OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: sebclem on January 05, 2024, 11:09:52 AM

Title: [Solved] NAT through wireguard tunnel
Post by: sebclem on January 05, 2024, 11:09:52 AM
Ok so, I'm having issues with my setup, this is some context:
I have my homelab with a 4G router, so no static public IP.
But I rent a dedicated server with 2 public IP.
I have a Site2Site Wireguard setup that works perfectly.

This is a quick summary of my network:

10.23.0.0/24 : Homelab
10.100.0.0/24: Wireguard Tunnel
10.90.0.0/24 : Dedicated server

The issues start now:
I have created a NAT rule on the WAN address in my dedicated server:

Interface: WAN
...
Destination: 178.xx.251.xx (My second public IP, configured as a Virtual IP)
Dest ports: 80,443
Redirect target IP: 10.23.0.36 (My HAProxy on my Homelab network)
...


But this seems not to work, I get a timeout.
After some debugging with packet capture, it seems that my HAProxy VM tries to reply using the WAN of my homelab instead of going through the Wireguard tunnel.
Is there any way to prevent that?
Title: Re: NAT through wireguard tunnel
Post by: doktornotor on January 05, 2024, 01:08:35 PM
Quote from: sebclem on January 05, 2024, 11:09:52 AM
I have created a NAT rule on the WAN address in my dedicated server:

Why?
Title: Re: NAT through wireguard tunnel
Post by: sebclem on January 05, 2024, 02:16:06 PM
I thought this was the way to go actually.

I'm trying to expose my HAProxy in my homelab server via my public IP in my dedicated server, is there another way to do this?
Title: Re: NAT through wireguard tunnel
Post by: shadesh on January 05, 2024, 02:32:33 PM
Try to add a SNAT Rule on the dedicated to be inside the 10.90.0.0/24, if this net is included in the wireguard tunnel, it should work. Because now it seems that the public client ip from the request goes into the tunnel. You have to translate the request into something "private" which is included in the tunnel.
Title: Re: NAT through wireguard tunnel
Post by: sebclem on January 05, 2024, 03:02:14 PM
Quote from: shadesh on January 05, 2024, 02:32:33 PM
Try to add a SNAT Rule on the dedicated to be inside the 10.90.0.0/24, if this net is included in the wireguard tunnel, it should work. Because now it seems that the public client ip from the request goes into the tunnel. You have to translate the request into something "private" which is included in the tunnel.

Oh thank you, it's working now!

I have added an outbound rule like this to only "translate" requests coming from WAN:

Interface: WGS2S
Source address: ! 10.90.0.0/24, 10.101.0.0/24 (Another VPN tunnel for clients)
Destination: 10.23.0.36/32
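The port forward plus the outbound NAT that resolved the thread, written out as an equivalent pf.conf fragment for the dedicated-server firewall. This is an added illustration, not the poster's actual OPNsense configuration; the interface names, the table name and the 203.0.113.10 placeholder for the second public IP are assumptions.

```pf
# Interfaces on the dedicated-server firewall (names are assumptions)
wan = "vtnet0"
wg  = "wg0"                # the site-to-site WireGuard interface ("WGS2S" in the thread)

vip     = "203.0.113.10"   # placeholder for the second public IP (Virtual IP), 178.xx.251.xx in the thread
haproxy = "10.23.0.36"     # HAProxy in the homelab, reachable only through the tunnel

# Sources the far side already routes back into the tunnel; a table is used because
# pf expands a negated { list } into several rules with the wrong (OR) semantics.
table <tunnel_nets> { 10.90.0.0/24, 10.101.0.0/24 }

# Port forward (DNAT) on WAN. On its own this reproduces the timeout in the thread:
# HAProxy sees the client's public source address and replies via the homelab's own
# default route instead of back through WireGuard (asymmetric routing).
rdr on $wan inet proto tcp from any to $vip port { 80, 443 } -> $haproxy

# Fix: source-NAT (outbound NAT) the forwarded traffic on the tunnel interface so that
# HAProxy replies to a 10.90.0.0/24 address, which the homelab routes into the tunnel.
# Sources the tunnel already handles are excluded so their real address is preserved.
nat on $wg inet from ! <tunnel_nets> to $haproxy -> ($wg)

# Filter rules see the translated destination, so they pass traffic to the HAProxy address
pass in  on $wan inet proto tcp from any to $haproxy port { 80, 443 } keep state
pass out on $wg  inet proto tcp from any to $haproxy port { 80, 443 } keep state
```

The trade-off of the SNAT is that HAProxy no longer sees the real client address, so client IPs must be recovered from the firewall's state table or logs on the dedicated server rather than from HAProxy.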