ALL ABOUT VPNs in OPNsense! Wireguard, OpenVPN, and IPSec Setup and Configuration

  • Published on 8 Jan 2025

Comments • 64

  • @marcusantenor793
    @marcusantenor793 2 days ago

    From time to time, on a random day, you are bored. You open YouTube and a random guy shows up and just ANSWERS YOUR PRAYERS. Awesome!!! Awesome!!! Thanks so much for this insight!

  • @LeonardoSkorianez
    @LeonardoSkorianez 8 months ago +23

    Amazing,
    I would like to see next video about DNS, maybe using adguard or pi-hole, or just some sort of dns filter inside unbound on opnsense

    • @apalrdsadventures
      @apalrdsadventures 8 months ago +12

      It's on the list, I'll give it a vote for you

    • @pingyofdoom
      @pingyofdoom 8 months ago +1

      If it's too short, include something that assigns local DNS hostnames dynamically

  • @xiLike2Doitx
    @xiLike2Doitx months ago

    Logged in just to say thank you!
    Greatly appreciated, I am now subscribed 😊

  • @waynoinsaneo
    @waynoinsaneo months ago +2

    Still the best OPNsense video

  • @Christos9
    @Christos9 8 months ago +3

    Amazing video! Thanks for clarifying things.

  • @waynoinsaneo
    @waynoinsaneo 8 months ago +1

    I've been waiting for this!

  • @Tntdruid
    @Tntdruid 8 months ago +16

    Get your snacks ready.

  • @maximum988
    @maximum988 months ago

    Where does the home key come from at 57:15?

  • @TheDudeITA
    @TheDudeITA 9 days ago

    I love your videos but I can't work with IPv6 in my head yet. Any recommendations on what to use or not to use when setting up a VPN with IPv4?

  • @ctroyp
    @ctroyp 2 months ago

    What's the best way to prevent DNS leaks when using PI-Hole on LAN w/Upstream DNS to OPNSense (Unbound)? I am using MVD as well as a VPN provider. While on VPN, my WAN IP is exposed per the DNS leak test sites.

  • @bogorad
    @bogorad 8 months ago +2

    how about XRAY/vless/vmess/reality?

  • @tubeyou-ky4xt
    @tubeyou-ky4xt 8 months ago +4

    An OPNsense tutorial about VXLAN over WireGuard would be awesome. There is literally no decent tutorial about it out there. I have a use case where Windows clients must be able to hear L2 broadcast traffic (from FlexRadio SDRs) from a remote LAN, where OPNsense is doing the firewalling. People typically use ZeroTier or SoftEther for that, but I feel like WireGuard + VXLAN would be a much "cleaner", faster/lower-latency, predictable and maintainable solution.

    • @apalrdsadventures
      @apalrdsadventures 8 months ago +2

      For your use case you might be able to save money doing vxlan with Mikrotik gear, if you can get away with 100M only (instead of Gigabit) they have an older model for $39 that can do VPNs and vxlan.
      Vxlan is pretty interoperable between vendors (at least unicast vxlan), so using those for remote sites and OPNsense for your core site could definitely be a thing.

  • @SimowLabrim
    @SimowLabrim 3 months ago

    Amazing, thanks for sharing!

  • @janiel471
    @janiel471 7 months ago

    Thanks for the great content. I'm setting up opnsense for my gw and kind of curious about crowdsec and the nginx WAF reverse proxy plugin in OPNsense. I'd appreciate it so much if you have content on this topic. Thank youuuu

  • @derderkommentierte741
    @derderkommentierte741 7 months ago

    What is the gateway IPv6 address in your example? 32:33

    • @apalrdsadventures
      @apalrdsadventures 7 months ago +1

      Same as with v4, our own address off by 1.
      Gateway field is normally used to resolve the MAC address of the next hop, but since Wireguard is a purely layer 3 protocol, there is no MAC. So we really just need *something*.

  • @TheRealAnthony_real
    @TheRealAnthony_real months ago

    I don't quite get how you can route site to site whilst you don't have a physical connection to your network.
    I was always under the impression that VPNs are just software that encrypts the data, but they are still sending it via the normal (worldwide) routes ...

  • @codescholar7345
    @codescholar7345 4 months ago

    How can I set up VLANs that use different OpenVPN or WireGuard clients? I want tagged VMs to be able to use specific VPNs, with a direct connection from the Proxmox host to a bare-metal OPNsense Ethernet port for the VMs. Thanks!

