Routing VLAN through WireGuard tunnel to a VPS then do NAT

Started by FrAllard, January 15, 2023, 02:34:09 AM

Hi!

Here is what I want to do. I have a WireGuard tunnel established to a VPS, and I can ping the VPS from my LAN and also from the VLAN I want to route through the tunnel. The ping is going through both ways without NAT, pure routing.

I would like to force a VLAN to go through the tunnel to access the Internet, but I'm missing one last part, I believe. Here is how it is set up at the moment.

WG IPs: 10.2.3.1 (VPS), 10.2.3.2 (OPNsense client)
LAN IPs: 10.20.30.1/24
VLAN IPs: 10.200.300.1/24

On the VPS WireGuard AllowedIPs include both LAN and VLAN subnets.
On the OPNsense side AllowedIPs is only 10.2.3.0/24

I created a Gateway like that
  Interface: WG Interface
  Gateway: 10.2.3.1

Then I created a Firewall Rule in the VLAN section to allow all and set the gateway to the new one I created.

I did not create a NAT rule as I don't think I need one; the VPS is going to do NAT. I want pure routing if possible between my devices on the VLAN all the way to the VPS, then when it needs to exit to the Internet the VPS is going to do the NATting.

I traced packets on the VLAN interface and the WG interface and I can see the packets entering those interfaces. When I trace the WG interface on the VPS I can see the packets if the client on the VLAN is pinging the VPS WG IP, but if the client tries to ping, let's say, 1.1.1.1 I don't see any packets. As if WireGuard does not route the traffic through.

To summarize what I can see in the trace:

VLAN Client 10.200.300.128 ping 1.1.1.1
On the VLAN interface on OPNsense I see:

  • 10.200.300.128 > 1.1.1.1 ICMP echo request
  • no reply
On the WG interface on OPNsense I see:

  • 10.200.300.128 > 1.1.1.1 ICMP echo request
  • no reply
On the WG interface on the VPS I see:

  • nothing

VLAN Client 10.200.300.128 ping 10.2.3.1 (the VPS WG IP address)
On the VLAN interface on OPNsense I see:

  • 10.200.300.128 > 10.2.3.1 ICMP echo request
  • 10.2.3.1 > 10.200.300.128 ICMP echo reply
On the WG interface on OPNsense I see:

  • 10.200.300.128 > 10.2.3.1 ICMP echo request
  • 10.2.3.1 > 10.200.300.128 ICMP echo reply
On the WG interface on the VPS I see:

  • 10.200.300.128 > 10.2.3.1 ICMP echo request
  • 10.2.3.1 > 10.200.300.128 ICMP echo reply
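Added example, not from the original post: a small model of WireGuard's cryptokey routing, which only hands an outgoing packet to a peer whose AllowedIPs contain the destination (longest prefix wins) and otherwise drops it at the interface. Run with the peer table described in the post (OPNsense side AllowedIPs = 10.2.3.0/24), it reproduces the trace: 10.2.3.1 is sent to the VPS peer while 1.1.1.1 matches no peer and never leaves the WG interface. The second, widened peer table is an assumption of what the OPNsense-side AllowedIPs would need to cover for Internet destinations.

```python
import ipaddress

# Cryptokey routing as WireGuard applies it on egress: a packet goes to the peer
# whose AllowedIPs contain the destination (most specific prefix wins); if no
# peer's AllowedIPs match, the interface silently drops the packet.

def select_peer(peers, dst):
    """Return the name of the peer that would receive dst, or None if dropped."""
    dst_ip = ipaddress.ip_address(dst)
    best_name, best_len = None, -1
    for name, allowed in peers.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)
            if dst_ip in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name

def trace(peers, dsts):
    """Map each destination to the selected peer (None = dropped), like a packet trace."""
    return {d: select_peer(peers, d) for d in dsts}

# OPNsense-side peer table as described in the post (constructed from its values).
OPNSENSE_PEERS = {"vps": ["10.2.3.0/24"]}

# Assumed widened table: a catch-all entry so Internet destinations match the VPS peer.
OPNSENSE_PEERS_FIXED = {"vps": ["10.2.3.0/24", "0.0.0.0/0"]}

if __name__ == "__main__":
    for label, table in (("current", OPNSENSE_PEERS), ("widened", OPNSENSE_PEERS_FIXED)):
        print(f"[{label} AllowedIPs]")
        for dst, peer in trace(table, ["10.2.3.1", "1.1.1.1"]).items():
            print(f"  {dst:>9} -> {peer or 'dropped (no AllowedIPs match)'}")
```

With a 0.0.0.0/0 entry, route installation for that prefix should be disabled on the instance so the VLAN firewall rule's gateway remains the only thing steering traffic into the tunnel.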