Jump to content
Not connected, Your IP: 18.119.118.237
Sj0rs

HOWTO: OPNsense and Wireguard to AirVPN

Recommended Posts


This HOWTO describes how to connect to AirVPN with a Wireguard VPN tunnel from OPNsense.
This is the first draft of this howto, i might add (more) screenshots later on.
 
  • Version: 0.1
  • Date: 20231029

What we are going to achieve
  1. We'll create a single Wireguard VPN Tunnel, IPv4 Only.
  2. Traffic to the tunnel will be NATted

Requirements
  1. OPNsense firewall is up-and-running and updated. This howto is based on version 23.7.7_1
  2. You have basic knowledge on using OPNsense i.e. firewall rules, NAT, routing, gateways and aliases.
  3. AirVPN Premium Access

Step 1. Information gathering
We'll grab some info that we need to configure the Wireguard Tunnel.
  1. Go to the Client Area.
  2. Got to VPN Devices.
  3. Add a device or edit your existing device.
  4. Note your Public Key and IPv4 under the heading "Wireguard"
  5. Go back to the Client Aerea.
  6. Go to Config Generator
  7. Select "router" under "Choose your OS"
  8. Select "Wireguard under "Choose protocols"
  9. Select your country under "By Countries". I selected Netherlands
  10. Scroll way down and download your config.

This is an example of a Wireguard config:
(the keys and IP are random and will not work, use your own)
 
[Interface]
Address = 10.45.95.123/32
PrivateKey = X72xgdx23XDomnSXmcy#S4Jc#9Y5G*vU$wg^n499yn6
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = VTSQ77Uk4^&RY4h%S$#9h8PR2T&xyya&yPTtk6oD^m$
PresharedKey = b7&&7bntmCS5q%&4J*mSKBAUvV4XEqHerwscvbappXQ
Endpoint = nl3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15

Step 2. Create the Tunnel configuration
Peer configuration:
  1. in OPNsense go to VPN|Wireguard|Settings|Peers.
  2. Create a peer with the following information:
    1. Name: wg_airvpn_<country code>. mine is called wg_airvpn_nl
    2. Public key: <PublicKey under heading [Peer] of your generated WG Config>
    3. Pre-shared key <presharedKey under heading [Peer] of your generated WG Config>
    4. Allowed IP's: 0.0.0.0/0
    5. Endpoint Address: <Endpoint under heading [Peer] of your generated WG Config>
    6. Endpoint port: 1637 (default port)
    7. Keepalive interval: 15 (default interval)

Instance configuration:
  1. in OPNsense go to VPN|Wireguard|Settings|Instances
  2. Create an instance with the following information:
    1. Enable Advanced Mode.
    2. Name: <Endpoint Name i.e. nl.vpn.airdns.org>
    3. Public Key: <Public Key as noted with step 1.4>
    4. Private Key: <PrivateKey under heading [Interface] of your generated WG Config>
    5. Listen Port: 1637
    6. MTU: 1320
    7. Tunnel Address: <Address including /32 under harding [Interface] of your generated WG Config>
    8. Peers: <select peer that you created with step 2.2>
    9. Disable routes: Enabled.

Step 3. Make an exception on your WAN interface
  1. in OPNsense go to Firewall|Rules
  2. Select your WAN interface, mine is called WAN_PPPOE
  3. Create a Pass rule for IPv4/UDP port 1647 to your WAN-address.

Step 4. Assign Wireguard Interface
  1. in OPNsense go to Interfaces|Assignments
  2. You'll find a "wg1(Wireguard - nl.vpn.airdns.org)" (or similiar) interface.
  3. bind it to an interface with a name of your choice. mine is called WAN_WG1 as is is the first site-to-site Wireguard tunnel on my WAN interface.

