Wireguard in opnsense

Started by seitzbg, May 24, 2018, 07:54:08 PM

Everyone saying it's easier never did it on their own ;)

Quote from: mimugmail on May 25, 2019, 06:59:13 AM
Everyone saying it's easier never did it on their own ;)

I finally got it working but was disappointed to find it was half the speed of OpenVPN via Mullvad. I'll have to circle back to it later after further development.

Do you have correct MTU values? Perhaps lower the MSS on the LAN?
In my tests it was 5-10x faster, nearly IPSEC speed.

Quote from: mimugmail on May 31, 2019, 06:02:18 AM
Do you have correct MTU values? Perhaps lower the MSS on the LAN?
In my tests it was 5-10x faster, nearly IPSEC speed.

No dice, unfortunately. I just tried scaling back the MSS to 1450, 1400 and 1350 and it only had a negative impact. Tried both the LAN and WG interfaces.

For tuning purposes I was using "ping -D -s 1450 -S <local wg ip> <mullvad wg endpoint>" from opnsense shell to find ballpark MSS.  Let me know if you know of a better approach or know of a good MTU/MSS guide around these parts.


Quote from: mimugmail on May 31, 2019, 08:40:32 PM
What's your speed and hardware?

ISP is gigabit.

HW is Qotom-Q575G6-S05 (i7 7500U).

Direct connection (routed through OPN without VPN) yields ~700 Mb/s before OPN services kick in; then it scales back to ~450 Mb/s.

OPN route through OpenVPN: 280 Mb/s
OPN route through WG: 230 Mb/s


Just wanted to say that I managed to get things working with Mullvad without any trouble.

Ran
pkg install os-wireguard-devel
and then followed the guide at https://wiki.opnsense.org/manual/how-tos/wireguard-client-mullvad.html.

My only comment on the guide is that the Mullvad WireGuard IP/port is not obvious from the server list at https://www.mullvad.net/en/servers/#wireguard. You can ping a host (e.g. au1-wireguard.mullvad.net) to get an IP. To get the port you can download a configuration file at https://mullvad.net/en/download/wireguard-config/; in one of the files in the zip archive the host and port are listed for the server you chose.

Also, remember that Mullvad has discontinued free trial periods on new accounts.

Quote from: marr1977 on June 05, 2019, 10:44:23 PM
Just wanted to say that I managed to get things working with Mullvad without any trouble.

What kind of speeds are you achieving relative to OVPN?  I tested all endpoints in NAM and they all came up short of OVPN throughput.

June 12, 2019, 01:51:32 PM #128 Last Edit: June 14, 2019, 02:29:18 PM by ruggerio
I now have 2 road warriors connecting to my OPNsense. On it, it looks like this:

interface: wg0
  public key: wg0key=
  private key: (hidden)
  listening port: 51820

peer: client1key=
  endpoint: ip:13595
  allowed ips: 192.168.11.0/24
  latest handshake: 25 seconds ago
  transfer: 1011.63 KiB received, 4.03 MiB sent

peer: client2key=
  endpoint: otherip:63680
  allowed ips: (none)
  latest handshake: 1 minute, 9 seconds ago
  transfer: 0 B received, 3.03 KiB sent

Why the heck do I get allowed ips (none)?

Client1 is working well; I copied the config from client2 and changed the key and IP address, that's all.

wg0.conf on the sense looks like this:
[Interface]
Address = 192.168.11.1/24
ListenPort = 51820
PrivateKey = privatekey=
[Peer]
PublicKey = key=
AllowedIPs = 192.168.11.10/24
[Peer]
PublicKey = key=
AllowedIPs = 192.168.11.20/24

And a client-config looks like this:

[Interface]
PrivateKey = key=
Address = 192.168.11.20/24
DNS = 192.168.1.1

[Peer]
PublicKey = key=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.mydomain.com:51820

...I don't get it, why I can only connect with one client... :(


What WAS wrong:
In the OPNsense GUI, use the allowed IPs with netmask 32, not 24, as they should not overlap. I changed to 192.168.11.10/32 and 192.168.11.20/32 - works.

The devil is in the detail...
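The overlap ruggerio ran into can be reproduced offline. The following Python script is an added example (not from the thread or from OPNsense): it parses a wg0.conf like the one above and models WireGuard's cryptokey-routing rule that every AllowedIPs prefix belongs to exactly one peer, so two peers on /24 both normalise to 192.168.11.0/24 and one of them ends up with no allowed IPs, while /32 gives each client its own entry. Which peer keeps a duplicated prefix depends on the order in which the peers are applied; the model assumes the last one wins, and the keys are placeholders.

```python
import ipaddress

# Constructed sample mirroring the thread's wg0.conf; keys are placeholders.
BROKEN_CONF = """
[Interface]
Address = 192.168.11.1/24
ListenPort = 51820
PrivateKey = privatekey=
[Peer]
PublicKey = client1key=
AllowedIPs = 192.168.11.10/24
[Peer]
PublicKey = client2key=
AllowedIPs = 192.168.11.20/24
"""
# The fix from the thread: one /32 per road warrior.
FIXED_CONF = BROKEN_CONF.replace("11.10/24", "11.10/32").replace("11.20/24", "11.20/32")

def parse_peers(conf):
    """Return [(public_key, [allowed_ip, ...]), ...] from the [Peer] sections of a wg config."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[peer]":
            cur = ["", []]
            peers.append(cur)
        elif line.startswith("["):          # [Interface] or any other section
            cur = None
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.lower() == "publickey":
                cur[0] = val
            elif key.lower() == "allowedips":
                cur[1] += [v.strip() for v in val.split(",") if v.strip()]
    return [tuple(p) for p in peers]

def cryptokey_table(peers):
    """Model cryptokey routing: a prefix belongs to exactly one peer, so a prefix
    claimed again by a later peer is taken away from the earlier one (assumption: last wins)."""
    table = {}
    for pubkey, allowed in peers:
        for cidr in allowed:
            # strict=False normalises a host address, e.g. 192.168.11.10/24 -> 192.168.11.0/24
            table[ipaddress.ip_network(cidr, strict=False)] = pubkey
    return table

def effective_allowed_ips(peers):
    """What `wg show` would list per peer once the one-prefix-one-peer rule is applied."""
    eff = {pubkey: [] for pubkey, _ in peers}
    for net, pubkey in cryptokey_table(peers).items():
        eff[pubkey].append(str(net))
    return eff

def peer_for(peers, address):
    """Longest-prefix match: which peer is allowed to carry traffic for this inner IP."""
    addr = ipaddress.ip_address(address)
    hits = [(n.prefixlen, k) for n, k in cryptokey_table(peers).items() if addr in n]
    return max(hits)[1] if hits else None
```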



Before I forget:

It would be great to create an auto rule in NAT for outbound connections. For the moment, I have it in hybrid mode, which would be unnecessary if the rule were there when the service was activated.

I don't like auto rules as they tend to break complex setups, sorry.

That might be. I wouldn't do that by default either, but as it is in Proxy, give the option to let it be done. So it's the user's decision.

In any case, it would make it much easier for SOHO users who are not that experienced.

Congrats on today's go-live as 1.0 in 19.7.

Roger

Is there a migration from the package to the plugin? Don't want to just pull the trigger and break it...