General Discussion / Wireguard Split Tunnel between two Wireguard VPN Servers.
« on: April 02, 2020, 06:38:13 am »
Hi there!
I first want to express my deepest gratitude to this community and the OPNsense project. With the help of the documentation, community and colleagues in IT, I have been able to move from a Linksys Velop router to a completely virtualized network environment with two OPNSense Firewalls, one being an Edge Firewall, and the second an Internal Firewall, with the potential for a DMZ between the two. Don't have plans there but wanted the option. So my thanks goes out to all of you for your contributions to the community that helped me put this together. My understanding of Networking has increased exponentially because of all the resources out there, including here.
Anyway, so here is my endeavor.
On my internal firewall, I have two Wireguard Servers. My first one is a server to connect to my internal network, a 10.9.0.1/24 network (server IP is 10.9.0.1). My second one is a server to connect to an external VPN provider, in this case Mullvad, where I tunnel all of my network traffic through it (technically two of my networks, not my IoT network due to streaming concerns). It has an IP of 10.70.75.225.
Before I spun up the second server, I had no problems connecting to my internal network. But now, when the second server is up (Mullvad VPN), I cannot connect to my internal network with my first wireguard server. My troubleshooting shows that the wireguard packets reach the server, and leave it as well. Initially, my thoughts were that the wireguard packets left through the VPN, and didn't reach back to my mobile device, and did not establish the connection.
With that thought, I set up an Outbound NAT rule. This rule translated my second wireguard server IP to my WAN Address (in this case, it's an RFC1918 IP, 192.168.1.200). This then leaves via the Edge Firewall back to its origin (my mobile device). However, in doing that, I still do not establish a wireguard connection. It looks like the rule fails when I set my target port to the same port it came in on (55820), but when I leave it to any target port, the rule is executed, but it still fails the wireguard connection.
But, when I shut off the second wireguard server, the first one works again successfully.
Here are some sample firewall logs of what happens in different scenarios.
Scenario 1: First Wireguard Server is running, Second one is not.
Interface: WAN | <- | Source: 192.168.1.200:55820 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP
This is what I have been trying to reproduce, while the second server is up, to see if I can establish a successful connection.
Scenario 2: First Wireguard Server is running, Second one is also running, No Outbound NAT.
Interface: wg1 | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP
Scenario 3: First Wireguard Server is running, Second one is also running, Outbound NAT with target port any
Interface: wg1 | <- | Source: 192.168.1.200:15728 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP
Scenario 4: First Wireguard Server is running, Second one is also running, Outbound NAT with target port 55820
Interface: wg1 | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP
At the end of the day, what I am trying to accomplish is have both VPNs working. I want the first wireguard server to connect me to my internal network, and the second wireguard server to route all my internet bound traffic out through it.
I hope I have provided enough information, and that I didn't confuse anyone. I am not a network pro either, so if I messed up any terminology, I apologize.
Thanks in advance, I appreciate any help I get.
- Orest
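The four log excerpts above contain the whole diagnosis: in every scenario where the Mullvad tunnel is up, the handshake *request* arrives on WAN but the *reply* leaves on wg1. The script below is an added example, not part of the original post and not OPNsense code; it parses those same log lines and flags a reply that egresses on a different interface than the request arrived on, is sourced from the tunnel address, or has had its source port rewritten. It assumes OPNsense's live-log arrow convention (`->` = arriving on the interface, `<-` = leaving it), the listen port 55820 and the local addresses quoted in the post; the scenario keys and the problem labels (`egress-interface`, `reply-source`, `source-port`) are invented for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed copies of the four scenario excerpts quoted in the post.
SCENARIOS: Dict[str, List[str]] = {
    "scenario1": [  # second server down: works
        "Interface: WAN | <- | Source: 192.168.1.200:55820 | Destination: 174.200.0.20:10350 | UDP",
        "Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP",
    ],
    "scenario2": [  # both up, no outbound NAT
        "Interface: wg1 | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP",
        "Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP",
    ],
    "scenario3": [  # both up, outbound NAT with target port any
        "Interface: wg1 | <- | Source: 192.168.1.200:15728 | Destination: 174.200.0.20:10350 | UDP",
        "Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP",
    ],
    "scenario4": [  # both up, outbound NAT with target port 55820
        "Interface: wg1 | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP",
        "Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP",
    ],
}

# Matches the "Interface | dir | Source | Destination | proto" layout of the posted lines.
LINE_RE = re.compile(
    r"Interface:\s*(?P<iface>\S+)\s*\|\s*(?P<dir><-|->)\s*\|"
    r"\s*Source:\s*(?P<src>[\d.]+):(?P<sport>\d+)\s*\|"
    r"\s*Destination:\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*\|\s*(?P<proto>\w+)"
)


@dataclass(frozen=True)
class Packet:
    iface: str
    inbound: bool  # assumption: "->" means the packet arrived on iface, "<-" that it left
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Packet:
    """Turn one live-log line into a Packet; raise on anything unrecognised."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Packet(m["iface"], m["dir"] == "->", m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["proto"])


def diagnose(lines: List[str], listen_port: int = 55820,
             local_addrs=("192.168.1.200", "10.9.0.1")) -> List[str]:
    """Pair each inbound handshake with its reply and list what is wrong with the reply.

    An empty list means the reply went back the way the request came in,
    from a local address, with the listen port as source: the working case.
    """
    pkts = [parse_line(line) for line in lines]
    requests = [p for p in pkts if p.inbound and p.proto == "UDP" and p.dport == listen_port]
    if not requests:
        return ["no-inbound-handshake"]

    problems: List[str] = []
    for req in requests:
        replies = [p for p in pkts if not p.inbound and p.dst == req.src and p.dport == req.sport]
        if not replies:
            problems.append("no-reply")
            continue
        for rep in replies:
            if rep.iface != req.iface:  # reply policy-routed into another tunnel
                problems.append(f"egress-interface:{rep.iface}")
            if rep.src not in local_addrs:  # sourced from the provider tunnel address
                problems.append(f"reply-source:{rep.src}")
            if rep.sport != listen_port:  # outbound NAT rewrote the source port
                problems.append(f"source-port:{rep.sport}")
    return problems


def verdict(lines: List[str]) -> str:
    problems = diagnose(lines)
    return "OK" if not problems else "BROKEN: " + ", ".join(problems)


if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        print(f"{name}: {verdict(scenario)}")
```

Running it prints `OK` for scenario 1 and `egress-interface:wg1` for every scenario where the second server is up: the outbound NAT changes the source address or port of the reply but never the interface it leaves on, so the reply still goes into the Mullvad tunnel instead of back out WAN toward the client. That is the symptom to fix; the NAT rule is treating a routing problem as an address problem.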