Hi,
I am trying to set up a WireGuard server (autonomous host, not the WireGuard within OPNsense) over an existing OpenVPN connection, sadly without success.
I've tried to sum it up with the following (WAN is the upstream gateway):
+---------+
| Gateway |
+---------+
| WAN*    |
| VPN     |
+---------+

+-----------+
| Interface |
+-----------+
| WAN_I     |
| VPN_I     |
| WG_I      |
+-----------+
Outbound NAT
+-----------+------------+-------------------+
| Interface | Src        | NAT addr          |
+-----------+------------+-------------------+
| VPN_I     | WG_I_NET:* | Interface address |
+-----------+------------+-------------------+
Port forward
+-----------+-------+-----+-----------------------+-----------------+
| Interface | Proto | Src | Dest                  | NAT             |
+-----------+-------+-----+-----------------------+-----------------+
| VPN_I     | UDP   | *:* | This firewall:WG_PORT | WG_HOST:WG_PORT |
+-----------+-------+-----+-----------------------+-----------------+

VPN_I Rules
+-------+-----+-----------------+---------+
| Proto | Src | Dest            | Gateway |
+-------+-----+-----------------+---------+
| UDP   | *:* | WG_HOST:WG_PORT | *       |  (auto-generated by the port forward rule)
+-------+-----+-----------------+---------+

WG_I Rules
+---------+----------+--------+---------+
| Proto   | Src      | Dest   | Gateway |
+---------+----------+--------+---------+
| TCP/UDP | WG_NET:* | !Local | VPN     |
+---------+----------+--------+---------+
What confuses me is that I have no issue going through the VPN gateway from the WireGuard host in TCP, and if I traceroute from the WireGuard host/interface/source port to the outside in UDP, I go through the VPN gateway.
The WireGuard host receives the UDP packets coming in on VPN_I and answers; however, here is my issue: the return packet goes through the WAN gateway.
Anyone to put me on the right track? I can't figure this out.
Thanks for the help.
VPN links on the firewall are easier, since it is the default gateway for the network.
If you're trying to reach a host across the tunnel with a VPN server on your LAN, you need to have a static route through the VPN server, or the VPN server tunnel endpoint needs to have a NAT on your LAN.
Bart...
Thank you.
Quote from: bartjsmit on August 21, 2021, 10:11:27 PM
VPN links on the firewall are easier, since it is the default gateway for the network.
I actually had the same issue with the internal wireguard, I was trying to split it to identify the issue.
Quote from: bartjsmit on August 21, 2021, 10:11:27 PM
If you're trying to reach a host across the tunnel with a VPN server on your LAN, you need to have a static route through the VPN server, or the VPN server tunnel endpoint needs to have a NAT on your LAN.
Isn't that what the outbound NAT rule VPN_I - WG_I_NET would be doing?
Can you draw a diagram of the tunnel with both endpoints?
https://online.visual-paradigm.com/diagrams/solutions/free-network-diagram-software/
Bart...
Here it is, hope it's understandable.
I think your issue is with the tunnel inside a tunnel. BTW, I'm not entirely sure why you want to double encrypt your traffic ;)
Normally, OpenVPN creates a TUN device which is fine for most traffic. If wireguard uses anything other than that, you may have to change OpenVPN to a TAP device.
Bart...