Step 5. Create a gateway.
Remember we disabled the routes for the WG instance configuration? Because of that we need to create a gateway.
  1. In OPNsense go to System|Gateways|Single
  2. Add a Gateway with the following information:
    1. Name: WAN_WG_GW
    2. Description: Interface WAN_WG1 Gateway
    3. Interface: Select WAN_WG1 as created in step 4.
    4. Address Family: IPv4
    5. IP address: Dynamic (leave empty)
    6. Far Gateway: Enabled (this i am not sure of but for now i'm happy it works)
    7. Disable Gateway Monitoring: enabled

Step 6. Aliases
We set up some aliases. This will make it more easy to redirect some hosts or networks to the Wireguard tunnel.
  1. in OPNsense, go to Firewall|Aliases
  2. Create host entries for the specific hosts you'll redirect
  3. Create network entries for the specific network(s) you'll redirect.
  4. Create a Network Group Entry with the host and network entries to group them together. My alias is called networkgroup_wireguard

Step 7. Create Outbound NAT for Wireguard.
(In my setup, i use Manual Outbound Rule Generation because i like to have control)
  1. In OPNsense go to Firewall|NAT|Outbound
  2. Create a new Outbound NAT rule with the following information:
    1. Interface: WAN_WG1
    2. TCP/IP version: IPv4
    3. Protocol: Any
    4. Source Address: <alias networkgroup_wireguard from step 6>
    5. Translation /target WAN_WG1 address
    6. Description: Wireguard VPN Outbound NAT rule

Step 8. Create Outbound Redirect rule.
In this example we create 2 rules on our LAN interface, one for redirecting to WG, the other to prevent leaks.
  1. In OPNsense go to Firewall|Rules
  2. Select your LAN interface
  3. add an outbound Pass rule:
    1. Action: Pass
    2. Source: Networkgroup_wireguard
    3. Destination: Any (in my case i use an inverted network group called networkgroup_local where all my local vlans are grouped together)
    4. Gateway: WAN_WG1_GW (the gateway you created in step 5.)
  4. Add an outbound block rule below that:
    1. Action: Block
    2. Source: Networkgroup_wireguard
    3. Destination: Any
    4. Gateway: default

Your WG VPN tunnel should now work. Test with https://ipleak.net

The following steps are more advanced and i'm still finetuning/experimenting with the settings. your experience may vary.


Step 9. Prevent VPN leakage
I'm new to OPNsense and i am not sure what the default setting is, but from my pfSense experience i know the following setting is important when you want to make sure your VPN does not leak when for instance the tunnel is down.
  1. In OPNsense go to Firewall|Settings|Advanced
  2. Under "Gateway Monitoring" enable "Skip Rules when gateway is down"

Step 10. MTU/MSS optimization
For now i have set thte MTU according to the default setting of AirVPN. I want it to be higher but for now i'm just happy it works.
My settings are as follows:
  1. In the properties of the WAN_WG1 interface i set the MTU to 1320 and the MSS to 1280.
  2. I created a normalize rule (Firewall|Settings|Normalization) with the following settings. this should enable me to clamp the MSS to 1280 for the wireguard group but leave the MSS to the desired setting (1452) as defined on my LAN interface for the rest of the hosts on my LAN;
    1. Interface: LAN
    2. Direction, Protocol: Any
    3. Source: networkgroup_wireguard
    4. Max MSS: 1280






 

Share this post


Link to post

Guides are always appreciated, thank you for the time you invested into it. Screenshots would be a blast. :)


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
Posted ... (edited)

Hey, pictures would make this post indeed so much better.


So, I have done it and posted below. Please note the following:

 

  1. My OPNsense Firewall is "clean" I did a factory reset before conducting the steps and completing the guide.
  2. For simplicity, I copy and pasted most of the Text but added it with the missing pictured and did fix where I believe it was necessary. All Credits for this goes to the original poster @Sj0rs
  3. I configure OPNsense from the WAN interface. To do this, I did the following steps as a preparation before this guide.

Disclaimer

In general, DO NOT TRUST ME ! I'm not a security expert. I do not know what I'm doing here !

Preparation (not required if you access the firewall from LAN)

Some advice here… Opening the WAN interface to allow administration is not good ! I am doing this because the firewall sits in my private LAN, and I'm not doing any port forwarding on my main router ! If your firewall is connected directly to the internet, do not do this !
Again, in general, DO NOT TRUST ME ! I'm not a security expert. I do not know what I'm doing here !


