Messages - dasjot2

#1
Hi there,

I have set up a wireguard server in a VM on my local network. I have a default WAN connection that is going to my router. I also have an OpenVPN connection to AirVPN. On AirVPN I forward a port into my network. I do this because with AirVPN I have a fixed IPv4 address, whereas my provider only provides IPv6.

Now the incoming packets come in on my WAN_AirVPN interface and are correctly forwarded (with a port forward rule) to my wireguard server. The server receives them and sends a response; I have verified this with tcpdump.

Now comes the interesting part: the response packets go out via the default WAN gateway, but they have the source address of the WAN_AirVPN address. It looks as if the OPNsense picks up the packets returned by the wireguard server as answers to the port forwarded packets, rewrites the sender address but then sends them out on the default gateway instead of the gateway where they came from.

Is there a way I can tell OPNsense to send these outgoing packets to the correct WAN_AirVPN gateway?
#2
Update: I managed to find the outgoing packets with tcpdump on the WAN interface:

23:05:10.309053 IP 192.168.178.22.37318 > xx.xx.xx.xx.15697: UDP, length 92

Source is the OPNsense WAN address (network to the DSL router), destination is the IP from where the initial packets came.

However, I do not see these packets in a tcpdump on my router. Also, I do not see these packets in the firewall log, even if my first rule on the WAN interface is to log and pass packets with source port 37318.

So, how can I find out where they went?
#3

I have a DSLite connection at home, so no publicly reachable IPv4 address. In order to be able to connect to my home network from the outside, I have set up an AirVPN network that can forward ports over the VPN into my home network and I want to reach a Wireguard server in my network.

Mobile Device -> AirVPN -> OpenVPN Client on OPNsense -> Wireguard Server

So far I have configured the AirVPN clients on OPNsense (using the tutorials on https://nguvu.org/ - wrong firewall, I know, but I have not found comparable information for OPNsense directly) and they are working as expected for outgoing traffic.

I have set up a Wireguard Server:
Enabled: (checked)
Name: Wireguard
Instance: 0
Public Key: <pubkeyserver>
Private Key: ...
Listen Port: 55555
Tunnel Address: 10.8.4.1/24
Peers: wg-roadwarrior
Disable Routes: (unchecked)


I have configured firewall aliases
WG_SERVER: 10.8.4.1
WG_PORT: 55555


The Wireguard Client (Endpoint):
Enabled: (checked)
Name: wg-roadwarrior
Public Key: <pubkeyendpoint>
Shared Secret: (empty)
Allowed IPs: 10.8.4.100/32
Endpoint Address: (empty)
Endpoint Port: 55555
Keepalive: (empty)


These match the settings on my mobile device.

To test the wireguard server locally, I have allowed UDP port 55555 from my internal WLAN to the Wireguard server. When my phone is in my WLAN and I set it up to connect directly to 10.8.4.1, it works fine, so I believe the Wireguard configuration itself is correct. Also, I have set up rules on the WireGuard interface to allow traffic to my other VLANs and the WAN, plus an outgoing NAT rule, and I can access everything from the mobile device.

However, when I disable WLAN and set the peer address on the phone to <airvpn1_ip>:55555, no handshake is completed. The incoming packets are NATed in OPNsense:

NAT:Port Forward
Interface: WAN_AirVPN1
Proto: UDP
Source: *:*
Destination: WAN_AirVPN1 address:WG_PORT
NAT IP: WG_SERVER
NAT Ports: WG_PORT


And I allow traffic to go from WAN_AirVPN1 to the Wireguard tunnel network:
Firewall:Rules:WAN_AirVPN1
Protocol: UDP
Source: *:*
Destination: WG_SERVER:WG_PORT
Gateway: *
Schedule: *
Description: OpenVPN: Allow incoming Wireguard


Now when I try to connect from the outside, I see that packets are coming in over the AirVPN connection:

root@OPNsense:~ # tcpdump -i ovpnc2 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpnc2, link-type NULL (BSD loopback), capture size 262144 bytes
00:44:34.929731 IP xx.xx.xx.xx.15697 > (AirVPN1 address).55555: UDP, length 148


And I see one (and only one) log message for the NATed packet:
Interface: WAN_AirVPN1
Source: xx.xx.xx.xx:15697
Destination: 10.8.4.1:55555
Proto: UDP
Label: OpenVPN: Allow incoming Wireguard


But the wireguard "List Configuration" shows only:
peer: <publickeyendpoint>
  endpoint: xx.xx.xx.xx:15697
  allowed ips: 10.8.4.100/32
  transfer: 87.59KiB received, 54.45 KiB sent


The 'transfer' numbers are increasing with each new handshake attempt from the client, but the handshake is never completed.

tcpdump shows no traffic at all on the wg0 interface.

So, for some reason it seems the answers from the Wireguard server are not going back to the client, and I have no idea why.

Any ideas?

Also, is there a way to debug the Wireguard server so I can see if and where it is sending data?
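As an added example (not code from the poster or from OPNsense), here is a small Python helper for the symptom described in posts #2 and #3: it parses tcpdump `-n` lines of the kind quoted above from captures on several interfaces and flags reply packets that leave on a different interface, or with a different source address or source port, than the request arrived with. The interface names, addresses and ports in the sample lines are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches tcpdump's default "-n" output for an IPv4 UDP packet.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def parse_line(iface: str, line: str) -> Optional[Dict]:
    """Parse one tcpdump line captured on `iface`; None if it is not a UDP line."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"iface": iface, "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "len": int(d["len"])}

def find_asymmetric_replies(captures: List[Tuple[str, str]], inbound_iface: str,
                            listen_port: int) -> List[Dict]:
    """For every request that arrived on inbound_iface for listen_port, look at every
    packet sent back to that remote address:port and report how the reply differs
    from what the remote peer expects (interface, source address, source port)."""
    pkts = [p for p in (parse_line(i, l) for i, l in captures) if p]
    findings = []
    for req in (p for p in pkts if p["iface"] == inbound_iface and p["dport"] == listen_port):
        remote = (req["src"], req["sport"])
        for rep in pkts:
            if rep is req or (rep["dst"], rep["dport"]) != remote:
                continue
            problems = []
            if rep["iface"] != inbound_iface:
                problems.append(f"reply left on {rep['iface']} instead of {inbound_iface}")
            if rep["src"] != req["dst"]:
                problems.append(f"reply source {rep['src']} != request destination {req['dst']}")
            if rep["sport"] != req["dport"]:
                problems.append(f"reply source port {rep['sport']} != listen port {req['dport']}")
            if problems:
                findings.append({"remote": f"{remote[0]}:{remote[1]}", "problems": problems})
    return findings

# Constructed samples: a request arriving over the VPN tunnel interface and the
# reply observed on the default WAN interface with a NATed source (the broken case),
# plus a healthy pair where the reply goes back out the same tunnel interface.
SAMPLE_BROKEN = [
    ("ovpnc2", "00:44:34.929731 IP 203.0.113.10.15697 > 198.51.100.5.55555: UDP, length 148"),
    ("vtnet0", "00:44:34.930201 IP 192.168.178.22.37318 > 203.0.113.10.15697: UDP, length 92"),
]
SAMPLE_OK = [
    ("ovpnc2", "00:44:34.929731 IP 203.0.113.10.15697 > 198.51.100.5.55555: UDP, length 148"),
    ("ovpnc2", "00:44:34.930201 IP 198.51.100.5.55555 > 203.0.113.10.15697: UDP, length 92"),
]
```

Feed it `(interface, line)` pairs from `tcpdump -n` on the tunnel interface and on the default WAN at the same time; an empty result means every reply went back the way the request came.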