mazgacash

ANSWERED [SOLVED] OPNSense WireGuard configuration


Hi, after years of using pfSense with OpenVPN I want to migrate to OPNsense and WireGuard.
In the OPNsense documentation https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html, step 2 I have to set a gateway IP (also used in step 6), but I don't know which IP I should set.
My primary setup would be that one interface on OPNsense goes out through AirVPN.
Can somebody help me please or give me a hint?

regards ng


I'm at the same problem, guys. Instead of useless replies, can someone please just post a solution or a link, because my searches are coming up empty.

I've run for years on pfSense with OpenVPN and I have set up OpenVPN on OPNsense now as well. It works the same as on pfSense. Once the VPN is up and the interface created and activated, two gateways appear automatically which can be customized and used in firewall rules for routing traffic.

With WireGuard, the gateways don't appear. The connection seems to work:
 

interface: wg1
  public key: abc123blablabla=
  private key: (hidden)
  listening port: 9829

peer: whateverrandomkey=
  preshared key: (hidden)
  endpoint: 213.152.162.148:1637
  allowed ips: 0.0.0.0/0
  latest handshake: 16 seconds ago
  transfer: 9.43 KiB received, 2.89 KiB sent
  persistent keepalive: every 15 seconds
and the handshake appears as well.

Any help would be appreciated!

7 hours ago, go558a83nk said:

there may not be very many people here that run opnsense.  I wish I could help but I'm still using pfsense.

Its very similar. Did your gateway appear automatically after creating the wireguard connection and interface? Mine doesn't.

To which server are you connecting and what gateway address does it pick?

Thanks!

7 hours ago, securvark said:
Its very similar. Did your gateway appear automatically after creating the wireguard connection and interface? Mine doesn't.

To which server are you connecting and what gateway address does it pick?

Thanks!

If I recall correctly the interface must be setup manually *and* then the gateway.  So, no, it doesn't appear automatically.

13 minutes ago, go558a83nk said:

If I recall correctly the interface must be setup manually *and* then the gateway.  So, no, it doesn't appear automatically.
Okay, that's okay, I can do that... but where do I find the gateway address?

With OpenVPN, the gateway address is set to "dynamic", and I cannot select the same when I create a gateway manually so I still need a gateway address in order to manually create the gateway.

Thanks!

 

12 minutes ago, securvark said:
Okay, that's okay, I can do that... but where do I find the gateway address?

With OpenVPN, the gateway address is set to "dynamic", and I cannot select the same when I create a gateway manually so I still need a gateway address in order to manually create the gateway.

Thanks!

 
 
I'm pretty sure I followed a guide back when I first started using WireGuard on pfSense... a guide made by the guy that made the WireGuard add-on package. Anyway, I have the gateway address set to the same as the interface address. When creating the interface I have to put in the internal IP that's given to me in the config, and the same one goes in the gateway.


I cannot edit the subject; I would tag it [resolved] but it's not my topic.

Nevertheless, the solution (for me) was this tickbox on the interface for the tunnel:

[attached screenshot: the tickbox on the tunnel interface]

8 minutes ago, securvark said:

I cannot edit the subject; I would tag it [resolved] but it's not my topic.

Nevertheless, the solution (for me) was this tickbox on the interface for the tunnel:

[attached screenshot: the tickbox on the tunnel interface]


And I wouldn't have even known that, since I don't think I've ever seen that in pfSense :D

1 hour ago, go558a83nk said:

And I wouldn't have even known that, since I don't think I've ever seen that in pfSense :D

I overlooked it until today. The gateway is automatically created, similarly to how it's created when adding an OpenVPN interface. In that case, I don't need to enable this.

Creating a manual gateway with address 'dynamic' isn't possible and using the interface address as a gateway address doesn't work, even though the gateway seems to work and a monitor IP seems to be reachable.


Generate your AirVPN configuration file. The interface address in it is the key here... and the number you need for each tunnel.

Create a successful WireGuard connection and enable it; if it doesn't handshake, start over until it does. Then go to Interfaces > Assignments and enable and name appropriately the WG1 interface that now shows up.
IP configuration type is static IPv4; MTU should be 1420. At least that works for me.

At the very bottom, the static IPv4 address should be your interface IP address from the configuration file.
You're not done. An upstream gateway should be created AND assigned, and it's that same number... auto-detected is absolutely incorrect.
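As an added illustration (not from any of the posts above, and not OPNsense's or AirVPN's own code), here is a small Python script that reads a wg-quick style configuration file of the kind AirVPN's generator produces, pulls out the interface address that the post above calls the key number, and lists the values to enter into OPNsense: static IPv4 address and prefix, MTU 1420, a gateway address equal to the interface address rather than auto-detected, and the peer endpoint. The embedded configuration is constructed, with placeholder keys and a TEST-NET endpoint; the function names `parse_wg_conf` and `opnsense_settings` are my own.

```python
"""Turn a wg-quick style WireGuard config into the values the OPNsense
interface/gateway forms ask for (added example, not from the thread)."""
import ipaddress

# Constructed sample config: placeholder keys, documentation-range endpoint.
SAMPLE_CONF = """\
[Interface]
Address = 10.128.1.2/32
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY=
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PRESHARED_KEY=
Endpoint = 203.0.113.10:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
"""


def parse_wg_conf(text):
    """Parse the INI-like WireGuard format into a list of section dicts.

    Keys are lower-cased and every value is a list, because AllowedIPs and
    Address may be repeated or comma-separated. configparser is avoided on
    purpose: it would reject repeated keys and mangle the '=' in base64 keys.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_name": line[1:-1].strip().lower()}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).extend(
            v.strip() for v in value.split(",") if v.strip())
    return sections


def opnsense_settings(conf_text, wg_interface="wg1", mtu_to_set=1420):
    """Derive the OPNsense form values from the config (tunnel IP is the
    gateway address, as the thread describes; MTU 1420 is the thread's advice
    and may differ from the MTU line in the generated file)."""
    sections = parse_wg_conf(conf_text)
    iface = next((s for s in sections if s["_name"] == "interface"), None)
    peers = [s for s in sections if s["_name"] == "peer"]
    if iface is None or not peers:
        raise ValueError("config needs an [Interface] and at least one [Peer]")

    v4 = [ipaddress.ip_interface(a) for a in iface.get("address", [])]
    v4 = [a for a in v4 if a.version == 4]
    if len(v4) != 1:
        raise ValueError("expected exactly one IPv4 Address in [Interface]")
    tunnel = v4[0]

    peer = peers[0]
    endpoint = peer.get("endpoint", [""])[0]
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"peer Endpoint must be host:port, got {endpoint!r}")

    full_tunnel = any(ipaddress.ip_network(a) == ipaddress.ip_network("0.0.0.0/0")
                      for a in peer.get("allowedips", []))
    return {
        "interface": wg_interface,
        "ipv4_configuration_type": "Static IPv4",
        "ipv4_address": str(tunnel.ip),
        "ipv4_prefix": tunnel.network.prefixlen,
        "mtu_in_config": int(iface.get("mtu", [0])[0]),
        "mtu_to_set": mtu_to_set,
        "gateway_address": str(tunnel.ip),  # same number as the interface
        "peer_endpoint_host": host,
        "peer_endpoint_port": int(port),
        "full_tunnel": full_tunnel,  # AllowedIPs 0.0.0.0/0 => all traffic
    }


if __name__ == "__main__":
    for key, value in opnsense_settings(SAMPLE_CONF).items():
        print(f"{key:>24}: {value}")
```

Run it against a real generated file by replacing `SAMPLE_CONF` with the file's contents; a config carrying a second IPv4 `Address` line or a malformed `Endpoint` is rejected rather than silently producing a wrong gateway.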



 

On 6/23/2023 at 11:12 PM, theocean said:

In case this helps anyone in future: when creating a port forward for a WireGuard interface in OPNsense, the automatic firewall rule that is created doesn't work.

To fix this, go to the WireGuard interface firewall rules. Create a new rule that's the same as the automatic firewall rule, except click "Advanced features: Show/Hide" and set "reply-to" to the WireGuard interface. Then go back to the port forward rule and set "Filter rule association" to "None" to remove the original (broken) firewall rule.

 


THANKS!
This is not only WireGuard-specific, but also has to be done for OpenVPN. And: do not forget to move the newly created rule (with the correct reply-to settings) to the top.

On 6/23/2023 at 9:12 PM, theocean said:

In case this helps anyone in future: when creating a port forward for a WireGuard interface in OPNsense, the automatic firewall rule that is created doesn't work.

To fix this, go to the WireGuard interface firewall rules. Create a new rule that's the same as the automatic firewall rule, except click "Advanced features: Show/Hide" and set "reply-to" to the WireGuard interface. Then go back to the port forward rule and set "Filter rule association" to "None" to remove the original (broken) firewall rule.

 


OMG, you're a hero, thank you so much for this tip!

I spent around a day troubleshooting this and finally was able to get it solved, thank you!!