Now that you know it…

1. Deselect "Block private networks" and "Block bogon networks" in Interfaces → WAN. After doing so: hit save and "Apply changes".
image.thumb.png.9f33c35f0721e3b4d50c0810ba70dcce.png

2. Select "Disable reply-to" in Firewall → Settings → Advanced. Hit save at the end.
image.thumb.png.4a19a003dda7e068d5e392abbacd2943.png

3. Add incoming WAN rule to allow administration. Go to Firewall → Rules → WAN

Add a TCP rule from "WAN net" to "This Firewall" on HTTPs.

image.thumb.png.64fbf8c43390ab7f1a5efcb4da984f06.png

Step 1. Information gathering.

We'll grab some info that we need to configure the WireGuard Tunnel.

  1. Go to the Client Area.
  2. Got to VPN Devices.
  3. Add a device or edit your existing device.
  4. Note your Public Key and IPv4 under the heading "WireGuard"
  5. Go back to the Client Area.
  6. Go to Config Generator
  7. Select "router" under "Choose your OS"
  8. Select "WireGuard under "Choose protocols"
  9. Select your country under "By Countries". I selected Netherlands
  10. Scroll way down and download your config.


This is an example of a WireGuard config:
(the keys and IP are random and will not work, use your own)

[Interface]
Address = 10.10.10.10/32
PrivateKey = X72xgdx23XDomnSXmcy#S4Jc#9Y5G*vU$wg^n499yn6
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = VTSQ77Uk4^&RY4h%S$#9h8PR2T&xyya&yPTtk6oD^m$
PresharedKey = b7&&7bntmCS5q%&4J*mSKBAUvV4XEqHerwscvbappXQ
Endpoint = nl3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15

Step 2. Create the Tunnel configuration.

Pre Configuration — Install WireGuard plugin


0.1 Go to System → Firmware → Plugins and install the "os-wireguard" plugin.

Peer configuration:

  1. in OPNsense go to VPN → WireGuard → Settings → Peers.
  2. Create a peer with the following information:
    1. Name: wg_airvpn_<country code>. Mine is called wg_airvpn_nl
    2. Public key: <PublicKey under heading [Peer] of your generated WG Config>
    3. Pre-shared key <presharedKey under heading [Peer] of your generated WG Config>
    4. Allowed IP's: 0.0.0.0/0
    5. Endpoint Address: <Endpoint under heading [Peer] of your generated WG Config>
    6. Endpoint port: 1637 (default port)
    7. Keepalive interval: 15 (default interval)

image.png.3bfd6562f9aaa184ddd4775741356e4b.png

Click "Save" and you should see the below

image.thumb.png.8ddd289a22abb8ff971c046e2cec8df9.png


Instance configuration:

  1. in OPNsense go to VPN → Wireguard → Settings → Instances
  2. Create an instance with the following information:
    1. Enable Advanced Mode. (upper left corner)
    2. Name: <Endpoint Name i.e. nl.vpn.airdns.org>
    3. Public Key: <Public Key as noted with step 1.4>
    4. Private Key: <PrivateKey under heading [Interface] of your generated WG Config>
    5. Listen Port: 1637
    6. MTU: 1320
    7. Tunnel Address: <Address including /32 under harding [Interface] of your generated WG Config>
    8. Peers: <select peer that you created with step 2.2>
    9. Disable routes: Enabled.

image.thumb.png.4c304df0ddd45dbde8aec4c16ac989f9.png
Hit the "Save" button.

image.thumb.png.4156c0f900bad47e36abee3c107df5eb.png
 

Enable WireGuard configuration

Go to VPN → Wireguard → Settings → General and click on "Enable WireGuard"

image.png.14271ed1e1896d07f41a9ae744600b46.png

Hit "Apply"

Step 3. Make an exception on your WAN interface

  1. in OPNsense go to Firewall → Rules → WAN
  2. On the WAN interface, default is called WAN, create a Pass rule for IPv4/UDP port 1647 to your WAN-address.

image.thumb.png.ec2453440f092399f602d232722ca509.png

Scroll down and hit "Save". It should look like this:

image.thumb.png.37019884a3c0464392c692cbbe96b95a.png

 

Step 4. Assign WireGuard Interface

 

 

 

  1. in OPNsense go to Interfaces → Assignments
  2. You'll find a "wg1(WireGuard - nl.vpn.airdns.org)" (or similar) interface.
  3. bind it to an interface with a name of your choice. Mine is called WAN_WG1 as is the first site-to-site WireGuard tunnel on my WAN interface.

