VPN Port Forwarding Problem

Started by Scanline, September 30, 2020, 07:45:59 PM

Hello,

A PC (192.168.20.101) connected via ethernet cable in VLAN20 (physical opnsense interface: "igb1") is routed (policy based) via wireguard VPN (mullvad, wg0). I set up port forwarding for port 11526 and start ncat -k -l -p 11526 on the PC. From my VPS (xxx.de) I try to connect via ncat -p 23023 185.209.196.159 11526, but I am getting "Connection timed out." I am using tcpdump on opnsense: tcpdump -i igb1 | grep ".23023", output:

19:28:57.774733 IP xxx.de.23023 > 192.168.20.101.11526: Flags [S], seq 1802740233, win 64240, options [mss 1380,sackOK,TS val 79282081 ecr 0,nop,wscale 7], length 0
19:28:57.775498 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133438719 ecr 79282081,nop,wscale 7], length 0
19:28:58.776502 IP xxx.de.23023 > 192.168.20.101.11526: Flags [S], seq 1802740233, win 64240, options [mss 1380,sackOK,TS val 79283084 ecr 0,nop,wscale 7], length 0
19:28:58.777248 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133439721 ecr 79282081,nop,wscale 7], length 0
19:28:59.779374 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133440723 ecr 79282081,nop,wscale 7], length 0
19:29:00.792129 IP xxx.de.23023 > 192.168.20.101.11526: Flags [S], seq 1802740233, win 64240, options [mss 1380,sackOK,TS val 79285100 ecr 0,nop,wscale 7], length 0
19:29:00.792870 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133441737 ecr 79282081,nop,wscale 7], length 0
19:29:02.979382 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133443923 ecr 79282081,nop,wscale 7], length 0
19:29:04.888799 IP xxx.de.23023 > 192.168.20.101.11526: Flags [S], seq 1802740233, win 64240, options [mss 1380,sackOK,TS val 79289196 ecr 0,nop,wscale 7], length 0
19:29:04.888967 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133445833 ecr 79282081,nop,wscale 7], length 0
19:29:08.952726 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133449897 ecr 79282081,nop,wscale 7], length 00

I do the same thing on wg0:

19:34:19.395412 IP xxx.de.23023 > 10.65.68.45.11526: Flags [S], seq 2533116111, win 64240, options [mss 1380,sackOK,TS val 79603694 ecr 0,nop,wscale 7], length 0
19:34:20.408152 IP xxx.de.23023 > 10.65.68.45.11526: Flags [S], seq 2533116111, win 64240, options [mss 1380,sackOK,TS val 79604707 ecr 0,nop,wscale 7], length 0
19:34:22.424482 IP xxx.de.23023 > 10.65.68.45.11526: Flags [S], seq 2533116111, win 64240, options [mss 1380,sackOK,TS val 79606723 ecr 0,nop,wscale 7], length 0
19:34:26.682679 IP xxx.de.23023 > 10.65.68.45.11526: Flags [S], seq 2533116111, win 64240, options [mss 1380,sackOK,TS val 79610980 ecr 0,nop,wscale 7], length 0
My limited knowledge tells me that something must be wrong in my configuration. The packet gets to my PC, the PC sends a SYN ACK but the router eats it.

Here are some relevant screenshots of my settings:

https://i.imgur.com/x9hBagG.png
https://i.imgur.com/dJs9l38.png
https://i.imgur.com/Ylx9J3L.png

Any help is much appreciated!
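The pattern in the two captures (SYN arrives on wg0, the PC's SYN-ACK shows up on igb1 but never goes back out on wg0) can be checked mechanically rather than by eye. The following is an added example, not code from the post or from OPNsense: it parses tcpdump TCP lines and classifies where the handshake to a forwarded port breaks by comparing the LAN-side and VPN-side captures. The sample lines are trimmed copies of the post's own output; the category names are my own labels.

```python
import re
from collections import defaultdict

# Matches the head of a tcpdump TCP line: timestamp, src host.port > dst host.port, flags.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
                     r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def parse_line(line):
    """Parse one tcpdump line; return None for non-TCP or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def handshake_view(lines):
    """Count SYNs and SYN-ACKs per flow, keyed as (client, cport, server, sport)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for pkt in filter(None, map(parse_line, lines)):
        if pkt["flags"] == "S":       # SYN travels client -> server
            flows[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]["syn"] += 1
        elif pkt["flags"] == "S.":    # SYN-ACK travels server -> client; key by client side
            flows[(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])]["synack"] += 1
    return flows

def diagnose(lan_lines, vpn_lines, server_port):
    """Say where the handshake to server_port breaks, comparing LAN and VPN captures."""
    def seen(lines, what):
        return any(v[what] for k, v in handshake_view(lines).items() if k[3] == server_port)
    lan_syn, lan_synack = seen(lan_lines, "syn"), seen(lan_lines, "synack")
    vpn_syn, vpn_synack = seen(vpn_lines, "syn"), seen(vpn_lines, "synack")
    if vpn_syn and not lan_syn:
        return "forward_not_applied"    # SYN arrived on the VPN but never reached the LAN
    if lan_syn and not lan_synack:
        return "host_not_answering"     # the LAN host never sent a SYN-ACK
    if lan_synack and not vpn_synack:
        return "reply_lost_in_router"   # SYN-ACK left the host but was not sent back out the VPN
    return "handshake_ok" if vpn_synack else "no_traffic"

# Sample lines trimmed from the post's two captures (only the parsed head is kept).
IGB1 = [
    "19:28:57.774733 IP xxx.de.23023 > 192.168.20.101.11526: Flags [S], seq 1802740233, win 64240, length 0",
    "19:28:57.775498 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, length 0",
]
WG0 = [
    "19:34:19.395412 IP xxx.de.23023 > 10.65.68.45.11526: Flags [S], seq 2533116111, win 64240, length 0",
]
```

Running diagnose(IGB1, WG0, 11526) on the post's captures returns reply_lost_in_router, which is the case where the reply-to path for the forwarded state (rather than the forward itself or the host) should be examined.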