Messages - steven90

#1
Quote from: bartjsmit on September 02, 2024, 06:38:14 PM
Sounds like a case for 1:1 NAT but I'm not sure how that works with a VPN.
I figured it out!
I had to go back to the NAT > Port Forward section and set the "Filter rule association" to None for all the port forwards.
Then go to Firewall > Rules > VPN Interface and create a new rule with "Pass", direction "in", TCP/UDP, source "any", destination the internal IP and port of the target of the forward (in this case 10.150.x.x port 80), and, most importantly, go to Advanced and set the reply-to to the VPN gateway and the state type to "keep state".
Now everything is working perfectly. Not as straightforward as I thought, but it works :)

Why isn't the default reply-to gateway just the one of the interface the port forward is created for? Or there should at least be an option to set the reply-to when creating the port forward.
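To make the fix in the post above concrete, here is a pf.conf-style sketch of the two rule variants as added illustration; it is not taken from the post or from OPNsense's generated ruleset. The interface name, the VPS-side tunnel address and the tunnel-side forwarded port are assumptions, and the web server address is redacted in the post, so a placeholder macro stands in for it.

```pf
# Added illustration, not from the post. Assumed values are marked.
wg_if    = "wg0"          # assumed: the OPNsense WireGuard/VPN WAN interface
wg_gw    = "172.25.0.1"   # assumed: VPS end of the tunnel (172.25.0.2 is the OPNsense end per the post)
web_srv  = "10.150.0.10"  # hypothetical; the post shows the host only as 10.150.x.x
fwd_port = "20000"        # assumed: the port the VPS forwards into the tunnel

# The port forward: traffic arriving on the tunnel is rewritten to the web server.
rdr on $wg_if inet proto tcp from any to ($wg_if) port $fwd_port -> $web_srv port 80

# Variant 1: the plain "associated" pass rule. The forwarded packet is allowed,
# but the reply follows the routing table, i.e. the default gateway on the
# physical WAN, which is the asymmetry the post describes.
pass in on $wg_if inet proto tcp from any to $web_srv port 80 keep state

# Variant 2: the fix from the post. reply-to pins the return packets of this
# state to the interface and gateway the original packet came in on, so the
# reply leaves via the tunnel again.
pass in on $wg_if reply-to ($wg_if $wg_gw) inet proto tcp from any to $web_srv port 80 keep state
```

After the GUI rule is saved, `pfctl -sr` on the OPNsense shell lists the loaded rules, so the `reply-to` clause can be confirmed there; a packet capture on the physical WAN during a test connection should then no longer show the web server's replies.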
#2
TLDR: Return traffic of a port forward goes through the wrong gateway (the default gateway / WAN) instead of the VPN WAN interface where the original traffic came from.
I stumbled across a short mention of the reply-to option in the docs, but I'm not sure how to implement it or if it is the correct thing to fix this issue.

I have been troubleshooting this for hours but can't fully figure it out.
Following setup:
I have an OPNsense with two WAN interfaces / gateways, the physical one called WAN and a WireGuard / VPN one (going to a WireGuard running on a VPS). The WireGuard VPS has iptables rules that forward incoming traffic on certain ports over the WireGuard tunnel to the OPNsense. I also set the gateway of some VLANs (VLAN 2002 in this example) to the VPN so outbound traffic goes over it.
All that works: if I make an outbound connection like tracepath 9.9.9.9 from the LAN it goes over the VPN, and I can also see all the incoming traffic from the WireGuard VPS on the VPN interface of the OPNsense.
Now I tried making a simple port forward from the VPN WAN interface to a local web server.
The traffic arrives correctly and the web server replies; it goes back to the OPNsense where the correct NAT for the WireGuard WAN (172.25.0.2) gets applied, but then the traffic suddenly pops up at the physical WAN interface / gateway instead of the WireGuard interface.
The web server runs on 10.150.x.x port 80, the public IP of the client that tried to access the web server in the screenshots is 62.17.x.x, and 172.25.0.2 is the OPNsense address on the WireGuard tunnel.
I have found some documentation regarding the reply-to option in firewall rules https://docs.opnsense.org/manual/how-tos/nat_reflection.html#method-1-creating-manual-port-forward-nat-dnat-manual-outbound-nat-snat-and-automatic-firewall-rules
but I am not really sure how to implement this / what specific rule I need to create.
The first screenshot shows the firewall rules of the LAN. The other ones are packet captures at the different interfaces during a curl of the public IP of the WireGuard VPS on port 20000 by an outside device.
(Will add screenshots of NAT, WAN and port forward rules below since max 4 attachments.)
Thanks for any help :)
#3
Thanks,
can you elaborate a little bit? Is there any particular reason for it, or is it just not implemented?
I kind of have to get this working somehow, even if it is not a clean solution :/

Shouldn't it be possible to edit the routing table to always use a particular interface / gateway for connections to the VPN server's public IP?
#4
Pretty much the title: how can I specify a particular gateway that the OPNsense should use for connections from itself (like upstream DNS requests or VPN connections)?

An example would be a setup with two physical WAN connections / gateways and a WireGuard tunnel configured on the OPNsense itself. Where could I set the physical WAN / ISP connection that should be used to establish the tunnel to the VPN server?

I know that for LAN networks you can just create a firewall rule and then specify the gateway, but I couldn't find an interface / place to set firewall rules for traffic originating from the OPNsense itself. And setting the rule on the WAN interface doesn't really help either, because this rule would have to be applied before the traffic hits the physical WAN interface.

Thanks for any suggestions :)
#5
I have been trying to figure this one out for ages.
How can I choose which gateway / gateway group is used for a VPN connection itself (WireGuard) running on the OPNsense?

For example, if I have two physical gateways (let's say DSL and 5G) and two WireGuard tunnels running on the OPNsense (vpn1 and vpn2), how can I force vpn1 to use the 5G gateway / upstream for its connection, and how can I force vpn2 onto the DSL?

Thanks