 

image.png.dd45ebc2ea6045dbe9ca22c8de38a326.png

 

Click the "Add" button

 

image.png.07dc1a6e6bd21c7577464832b0c3314a.png

 

Enable the Interface

Interfaces → Assignments → WAN_WG1

  1. Enable: Enable the Interface.
  2. Dynamic gateway policy: Selected (I found it's not working without this. Not sure why)

No further configuration required. Ensure the "Block private networks" and "Block bogon networks" options are not selected, as shown below.

 

image.thumb.png.0219a7f76bd09d7180c170762447b7ac.png

 

Hit "Save" and "Apply changes".

Step 5. Create a gateway.

Remember, we disabled the routes for the WG instance configuration? Because of that, we need to create a gateway.

 

  1. In OPNsense go to System → Gateways → Single
  2. Add a Gateway with the following information:
    1. Name: WAN_WG_GW
    2. Description: Interface WAN_WG1 Gateway
    3. Interface: Select WAN_WG1 as created in step 4.
    4. Address Family: IPv4
    5. IP address: Dynamic (leave empty)
    6. Far Gateway: Enabled (this I am not sure of, but for now I'm happy it works)
    7. Disable Gateway Monitoring: enabled

 

image.thumb.png.1c6e85a99a7868654c7c619c35d19a2e.png

 

Hit the "Save" button.

 

image.thumb.png.7df7d89c720efe339be4a655efe05a5b.png


Step 6. Aliases

I did not use aliases in my setup. I use the default LAN network group.

 

Step 7. Create Outbound NAT for WireGuard.

(In my setup, I use Manual Outbound Rule Generation because I like to have control)

 

  1. In OPNsense go to Firewall → NAT → Outbound
  2. Click "Manual outbound NAT rule generation" then "Save" then "Apply changes".

image.png.9d5db769d99080cca3568960f5af5e0e.png
 
  1. Create a new Outbound NAT rule with the following information:
    1. Interface: WAN_WG1
    2. TCP/IP version: IPv4
    3. Protocol: Any
    4. Source Address: LAN net (or use alias)
    5. Translation /target WAN_WG1 address
    6. Description: WireGuard VPN Outbound NAT rule

 

image.thumb.png.4a0da9ce79f69d0ca2c1f0b6b65610bd.png

 

 

Click the "Save" button and then the "Apply changes" button.

 

image.thumb.png.92ea05a6c27eb11ccfb672dffd63d6f2.png

 

Step 8. Create Outbound Redirect rule.

In this example we create 2 rules on our LAN interface, one for redirecting to WG, the other to prevent leaks.

  1. In OPNsense go to Firewall → Rules → LAN
  2. add an outbound Pass rule:
    1. Action: Pass
    2. Source: LAN net (or use alias)
    3. Destination: Any
    4. Gateway: WAN_WG_GW (the gateway you created in step 5.)

 

image.thumb.png.9c48d0191426fccf6f3a51f95b4261f9.png

 

Hit the "Save" button.

 

  1. Add an outbound block rule below that:
    1. Action: Block
    2. Source: LAN net
    3. Destination: Any
    4. Gateway: default

 

image.thumb.png.d26c11f8bbbb028f6bcf263f5a7803c7.png

 

 

Hit the "Save"  button and then the "Apply changes" button.

