AirVPN Port Forward to WireGuard?

[dasjot2]

I have a DSLite connection at home, so no public reachable IPv4 address. In order to be able to connect to my home network from the outside, I have setup an AirVPN network that can forward ports over the VPN into my home network and I want to reach a Wireguard server in my network.

Mobile Device -> AirVPN -> OpenVPN Client on OPNsense -> Wireguard Server

So far I have configured the AirVPN clients on OPNsense (using the tutorials on https://nguvu.org/ - wrong firewall, I know, but I have not found comparable information for OPNsense directly) and they are working as expected for outgoing traffic.

I have setup a Wireguard Server:

Code: [Select]

Enabled: (checked)
Name: Wireguard
Instance: 0
Public Key: <pubkeyserver>
Private Key: ...
Listen Port: 55555
Tunnel Address: 10.8.4.1/24
Peers: wg-roadwarrior
Disable Routes: (unchecked)
I have configured firewall aliases

Code: [Select]

WG_SERVER: 10.8.4.1
WG_PORT: 55555

The Wireguard Client (Endpoint):

Code: [Select]

Enabled: (checked)
Name: wg-roadwarrior
Public Key: <pubkeyendpoint>
Shared Secret: (empty)
Allowed IPs: 10.8.4.100/32
Endpoint Address: (empty)
Enpoint Port: 55555
Keepalive: (empty)
These match the settings on my mobile device.

To test the wireguard server locally, I have allowed UDP port 55555 from my internal WLAN to the Wireguard server. When my phone is in my WLAN and I set it up to connect directly to 10.8.4.1, it works fine, so I believe the Wireguard configuration itself is correct. Also, I have setup rules on the WireGuard interface to allow traffic to my other VLANs and the WAN, plus an outgoing NAT rule, and I can access everything from the mobile device.

However, when I disable WLAN and set the peer address on the phone to <airvpn1_ip>:55555, no handshake is completed. The incoming packets are NATed in OPNSense:

NAT:Port Forward

Code: [Select]

Interface: WAN_AirVPN1
Proto: UDP
Source: *:*
Destination: WAN_AirVPN1 address:WG_PORT
NAT IP: WG_SERVER
NAT Ports: WG_PORT
And I allow traffic to go from WAN_AirVPN1 to the Wireguard tunnel network:

Code: [Select]

Firewall:Rules:WAN_AirVPN1
Protocol: UDP
Source: *:*
Destination: WG_SERVER:WG_PORT
Gateway: *
Schedule: *
Description: OpenVPN: Allow incoming Wireguard
Now when I try to connect from the outside, I see that packets are coming in over the AirVPN connection:

Code: [Select]

root@OPNsense:~ # tcpdump -i ovpnc2 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpnc2, link-type NULL (BSD loopback), capture size 262144 bytes
00:44:34.929731 IP xx.xx.xx.xx.15697 > (AirVPN1 address).55555: UDP, length 148

And I see one (and only one) log message for the NATed package:

Code: [Select]

Interface: WAN_AirVPN1
Source: xx.xx.xx.xx:15697
Destination: 10.8.4.1:55555
Proto: UDP
Label: OpenVPN: Allow incoming Wireguard
But the wireguard "List Configuration" shows only:

Code: [Select]

peer: <publickeyendpoint>
  endpoint: xx.xx.xx.xx:15697
  allowed ips: 10.8.4.100/32
  transfer: 87.59KiB received, 54.45 KiB sent
The 'transfer' numbers are increasing with each new handshake attempt from the client, but the handshake is never completed.

tcpdump shows no traffic at all on the wg0 interface.

So, for some reason it seems the answers from the Wireguard server are not going back to the client, and I have no idea why.

Any ideas?

Also, is there a way to debug the Wireguard server so I can see if and where it is sending data?

[dasjot2]

Update: I managed to find the outgoing packets with tcpdump on the WAN interface:

Code: [Select]

23:05:10.309053 IP 192.168.178.22.37318 > xx.xx.xx.xx.15697: UDP, length 92
Source is the OPNsense WAN address (network to the DSL router), destination is the IP from where the initial packets came.

However I do not see these packets in a tcpdump on my router. Also I do not see these packets in the firewall log, even if my first rule on the WAN interface is to log and pass packets with source port 37318.

So, how can I find out where they went?