[solved] rsync through wireguard and iptables

[Z0idberg]

Hi everyone,

I am not completely sure whether this topic belongs here, as it is probably not the fault of the wireguard.

I have the following issue:

I connected two local networks through wireguard. Network A has OPNSense and the "wg-server". Network B has a raspberry pi behind a router with the "wg-client" and iptables to route the traffic.

One key thing I want to do with this setup is to push backups through rsync in both directions.

The basics work well: traffic is routed (I think) correctly in both directions. I can reach the machines in both networks from both sides. But one thing just does not want to work...

Here the problem:

I can backup with rsync from Network B to network A - no problem. I also can use rsync to backup from Network A to the raspberry pi in network B.

But:

• I cannot use rsync to transfer the backup from network A to the synology box or any other pc in network B.
• It only transfers tiny files (like a few KB), but any larger file will not be transferred and rsync gets stuck and eventually times out.
• Also a NFS share can be mountet, but larger files cannot be transferred.
• This I tried with multiple machines on both networks - no luck, unless the target is the raspberry pi itself.

 
Thus, I suspect iptables to be the bad guy here.

Any suggestions to fix this would be really appreciated. Also I do not find any really helpful log messages that could indicate the problem. Therefore, hints to track down the issue would already be very helpful.

Thank you so much in advance!

Best,

Thorsten

[chemlud]

Raspi connected to WAN or LAN interface of OPNsense?

[Z0idberg]

The raspi is connected to a router (fritzbox) as LAN device. The raspi connects to the OPNSense through WAN.

The VPN connection itself works.

Just transfer of larger files in one direction does not work, like: linux machine -> opnsense (network a) -> wg tunnel through WAN -> router network b (fritzbox) -> raspi (wg client) -> other linux machine.

The same transfer in exactly the opposite direction works fine.

Maybe as a note: I did not do any fort forwarding in the network b. So far, I thought that is not needed.

[chemlud]

https://forum.opnsense.org/index.php?topic=15900.0

The packages leaving the OPNsense via WAN go directly to the gateway in WAN (not to any clients in the WANnet), unless you do some fine tuning...

[Z0idberg]

Indeed this sounds like this problem.

As transfer from the network b to network a (with opnsense as fw) works well, but the other way round does not work, where do I have to change things?

I disabled the reply-to rule in the opnsense as indicated in the link, but it does not work.

To my pretty limited knowledge that also should not work, because the issue that the answer is going a different route is on the side of network b (the one without opnsense). Does that sound right?

And if so, do you have any idea where to start to fix this? Is there something in iptables to change?

[chemlud]

It might be the exact wording of your allow rule(s) for packages entering from WAN. We had a case recently that had to use the "WANnet" as source (from drop down menu for "source") and "LANnet" as target together with the disabled "reply-to".

[Z0idberg]

Ah, you mean I should use a separate rule? I disabled "reply-to" completely in the firewall advanced settings. So, an additional rule is still needed?

Just for clarification: When you talk about WAN, you really mean WAN? Because the traffic should be routet through WG (wireguard net). And as far as I can tell, this works more or less fine probably with the execption of the "reply-to" topic.

Another clarification: You think this problem is on the OPNSense side? Because from the second network to the OPNSense network all traffic and connections are fine. Also the connection from the OPNSense network to the specific wg-client works perfectly fine. Only connections from the OPNSense network to a client that is routed through the wg-client (raspi) does not work.

To me (and my very limited kowledge) this sounds to me that something like the reply-to policy is not working properly on the raspi in the second network rather on the OPNSense?

Sorry for the thousand questions and clarifications. I am still far from being an expert in these topics

[Z0idberg]

I finally got it solved:

In the outbound NAT rule, I accidently had as source "any" instead of "WG net".

Now everything seems to work flawlessly.

That gave me such headakes...