OPNsense Route to Egress Gateway
# wireguard
a
Curious how others have a pfSense/OPNsense to egress gateway setup. I'm having problems with HTTP traffic getting lost. Followed https://docs.opnsense.org/manual/how-tos/wireguard-client.html to route a subnet over the tunnel (which works), but apt update, for example, isn't returning the HTTP response back to the VM on the LAN.
Config on NM server
[Interface]
PrivateKey = REDACTED
ListenPort = 51821
Address    = 10.65.65.2
# PostUp/PostDown are run by wg-quick as shell commands; no backticks around them
PostUp     = iptables -A FORWARD -i nm-personal -j ACCEPT; iptables -A FORWARD -o nm-personal -j ACCEPT; iptables -t nat -A POSTROUTING -o nm-personal -j MASQUERADE
PostDown   = iptables -D FORWARD -i nm-personal -j ACCEPT; iptables -D FORWARD -o nm-personal -j ACCEPT; iptables -t nat -D POSTROUTING -o nm-personal -j MASQUERADE
MTU        = 1280

[Peer]
PublicKey  = REDACTED
AllowedIPs = 10.65.65.1/32, 192.168.25.0/24
Config on OPNsense
[Interface]
Address = 10.65.65.1/32
PrivateKey = REDACTED
MTU = 1280

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
Endpoint = nmserver:51821
PersistentKeepalive = 20
b
apt update won't be using the wireguard network, it will be going over your default gateway
a
Sorry, forgot to update the OPNsense config. I have AllowedIPs set to 0.0.0.0/0. Policy-based routing is set up for a subnet with the gateway (10.65.65.2).
Certain HTTP requests work fine. curl icanhazip.com, for example, returns the IP address of the Netmaker / WireGuard server. So the full tunnel is working.
b
ok, that is a different situation
is apt update using ipv6 by any chance?
a
I've read that MTU can affect certain traffic. I have 1280 set on the wg interface in opnsense.
Don't have ipv6 setup, so I haven't tried.
b
I do not see anything wrong with the config.
The only suggestion I have is to not use the Netmaker container as the egress (internet gateway)... instead, install netclient on the Netmaker server and use that node as the gateway.
That removes any issues with Docker networking.
a
I'll give it a try.
No dice. My network is a bit confusing, so I made a diagram. I have a server out in my garage to run my lab. It's connected to my house network through a wireless bridge. The lab has a separate OPNsense router running in a VM just so local lab traffic doesn't have to route back through the APs. There's no NAT set up on the lab router. VLAN IDs are set up on the switches and the home OPNsense, and a static route points my lab subnets (10.100.0.0/16) to the lab OPNsense. Preferably I would like to have Netmaker as the single NAT gateway for the lab so no lab traffic comes out from my home IP. OPNsense has policy-based routing set up for 10.100.0.0/16 to route internet-bound traffic to the Netmaker gateway. That works for certain traffic, but HTTP is getting caught up, which makes me think it's an MTU issue. I've heard of others having issues and having to do MSS clamping with WireGuard. Just not sure where the problem is.
Resolved. Set up MSS clamping with iptables on the egress (VPN server) end:
# Clamp the MSS of forwarded TCP SYNs to the path MTU so segments fit through the 1280-byte tunnel.
# The rule only acts on packets that reach it, so it must sit ahead of any blanket ACCEPT in FORWARD (such as the PostUp rules above).
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu