WireGuard doesn't allow SSH or RDP to LAN

Started by hcape, February 09, 2025, 11:01:35 AM

Hello

A bit new to OPNsense, so bear with me.

I have a home network of a few servers on DMZ plus LAN for a few workstations with OPNsense 24.1 having four interfaces: FC, DMZ, LAN and WireGuard. On my laptop with WireGuard active I can access everything I need from DMZ but nothing from LAN (basically I would need to access my main workstation when not home via RDP). When my laptop is in LAN network everything works great.

So I would need to open RDP for one (static) IP from WireGuard net. But whatever I have tried seems to work. As I see it, it should be one firewall rule to add, but to where?

Sorry for the newbie question, but we all have been newbies one day, right? :)

wbr hank

From where do you try that? Is your laptop connected to the very same LAN you try to access via the VPN?

That will not happen (tm), since the VPN connection will be tunneled through your LAN first, i.e. there is a route to your LAN and probably a default gateway that is your OPNsense.

So, you must test this from outside of your networks.

The next step is that the allowed networks in the WireGuard settings on both sides must allow the respective other networks. This is vital and not easy to detect, because blocked packets here do not show up in your firewall logs.
Then, you must allow that traffic via firewall rules, on the specific WireGuard interface or on the WireGuard interface group.

Also, you obviously will need routes for the other network on both sides.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
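The point in the reply about allowed networks is worth seeing concretely: WireGuard's cryptokey routing decides, before any firewall rule is evaluated, whether a packet may enter or leave the tunnel, so a LAN subnet missing from AllowedIPs is dropped silently. The model below is an added example, not OPNsense or WireGuard project code; the subnets, tunnel addresses, peer names and the round-trip helper are constructed assumptions for illustration only.

```python
"""
Model of WireGuard's cryptokey routing, showing why a destination that is
missing from AllowedIPs never reaches the firewall: WireGuard drops it first.
Added example, not OPNsense or WireGuard project code. Every subnet, address
and peer name below is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    allowed_ips: List[ipaddress.IPv4Network]


def parse_peer(name: str, allowed: str) -> Peer:
    """Build a peer from a comma-separated AllowedIPs string (as in a [Peer] section)."""
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in allowed.split(",") if s.strip()]
    return Peer(name, nets)


def outbound_peer(peers: List[Peer], dst: str) -> Optional[str]:
    """Outgoing packet: choose the peer whose AllowedIPs holds the longest
    prefix match for the destination. No match means WireGuard discards the
    packet silently; the firewall never logs it."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for p in peers:
        for net in p.allowed_ips:
            if ip in net and net.prefixlen > best_len:
                best, best_len = p.name, net.prefixlen
    return best


def inbound_accepted(peer: Peer, inner_src: str) -> bool:
    """Incoming decrypted packet: its inner source address must lie inside the
    sending peer's AllowedIPs, otherwise WireGuard discards it before the
    firewall sees it."""
    ip = ipaddress.ip_address(inner_src)
    return any(ip in net for net in peer.allowed_ips)


def round_trip(laptop_peers: List[Peer], opnsense_peer: Peer,
               laptop_ip: str, target_ip: str) -> Optional[str]:
    """Trace the four cryptokey-routing checks an RDP session must pass:
    laptop out, OPNsense in, OPNsense out (reply), laptop in (reply).
    Returns a description of the first failing check, or None if all pass.
    (The laptop is assumed to have a single peer, the OPNsense box.)"""
    if outbound_peer(laptop_peers, target_ip) is None:
        return "laptop->tunnel: target not in AllowedIPs (dropped, no firewall log)"
    if not inbound_accepted(opnsense_peer, laptop_ip):
        return "opnsense<-tunnel: laptop source not in AllowedIPs"
    if outbound_peer([opnsense_peer], laptop_ip) is None:
        return "opnsense->tunnel: reply to laptop matches no peer"
    if not inbound_accepted(laptop_peers[0], target_ip):
        return "laptop<-tunnel: reply source not in AllowedIPs"
    return None


# Constructed topology (assumption, not taken from the thread).
LAN = "192.168.10.0/24"
DMZ = "192.168.20.0/24"
WG_NET = "10.9.0.0/24"
LAPTOP_WG_IP = "10.9.0.2"
WORKSTATION = "192.168.10.50"   # the RDP target on the LAN

# Laptop side: one peer (OPNsense). The broken variant omits the LAN, so RDP
# to the workstation is dropped on the laptop before it is even encrypted.
broken_laptop = [parse_peer("opnsense", f"{WG_NET}, {DMZ}")]
fixed_laptop = [parse_peer("opnsense", f"{WG_NET}, {DMZ}, {LAN}")]

# OPNsense side: the laptop peer must at least allow the laptop's tunnel address,
# or the reply toward 10.9.0.2 matches no peer and is dropped.
wg_server_peer = parse_peer("laptop", f"{LAPTOP_WG_IP}/32")


if __name__ == "__main__":
    for label, peers in (("broken", broken_laptop), ("fixed", fixed_laptop)):
        result = round_trip(peers, wg_server_peer, LAPTOP_WG_IP, WORKSTATION)
        print(f"{label}: {'ok' if result is None else result}")
```

Once `round_trip` reports no failing check, the remaining piece is the firewall rule on the WireGuard interface (or interface group) allowing the laptop's tunnel address to reach the workstation on the RDP port, which is the part that does show up in the firewall logs when it blocks.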

Oh, yes, dumb me...

When accessing from my phone's mobile network, it works, so your first assumption was right.

Thank you for the fast and right-to-the-point answer

hank