  • @LubosMedovarsky
    @LubosMedovarsky 8 months ago +9

    They must have Stockholm in Switzerland... somewhere... for sure ;-)

    • @apalrdsadventures
      @apalrdsadventures 8 months ago +10

      Just like there are kangaroos in Austria

  • @21Lettere
    @21Lettere 8 months ago +1

    In the ClientAccess configuration, why did you use a public routable IPv6 address for the tunnel? Is this going to leak some data outside the tunnel if the WG server - for some reason - goes offline? Thanks

    • @apalrdsadventures
      @apalrdsadventures 8 months ago

      For IPv6, we need a publicly routable address from the VPN server's allocation. The global internet will route all of those packets back to the VPN server, so if the client tries to send a packet from another location using the address in the VPN server's prefix, it will end up coming back to the VPN server and not wherever the phone is now. Many networks will also drop packets that don't come from their address ranges (spoofed source address).

    • @21Lettere
      @21Lettere 8 months ago

      I thought that both of the tunnel endpoints of a VPN connection have to be in the non-publicly-routable address space like, for example, 192.168.10.10/24 (tunnel endpoint A) and 192.168.10.11/24 (tunnel endpoint B), as in the IPv4 world scenario; I never imagined that the tunnel itself could be a publicly routable network. I suppose I have to learn IPv6 better :) @apalrdsadventures

    • @apalrdsadventures
      @apalrdsadventures 8 months ago

      You can do it in IPv4 as well if you can afford the cost of the public IPs, it's just rarely done for that reason

    • @21Lettere
      @21Lettere 8 months ago

      I never encountered a WG or OpenVPN setup with the tunnel set to a publicly routable IP address(es); all the documentation says that it should be a private (like RFC 1918) address. @apalrdsadventures

    • @apalrdsadventures
      @apalrdsadventures 8 months ago

      I assume their documentation is just indicating you shouldn't use an IP block you don't own (like a lot of ISPs use 6/8 for CGNAT for various reasons).

  • @isithardtobevegan53
    @isithardtobevegan53 8 days ago

    After setting up the ServerAccess type of VPN, things did not go well on the clients.

  • @gramzon
    @gramzon 6 months ago

    Can you do a review/how to of the IPFire OS?

  • @BeeJoe25
    @BeeJoe25 6 months ago

    Could Opnsense route everything through a Wireguard VPN provider including recursive DNS with Unbound?

    • @apalrdsadventures
      @apalrdsadventures 6 months ago

      yes, you can add a policy route on LAN with a destination of 'not LAN net' and all clients on that net will route over the VPN.
      For Unbound you'd need to set the outgoing interface as the WG IF.

  • @jeffreyooi1971
    @jeffreyooi1971 6 months ago

    I have followed all your steps but can't get phase 2 to show up. Any idea where I should look? Both sites show the same log information:
    Site A = Informational charon 04[NET] error writing to socket: Can't assign requested address
    Site B = Informational charon 03[NET] error writing to socket: Can't assign requested address
    Thank you.

    • @apalrdsadventures
      @apalrdsadventures 6 months ago +1

      well Charon is mad about one of your address configs somewhere. Honestly debugging this issue is a nightmare.

    • @jeffreyooi1971
      @jeffreyooi1971 6 months ago

      @apalrdsadventures alright, thanks, will take a look at it. 👍👍👍

  • @l0gic23
    @l0gic23 8 months ago

    Learned a lot. Ty

  • @steven.cutright
    @steven.cutright 5 months ago +1

    You got finesse bro..

  • @rahulkakkarscience
    @rahulkakkarscience 8 months ago

    Hi there. I'm behind a CGNAT and my ISP is not letting me open ports. How can I remote access my home server in the best way possible? I've used Tailscale and it works great, but I want to share my Jellyfin among friends who aren't gonna wanna install Tailscale. Can u suggest a better way?

    • @apalrdsadventures
      @apalrdsadventures 8 months ago +4

      Are they gonna want to install anything else?
      In general, one side of the tunnel needs to be publicly accessible, and the closed side needs to be the one to initiate the connection. If neither side is open, then you need a relay. Tailscale runs relays for their network. Nebula is the option I use (it's significantly faster than Tailscale and doesn't have the same points of failure as Tailscale / Headscale). But in any case the user is installing something.
      If they really don't want to install anything, then a cloudflare tunnel might be the answer. Or you could run a relay VPS to tunnel traffic.