 

You need to disable the existing Default rules by clicking on the green arrow image.png.1ee82af7a0ca51380d9ba4b1ab6f12a5.png then "apply changes" again. (I have removed them as we do not need them anyway)

image.thumb.png.05bee4571ae04c132469d3e5e2ef13a4.png

 

 

Step 9. Prevent DNS leaks

  1. Create an alias to use all available AirVPN servers. Firewall → Aliases
  2. Click add
  3. Enable: selected
  4. Name: VPN_DNS
  5. Content: 10.4.0.1 128.0.1 10.5.0.1 10.7.0.1

image.thumb.png.ca2b086092aae56415b856a765b2f1d4.png

Click Save
 
  1. Create NAT port forward rule. Firewall → NAT → Port Forward
  2. Click Add
  3. Interface: LAN
  4. TCP/IP Version: IPv4
  5. Protocol: TCP/UP (DNS traffic is usually UDP, but I thought it's better to do it like this)
  6. Source: LAN net
  7. Destination: This Firewall
  8. Destination port range: DNS
  9. Redirect target IP: VPN_DNS (the alias we created in 9.1)
  10. Redirect target port: DNS
  11. NAT reflection: Disable
  12. Filter rule association: None

image.thumb.png.1773b0f40174da1daef657018681ada2.png

Hit "Save", then "Apply changes".

image.thumb.png.2135cb3323f7e396be195e6425b477dd.png



Your WG VPN tunnel should now work. Test with https://ipleak.net
 

Step 10. Port forwarding (Optional)

If you need port forwarding for something, make sure It's configured in your AirVPN Member settings !
 
  1. Firewall → Rules → WAN_WG1 →  Add
  2. Action: Pass
  3. Interface: WAN_WG1
  4. Direction: In
  5. Protocol: select your protocol
  6. Source: any (or if you can define it, do this here)
  7. Destination: Single host or Network and the IP of the device
  8. Destination port range: select the port (range)
  9. reply-to: WAN_WG1_GW (this is very Important!)

Hit "Save", then "Apply changes".
 
  1. Firewall → NAT→ Port Forward →  Add
  2. Interface: WAN_WG1
  3. Protocol: Same as in 10.5
  4. Destination: WAN_WG1 address
  5. Destination port range: Same as in 10.8
  6. Redirect target IP: Same as in 10.7
  7. Redirect target port: Same as in 10.8

Hit "Save", then "Apply changes".

That's it for port forwarding. Test the setting.
 

Let me know if something is not correct or clear.

 

END of the Guide... Everything below here can be ignored. It seems the board software adds all the pictures I have added again to the bottom of the post, so ignore everything below here ! Thanks


 

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

image.png

Edited ... by OPN-UserGuide
Update #6. Added port forwarding

Share this post


Link to post

Thank you for this HowTo. Seems to work great, though running just a few minutes and only checked for leaks.

Did you put this in a Network Security Forum to get it checked?

What would be needed to also enable IPv6?

Share this post


Link to post

Thank you for this post.

How to make an exemption for one of the PCs on LAN so that it can go out without VPN.

 

Share this post


Link to post
On 4/8/2024 at 9:23 PM, kaymio said:

Thank you for this HowTo. Seems to work great, though running just a few minutes and only checked for leaks.

Did you put this in a Network Security Forum to get it checked?

What would be needed to also enable IPv6?


Hi, I only saw your post today.
Which Forum you mean ?

I have not planned to include IPv6, but I will look into this. It might take a while, as I need to start from the scratch to make sure I got everything covered.

 

6 hours ago, sse450 said:

Thank you for this post.

How to make an exemption for one of the PCs on LAN so that it can go out without VPN.

 


If the client in on the LAN interface. Create a rule which is on top of the VPN out rule. Source the one client, destination any. Gateway the WAN GW
That should do it.

Share this post


Link to post

Many thanks for the help.

Actually, our office people complained about our VOIP as they cannot call outside. In a panic, I had to reverse all the rules I created in this how to.
I would like to re-enable them. But before it, UDP ports 5060, 10000-20000 should be open freely to get a working VOIP. Somehow, the rules in this how to prevented these ports. Following the disble all the steps, VOIP startted working.

Please find below a screenshot from my NAT | Port Forward and WAN rules.

I would appreciate any hint.
 

