Print Page - CGNat Bypass with 2nd IP on VPS

Title: CGNat Bypass with 2nd IP on VPS
Post by: DentalDan on March 24, 2023, 04:19:36 PM

Hi All,

I'm trying to get a static ip at my home on a residential internet connection that does not allow for static IPs (also potentially would not allow for direct connection, but I found a way to bypass their provided router).

To accomplish this, I am attempting to use Wireguard to route this to an endpoint. I wish to do this without NAT, as some of the services I wish to run do not work well with NAT. I feel that I am close to success, but I have a blocker that has me a bit stumped.

Here is what I've done so far:

I have a 2nd IP assigned to the VPS from the hosting provider, for the purposes of this post let's call it 50.50.50.49. This IP comes in on the same WAN interface as the primary IP.
Under Interfaces > Virtual IPs > Settings I added the address 50.50.50.49/32 as a Proxy Arp type (without this it would not show in packet captures, and true IP Alias would make this router respond to it directly for pings etc). At this point I can see pings coming through from my cell phone in packet captures.
Under VPN > Wireguard > Local I created a new interface specifically for this, I'm going to use a /30 for this with OPNsense on the VPS having the tunnel address 50.50.50.50/30 so that the remote can have 50.50.50.49/30.
I added the interface for this VPN, statically assigned the IPv4 address of 50.50.50.50/30 on OPNsense.
Under System > Gateways > Single I added a gateway for the endpoint with IP address 50.50.50.49 Far Gateway checked, and Disable Gateway Monitoring
For the purposes of testing, I have a firewall rule on the WAN to pass to anything for IPv4 ICMP.

At this point:

If I connect the tunnels, I can ping from OPNsense 50.50.50.50 to the endpoint using 50.50.50.49 and I see this on the VPN endpoint in a packet capture.
If I use my cell phone on mobile data to ping the external ip of 50.50.50.50 it shows in packet captures on the WAN of OPNsense.

If I packet capture the VPN interface on OPNsense I see the packets there.

If I packet capture on the VPN endpoint, i do _not_ see any packets coming in from the cell phone.

I suspect there is some kind of restriction for routing packets from the WAN interface to internal interfaces, but any suggestions would be appreciated.

Thanks!

Title: Re: CGNat Bypass with 2nd IP on VPS
Post by: seilenbe79 on April 11, 2023, 07:05:02 PM

I've use this for me. It works.

https://www.busche.org/index.php/2021/03/21/ipv4-ueber-wireguard-von-opnsense-zu-opnsense-routen-cgnat-umgehen/

OPNsense Forum

English Forums => Virtual private networks => Topic started by: DentalDan on March 24, 2023, 04:19:36 PM