I run a WireGuard VPN server via the OPNsense plugin. It works fine when listening on the main WAN IP (XXX.XXX.1.106). Recently I tried to move WireGuard over to one of my VIPs (XXX.XXX.130.203) so that it uses that public IP. After making this change, clients can no longer complete a handshake.
Current setup:
• VIP XXX.XXX.130.203 is added on WAN.
• Outbound NAT forces the WG tunnel network (10.50.50.0/24) to egress via XXX.XXX.130.203.
• Client endpoint updated to XXX.XXX.130.203:51820.
• Screenshots attached of firewall rules.
Example of client config:
Name: linehaulVPN
Addresses: 10.50.50.6/32
DNS servers: 192.168.128.4
Peer:
  Allowed IPs: 0.0.0.0/0, ::/0
  Endpoint: XXX.XXX.130.203:51820
  Persistent keepalive: every 25 seconds
Questions:
1. Do I need to enable service binding on the VIP for WireGuard to listen properly?
2. Do I need NAT: One-to-One in this case, or is that only for forwarding a public IP to an internal host?
Any guidance or examples would be appreciated.
If you see anything in my configuration that needs to be adjusted, please shout it out.
Shameless bump. Really could use some help on this.
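Added example (not from the original post and not an OPNsense or WireGuard tool): a small Python check that reads `sockstat -4l`-style output from the firewall and reports whether the address:port in a client's Endpoint is actually covered by a UDP listener, which is the first thing to verify before touching service binding or NAT. The sockstat lines and the 203.0.113.x addresses are constructed placeholders standing in for the XXX.XXX values above; the column layout is assumed to match `sockstat -4l` on FreeBSD.

```python
# Constructed sample of `sockstat -4l` output (FreeBSD/OPNsense column layout).
# Addresses are documentation placeholders, not real hosts.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22                  *:*
?        ?          ?     ?  udp4   203.0.113.106:51820   *:*
root     unbound    2345  6  udp4   192.168.128.4:53      *:*
"""

# Same layout, but the WireGuard socket bound to every address (wildcard).
SOCKSTAT_WILDCARD = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
?        ?          ?     ?  udp4   *:51820               *:*
"""


def parse_listeners(text):
    """Return (proto, bind_host, port) tuples, skipping the header line."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[4], fields[5]
        host, _, port = local.rpartition(':')
        listeners.append((proto, host, int(port)))
    return listeners


def diagnose(sockstat_text, endpoint):
    """Classify a client Endpoint ('host:port') against the firewall's listeners.

    'served'          -> a UDP socket on that port is bound to * or to that host
    'bound-elsewhere' -> the port is open, but only on a different address
    'no-listener'     -> nothing listens on that UDP port at all
    """
    host, _, port = endpoint.rpartition(':')
    port = int(port)
    udp_hosts = [h for p, h, pt in parse_listeners(sockstat_text)
                 if p.startswith('udp') and pt == port]
    if not udp_hosts:
        return 'no-listener'
    if '*' in udp_hosts or host in udp_hosts:
        return 'served'
    return 'bound-elsewhere'


if __name__ == '__main__':
    # Mirrors the post: the main WAN IP works, the VIP does not.
    print(diagnose(SOCKSTAT_SAMPLE, '203.0.113.106:51820'))   # served
    print(diagnose(SOCKSTAT_SAMPLE, '203.0.113.203:51820'))   # bound-elsewhere
```

On the firewall, replace the constructed text with the live output of `sockstat -4l` and the VIP endpoint from the client config.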