Wireguard NAT rules required?

[Inxsible]

Hello,
I have a Road Warrior OpenVPN setup that is working perfectly. I am using the Automatic outbound NAT rule generation currently under Firewall-->NAT-->Outbound. I also have not assigned the OpenVPN interface, but created an "Allow All" rule under the default OpenVPN tab that gets created under Firewall-->Rules. I have a different subnet as the Tunnel network and then allow access to my main LAN and CCTV vlans by passing those in the IPv4 Local Network in the OpenVPN configuration. I can connect from my mobile device to my OpenVPN server and I am able to access the LAN devices as well as the internet.

I was trying to set up the exact same thing via Wireguard. After setting up the wireguard peers, I did the same thing, I did NOT assign the wireguard interface, but created an "Allow All" rule under Firewall-->Rules-->Wireguard (Group). Similar to the OpenVPN setup, I use a completely different subnet as the Tunnel Network for Wireguard and put in 0.0.0.0/0 as Allowed IPs in the client/endpoint configuration for wireguard. I can now access my LAN services from my mobile device but I am unable to access anything on the internet. I researched and found out that I need some NAT Outbound rules in order to do this.

But my question is why does OpenVPN work without any such NAT Outbound rules while Wireguard doesn't?

TIA

[RamSense]

Depends of having created an interface, see this guide I used in the past when enabling wireguard:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

To allow external access to the WireGuard VPN, a WAN rule needs to be created. Since the WireGuard service is running on the OPNsense system, you do not need to use a NAT port forward rule.

Add the Outbound NAT Rule (Required if Not Creating WireGuard Interface)

If for some reason you do not want to create a WireGuard interface, you will need to manually add the outbound NAT rule. I do not recommend doing this since creating the WireGuard interface simplifies the configuration in a number of ways. For the sake of completeness, I will describe the process in hopes that it will help someone. Please skip this step if you already created a WireGuard interface!

[tiermutter]

Had this in another thread a couple of days ago, maybe german in forum...

I do not have any NAT rule for Wireguard and it works fine.
I have created interfaces for ms WG instances, but there is no NAT rule created automatically.

[miroco]

Here is a guide I found useful and it doesn't use a NAT rule.

[How To] Set up WireGuard VPN on OPNsense (& Client Config Examples)
https://www.youtube.com/watch?v=b58PpuIsQ3A

[Inxsible]

Thanks @RamSense, @tiermutter & @miroco for responding.

All 3 of you seem to be suggesting that you can just assign the Interface and then you won't need the NAT rule. I have gone through the homenetworkguy url and also the video and I understand that I can create either the NAT rule or the Interface assignment to get it to work.

But I am just trying to understand why OpenVPN works without an interface assignment or NAT rule, whereas Wireguard requires at least one or the other.

TIA.

[tiermutter]

WG will also work without NAT rule or specific interface.
As said... Don't know for what reason NAT is needed here.

[Inxsible]

WG will also work without NAT rule or specific interface.
As said... Don't know for what reason NAT is needed here.

Well, it sure doesn't seem like it works. I have Wireguard setup and it connects. But I cannot access the internet from my phone when connected to Wireguard. The only thing that I can access is the local LAN services/devices.

[tiermutter]

Ok, I now checked my outbound NAT, the only rules are those automatically generated rules containing every internal interface and, indeed, VPN (WG interfaces and OVPN subnets). I guess if there were no interface created for WG, the automatic rules would contain the subnet IPs as it does for OVPN. I am pretty sure that I used WG the first time without assigning an interface, this was done later when I added a second WG instance 

[Inxsible]

Ok, I now checked my outbound NAT, the only rules are those automatically generated rules containing every internal interface and, indeed, VPN (WG interfaces and OVPN subnets). I guess if there were no interface created for WG, the automatic rules would contain the subnet IPs as it does for OVPN. I am pretty sure that I used WG the first time without assigning an interface, this was done later when I added a second WG instance 

Yeah, this is for my home network and I don't foresee more than 1 WG VPN server which is why I thought of simply using the Wireguard(Group) to set up the firewall rules instead of assigning the interface similar to what I had for OpenVPN.

But from the looks of it, it seems I will have to assign the interface in order for it to be able to access the LAN services as well as the internet in general.

Oh well, I was just curious as to why it was different for OpenVPN vs Wireguard that's all.

[tiermutter]

Ok, we consent, that NAT is generally required for internal interfaces oder VPN to connect to WAN.
Now I´ve created OVPN and WG server on a testing system and.... indeed for WG the subnet is not automatically added to the default NAT rules as it is done for OVPN. Creating an interface does add it there.
So I was obviously wrong, my WG instance could never have WAN connection without adding manual NAT rule or interface... as the manual states.
I guess this comes from how OVPN and WG are implemented in GUI. I didn´t use the wizard for creating OVPN server and there is no option that enables auto adding the subnet to NAT, it just happens, for WG it will not.

[Inxsible]

Yup. Thanks for confirming via testing.

It could just be how the plugin was implemented where the OpenVPN automatically adds it's subnet to NAT whereas WG doesn't. Might be worth a bug/enhancement ticket in the Wireguard plugin for feature parity with OpenVPN plugin but then again, the documentation clearly states that you need either the interface assignment or the NAT rules -- and sometimes maybe both depending on what you want to do.

I created the WG interface and am now able to access the LAN services as well as the internet at the same time from my connected device.