'll have to tinker to find where the cutoff point is.

I'm not sure if this is caused by something I've missed in the config somewhere.  I've gone back to default setup and followed multiple guides, all of which have resulted in the same, so I assume either this just affects all WG, or all WG via Mullvad, or I'm setting/failing to set something which affects the MTU/MSS auto-discovery.  If that's the case, please advise.

The only other issue I need to deal with now is that any changes to the firewall or interface settings drops the WG connection and it doesn't reconnect automatically, so all traffic starts going back through the WAN.  Have to disable and re-enable WG to get it working again.  I'm hoping that this fix may mean the system considers a gateway through my WG interface to be up now, so I can stick some stricter controls in.

EDIT: Further testing, and a setting of 1400 MTU/1360 MSS seems optimal.  Anything higher causes my connection to start falling apart, with around a 50% reduction in download speeds, and intermittent behaviour by sites.  Above 1440/1400 it becomes worse and 1460/1420 or higher is back to mostly unusable.

EDIT AGAIN: Steam remained unstable at 1400/1360.  Dropping to 1380/1340 has resolved that as well.

Decided to try and sort the gateway tonight as well, and I have no idea what is going on with this.

Used your guide for reference, as well as the one on the OPNsense How To.  Set up the gateway using the WireGuard interface.  Amended my firewall rule to pass LAN traffic through the gateway only.  Set a NAT for the WireGuard interface to the Mullvad IP assigned to me.

It all worked as expected.  I thought I'd see what happened if I took the WG gateway offline, so I marked it as down.  Traffic continued to pass through.  I disabled the WG gateway; traffic continued to pass through.  A check with Mullvad shows I am still secure through WG, as do third-party sites, which confused me a little.  Disabling WG itself finally causes traffic to shunt back through the WAN gateway, I assume as the auto rules kicked in to pass back to the default gateway.  Setting this to skip the auto rules finally cuts off all traffic via the WAN, as the firewall rules I have set still define to go via the WG gateway.

Re-enabling everything, traffic is still blocked from the WG gateway if the skip rules box is ticked.  It seems that, with this enabled, the WG gateway is always considered down by the system even if I have ticked for that gateway to always be considered up.  I don't think I've made any errors here, but please advise if I've missed something, or if this is known to currently not work.  To confirm, I did try restarts and flushing states as well, but no effect on this.
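The MTU/MSS figures JDtheHutt settled on above (1400/1360, then 1380/1340, with 1440/1400 and 1460/1420 getting progressively worse) line up with the fixed per-packet overhead WireGuard adds. As an added example, not from the thread or the OPNsense plugin, the following calculator derives the overhead from the packet layout (outer IP header, UDP header, and the 32-byte WireGuard transport header of type, receiver index, counter and Poly1305 tag), turns an outer path MTU into a tunnel MTU and TCP MSS, and flags a proposed (MTU, MSS) pair that would not fit. The 1500-byte outer MTU and the candidate values are taken from the thread; a lower effective WAN path MTU simply lowers the budget.

```python
"""WireGuard MTU / MSS budgeting (added example, not from the OPNsense plugin)."""

# WireGuard transport data message: type (4) + receiver index (4) + counter (8)
# + Poly1305 tag (16) = 32 bytes around the encrypted inner packet.
WG_HEADER = 4 + 4 + 8 + 16
UDP_HEADER = 8
IP_HEADER = {4: 20, 6: 40}   # minimal IPv4 header / fixed IPv6 header
TCP_HEADER = 20              # TCP header without options


def wireguard_overhead(outer_family: int = 4) -> int:
    """Bytes added to every inner packet when carried over IPv4 or IPv6 UDP."""
    return IP_HEADER[outer_family] + UDP_HEADER + WG_HEADER   # 60 for IPv4, 80 for IPv6


def inner_mtu(outer_path_mtu: int = 1500, outer_family: int = 4) -> int:
    """Largest inner packet whose encrypted form still fits the outer path MTU.

    WireGuard pads plaintext to a multiple of 16 bytes, and 1500 - 60 = 1440
    is already a multiple of 16, so no further rounding is needed for the
    common IPv4-over-1500 case."""
    return outer_path_mtu - wireguard_overhead(outer_family)


def tcp_mss(tunnel_mtu: int, inner_family: int = 4) -> int:
    """TCP MSS to clamp to for a given tunnel MTU (MTU - inner IP - TCP headers)."""
    return tunnel_mtu - IP_HEADER[inner_family] - TCP_HEADER


def check_setting(tunnel_mtu: int, mss: int, outer_path_mtu: int = 1500,
                  outer_family: int = 4, inner_family: int = 4) -> list[str]:
    """Findings for a proposed (tunnel MTU, MSS) pair; an empty list means it fits."""
    findings = []
    limit = inner_mtu(outer_path_mtu, outer_family)
    if tunnel_mtu > limit:
        findings.append(f"tunnel MTU {tunnel_mtu} exceeds {limit}: encrypted packets "
                        f"larger than the outer path MTU will be fragmented or dropped")
    max_mss = tcp_mss(tunnel_mtu, inner_family)
    if mss > max_mss:
        findings.append(f"MSS {mss} exceeds {max_mss}: full-size TCP segments will "
                        f"not fit the tunnel MTU of {tunnel_mtu}")
    return findings


if __name__ == "__main__":
    print(f"IPv4 outer, 1500 path MTU: tunnel MTU {inner_mtu()} / MSS {tcp_mss(inner_mtu())}")
    print(f"IPv6 outer, 1500 path MTU: tunnel MTU {inner_mtu(1500, 6)} / MSS {tcp_mss(inner_mtu(1500, 6))}")
    # The candidate pairs tried in the thread, checked against a 1500-byte IPv4 path.
    for mtu, mss in [(1400, 1360), (1380, 1340), (1440, 1400), (1460, 1420)]:
        print(mtu, mss, check_setting(mtu, mss) or "fits")
```

Every pair in the thread keeps MSS = MTU - 40, which is the right relation for IPv4 inner traffic; the calculator shows 1440/1400 as the ceiling on a clean 1500-byte IPv4 path, so the fact that 1440 already misbehaved points at the path to the endpoint carrying less than 1500 bytes, or at ICMP "fragmentation needed" messages not making it back, which is what breaks path MTU discovery and produces exactly the "some sites hang, others work" symptom described above. Setting the interface MTU and clamping MSS on the WireGuard interface removes the dependence on that discovery.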

Can you rephrase in one sentence what you want to achieve and then give some facts (IPs etc.) and screenshots of rules, outbound NAT, WireGuard config, assigned interface and gateway?

Quote from: mimugmail on January 04, 2019, 07:40:42 AM
Can you rephrase in one sentence what you want to achieve and then give some facts (IPs etc.) and screenshots of rules, outbound NAT, WireGuard config, assigned interface and gateway?

Sorry, looking back at my posts, it is a lot of waffle. The result of coming off a long shift, dealing with kids then deciding it's a great idea to bash your tired head against a system into the early hours. I'll tidy up when I get home.

Quote from: mimugmail on January 04, 2019, 07:40:42 AM
Can you rephrase in one sentence what you want to achieve and then give some facts (IPs etc.) and screenshots of rules, outbound NAT, WireGuard config, assigned interface and gateway?

Desired setup: Wireguard connection between OPNsense and Mullvad through which all network traffic is transferred.  Additionally, separate Wireguard connections between OPNsense and some roaming external devices i.e. Android phones, laptops etc, which should be able to connect to my internal LAN devices and to the internet via my Mullvad Wireguard connection.

I possess a static IPv4 address with my ISP, which simplifies my personal WG connection between external devices and my home network as no need to mess with dynamic IP services.

Following guides including those at https://www.routerperformance.net/ and https://wiki.opnsense.org/manual/howtos.html I can get either my connection to Mullvad, or my personal connections from devices to my LAN, but I just can't seem to get both working at the same time.  At this time, I have deleted all Rules and NAT relating to my personal WG->LAN connections as it had become a mess of testing and wasn't really helping.

Additionally, with my Mullvad connection, my traffic seems to correctly go via the gateway I have set up for the interface, but if I go to Firewall->Advanced and tick "Skip rules when gateway is down" then all traffic is blocked.  I'm not sure whether the gateway is working in the first place or if it is incorrectly believing the gateway is down.

Also, any changes to my interfaces result in my Mullvad WG connection dropping and not automatically re-establishing.  I have to manually disable and enable WG to force a reconnection.  Is this a known issue, or have I configured something incorrectly?

If you could advise me, I would really appreciate it.  I'm probably going to wonder why I was such an idiot once you point out what I should have done.

LAN: 10.17.42.0
OPNSense: 10.17.42.1
WG personal inbound tunnel network: 10.17.50.1
WG personal inbound client: 10.17.50.2

Gateways


Interface Assignments


Firewall Rules: Categories (Any not displayed in detail are due to no rules set in the category)


Firewall Rules: Floating


Firewall Rules: WAN (IDNET)


Firewall Rules: LAN


NAT: Outbound


WG - Mullvad Local


WG - Mullvad Endpoint


WG - Personal Inbound Local


WG - Personal Inbound Endpoint