WireGuard with Captive Portal: does not push authentication request
-
Hello community,
I just installed the WireGuard plugin and configured the server and a (road warrior) client peer. I got it up and running and configured an outbound NAT as well. Everything works fine so far.
I decided to configure a Captive Portal as well, so that the user on the client needs to authenticate themselves, to add a layer of security, as WireGuard does not offer that innately. And I found an article that says that it is possible in OPNsense. I followed the steps, created the interface and set up the Captive Portal. But it seems that the Captive Portal is not working in that scenario. No login page is sent to the client, and internet as well as internal addresses are still accessible. The Captive Portal was set to authenticate against a local database and bound to the WireGuard interface.
Does someone already use WireGuard in combination with Captive Portal on pfSense or has any idea why this isn't working?
Further information and configs:
- pfSense CE 2.5.2-RELEASE
- WireGuard 0.1.5_3
- the WireGuard interface has the address 10.20.7.1
Exported server config:

```ini
# Description: WireGuard-VPN
[Interface]
PrivateKey = <hidden>
ListenPort = 51820

# Peer: Client01
[Peer]
PublicKey = <hidden>
AllowedIPs = 10.20.7.2/32
```
Client01:
- Ubuntu 20.04.3 LTS
- wireguard 1.0.20200513-1~20.04.2
- WireGuard started with `wg-quick up wg0.conf`
Client config:

```ini
[Interface]
Address = 10.20.7.2/32
PrivateKey = <hidden>
DNS = 10.20.7.1
MTU = 1412
PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

[Peer]
PublicKey = <hidden>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <hidden>:51820
```
-
I got around to trying this recently after upgrading to 2.60. Tested with Freeradius module and local database. I could get to the captive portal login page while connected via WG but it would not pass traffic once authenticated.
When authenticating against RADIUS, the logs show an error message about not having a MAC address, which I figure is because WG is layer 3 only. So I checked "disable MAC filtering" in the RADIUS options, which allowed it to successfully authenticate, but it still would not pass traffic.
I was only able to access the webGUI, whether authenticated or not, when connected via WG.
-
@nycspud thanks for your reply.
In the meantime I found some misconceptions and why it would, or rather should, not work.
WireGuard works with predefined IP addresses on host and server, but as far as I understood, the Captive Portal as described in RFC 7710 works with special fields in the DHCP offer to send the host of the captive portal to the client. The client interprets these fields and tells the user that this network requires authentication.
I then proceeded to build my own WireGuard server with a web-based authentication service with SAML2 and iptables to allow connections after successful login.
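One way to realise the post-login gate mcr19 describes (web login first, then iptables opens forwarding for that peer), as an added example that is not mcr19's code: WireGuard's cryptokey routing discards any tunnel packet whose source lies outside the sending peer's AllowedIPs, so with a /32 per peer the tunnel address is a trustworthy session key, which is exactly what a MAC-based portal lacks on a layer-3 interface. The interface name wg0, the peer table, the session lifetime and the HTTP redirect are constructed assumptions; the 10.20.7.x addresses are the ones from the thread.

```python
import ipaddress
import time
# Added example, not mcr19's code. Constructed assumptions: interface name,
# the peer table and the session lifetime; 10.20.7.x comes from the thread.
WG_IFACE = "wg0"
PORTAL_IP = "10.20.7.1"                       # server-side tunnel address
PEERS = {"Client01": ipaddress.ip_network("10.20.7.2/32")}  # mirrors [Peer] AllowedIPs
SESSION_TTL = 8 * 3600                        # seconds a login stays valid


def baseline_rules():
    """Installed once: redirect plain HTTP to the portal, forward nothing else."""
    return [
        f"iptables -t nat -A PREROUTING -i {WG_IFACE} -p tcp --dport 80"
        f" -j DNAT --to-destination {PORTAL_IP}:80",
        f"iptables -A FORWARD -i {WG_IFACE} -j DROP",
    ]


class AuthGate:
    """Per-peer login sessions keyed by WireGuard tunnel address."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}                    # tunnel IP (str) -> expiry time

    @staticmethod
    def peer_for(ip):
        """Peer name whose AllowedIPs cover ip, or None for an unknown address."""
        addr = ipaddress.ip_address(ip)
        return next((n for n, net in PEERS.items() if addr in net), None)

    def login(self, ip):
        """Open a session for a known peer; returns the rule to apply, else None."""
        if self.peer_for(ip) is None:
            return None                       # not bound to any peer key: refuse
        self.sessions[ip] = self.clock() + SESSION_TTL
        # -I puts the ACCEPT ahead of the baseline DROP that was appended with -A
        return [f"iptables -I FORWARD -i {WG_IFACE} -s {ip}/32 -j ACCEPT"]

    def logout(self, ip):
        """Close the session and return the rule that removes the ACCEPT."""
        self.sessions.pop(ip, None)
        return [f"iptables -D FORWARD -i {WG_IFACE} -s {ip}/32 -j ACCEPT"]

    def allowed(self, ip):
        """True while a session exists and has not expired; expired ones are purged."""
        exp = self.sessions.get(ip)
        if exp is None or exp <= self.clock():
            self.sessions.pop(ip, None)
            return False
        return True
```

The rule strings are returned rather than executed so the policy can be unit-tested; a deployment would run them with root privileges from the portal's login and logout handlers.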
-
@mcr19 Can you share the steps for this, as I too would like some kind of authentication for WireGuard users.
@mcr19 said in WireGuard with Captive Portal: does not push authentication request:
I then proceeded to build my own WireGuard server with a web-based authentication service with SAML2 and iptables to allow connections after successful login.