OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: MikeyMike on September 10, 2021, 10:14:56 am

Title: Wireguard to IPSEC via Outbound SNAT not working
Post by: MikeyMike on September 10, 2021, 10:14:56 am
Hi,

I have a problem and can't find any solution, or my network skills are too bad to get it working.

My problem is I can't reach an IPsec IP range via WireGuard with Outbound NAT via Translation / target "LAN".
The source NAT with static port is needed because only the LAN IP range is allowed to pass the IPsec tunnel.

The "same" construct works via OpenVPN without problems (OpenVPN <-> OPNsense <-> IPsec clients).

The Outbound NAT rules seem to work, because the path WireGuard to OpenVPN also works with a rule. The only thing is there's no need to change the source address there. I can reach all IPs behind the OpenVPN network. Internet traffic is working without any Outbound NAT rule.

Maybe someone has some tips for me.
Part of my setup:

- 1x WAN
- IPSEC LAN2LAN
- OpenVPN LAN2LAN
- WireGuard with 2 interfaces: wg0 (Road Warrior) and wg1 (lan2lan).
- WireGuard rules are empty
- WireGuard interface rules: WG0 has an ANY rule

The rules on the WG0 and WG1 interfaces are working.

In the live log I see that there are incoming packets from my WG0 interface with the destination set to the IP behind the IPsec tunnel. The difference between WireGuard and OpenVPN is that there is no "nat" in the live log.
The outbound NAT rule rewriting the source doesn't seem to work:

Interface: IPSEC - Source: WireguardWG0IF - Destination: ANY - Translation/Target: LAN

I also tried around a bit with installing a "dynamic" gateway and disabling routing in the WireGuard config. Same behavior: I can't reach the IP behind the IPsec tunnel.
Do I need a dynamic gateway? OpenVPN has a gateway with a fixed address. That's the only difference I can find.

Code:
09:14:13.190215 IP 10.1.2.2.42874 > 192.168.179.1.80: Flags [S], seq 2893322969, win 65535, options [mss 1240,sackOK,TS val 2552133579 ecr 0,nop,wscale 9], length 0
09:14:13.194603 IP WAN-IP > 10.1.2.2: ICMP net 192.168.179.1 unreachable, length 36
09:14:13.214869 IP 10.1.2.2.42876 > 192.168.179.1.80: Flags [S], seq 3959809269, win 65535, options [mss 1240,sackOK,TS val 2552133616 ecr 0,nop,wscale 9], length 0
09:14:13.218739 IP WAN-IP > 10.1.2.2: ICMP net 192.168.179.1 unreachable, length 36



Title: Re: Wireguard to IPSEC via Outbound SNAT not working
Post by: MikeyMike on September 11, 2021, 01:35:39 pm
Actually I got it "temporarily" running.

I changed the internal WireGuard subnet 10.x.x.x/24 into the allowed IP range of my IPsec tunnel, 192.168.x.x/16.
There's no problem anymore: my WireGuard client can reach the IPs behind the IPsec tunnel.

But I want to understand what I need to do to get WireGuard back into the IP range 10.x.x.x/24 and get SNAT working. It would be nice if someone could help find my mistake, because I'd like to understand the routing and what's going wrong here.

Thanks.
Title: Re: Wireguard to IPSEC via Outbound SNAT not working
Post by: ctr on December 22, 2021, 03:29:56 pm
I'm having the same problem, and it started to manifest when switching from userspace to in-kernel WG.

My assumption is that since both WG and IPsec live in the kernel now, packets don't reach PF/routing/NAT, so the src IP cannot be mangled. I'll try to switch my IPsec tunnel to routed mode to see if that makes a difference.