I got this network
[FIX WAN IP] ==> Fritzbox-Router [192.168.0.1/24] ==> OPNsense - WAN[192.168.0.120] ==> LAN[10.101.10.1/24] ==> XCP-NG[10.101.10.12]
Also Enabled Wireguard and Unbound DNS
When I ssh the XCP-NG via Wireguard I cannot access the internet. I haven't tried directly, but I guess it has the same effect.
from within the console on 10.101.10.12:
ping 10.101.10.1 -> OK
ping 192.168.0.1 -> OK
ping 8.8.8.8 -> OK (manually added it in the OPNsense as DNS)
ping google.com -> NO
curl google.com -> NO
Firewall live log shows that curl connects to the correct IP.
`route` shows:

```
Kernel IP routing table
Destination     Gateway          Genmask         Flags Metric Ref    Use Iface
default         OPNsense.locald  0.0.0.0         UG    0      0        0 xenbr0
10.101.10.0     0.0.0.0          255.255.255.0   U     0      0        0 xenbr0
```
I did read that I'm supposed to add a route to somehow tell the Router[192.168.0.1] that the response to the requests needs to be routed back to OPNsense [192.168.0.120], but I don't know how to. The default Outbound NAT rule set seems good to me. I also disabled RFC1918.
What seemed a bit weird was that some auto log rules appeared in the Wireguard-Interface section even though the IP address was from another interface.
Any help would be great!
Quote from: richidd on June 14, 2023, 06:36:11 PM
I did read that I'm supposed to add a route to somehow tell the Router[192.168.0.1] that the response to the requests needs to be routed back to OPNsense [192.168.0.120], but I don't know how to.
You don't, since you are doing double NAT (10.101.10.0/24 -> 192.168.0.0/24 -> Public IP). Your issue is likely with DNS, since ping fails as soon as you switch to names. Try ping 172.217.169.14 (google.com IPv4 address). Set your DNS to 8.8.8.8 to test name resolution.
Have you looked at Tailscale? You get Wireguard without having to worry about NAT or even double NAT.
Bart...
Thank you very much for your advice. I tried to
ping 172.217.169.14
but it doesn't do anything
I already added 8.8.8.8 to the DNS. DNS actually works, because
ping -4 google.de
results in
PING google.de (142.251.209.131) 56(84) bytes of data.
But it stops here. I never get an answer. It never times out :o. Could it be that XCP-NG has something to do with it? What puzzles me is that on that server (10.101.10.12) I have 2 physical LANs, eth0 and eth1, but my ifconfig said that I connected it to xenbr0. What is xenbr0? I expected it to be connected to eth0?
regarding Tailscale. I took a deeper look. Seems like it is not for free?
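The exchange above hinges on telling "the name does not resolve" apart from "the name resolves but no echo reply comes back", and on the unbounded `ping` that never times out. The following is an added example (not from any post in this thread) that bounds the ping and classifies its output; it assumes a Linux host with glibc `getent` and iputils `ping`, and the sample ping output is constructed.

```bash
#!/bin/sh
# Added example, not from the thread: separate DNS failure from a reachability
# failure, which is the distinction the posts above are trying to make.
# Assumes glibc getent and iputils ping (standard on XCP-ng's CentOS-based dom0).

# classify_ping: read the output of `ping -c N -W T <target>` on stdin and print
#   RESOLVE_FAIL  no "PING x (a.b.c.d)" header, so the name never resolved
#   NO_REPLY      header present, but "0 received": routing/NAT/filter problem
#   PARTIAL       some replies lost (path, MTU or loss issue)
#   OK            every echo request was answered
classify_ping() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^PING ' || { echo RESOLVE_FAIL; return; }
  sent=$(printf '%s\n' "$out" | sed -n 's/^\([0-9]*\) packets transmitted.*/\1/p')
  recv=$(printf '%s\n' "$out" | sed -n 's/.*transmitted, \([0-9]*\) received.*/\1/p')
  [ -n "$sent" ] && [ -n "$recv" ] || { echo NO_REPLY; return; }
  if [ "$recv" -eq 0 ]; then echo NO_REPLY
  elif [ "$recv" -lt "$sent" ]; then echo PARTIAL
  else echo OK
  fi
}

# diag_host: resolve NAME with the system resolver first, then ping the address
# itself with a bounded count and timeout, so the check cannot hang the way an
# unbounded `ping google.de` does. Returns 0 only when the address answers.
diag_host() {
  name=$1
  ip=$(getent ahostsv4 "$name" | awk 'NR==1 {print $1}')
  if [ -z "$ip" ]; then
    echo "$name: DNS resolution failed (check Unbound / forwarders on OPNsense)"
    return 1
  fi
  echo "$name resolves to $ip"
  verdict=$(ping -4 -c 3 -W 2 "$ip" 2>&1 | classify_ping)
  echo "$name ($ip): $verdict"
  [ "$verdict" = OK ]
}

# Constructed sample: what iputils ping prints when the name resolves but nothing
# answers. This is the situation described in the post above.
SAMPLE_NO_REPLY='PING google.de (142.251.209.131) 56(84) bytes of data.

--- google.de ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2048ms'

# Usage on the host, e.g.: diag_host google.com; diag_host 8.8.8.8; diag_host 10.101.10.1
```

Running `diag_host` against the gateway, the upstream router, a public address and a public name in turn shows at which hop the reply stops, instead of a ping that sits forever.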
Quote from: richidd on June 15, 2023, 11:34:25 AM
regarding Tailscale. I took a deeper look. Seems like it is not for free?
https://tailscale.com/pricing/
There is a free option which lists this
Quote
$0
Per active user/month
Get started
Users: Up to 3
Devices: Up to 100
Peer-to-peer connections
ACLs for network and resource-level access policies
MagicDNS
SSO with standard IdP
User approval
Yes Tailscale has a freemium model in which it attracts mind share instead of market share (sorry for the corporate BS). The free starter option recently went from 20 to 100 free devices.
You obviously need to trust them not to spy on your traffic, but there is a whole number of companies in that category. Anywhere outside a hermit hut in a big forest you are likely to be under surveillance.