Netgate Discussion Forum

WireGuard with Captive Portal: does not push authentication request

Category: WireGuard. 5 Posts, 4 Posters, 1.8k Views
    mcr19
    last edited by Jan 31, 2022, 3:19 PM

    Hello community,

    I just installed the WireGuard plugin and configured the server and a (road warrior) client peer. I got it up and running and configured an outbound NAT as well. Everything works fine so far.

    I decided to configure a Captive Portal as well so that the user on the client needs to authenticate themselves, to add a layer of security, as WireGuard does not offer that innately. And I found an article that says that it is possible in OPNsense. I followed the steps, created the interface and set up the captive portal. But it seems that the captive portal is not working in that scenario. No login page is sent to the client, and internet as well as internal addresses are still accessible. The Captive Portal was set to authenticate against a local database and bound to the WireGuard interface.

    Does someone already use WireGuard in combination with Captive Portal on pfSense or has any idea why this isn't working?

    Further information and configs:
    pfSense

    • CE 2.5.2-RELEASE
    • WireGuard 0.1.5_3
    • the WireGuard interface has the address 10.20.7.1

    Exported server config:

    # Description: WireGuard-VPN
    [Interface]
    PrivateKey = <hidden>
    ListenPort = 51820
    
    # Peer: Client01
    [Peer]
    PublicKey = <hidden>
    AllowedIPs = 10.20.7.2/32
    

    Client01

    • Ubuntu 20.04.3 LTS
    • wireguard 1.0.20200513-1~20.04.2
    • WireGuard started with wg-quick up wg0.conf

    Client config

    [Interface]
    Address = 10.20.7.2/32
    PrivateKey = <hidden>
    DNS = 10.20.7.1
    MTU = 1412
    PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    PostDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    
    [Peer]
    PublicKey = <hidden>
    AllowedIPs = 0.0.0.0/0, ::/0
    Endpoint = <hidden>:51820
    
      nycspud
      last edited by Jul 27, 2022, 9:05 PM

      I got around to trying this recently after upgrading to 2.60. Tested with Freeradius module and local database. I could get to the captive portal login page while connected via WG but it would not pass traffic once authenticated.

      When authenticating against radius the logs show an error message about not having a mac address which I figure is because WG is layer 3 only. So I checked disable MAC filtering in the radius options which allowed it to successfully authenticate but still would not pass traffic.

      I was only able to access the webgui whether authenticated or not when connected via WG.

        mcr19 @nycspud
        last edited by Aug 26, 2022, 7:59 AM

        @nycspud thanks for your reply.

        In the meantime I found some misconceptions and why it would or whether it should not work.

        WireGuard works with predefined IP addresses on host and server, but as far as I understood, the Captive Portal as described in RFC 7710 works with special fields in the DHCP offer to send the host of the captive portal to the client. The client interprets these fields and tells the user that this network requires authentication.

        I then proceeded to build my own WireGuard server with a web-based authentication service with SAML2 and iptables to allow connections after successful login.

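A server-side sketch of the design mcr19 describes (each peer is firewalled until the web auth service admits it), added here as an example and not mcr19's own code: it assumes a Linux WireGuard server with iptables and ipset, a portal listening on the server's tunnel address 10.20.7.1, and per-peer /32 AllowedIPs as in the exported config; the chain, set and variable names are hypothetical.

```shell
#!/bin/sh
# Hypothetical gate for the design above: peers on wg0 reach only the login
# portal until the auth service admits their tunnel IP. Each peer has a /32 in
# AllowedIPs, so WireGuard's cryptokey routing binds that source IP to its key.
set -u
IPT="${IPT:-iptables}"     # set IPT=echo IPSET=echo to preview instead of apply
IPSET="${IPSET:-ipset}"
WG_IF="${WG_IF:-wg0}"
PORTAL_IP="${PORTAL_IP:-10.20.7.1}"    # portal listens on the server's tunnel address
PORTAL_PORT="${PORTAL_PORT:-443}"
AUTHED_SET="${AUTHED_SET:-wg_authed}"
SESSION_TTL="${SESSION_TTL:-28800}"    # seconds; ipset expires the entry by itself
IDP_ALLOW="${IDP_ALLOW:-}"             # SAML IdP addresses a full-tunnel client needs pre-login
CHAIN=WG_AUTH

wg_auth_valid_ip() {
  # Only a bare IPv4 dotted quad: the argument comes from a web service, and
  # must not turn into extra ipset options or a CIDR covering the whole subnet.
  case "$1" in *[!0-9.]*|"") return 1 ;; esac
  printf '%s' "$1" | awk -F. 'NF!=4{exit 1} {for(i=1;i<=4;i++) if($i==""||$i>255) exit 1}'
}

wg_auth_init() {
  $IPSET -exist create "$AUTHED_SET" hash:ip timeout "$SESSION_TTL"
  $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
  # Every packet from the tunnel, whether for the server or through it, hits the gate.
  $IPT -I INPUT   -i "$WG_IF" -j "$CHAIN"
  $IPT -I FORWARD -i "$WG_IF" -j "$CHAIN"
  $IPT -A "$CHAIN" -m set --match-set "$AUTHED_SET" src -j ACCEPT
  $IPT -A "$CHAIN" -d "$PORTAL_IP" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
  $IPT -A "$CHAIN" -d "$PORTAL_IP" -p udp --dport 53 -j ACCEPT   # client config uses DNS = 10.20.7.1
  for d in $IDP_ALLOW; do $IPT -A "$CHAIN" -d "$d" -p tcp --dport 443 -j ACCEPT; done
  $IPT -A "$CHAIN" -j DROP
  # No DHCP means no RFC 7710 hint, so do what classic portals do: bounce
  # unauthenticated plain-HTTP requests to the portal, which redirects to HTTPS.
  $IPT -t nat -A PREROUTING -i "$WG_IF" -p tcp --dport 80 \
    -m set ! --match-set "$AUTHED_SET" src -j DNAT --to-destination "$PORTAL_IP:80"
}

# The auth service calls these with the client's tunnel source address after a
# successful SAML login and on logout; the ipset timeout handles session expiry.
wg_auth_allow_peer()  { wg_auth_valid_ip "$1" || return 1; $IPSET -exist add "$AUTHED_SET" "$1" timeout "$SESSION_TTL"; }
wg_auth_revoke_peer() { wg_auth_valid_ip "$1" || return 1; $IPSET -exist del "$AUTHED_SET" "$1"; }

case "${1:-}" in
  init)   wg_auth_init ;;
  allow)  wg_auth_allow_peer  "$2" ;;
  revoke) wg_auth_revoke_peer "$2" ;;
esac
```

Run `init` from the server's PostUp and have the SAML service call `allow <tunnel-ip>` after a successful login; with full-tunnel clients (AllowedIPs = 0.0.0.0/0) the IdP must be listed in IDP_ALLOW or the login itself cannot complete.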
          Darkk @mcr19
          last edited by Sep 3, 2022, 5:55 PM

          @mcr19 Can you share the steps for this as I too would like some kind of authentication for wireguard users.

          @mcr19 said in WireGuard with Captive Portal: does not push authentication request:

          I then proceeded to build my own wireguard-server with web-based authentication service with saml2 and iptables to allow connections after successful login.

            joetaber @mcr19
            last edited by joetaber Mar 31, 2025, 1:32 PM Mar 31, 2025, 1:26 PM

            It's been a while since the last post; this thread is one of a handful of claims of anyone using this design (where connected WireGuard clients are firewalled until they pass a web authentication service) that I could find anywhere on the internet. So I have some questions:
              
            @mcr19 said:

            WireGuard works with predefined IP addresses on host and server, but as far as I understood, the Captive Portal as described in RFC 7710 works with special fields in DHCP

            This seems to imply that the RFC 7710 captive portal system just fundamentally won't work for WireGuard peers. So how did you overcome this issue for clients? Do they just have to remember to open the auth portal manually after connecting WireGuard?

            I then proceeded to build my own wireguard-server with web-based authentication service with saml2 and iptables to allow connections after successful login.

            Can you say more about how this design was implemented? How has it worked for you over the last 2-3 years?
