I tried debugging this issue for hours now but I’m out of ideas. I’m running WireGuard on my OPNsense firewall. It worked flawlessly for about a year but now I’ve gotten a really strange issue.

Here is the Client config: Client

As you can see, the Client got assigned the IP 10.10.10.11/32

I can ping this IP and the Client can access all Server in the network when connected with the VPN.

BUT when it connects to hosts in the LAN, it doesn’t use it’s assigned 10.10.10.11 IP but the public IP of the OPNsense firewall instead.

This also doesn’t happen every time, but most of the time. I assume that it’s perhaps a ARP issue, but I don’t know why the OPNsense firewall sends its public IP (WireGuard Endpoint IP) instead of the Clients assigned IP at all.

The IP the Client should use in the LAN (virtual VPN IP): virtual IP

The IP which the Client actually uses (Endpoint IP): Endpint IP

Every help would be greatly appreciated!


EDIT: I removed and re-added the peers in OPNsense and it works again, at least for now. Maybe something broke during an update(?). I will report back if this already fixed the issue (the problem can sometimes be hard to replicate)

EDIT 2: The issue reappeared. But I noticed, that I now have the problem only with Gecko based browsers, chromium works fine (tested on Android).

EDIT 3: The issue only appeared with Gecko based browsers because mine are configured to use some public DOH DNS, which resolved my internal host FQDNs to public IPs, not private ones from the LAN

  • @WhyYesZoidberg
    link
    English
    6
    edit-2
    11 months ago

    None of the images in your post loads for me fyi using Voyager

    • CaptainBlagbird
      link
      English
      311 months ago

      Yeah they’re broken, the domain name says *removed* instead.

      • @[email protected]OP
        link
        fedilink
        English
        0
        edit-2
        11 months ago

        Can you at least access the direct links? The images are displayed correctly for me on Jerboa and lemmy web ui

        https://removed/F4FjQNR/Screenshot-20231229-204929-Wire-Guard.png

        https://removed/yPPHZrp/Screenshot-20231229-204929-Wire-Guard.png

        https://removed/Xz0JdfM/Screenshot-20231229-204929-Wire-Guard.png

      • CaptainBlagbird
        link
        English
        311 months ago

        I guess there’s a filter that automatically replaces that site with removed…

  • stown
    link
    fedilink
    English
    211 months ago

    Change your allowed IPs config to 0.0.0.0/0

    • @[email protected]OP
      link
      fedilink
      English
      211 months ago

      Wouldn’t this tunnel everything? I just want 10.10.10.0/24 and 10.0.0.0/24 (VPN and LAN IP range to get tunneled). I also don’t know how this would mitigate this issue

    • @[email protected]OP
      link
      fedilink
      English
      111 months ago

      Thanks for the pointer, it seems it’s an DNS issue after all (IT’S ALWAYS DNS). Routing all traffic through the tunnel forces the Clients to use the DNS server of the LAN. Without, my internal websites (which use a public domain namespace) are sometimes resolved with a public DNS. So the browser doesn’t request test.home.network (10.0.0.100) but test.home.network (1.19.72.59).

      • stown
        link
        fedilink
        English
        111 months ago

        Glad you figured it out. I’ve also run into issues with Firefox using the wrong DNS.

  • @[email protected]B
    link
    fedilink
    English
    2
    edit-2
    11 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    IP Internet Protocol
    VPN Virtual Private Network

    3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

    [Thread #388 for this sub, first seen 30th Dec 2023, 11:55] [FAQ] [Full list] [Contact] [Source code]