Virtual private networks / [SOLVED] Traffic from LAN going missing on the way back to the Wireguard peer
« on: July 08, 2023, 02:18:06 am »
Hey,
I'm trying to bypass CG-NAT with WireGuard. I have an external server that my server behind CG-NAT connects to via WireGuard. The goal is to route any connection my external server attempts to 10.0.0.0/24 through WireGuard to my CG-NATed LAN and route the response back.
My external server has the WireGuard-internal IP 10.11.0.2 and the WireGuard interface is allowed to use the whole 10.11.0.0/24 subnet. OPNsense has the IP 10.0.0.1 on the LAN and the LAN has the subnet 10.0.0.3/24.
This is kinda semi-working already: my external server can ping 10.0.0.1 (OPNsense) and get a response. If it pings any service on my LAN (e.g. 10.0.0.3), the connection times out. According to the OPNsense live view, the service (10.0.0.3) acknowledges the ping and sends back a response, though. Both connections get allowed. This response packet never arrives on my external server according to tcpdump and co.
My routes view shows me that there is an auto-generated rule for the WG subnet (10.11.0.0/24) that has "link#8" as the gateway. This kinda seems like a gateway problem, but I can't figure out where the problem lies.
I've been struggling with this for 3 weeks now. Any help is highly appreciated. Thank y'all in advance.
EDIT: I misread the logs; there were connections going into my LAN but none coming back to the firewall. The solution was to add a route to 10.11.0.0/24 (WireGuard) via 10.0.0.1 (OPNsense LAN IP) on the LAN clients and to disable their own firewall that was blocking those outgoing connections.
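The failure described in the post is asymmetric routing: OPNsense delivers the request onto the LAN directly, but the LAN client's own routing table decides where the reply goes. The following is an added example (not code from the post or from OPNsense) that simulates a LAN client's longest-prefix-match lookup with the post's addresses; the client's default gateway 10.0.0.254 is an assumed value standing in for whatever router the client used instead of OPNsense.

```python
import ipaddress

# Constructed routing table of the LAN client 10.0.0.3, modelled on the post:
# the default route points at a router other than OPNsense (10.0.0.254 is an
# assumed placeholder), and 10.0.0.0/24 is directly connected (gateway None).
LAN_CLIENT_ROUTES_BEFORE = [
    ("0.0.0.0/0", "10.0.0.254"),
    ("10.0.0.0/24", None),
]


def next_hop(routes, dst):
    """Longest-prefix match: gateway used to reach dst, or None if on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def with_return_route(routes, wg_subnet="10.11.0.0/24", opnsense="10.0.0.1"):
    """The fix from the post: add the WireGuard subnet via the OPNsense LAN IP."""
    return routes + [(wg_subnet, opnsense)]


def reply_path_ok(routes, wg_peer="10.11.0.2", opnsense="10.0.0.1"):
    """True if the reply to the WireGuard peer is handed back to OPNsense."""
    return next_hop(routes, wg_peer) == opnsense


if __name__ == "__main__":
    before = LAN_CLIENT_ROUTES_BEFORE
    after = with_return_route(before)
    # Before: the reply follows the default route and never reaches the tunnel.
    print("before the fix, reply goes to:", next_hop(before, "10.11.0.2"))
    # After: the /24 route wins over the default route and OPNsense gets the reply.
    print("after the fix, reply goes to: ", next_hop(after, "10.11.0.2"))
```

On a real Linux client the equivalent check is `ip route get 10.11.0.2`, which should report 10.0.0.1 as the next hop once the route is in place; the client firewall must also permit the outbound packet, as the post notes.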