Hi,
I am setting up a remote replication of my main TrueNAS backup server (site A) to an offsite TrueNAS backup server (site B). For this I need an SSH connection from LAN A to LAN B, which I plan to tunnel through a WireGuard VPN between two OPNsense firewalls (each of which is behind a 3rd-party router with a dynamic WAN IP and port forwarding).
Now, I trust site B enough to have a server running there, but I don't have control over the location. So I definitely want to prevent access from LAN B into my main network LAN A, i.e. make the VPN connection "one-sided".
My plan is to set up a WireGuard Site-to-Site tunnel according to this tutorial (https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html). But then make it one-sided by:
a) not allowing connections from LAN B to LAN A on the WireGuard (Group) interface of firewall A
b) not allowing connections from LAN B to LAN A on the LAN B interface of firewall B
(Basically just skipping sub-steps 2 and 3 of Step 5 in the above tutorial)
It is my understanding that this would allow WireGuard to set up a tunnel between the locations but prevent anybody on LAN B from accessing LAN A. But I am really not a networking expert... Is my assumption correct here? And/or is there a better/more elegant solution I should pursue instead?
Thank you!
Blocking on your side for incoming packets will suffice (the other side's firewall could be manipulated and is thus not trustworthy) - but yes, I do it just like that.
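To make the "block on your own side, and nothing else is needed" point concrete, here is an added example of what the resulting pf rule set on firewall A looks like. It is not taken from either post or from the OPNsense how-to; the interface names, subnets and tunnel addresses are assumptions chosen to mirror the how-to's layout. On OPNsense you would create these rules in the GUI (Firewall > Rules, on the WireGuard group interface and on LAN), because OPNsense regenerates pf.conf itself; the fragment shows the pf that such rules amount to and why no inbound pass rule on the tunnel interface is required for the replication to work.

```pf
# Firewall A (site A, the side that must stay closed). Added example, not from
# the thread. Interface names, subnets and tunnel IPs are assumptions.
lan_a_if  = "igb1"            # LAN A interface on firewall A (assumed)
wg_if     = "wg1"             # WireGuard instance interface on firewall A (assumed)
lan_a_net = "192.168.10.0/24" # LAN A (assumed)
lan_b_net = "192.168.20.0/24" # LAN B (assumed)
wg_a_addr = "10.10.10.1"      # firewall A tunnel address (assumed)
wg_b_addr = "10.10.10.2"      # firewall B tunnel address (assumed)

# Default deny: anything not explicitly passed is dropped. OPNsense applies this
# implicitly on every interface; it is written out here so the one-sidedness is
# visible in one place.
block in log all

# OPNsense allows outbound traffic from the firewall by default; stated here so
# the fragment is complete on its own.
pass out quick all keep state

# LAN A may start SSH connections into site B. "keep state" is the crucial part:
# the replies from the TrueNAS on LAN B match this state entry and are let back
# in through wg_if, so no inbound pass rule on the tunnel is needed at all.
pass in quick on $lan_a_if inet proto tcp from $lan_a_net to $lan_b_net port 22 keep state

# Deliberately NO rule of the form
#   pass in on $wg_if from $lan_b_net to $lan_a_net
# This is what the question describes as skipping sub-steps 2 and 3 of Step 5:
# a packet arriving from the tunnel that does not belong to a state created by
# LAN A hits the default block. Site B cannot change this, because the rule set
# lives on firewall A.

# Optional: let firewall B's tunnel address ping firewall A's tunnel address so
# the tunnel itself can be checked from site B, without opening LAN A.
pass in quick on $wg_if inet proto icmp from $wg_b_addr to $wg_a_addr icmp-type echoreq keep state

# Step b) from the question, the matching rule on firewall B, would be
#   block out quick on $wg_if from $lan_b_net to $lan_a_net
# It is defence in depth, but as the reply says it must not be relied upon,
# since firewall B is not under your control.
```

Two caveats follow from this. First, the WireGuard AllowedIPs setting (LAN B and firewall B's tunnel address on A's peer entry; LAN A and firewall A's tunnel address on B's peer entry) is cryptokey routing: it decides which addresses are routed into and accepted out of the tunnel, but it does not stop a host on LAN B from sending packets towards LAN A, so it is no substitute for the block rule on A. Second, the replication task must be the push variety, initiated from site A, since A is the side that opens the SSH connection; a pull task run from site B would need exactly the LAN B to LAN A access this setup denies.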