Port Forward.jpg

WAN Rules.jpg

Share this post


Link to post
1 hour ago, sse450 said:

Many thanks for the help.

Actually, our office people complained about our VOIP as they cannot call outside. In a panic, I had to reverse all the rules I created in this how to.
I would like to re-enable them. But before it, UDP ports 5060, 10000-20000 should be open freely to get a working VOIP. Somehow, the rules in this how to prevented these ports. Following the disble all the steps, VOIP startted working.

Please find below a screenshot from my NAT | Port Forward and WAN rules.

I would appreciate any hint.
 

Port Forward.jpg

WAN Rules.jpg



You're looking at port forward and WAN rules which would control connections initiated from outside your network.  But aren't VoIP services reliant on first creating a connection to a server, therefore no port forwarding is required because the connection is initiated from your network?

I believe that's the case, therefore you need to be looking at your LAN rules.  Something prevented your VoIP devices from creating *outgoing* connections most likely.  Or if VoIP was forced out the VPN interface perhaps the VoIP service blocks connections from VPN servers.

Share this post


Link to post

Thank you for the support.

Attached is the LAN rules after disabling the rules (last three) in this how to. When they were enabled I had disabled the first two Default allow LAN to any rule as per the Step 8 ("You need to disable the existing Default rules"). Now you see them back to enabled after disabling VPN rules.

As far as I understand, disabling the default LAN rules prevents devices on LAN net go out freely without any VPN. I think I need to put a rule at the beginning of the rules for VOIP server (10.10.1.10) as source to allow destination any on WAN. This way VOIP server will act as if there is no VPN. Am I right?

1525294973_Screenshotfrom2024-06-0708-42-12.thumb.png.783363d1b38a2f12cc518a25977ebce7.png

Share this post


Link to post

Update:
I put an exemption rule for VPN_Free alias (composed of PCs to go out without VPN) at top of LAN Rules with all the other steps as described in this How To.

This time, the PCs in VPN_Free alias can not access any DNS server. I think, it needs an exemption for DNS server as well.

Sorry for my dumb questions. I am trying to wrap my head around firewall concept. Your help is much appreciated.


 

Screenshot from 2024-06-07 16-09-40.png

Screenshot from 2024-06-07 16-09-12.jpg

Screenshot from 2024-06-07 16-10-01.jpg

Screenshot from 2024-06-07 16-09-26.png

Share this post


Link to post

Yeah, my setup did not take any of this into consideration. Maybe I should add a warning.

Your issue is, as you mentioned, with the DNS not being available for those clients.
You need to add another rule, that's step 9 in my guide, but you do not need to create an extra alias, you got one already.

Try the following:

  1. Create NAT port forward rule. Firewall → NAT → Port Forward
  2. Click Add
  3. Interface: LAN
  4. TCP/IP Version: IPv4
  5. Protocol: TCP/UDP (DNS traffic is usually UDP, but I thought it's better to do it like this)
  6. Source: VPN_Free
  7. Destination: This Firewall
  8. Destination port range: DNS
  9. Redirect target IP: This Firewall
  10. Redirect target port: DNS
  11. NAT reflection: Disable
  12. Filter rule association: None
make sure this rule sits between the "Anti lockout" and "DNS to VPN" rule in my screenshot.
Let me know what the results are

edit: you could also see if excluding the "VPN_Free" alias from the "DNS to VPN" rule does the trick (instead of adding another rule). Make sure to test if you got DNS leaks in any case.

Share this post


Link to post

Thank you very much for your kind help. It worked.

With a small quirk.

15 hours ago, OPN-UserGuide said:

Redirect target IP: This Firewall 

There is no "This Firewall" option here. Instead I entered IP of the OPNsense (10.10.1.1).
 
15 hours ago, OPN-UserGuide said:

edit: you could also see if excluding the "VPN_Free" alias from the "DNS to VPN" rule does the trick (instead of adding another rule).

I think I should create a new alias as (LAN Net minus VPN_Free) instead of source whole LAN Net. I couldn't find a way to negate an alias within another alias. !VPN_Free is not working, at least I don't know how.

