Topics - techsolo12

Pages: [1]
1
Virtual private networks / Wireguard S2S with port forward to reverse proxy
« on: November 11, 2023, 12:42:55 am »
Hello everyone,

I hope I can find help for my problem here. I have been working on setting up a VPN tunnel from a VPS to my homelab for a few days.
The tunnel itself is not the problem. The tunnel is up and running; I can also reach all participants via ping, and an "nmap" on ports 80 and 443 from the VPS towards the reverse proxy is also successful.
In my opinion, there is no response from the reverse proxy.

If any of you can find the time to look at the problem, I would be very grateful!
If you have any questions or need information, please let me know.

First a few details.
The VPS serves as a wireguard server (10.10.90.1). The Opnsense (10.10.90.2) connects to the VPS as a client.
Behind the Opnsense is a reverse proxy (10.10.20.4). All incoming requests on port 80 and 443 on the VPS should be forwarded to the reverse proxy.

Enclosed is the Wireguard config:
Code:
[Interface]
PrivateKey = ----
ListenPort = 1195
Address = 10.10.90.1/28

PostUp = iptables -A FORWARD -i ens6 -o wg0 -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o ens6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A PREROUTING -i ens6 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.20.4
PostUp = iptables -t nat -A POSTROUTING -o wg0 -p tcp -m multiport --dports 80,443 -d 10.10.20.4 -j SNAT --to-source 10.10.90.1

PostDown = iptables -D FORWARD -i ens6 -o wg0 -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o ens6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i ens6 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.20.4
PostDown = iptables -t nat -D POSTROUTING -o wg0 -p tcp -m multiport --dports 80,443 -d 10.10.20.4 -j SNAT --to-source 10.10.90.1

[Peer]
PublicKey = ----
PresharedKey = ----
AllowedIPs = 10.10.90.2/32, 10.10.20.4/32
PersistentKeepalive = 25

The following settings have been made on the Opnsense:
VPN -> Wireguard -> Instances:
Code:
Tunnel addresse = 10.10.90.2/28
Peers = proxy-vpn
Disable Routes = yes
Gateway = 10.10.90.1

VPN -> Wireguard -> Peers:
Code:
Name = proxy-vpn
Allowed IPs = 10.10.90.1/32
Endpoint Address = IP address of the VPS
Endpoint Port = 1195

Firewall -> Rules -> Wireguard_proxyvpn:
Code:
IPv4 TCP, S: 10.10.90.1, P: *, D: 10.10.20.4, P: 80
IPv4 TCP, S: 10.10.90.1, P: *, D: 10.10.20.4, P: 443
IPv4 ICMP, S: 10.10.90.1, P: *, D: 10.10.20.4, P: *
IPv4 TCP/UDP, S: Wireguard_proxyvpn net, P: *, D: Wireguard_proxyvpn net, P: 80

Firewall -> Rules -> DMZ (Reverse Proxy Network)
Code:
IPv4 ICMP, S: 10.10.20.4, P: *, D: Wireguard_proxyvpn net, P: *

System -> Gateways -> Single:
Code:
N: Wireguard_proxyvpn, I: Wireguard_proxyvpn, G:10.10.90.1, MIP: 10.10.90.1

This option is also activated on the VPS.
Code:
net.ipv4.ip_forward=1
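The following is an added worked example, not code from the poster or from the OPNsense project. It models the port-forward path described in the post hop by hop: the DNAT and SNAT rules on the VPS, WireGuard's cryptokey routing (a peer only sends packets whose destination is in its AllowedIPs and only accepts packets whose source is in them), the OPNsense firewall rules on the tunnel interface, and the conntrack reversal of the reply. The tunnel, proxy and port values are taken from the post; the client address 198.51.100.7 and the VPS public address 203.0.113.10 are constructed placeholders. Running `trace()` with `snat=False` shows why the SNAT rule matters: without it the request arrives at OPNsense with the client's public source address, which is not in the peer's AllowedIPs, so the cryptokey check drops it before any firewall rule is consulted.

```python
"""Hop-by-hop model of the post's port-forward path: Internet client -> VPS
(DNAT/SNAT, wg0) -> OPNsense (cryptokey routing, firewall) -> reverse proxy,
and the reply back. Constructed example; the client and VPS public addresses
are placeholders that do not appear in the post."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


VPS_PUBLIC = "203.0.113.10"   # placeholder for the VPS WAN address (assumption)
VPS_TUNNEL = "10.10.90.1"     # from the post
PROXY = "10.10.20.4"          # from the post
FORWARD_PORTS = {80, 443}     # from the post

# WireGuard cryptokey routing, taken from the two peer configs in the post.
VPS_PEER_ALLOWED = [ip_network("10.10.90.2/32"), ip_network("10.10.20.4/32")]
OPN_PEER_ALLOWED = [ip_network("10.10.90.1/32")]


def in_allowed(addr: str, nets) -> bool:
    return any(ip_address(addr) in n for n in nets)


class Conntrack:
    """Minimal NAT state table: post-NAT 4-tuple -> pre-NAT packet."""

    def __init__(self):
        self.entries = {}

    def record(self, original: Packet, translated: Packet) -> None:
        key = (translated.src, translated.sport, translated.dst, translated.dport)
        self.entries[key] = original

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Undo SNAT and DNAT for a reply that matches a recorded flow."""
        original = self.entries.get((reply.dst, reply.dport, reply.src, reply.sport))
        if original is None:
            return None
        return Packet(src=original.dst, dst=original.src,
                      sport=original.dport, dport=original.sport)


def vps_forward(pkt: Packet, ct: Conntrack, snat: bool) -> Optional[Packet]:
    """VPS: PREROUTING DNAT -> FORWARD -> route via wg0 -> POSTROUTING SNAT."""
    if pkt.dst != VPS_PUBLIC or pkt.dport not in FORWARD_PORTS:
        return None                                  # not a forwarded port
    out = replace(pkt, dst=PROXY)                    # DNAT --to-destination 10.10.20.4
    if not in_allowed(out.dst, VPS_PEER_ALLOWED):    # wg0 only carries AllowedIPs
        return None
    if snat:
        out = replace(out, src=VPS_TUNNEL)           # SNAT --to-source 10.10.90.1
    ct.record(pkt, out)
    return out


def opnsense_forward(pkt: Packet) -> Optional[Packet]:
    """OPNsense: cryptokey check on ingress, then the Wireguard_proxyvpn rules."""
    if not in_allowed(pkt.src, OPN_PEER_ALLOWED):    # dropped by WireGuard itself
        return None
    if pkt.src == VPS_TUNNEL and pkt.dst == PROXY and pkt.dport in FORWARD_PORTS:
        return pkt                                   # matches the TCP 80/443 pass rules
    return None


def opnsense_return(reply: Packet) -> Optional[Packet]:
    """The reply only enters the tunnel if its destination is in the peer's AllowedIPs."""
    return reply if in_allowed(reply.dst, OPN_PEER_ALLOWED) else None


def trace(client: str, dport: int, snat: bool = True) -> Optional[Packet]:
    """Return the reply as seen by the client, or None where the path breaks."""
    ct = Conntrack()
    request = Packet(src=client, dst=VPS_PUBLIC, sport=51000, dport=dport)
    tunnelled = vps_forward(request, ct, snat)
    if tunnelled is None:
        return None
    at_proxy = opnsense_forward(tunnelled)
    if at_proxy is None:
        return None
    reply = Packet(src=at_proxy.dst, dst=at_proxy.src,
                   sport=at_proxy.dport, dport=at_proxy.sport)
    back = opnsense_return(reply)
    if back is None:
        return None
    return ct.reverse(back)


if __name__ == "__main__":
    print("with SNAT:   ", trace("198.51.100.7", 443))
    print("without SNAT:", trace("198.51.100.7", 443, snat=False))
    print("port 22:     ", trace("198.51.100.7", 22))
```

The model deliberately stops at the hop where a real packet would be dropped, so extending it (for example, removing 10.10.20.4/32 from VPS_PEER_ALLOWED) shows which single setting breaks the path. It does not model the OPNsense reply routing beyond the AllowedIPs check, so a reply that the model accepts can still fail on the real system if a policy route or the default gateway sends it out of the WAN instead of the tunnel; that is the usual next thing to verify with a packet capture on the Wireguard_proxyvpn interface.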
