Hi there,
I will try to explain the situation as best as I can.
I have a home server with proxmox, an OPNsense router and a VPS.
I want to expose certain services like Nextcloud and a mail server. I had a call with my ISP and they denied a business plan with a static IP.
Now I decided to get a small VPS with a static IP so I can use that as a gateway for my entire homelab. I went as far as installing Wireguard on the VPS and configuring OPNsense accordingly.
I followed this guide: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
What I got to work is the VPN tunnel, more or less. I can ping the VPS from my server and vice versa.
That is where my advancements stopped. I tried everything from tracerouting, packet capturing, playing around with subnet masks, changing firewall rules, rebooting and much more.
In hopes you get a better understanding of the problem here's some logs and stuff:
Wireguard configuration on VPS:
[Interface]
Address = 10.8.0.1/24
Address = fde9:ee81:a6c0::1/64
SaveConfig = true
PostUp = iptables -A FORWARD -i eth0 -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;
PostUp = iptables -A FORWARD -i %i -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE;
PostDown = iptables -D FORWARD -i eth0 -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;
PostDown = iptables -D FORWARD -i %i -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE;
ListenPort = 54816
PrivateKey = xx
[Peer]
PublicKey = xx
AllowedIPs = 10.8.0.2/24, fde9:ee81:a6c0::2/64
Endpoint = xx:54816
wg command run on OPNsense via SSH:
interface: wg1
public key: xx
listening port: 54816
peer: xx
endpoint: xx:54816
allowed ips: fde9:ee81:a6c0::/64, 10.8.0.0/24
latest handshake: 28 seconds ago
transfer: 73.05 KiB received, 78.81 KiB sent
persistent keepalive: every 25 seconds
The firewall rules and other configuration are exactly like the guide said (I triple checked).
Another weird thing happens when I try to ping for example 1.1.1.1 from my home server (firewall live view):
Interface dir. timestamp source dest. proto description
Loopback <- 2023-09-23T23:52:04 10.1.2.1 10.8.0.2 icmp let out anything from firewall host itself
Loopback <- 2023-09-23T23:52:03 10.1.2.1 10.8.0.2 icmp let out anything from firewall host itself
...
When I disable the floating rule (everything taken from the guide) it shows this line only once when I start the ping:
VPN gateway <- 2023-09-23T23:59:16 10.8.0.2 1.1.1.1 icmp let out anything from firewall host itself
...continuing with the other lines from above...
It actually says the correct ip only once.
10.1.2.0/24 is the subnet of my DMZ. I always put the DMZ net where it said "hosts supposed to use the VPN".
Now my questions: why the Loopback interface? What is the one floating firewall rule for?
How can I troubleshoot more or even fix the issue?
I have been trying for at least 6 hours now and I'm stuck.
I am very thankful for every little bit of help :)
After a few more hours I finally got it to work.
The problem was in the Wireguard Endpoint configuration on OPNsense.
I had to set the AllowedIPs to 0.0.0.0/0 and ::/0 and it immediately worked.
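Why the AllowedIPs change fixes the 1.1.1.1 ping is WireGuard's cryptokey routing: an outgoing packet is only handed to a peer whose AllowedIPs contains the destination (longest prefix wins), and a packet that matches no peer is dropped by the interface. The following is an added example, not code from the post or from the OPNsense/WireGuard projects: it parses the AllowedIPs from two constructed OPNsense-side peer configs (the "before" one mirroring the wg output above, the "after" one with 0.0.0.0/0 and ::/0) and reports which destinations the tunnel would carry. Public keys and the endpoint hostname are placeholders.

```python
"""Cryptokey-routing check for WireGuard AllowedIPs (added example, not from the post)."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowed_ips(config_text: str) -> Dict[str, List[Network]]:
    """Return {peer_public_key: [networks]} from a wg-quick style config."""
    peers: Dict[str, List[Network]] = {}
    in_peer = False
    current_key: Optional[str] = None
    current_nets: List[Network] = []

    def flush() -> None:
        if in_peer and current_key is not None:
            peers[current_key] = list(current_nets)

    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):  # section header: [Interface] or [Peer]
            flush()
            in_peer = line.lower() == "[peer]"
            current_key, current_nets = None, []
            continue
        if not in_peer or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key == "publickey":
            current_key = value.strip()
        elif key == "allowedips":
            for cidr in value.split(","):
                cidr = cidr.strip()
                if cidr:
                    # strict=False mirrors wg itself: 10.8.0.2/24 is stored as 10.8.0.0/24
                    current_nets.append(ipaddress.ip_network(cidr, strict=False))
    flush()
    return peers


def select_peer(peers: Dict[str, List[Network]], destination: str) -> Optional[Tuple[str, Network]]:
    """Longest-prefix match over every peer's AllowedIPs; None means WireGuard drops the packet."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[str, Network]] = None
    for pubkey, nets in peers.items():
        for net in nets:
            if dst.version == net.version and dst in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (pubkey, net)
    return best


def route_report(config_text: str, destinations: List[str]) -> Dict[str, str]:
    """Map each destination to the AllowedIPs entry that carries it, or 'dropped'."""
    peers = parse_allowed_ips(config_text)
    report = {}
    for dst in destinations:
        match = select_peer(peers, dst)
        report[dst] = "dropped" if match is None else f"{match[0]} via {match[1]}"
    return report


# Constructed OPNsense-side configs; keys and endpoint are placeholders.
OPNSENSE_BEFORE = """
[Interface]
PrivateKey = OPNSENSE_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/24, fde9:ee81:a6c0::2/64

[Peer]
PublicKey = VPS_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.0/24, fde9:ee81:a6c0::/64
Endpoint = vps.example.invalid:54816
PersistentKeepalive = 25
"""

OPNSENSE_AFTER = OPNSENSE_BEFORE.replace(
    "AllowedIPs = 10.8.0.0/24, fde9:ee81:a6c0::/64",
    "AllowedIPs = 0.0.0.0/0, ::/0",
)

DESTINATIONS = ["10.8.0.1", "1.1.1.1", "fde9:ee81:a6c0::1", "2606:4700:4700::1111"]

if __name__ == "__main__":
    for label, cfg in (("before", OPNSENSE_BEFORE), ("after", OPNSENSE_AFTER)):
        print(f"--- {label} ---")
        for dst, outcome in route_report(cfg, DESTINATIONS).items():
            print(f"{dst:>22}  {outcome}")
```

With the "before" config only the tunnel addresses themselves match a peer, so a ping to 1.1.1.1 that OPNsense routes into wg1 is dropped at the interface before any packet leaves; with 0.0.0.0/0 and ::/0 every destination is handed to the VPS peer. The same function also explains the security side of the setting: AllowedIPs is an allow-list on both directions, so a 0.0.0.0/0 peer is trusted to source traffic from any address, which is why the guide pairs it with firewall rules on the WireGuard interface.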