Help request: Wireguard full tunnel routing for external client

Started by Amanaki, March 07, 2022, 10:39:55 PM

I have a simple setup with single LAN only network 10.34.10.10/24 and a wireguard client configured for VPN access to external VPN provider. For DNS, I am using a template to forward all DNS requests to NextDNS anycast servers. All clients on LAN network are policy based routed to external VPN and are working as expected.

Today, I added a new external client device using Road Warrior and got a connection to OPNsense but cannot seem to route the client back out over my existing Wireguard VPN tunnel connection.

Have tried various different methods but the client only returns my WAN IP address instead of my VPN provider's address. Settings are as follows:

---------------------
Servers (OPNsense):

VPN: WireGuard > Local:

Interface: WG0
Listen: 51821
Tunnel address: 10.11.1.52/16
DNS: Blank
Peers: VPN_PROVIDER
Disable Routes: Checked
Gateway: 10.11.1.51
Monitor IP: VPN provider IP address

Interface: WG1
Listen: 51831
Tunnel address: 172.16.16.2/24
DNS: Blank
Peers: iPAD_CLIENT
Disable Routes: Unchecked
Gateway: Blank
Monitor IP: Blank

------------------------------------
Clients (OPNsense):

VPN: WireGuard > Endpoints:

Name: VPN_PROVIDER
Allowed IPs: 0.0.0.0/24
Endpoint Address: VPN provider address
Endpoint port: 51822

Name: iPAD_CLIENT
Allowed IPs: 172.16.16.20/32
Endpoint Address: Blank
Endpoint port: Blank

------------------------
External Remote Client (iPAD):

Addresses: 172.16.16.20/32
Listen port: 51831
DNS: Blank

Peer:

Allowed IPs: 0.0.0.0/0
Endpoint: a.b.c.d:51831

------------------------------------------
NAT and Rules (OPNsense):

Firewall: Rules: WAN

Interface: WAN
Direction: In
Proto: UDP
Source: any
Ports: any
Destination: WAN address   
Destination Port: 51831

Firewall: Rules: Wireguard (Group)

None

Firewall: Rules: WG0

None

Firewall: Rules: WG1

None

Firewall: Rules: LAN

Interface: LAN
Direction: In
Proto: TCP/UDP
Source: ALL_CLIENTS (Alias for all LAN clients)
Destination invert: Checked
Destination: PRIVATE_NETWORKS (Alias for RFC1918_Networks)
Ports: WAN_SERVICE_PORTS (Alias containing service ports)
Gateway: WG0 Gateway (to VPN provider)

Firewall: NAT: Outbound

Interface: WG0
Source: Local_Networks (Alias) 10.34.10.10/24
NAT Address: Interface Address

How can I properly route all traffic from my external client down existing VPN provider tunnel?

TIA.
Manaki
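Added example, not part of the original post or of OPNsense: WireGuard decides which peer receives an outgoing packet by longest-prefix match of the destination against every peer's AllowedIPs (the "cryptokey routing" table), so the AllowedIPs value on each side is the routing policy. The peer table below uses the two endpoint entries exactly as listed in the post and the road-warrior client's own peer entry; the destination addresses used in the lookups are constructed for illustration.

```python
"""Cryptokey-routing lookup in the style of WireGuard's AllowedIPs table.

Illustrative script (added here, not from the forum post or OPNsense).
WireGuard picks the peer for an outbound packet by the most specific
AllowedIPs entry that contains the destination address; a destination that
no peer claims is not sent into the tunnel at all.
"""
import ipaddress

# Peer tables transcribed from the post. OPNsense side: the two endpoints.
OPNSENSE_PEERS = {
    "VPN_PROVIDER": ["0.0.0.0/24"],
    "iPAD_CLIENT": ["172.16.16.20/32"],
}

# Road-warrior (iPad) side: a single peer, OPNsense, claiming everything.
IPAD_PEERS = {
    "OPNSENSE": ["0.0.0.0/0"],
}


def select_peer(peers, destination):
    """Return (peer_name, matched_cidr) for the longest AllowedIPs prefix
    containing `destination`, or (None, None) if no peer claims it."""
    dst = ipaddress.ip_address(destination)
    best_peer, best_cidr, best_len = None, None, -1
    for name, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # Longest prefix wins, exactly as in the kernel's allowedips trie.
            if dst in net and net.prefixlen > best_len:
                best_peer, best_cidr, best_len = name, str(net), net.prefixlen
    return best_peer, best_cidr


def address_count(cidr):
    """Number of addresses an AllowedIPs entry actually covers."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def route_table(peers, destinations):
    """Map each destination to the peer that would carry it (None = no peer)."""
    return {d: select_peer(peers, d)[0] for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: a public resolver, the iPad's tunnel
    # address, and an address inside 0.0.0.0/24.
    samples = ["8.8.8.8", "172.16.16.20", "0.0.0.7"]
    for dst, peer in route_table(OPNSENSE_PEERS, samples).items():
        print(f"OPNsense -> {dst:14} peer={peer}")
    for dst, peer in route_table(IPAD_PEERS, samples).items():
        print(f"iPad     -> {dst:14} peer={peer}")
    for cidr in ("0.0.0.0/24", "0.0.0.0/0"):
        print(f"{cidr:12} covers {address_count(cidr)} addresses")
```

Running it shows the asymmetry between the two sides: the iPad's single `0.0.0.0/0` peer claims every destination, while on the OPNsense side only addresses inside `0.0.0.0/24` (256 addresses) or the iPad's `/32` match a peer, so a public destination such as the constructed `8.8.8.8` matches no peer in that table. The same lookup can be rerun with any AllowedIPs values to check which peer a given destination would be handed to before changing a live configuration.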