Without finding a way to use !VPN_Free in another alias, it is possible to do it long way as attached.

But, this time, there will be two aliases to maintain. In this case, first option looks more practical unless there is a way to negate an alias.
 

Screenshot from 2024-06-08 12-26-51.png

Share this post


Link to post

Trying to achieve forwarding port 9999 as per Step 10.

1. Created Firewall | Rule | WAN_WG1. Yes, I changed reply-to to  WAN_WG1_GW.
2. Created Firewall | NAT | Port Forward. With NAT reflection: Disable and Filter rule association: None.

Still, AirVPN client area says "No ports open". Probably, I am doing something wrong.

I would appreciate any help. Thank you.

WAN_WG1 Rule.png

NAT Port Forward.png

AirVPN port forward.png

Share this post


Link to post

This looks fine to me.

You need to have a service running on that port on client 192.168.2.10 btw to make the test work (imho).
You can also enable logging and check the logs during the test.

Share this post


Link to post
On 6/10/2024 at 9:48 PM, sse450 said:

Trying to achieve forwarding port 9999 as per Step 10.

1. Created Firewall | Rule | WAN_WG1. Yes, I changed reply-to to  WAN_WG1_GW.
2. Created Firewall | NAT | Port Forward. With NAT reflection: Disable and Filter rule association: None.

Still, AirVPN client area says "No ports open". Probably, I am doing something wrong.

I would appreciate any help. Thank you.

WAN_WG1 Rule.png

NAT Port Forward.png

AirVPN port forward.png


turn on NAT reflection. 
you only turn it off for redirecting LAN to LAN services on IPs that are directly accessible and thus dont require NAT.

Share this post


Link to post
Posted ... (edited)

This guide did not fully work on OPNsense 24.7.8... Honestly I'm not sure it works at all. There are a few things to add to gateway rules to make it work.

On setting up the Wireguard instance, it is important that if "Disable routes" is checked, it is required that "advanced mode" is selected to enter a Gateway of 10.128.0.1 at the WG instance.

That same IP address of 10.128.0.1 should be used as the IPv4 address of the created Wireguard gateway and should be the same for all configurations for AirVPN.

Also why does this guide repeatedly reference port 1647 and forwarding that port out to WAN when it seems to me that port forwarding to WAN is completely unnecessary and 1647 is just a typo?

 

gateway.JPG

gateway2.JPG

Edited ... by sapincher

Share this post


Link to post
Posted ... (edited)

Also: It took me a while to figure out what was keeping port forwarding from the Wireguard interface to work on OPNsense, so hopefully the following helps somebody.

It turns out that with the default rules created by NAT port forwards on OPNsense, even if you correctly select your WG interface, OPNsense may correctly route through to your local device, but outbound traffic from that device will be sent via the default gateway. This is not useful.

Under Firewall -> NAT -> Port Forward, set up your port forward with your WG interface selected as the "Interface" and disable automatic rule generation and its buggy behavior (pic #1). If you are using a different external port than your internal/local port, this area is where you would add the external port to "Destination port range" and the internal port to "Redirect target port".

Under Firewall -> Rules -> [your_WG_interface], create a new rule with WG as your interface. Select the protocol to enable port range. Set your local device, making sure to change the /24 subnet to /32 to refer to a single specific address. If you are using different external/internal ports, only enter the internal port in this screen. Select the "default" gateway, not the WG interface. Click the "Advanced features" "Show/Hide" button to enable fixing the buggy behavior: clicking the "allow options" checkbox and setting the reply-to gateway as your WG gateway. Which, again, is 10.128.0.1 (pic #2).

You would think that, obviously, setting the gateway here to the WG interface instead of "default" would mean outbound traffic would be routed through that specific gateway. But you'd be wrong, and I don't know why.

You port forward exclusively with the WG interface and do not need to do anything with WAN, as you are using the WG gateway for internet and not WAN. So port forwarding with AirVPN works even if your ISP allots you an internal IP address for your WAN connection.
 

pic1.JPG

pic2.jpg

Edited ... by sapincher

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...