WireGuard-Server (OPNsense) - Client connections in the same network

Helloooo :wave:

I have some problems with the connection to wireguard within my network at the moment and have been fighting against it for about three days.

I have an OpenWrt router, which is the main connection to the Internet. I have set up 2 vlans - one for guests and other things and the second vlan for personal use.

In the second vlan there is only one port and one WLAN available, which is for a server with proxmox (port) and other devices (WLAN). A VM of proxmox is an OPNsense firewall. I have set up a WireGuard server in OPNsense. From outside the network I can easily connect to this server and reach all other VMs/LANs. No problems there.
Since I only have physical access to OPNsense, I also want to access the OPNsense server in my OpenWrt network only with WireGuard. And unfortunately this does not work.

I think I need to redirect the vpn.domain.com to the IP or something. Which would be the OpenWrt WAN IP. But I'm not 100% sure.

Here is a kind of network map of it. It lists atm a connection from vlan2 to OPNsense-LAN. Which I also tried. But I prefer to use the VPN solution.
I hope that I can get help to finally solve this mystery.

Thanks
Dan

I'm sorry, I don't understand that really :confused:

Rebind your VPN domain with OPNsense WAN IP:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#hostnames

I tried that but it doesn't work.

Post the output:

# OpenWrt
uci show dhcp; nslookup vpn.domain.com 127.0.0.1

# Client
nslookup vpn.domain.com

uci show dhcp

config domain
        option name 'vpn.domain.com'
        option ip '192.168.50.128'

nslookup vpn.domain.com 127.0.0.53 (dnscrypt)

Server:         127.0.0.53
Address:        127.0.0.53#53

Name:      vpn.domain.com
Address 1: 192.168.50.128
*** Can't find vpn.domain.com: No answer

Client

nslookup vpn.domain.com

Server:         192.168.50.1
Address:        192.168.50.1#53

Name:   vpn.domain.com
Address: 192.168.50.128

Try to establish the VPN connection and check from both client and server:

wg show

I can still only connect from outside of my network.

Server:         8.8.8.8
Address:        8.8.8.8#53

Name:   vpn.domain.com
Address: openwrt-wan IP

It's a bit strange, when I check my dns leaks, I get my dnscrypt dns server listed. Why is Google's dns server shown there now?

Edit:
Just read that it is because of Termux. It does not use Android's default nameserver. Good to know.

traceroute hits only the gateway/dns of openwrt.
traceroute extern, no problem, if I don't change vpn.domain.com to OPNsense-WAN/IP. If I change it I can't reach from extern as well.

Router - Without hostname change:

traceroute to vpn.domain.com (openwrt-WAN-IP), 30 hops max, 38 byte packets
 1  *  *  *
 2  *  *  *
...

Router - With hostname change:

traceroute to vpn.domain.com (opnsense-wan 192.168.50.128), 30 hops max, 38 byte packets
 1  *  *  *
 2  *  *  *
...

Laptop connected to router - Without hostn. change:

traceroute to vpn.domain.com (openwrt-WAN-IP), 30 hops max, 60 byte packets
 1  _gateway (192.168.50.1)  1.007 ms  1.038 ms  1.133 ms
 2  * * *
...

Laptop connected to router - With hostn. change:

traceroute to vpn.domain.com (opnsense-wan 192.168.50.128), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
...

Laptop connected to OPNsense - Without and with hostn. changes:

traceroute to vpn.domain.com (openwrt-WAN-IP), 30 hops max, 60 byte packets
 1  _gateway (192.168.100.1)  0.708 ms  0.631 ms  0.578 ms
 2  ISP (openwrt-WAN-IP)  1.213 ms  1.201 ms  1.177 ms

So, yeah. At least the direct connection to opnsense and from there seems to work. Which obviously makes no sense :triumph:

It looks like a problem with OPNsense firewall on the WAN interface.
By default, traceroute relies on UDP queries and ICMP replies.


Why are my posts hidden? o_O

So, I figured a few things out. The first block was my phone itself because of AFWall+ (I hadn't allowed [VPN-Network], which worked before without it, but must be set for the internal connection). I'm sorry, I completely forgot about this firewall... :confused: No need to change the hostname in vpn.domain.com.

I also "moved" another VM with Wireguard in front of opnsense and it works until that point.
Now I hit the firewall of opnsense. So my guess is to allow VLAN2 or at least the devices to WAN or WireGuard interface?

Edit:
Another step forward:
I have disabled 'Block Private Networks' on the OPNsense-WAN interface (any other suggestions?). This allows me to connect to the Wireguard server. But I cannot reach the LAN there. I can reach the LAN via external connection.

Edit 2:
It's strange... I disabled the firewall on 2 laptops to test the wireguard connection there. It works (with and without the firewall enabled), but I can't reach the OPNsense GUI (192.168.100.1) or use the internet on these devices. But I can reach the GUI and internet by phone (same network - VLAN2). And none of the devices can reach any other VM, such as 192.168.100.10. This is really confusing.

I just want to leave a note here. That works somehow. With wireguard it doesn't really work, but with openvpn it does.
Maybe I need to change something with wireguard interface or on my devices. I'll look into it and probably come back here in the future to mark it as a solution.

Thanks @vgaetera for your help.