    • @ikerstges
      @ikerstges 8 months ago +1

      @apalrdsadventures I struggle to set up a relay VPS to tunnel traffic. Will see if your great explanations give me enough info to set up such a relay! Keep em up, I really enjoy your videos!

    • @rahulkakkarscience
      @rahulkakkarscience 8 months ago

      @apalrdsadventures I don't think they'll install anything. I tried a Cloudflare tunnel but I wasn't able to play back a high-res movie through it. It had a bitrate of about 50 Mbps. Then I tried a relay using a VPS and it's working great so far. I can play that movie on it with just slight buffering sometimes. Tailscale was insane for me in this regard though. I could play that movie on three devices simultaneously and then some without any buffering whatsoever. Maybe the bottleneck is my cloud VPS server. I opted for a free-tier Oracle Cloud compute instance which gives 1 GB RAM and 1 micro CPU with .49 Gbps network bandwidth.

    • @apalrdsadventures
      @apalrdsadventures 8 months ago +1

      Tailscale will *try* to go direct using their NAT traversal protocol (which is part of why they can't use the Wireguard kernel module), so if it's able to do that it should be pretty fast (at the cost of the CPU usage of doing Wireguard in Go in userspace).
      VPS could also be limited by the CPU to encrypt/decrypt. I did find that my small VPS I used for testing could not handle a lot.
      You could also do a layer 4 proxy VPS + IPv6 home if you have v6 at home, then at least most cellular clients will get v6 and go direct.

    • @rahulkakkarscience
      @rahulkakkarscience 8 months ago

      @apalrdsadventures Cool. I'll look into it. Thank you for your valuable insights as always.

  • @Joshua-jy3gu
    @Joshua-jy3gu 8 months ago

    Can you do opnsense vlans next?

  • @digitalsparky
    @digitalsparky 8 months ago +1

    The Internet is kinda like the movie Inception when it comes to networks.... It's a network of networks of networks of networks of networks ...... :P

    • @apalrdsadventures
      @apalrdsadventures 8 months ago +6

      Yeah, if only we used IPv6 where all addresses were public and we just needed to deal with security over the internet and not routing. This is what IPSec was originally designed for (Transport Mode).

    • @phizlip
      @phizlip 2 months ago

      @apalrdsadventures maybe in 50 years, but we will probably still be dealing with IPv4 😭

  • @RootServerAdministrator
    @RootServerAdministrator 7 months ago

    I used to use wireguard but switched to ocserv.

  • @MatSmithLondon
    @MatSmithLondon months ago

    It was almost impossible to follow. OpenVPN: every time I kept trying to fill in the instance, you kept jumping to little detours, meaning I had to come back and start from scratch etc. Really difficult to understand and follow. Also the cuts made it impossible to follow what screen you were on, as you didn't introduce it, just cut to another page on the web GUI without warning. Maybe you could consider making another video with a little more planning, so it makes it easier for idiots like me to follow?

  • @Rodrigo-rq1dx
    @Rodrigo-rq1dx 8 months ago

    Thank you!

  • @UKUNAShopVideos
    @UKUNAShopVideos 5 months ago

    Top👍👍👍👍👍

  • @AdrianuX1985
    @AdrianuX1985 8 months ago +2

    +1

  • @linearburn8838
    @linearburn8838 6 months ago

    Man, you go really fast and skip over the screens, which makes it hard to follow along. I keep having to rewind over and over.

  • @AdrianuX1985
    @AdrianuX1985 8 months ago

    56:42..
    TLDR.. ;-))

    • @apalrdsadventures
      @apalrdsadventures 8 months ago +2

      I think that describes IPSec very well

  • @anand-nb4bb
    @anand-nb4bb 7 months ago

    Hi Bro,
    Need your help. I have an OpenVPN server with split tunnel configured on pfSense and use this VPN to connect to my work environment.
    Currently I have an Ubuntu 18.04 laptop on which the VPN client is configured; after connecting to this VPN, the internet on this system gets disconnected, but I can connect to the remote system.
    I want internet to be working on my base system as well. There are a few parameters in the config file, given below:
    route-nopull
    route 192.168.10.62 255.255.255.255
    Can you please help me step by step how to fix this. Kindly help.
    Thanks & regards,