OPNsense Forum

English Forums => Virtual private networks => Topic started by: MrBieR on December 06, 2020, 06:46:30 am

Title: Routing wireguard
Post by: MrBieR on December 06, 2020, 06:46:30 am
Hi,

I'm having difficulty understanding how to set up the following with OPNsense.

I've a VPS (let's say it has public IP 1.1.1.1). On this VPS I run WireGuard (192.168.3.1).
I've an OPNsense instance running on my local network (Hyper-V, WAN, LAN, VLANs, tunnels, etc.). One of the VPN tunnels is via WireGuard to this VPS. OPNsense has IP 192.168.3.2.

I want to host a webserver on my local LAN (192.168.1.1). This webserver has OPNsense as its default gateway. I wish to route all HTTP/HTTPS traffic incoming on 1.1.1.1 to this webserver.
Easily done with port forwarding; however, the source IP address for incoming HTTP/HTTPS requests is now actually the IP of the WireGuard tunnel (192.168.3.1).
I've tried adding a floating rule saying outgoing HTTP/HTTPS traffic should override the gateway and use the WireGuard tunnel, but that doesn't seem to help.

[Internet(1.1.1.1)]VPS[Wireguard(192.168.3.1)] => [Wireguard(192.168.3.2)]OPNsense[LAN(192.168.1.254)] => [HTTP/HTTPS(192.168.1.1)]Webserver
Title: Re: Routing wireguard
Post by: Gauss23 on December 06, 2020, 07:37:03 am
Do you have outbound NAT enabled along this path?

What do local and remote WireGuard have as allowed IPs?
Title: Re: Routing wireguard
Post by: MrBieR on December 06, 2020, 08:18:37 am
Outbound NAT: Hybrid (also tried adding a rule here...)

Interface LAN source 192.168.1.1 port 80/443 destination *
Translation/target wireguard interface address

WG:
OPNsense (endpoint) allowed IPs: 0.0.0.0/0
VPS allowed IPs: 192.168.3.0/24, 192.168.1.0/24

On a side note: I've added the WireGuard interface and a gateway (192.168.3.1), and also added a manual route to the routing table: 192.168.3.1/32 via the WireGuard interface.
Title: Re: Routing wireguard
Post by: Gauss23 on December 06, 2020, 08:49:18 am
Definitely no NAT on this path. You don't want to rewrite IPs.

The problem is: a packet from the WAN comes in at the VPS. The packet should be forwarded to the server on your LAN. If the source IP were not rewritten, the server on your LAN would answer the request through the wrong path, because it would answer to the WAN address directly, which your local OPNsense would route through the WAN port and not the WireGuard tunnel. Are you able to do a tcpdump on the WireGuard interfaces to find out at which point the source rewrite happens?

Firewall: Settings: Advanced
"Disable reply-to" what setting do you have right now on both boxes?

It could have something to do with:
Firewall: Settings: Advanced
"Network Address Translation", all 3 settings within that section could have something to do with that.

I hope someone else has an idea how to solve that.
Title: Re: Routing wireguard
Post by: MrBieR on December 06, 2020, 10:22:57 am
Ok, what you're saying makes sense, due to the gateway it chooses to route traffic back (WAN). Hence my idea was to create a rule that would override the gateway for this specific port for this IP address.

On the VPS the port forward is done via:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:25


Then on OPNsense:
"Disable reply-to": unchecked. I only see 1 box, but all boxes in the UI in that section (Miscellaneous) are unchecked.
"Network Address Translation": only "Automatic outbound NAT for Reflection" is checked.

Interfaces > Diagnostics > Packet Capture > start capture for port 80, host address 192.168.1.1, interface: WireGuard
Resulting packets:
Source: internet IP address of the HTTP request (correct!)
Destination: 192.168.3.2 (WireGuard interface on OPNsense).
and 2 retransmissions of the packet.

This seems fine. I've also tried VPS port forward to OPNsense port forward to webserver. Same result.
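For reference, here is an added example (not the poster's configuration, and not from the OPNsense project) of how the VPS side of this setup looks when the tunnel carries the forwarded traffic without any source rewrite, using the addresses from this thread. The interface names wg0 and eth0, the listen port, the placeholder keys, and the assumption that the FORWARD chain's default policy is DROP and that net.ipv4.ip_forward=1 is set are all assumptions, not facts from the thread:

```ini
# /etc/wireguard/wg0.conf on the VPS (added example; wg0/eth0, port and keys are assumed)
# Assumes kernel forwarding is on (sysctl net.ipv4.ip_forward=1) and that the
# FORWARD chain's default policy is DROP, so the ACCEPT rules below actually matter.
[Interface]
Address = 192.168.3.1/24
ListenPort = 51820
PrivateKey = <VPS private key>

# Forward TCP 80/443 arriving on the public interface to the LAN web server.
# DNAT rewrites only the destination; the client's real source address is kept,
# so the web server sees it and its reply MUST travel back through the tunnel.
# Deliberately no MASQUERADE on this path: masquerading is what makes every
# request appear to come from 192.168.3.1.
PostUp   = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.1
PostUp   = iptables -A FORWARD -i eth0 -o wg0 -d 192.168.1.1 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostUp   = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.1
PostDown = iptables -D FORWARD -i eth0 -o wg0 -d 192.168.1.1 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
# The OPNsense box. AllowedIPs doubles as the routing table for the tunnel:
# the web server's LAN subnet must be listed here, otherwise the DNATed
# packets to 192.168.1.1 have no route into wg0 and are dropped.
PublicKey = <OPNsense public key>
AllowedIPs = 192.168.3.0/24, 192.168.1.0/24
```

With this in place, `tcpdump -ni wg0 'tcp port 80 or tcp port 443'` on the VPS is the check: the SYN should enter the tunnel with the client's public source address, and the SYN/ACK from 192.168.1.1 should come back on wg0. If the SYN/ACK never shows up on wg0, the VPS side is fine and the reply is leaving OPNsense through its WAN default route instead of the tunnel, which is the OPNsense-side problem (reply-to / policy routing on the WireGuard interface) rather than a NAT problem.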
Title: Re: Routing wireguard
Post by: MrBieR on December 06, 2020, 10:49:03 am
Did the capture again, and now I see what's happening.
It's, like you said, replying over the WAN address.

Browser => VPS => OPNsense => webserver
Browser <= WAN <= OPNsense <= webserver

Looks like OPNsense does not track which interface the request came in on and just always replies via the default route over WAN.
Title: Re: Routing wireguard
Post by: Gauss23 on December 06, 2020, 10:57:50 am
Ok, I thought both boxes are OPNsense.

You should definitely skip the masquerading in this case, as this is rewriting the source address.

Don't know if this is a WireGuard topic, as it's a new feature. There are some other weird problems regarding WireGuard at the moment, as far as I remember.

Are you able to exchange the tunnel to an OpenVPN tunnel? Should be easy to replace it.
Title: Re: Routing wireguard
Post by: Gauss23 on December 06, 2020, 11:02:16 am
One more question: is the OPNsense on your LAN the default gateway for the LAN?

If it's not, there is no chance to achieve this without a source rewrite.
Title: Re: Routing wireguard
Post by: MrBieR on December 06, 2020, 11:23:03 am
Yes the MASQUERADE translates it (sorry added it in my previous message but that was not correct). Removed that.

I'm not very familiar with hosting the OpenVPN server on the VPS. The VPS must be the host, as it has a static IP address while my internet connection has a dynamic one. Can you recommend any how-to guide?

I also did not know the OPNsense WireGuard implementation has many issues. I checked the documentation and that all seemed valid/clear.

The webserver 192.168.1.1 has 192.168.1.254 (OPNsense) as gateway.
Title: Re: Routing wireguard - openvpn
Post by: MrBieR on December 06, 2020, 04:37:55 pm
Also tried with OpenVPN
OPNsense hosts OpenVPN server.
VPS => OPNsense.

Ping between the networks works fine. Port forward from VPS => webserver and it goes into the void. I don't even see any traffic when trying to capture the packets.

When doing MASQUERADE on the VPS server it works again, but showing the internal IP address of the OpenVPN client.
Title: Re: Routing wireguard
Post by: Gauss23 on December 06, 2020, 05:25:16 pm
Please try without assigned interface for the VPN connection. I assume you created an interface (for WireGuard and for OpenVPN)?

https://docs.opnsense.org/troubleshooting/openvpn.html
Maybe this applies to WireGuard, too.