Messages - felixote

#1
Thank you so much for your quick response, that was exactly the solution we needed!
Really appreciate your help and clear explanation!
#2
Hi all,

@Moderator: Apologies if this is not the right sub-forum, I did my best to make a logical choice. Please move this topic if incorrect.

In our environment, we use Wazuh as our SIEM solution. All systems have the Wazuh agent installed and are successfully communicating with Wazuh. This includes our OPNsense DEC2687 firewall, which also runs the Wazuh agent plug-in and reports correctly.

At a secondary site, we are using an OPNsense DEC677 firewall. Both locations are connected with IPsec tunnels. However, when installing and configuring the Wazuh agent plug-in on the DEC677, we encounter some issues. The agent cannot reach the Wazuh server, because it routes through the WAN interface instead of routing through the IPsec tunnel. Any other device on this network does route through IPsec and can reach the Wazuh server.

The Wazuh documentation does not provide clear guidance on how to force the agent to use a specific interface/address, such as the IPsec tunnel, or how to set a specific source IP for outgoing traffic. From what I could gather, the agent uses the system's default routing table, which in this case defaults to the WAN interface.

My question:
What is the best way to configure the Wazuh agent on the DEC677 to ensure it communicates with the Wazuh server over the IPsec tunnel?

Any suggestions or best practices would be highly appreciated.
Thanks in advance!