equipment:fw4c_opnsense [2023/11/20 16:41] dirk → equipment:fw4c_opnsense [2023/11/25 09:46] (current) – [Wireguard VPN] dirk
Line 9: Line 9:
   * login as 'installer' with password 'opnsense'   * login as 'installer' with password 'opnsense'
   * select keyboard layout, Install (UFS), select harddrive, ok on swap, change password, reboot without USB plugged in.   * select keyboard layout, Install (UFS), select harddrive, ok on swap, change password, reboot without USB plugged in.
 +
 +Link: https://www.youtube.com/watch?v=_IzyJTcnPu8
 ===== Connect ===== ===== Connect =====
   * plug into the LAN port (see below note for the FW4C) and navigate to 192.168.1.1   * plug into the LAN port (see below note for the FW4C) and navigate to 192.168.1.1
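Review bot: the YouTube link added at the end of the Install steps has no label, so a reader cannot tell what it covers without opening it; give it a short caption in the same "Link:" style the page already uses for its other references (for example, what the video walks through and which board it uses), and drop the empty line before it so it sits with the install bullets it belongs to.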
Line 57: Line 59:
     * Save/Apply     * Save/Apply
   * repeat for other forwarded ports   * repeat for other forwarded ports
-    * Port Forwarding rules if unraid/ Nginx:<code>80      Both  192.168.1.X  180   HTTP tomcat +    * Port Forwarding rules if unraid/ Nginx:<code>80      Both  10.23.79.X  180   HTTP tomcat 
-443     Both  192.168.1.X  1443  HTTPS tomcat +443     Both  10.23.79.X  1443  HTTPS tomcat 
-22      Both  192.168.1.X        SSH brimble</code> +22      Both  10.23.79.X        SSH brimble</code> 
-    * Port Forwarding rules if standalone:<code>80      Both  192.168.1.X  HTTP tomcat +    * Port Forwarding rules if standalone:<code>80      Both  10.23.79.X  HTTP tomcat 
-443     Both  192.168.1.X  HTTPS +443     Both  10.23.79.X  HTTPS 
-22      Both  192.168.1.X  SSH brimble +22      Both  10.23.79.X  SSH brimble 
-32400   Both  192.168.1.X  Plex</code>+32400   Both  10.23.79.X  Plex</code>
   * Hairpin NAT:   * Hairpin NAT:
     * go to Firewall / Settings / Advanced     * go to Firewall / Settings / Advanced
     * Check "Automatic outbound NAT for Reflection"     * Check "Automatic outbound NAT for Reflection"
     * Save / Apply     * Save / Apply
 +
 +==== Wireguard VPN ====
 +=== Create Instance and Peers ===
 +  * go to System / Firmware / Plugins and install os-wireguard
 +  * go to VPN / WireGuard / Settings / Instances
 +  * create new instance by clicking on the "+"
 +    * Enabled: check
 +    * Name: WG1
 +    * click the gear to create a Public/Private key pair
 +      * we will call this public key "MAINPUBLIC" for rest of tutorial
 +    * Listen port: 51820
 +    * Tunnel address: pick a subnet not used elsewhere (10.23.0.1/24)
 +    * Save/Apply
 +  * go to VPN / WireGuard / Settings / General and enable WireGuard
 +  * go to VPN / WireGuard / Settings / Peers
 +  * create new peer by clicking on the "+"
 +    * Enabled: check
 +    * Name: iPhone / Macbook / whatever
 +    * Public key: PEERPUBLIC (put in the key created when you setup the client... see below)
 +    * Allowed IPs: something on the subnet configured above (10.23.0.11/32)
 +    * Instances: select above instance (WG1)
 +    * Save/Apply
 +  * go to VPN / WireGuard / Settings / Instances / Edit WG1
 +    * Add Peers into Peers drop down
 +    * Save/Apply
 +  * go to Lobby / Dashboard and restart wireguard
 +=== Create interface ===
 +  * go to Interfaces / Assignments
 +  * in the drop down under new interface, select the WireGuard instance (wg1)
 +    * Enable: check
 +    * Description: WG1
 +    * Save/Apply
 +  * go to Interfaces / WG1
 +    * Enable: check
 +    * Description: WG1
 +    * Save/Apply
 +=== Create VPN Firewall rules ===
 +  * go to Firewall / Rules / WAN
 +  * create new rule by clicking on the "+"
 +    * Action: Pass
 +    * Quick: check
 +    * Interface: WAN
 +    * Direction: in
 +    * TCP/IP Version: IPv4
 +    * Protocol: UDP
 +    * Source Invert: unchecked
 +    * Source: any
 +    * Destination Invert: unchecked
 +    * Destination: WAN address
 +    * Destination port range: from (other) 51820 to (other) 51820
 +    * Description: allow wireguard inbound
 +    * Save/Apply
 +  * go to Firewall / Rules / [Name of interface assigned above (WG1)]
 +  * create new rule by clicking on the "+"
 +    * Action: Pass
 +    * Quick: check
 +    * Interface: WG1
 +    * Direction: in
 +    * TCP/IP Version: IPv4
 +    * Protocol: any
 +    * Source Invert: unchecked
 +    * Source [Name of interface assigned above NET (WG1 net)]
 +    * Destination Invert: unchecked
 +    * Destination: any
 +    * Destination port range: any
 +    * Save/Apply
 +=== Setup Clients ===
 +  * This will differ based on device... principal is the same.
 +  * iPhone
 +    * Download WireGuard from app store
 +    * create new
 +      * Name: brimble.com
 +      * Generate keypair
 +        * This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box
 +      * Addresses: This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32)
 +      * Listen port: Automatic
 +      * MTU: Automatic
 +      * DNS servers: 8.8.8.8, 8.8.4.4
 +      * click Add peer
 +      * Public key: MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box
 +      * Preshared key: blank
 +      * Endpoint: the address and port of your server (brimble.com:51820)
 +      * Allowed IPs: 0.0.0.0/0
 +      * Save
 +  * macbook
 +    * Downlaod WireGuard from app store
 +    * create new
 +      * Name: brimble.com
 +      * This public key (PEERPUBLIC) will go in VPN / WireGuard / Settings / Peers / Public key box
 +      * <code>[Interface]
 +PrivateKey = whatever is there
 +Address = This will be whatever you put in the Allowed IPs box of VPN / WireGuard / Settings / Peers (10.23.0.11/32)
 +DNS = 8.8.8.8, 8.8.4.4
 +
 +[Peer]
 +PublicKey = MAINPUBLIC this will be in VPN / WireGuard / Settings / Instances / Public key box
 +AllowedIPs = 0.0.0.0/0
 +Endpoint = the address and port of your server (brimble.com:51820)
 +</code>
 +  * Save
 +Link: https://docs.opnsense.org/manual/how-tos/wireguard-client.html
 +==== NAT for online gaming ====
 +  * go to Firewall / Aliases
 +    * create new alias by clicking on the "+"
 +    * Enabled: check
 +    * Name: NintendoSwitch
 +    * Type: Host(s)
 +    * Content: IP address of Switch
 +    * Save/Apply
 +  * go to Firewall / NAT / Outbound
 +    * change mode to Hybrid so you can add manual rule
 +    * create new rule by clicking on the "+"
 +    * Interface: WAN
 +    * Protocol: any
 +    * Source address: NintendoSwitch
 +    * Static-port: check
 +    * Give it a description
 +    * Save/Apply
 +
 +Link: https://tyzbit.blog/getting-a-b-nat-type-on-the-nintendo-switch-using-opnsense
  
 ==== Services ==== ==== Services ====
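Review bot: the added Wireguard VPN section gives remote clients full access to the LAN, yet the port-forward tables in the same hunk still publish SSH on the WAN (`22      Both  10.23.79.X        SSH brimble` in both variants); once the tunnel works, drop the port-22 forward and reach brimble over the VPN (the WG1 rule already passes any protocol from WG1 net to any destination), so that only 80/443 and 32400 remain exposed. Two smaller points in the peer/client steps: the peer is created with `Preshared key: blank`, and WireGuard's optional preshared key costs nothing here (one `wg genpsk` per peer, pasted into the OPNsense peer's pre-shared key field and the client's `PresharedKey =` line) while adding a symmetric secret on top of the public-key handshake; and `DNS = 8.8.8.8, 8.8.4.4` combined with `AllowedIPs = 0.0.0.0/0` sends every query to Google through the tunnel, whereas pointing clients at the firewall's tunnel address (10.23.0.1) would also resolve LAN names such as brimNAS if the default Unbound resolver is still enabled. The WG1 rule passing any/any from WG1 net is appropriate for a personal full-tunnel, but the page should say explicitly that every VPN client gets unrestricted LAN access. Typos in the added text: `Downlaod` under macbook, and `principal is the same` should read `principle`.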
Line 75: Line 197:
     * Save Apply     * Save Apply
     * Static MAC/IP Mapping<code>brimNAS          10.23.79.4     * Static MAC/IP Mapping<code>brimNAS          10.23.79.4
-BrimUpstairsAP     10.23.79.5+BrimUpstairsAP   10.23.79.5
 BrimDownstairsAP 10.23.79.6 BrimDownstairsAP 10.23.79.6
  
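Review bot: the only change here is column alignment of the BrimUpstairsAP row, which is fine, but the block is titled Static MAC/IP Mapping and records only hostname and address; without the MAC column the table cannot be used to recreate the DHCP reservations after a reinstall, so add the MAC for each host alongside its IP.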
equipment/fw4c_opnsense.1700520069.txt.gz · Last modified: by dirk