Separate WG-Server behind OPNsense - Rules & Routing

Started by Neurothiker, April 03, 2025, 04:22:03 PM

Dear Mr. Hausen,

first of all, I thank you for your extremely detailed support - phenomenal!
Unfortunately, it also clearly showed me that the OPNsense system is far beyond my horizon - and perhaps not my solution after all.
I'm switching from Fritzbox DSL to OPNsense fiber and yes, the network architecture is still from that time, but I can't change it directly due to various dependencies - hence my requests for support here in the forum.

OK, back to my biggest issue of all:

Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
1. Get the network structure and routing right - you probably did that already?

- add 192.168.x.11 as a gateway in OPNsense
- add a static route for 10.xyz.0/24 (?) via that gateway

Accomplished - ping WG-IP works.


Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
2. Inbound port forwarding

The rules you outlined in your first post look correct - "ppp" is 51820 or similar I suppose? And make sure it's UDP!

Accomplished
Firewall: NAT: Port Forward
    Interface: WAN
    TCP/IP: IPv4
    Protocol: UDP
    Destination: Internet address
    Destination port range: ppp
    Redirect target IP: 192.168.x.11 [Router]
    Redirect target port: ppp


Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
3. Outbound NAT
- create a firewall alias named "internal networks" or similar. Type "network(s)", add all internal networks you want NATed - that's at least 192.168.x.0/24 and 10.xyz.0/24 (?)
- create a rule: interface WAN, source "internal networks", NAT to "interface address"

Accomplished
- Firewall: Aliases
    Name: interne Netzwerke
    Host(s)
    Content: 192.168.x.0/24 10.xyz.0/24
    Description: Anbindung an WG (connection to WG)

- Firewall: NAT: Outbound
    Interface = WAN
    TCP/IP Version = IPv4
    Protocol = UDP
    Source address = interne Netzwerke
    Source Port: 47362
    Destination: any
    Translation/target = Interface address


Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
4. Depending on what you want to do add your WG network

If the network inside the WG tunnel should be using OPNsense for outbound Internet access etc.

- create another static route on OPNsense for the WG tunnel network via the internal router
- create a static route on the internal router for that same tunnel network pointing to the WG gateway
- add the WG tunnel network to the "internal networks" alias for NAT

Accomplished
- System: Routes: Configuration
Network Address: WG-Clients IP
Gateway: internal router(192.168.x.1)

As I set up the WG-Server in the past, I pointed to the WG gateway (internal router [192.168.x.1]).

Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
- add the WG tunnel network to the "internal networks" alias for NAT

Does it mean to add all WG-client IPs to "internal networks"?

Thank you

Quote from: Neurothiker on April 04, 2025, 10:48:35 AM
Does it mean to add all WG-client IPs to "internal networks"?

If the WG clients are supposed to go to the Internet through the tunnel and back out through OPNsense again, then yes. You need to NAT them. Easiest way is to add them to that alias. But a single entry with the entire network (/24?) is enough, no need to add each client separately.

If the WG clients only access the local networks while connecting to the Internet wherever they are located, then no.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

At the risk of not being helpful again...
You may feel a bit discouraged right now but your setup is not exactly for beginners.
I'm no expert either. Patrick is one though.

The inbound PF rule does not look correct to me.
It should likely point to the WG-server (xyz.1).

The outbound NAT rule also seems weird. Why is a source port specified? * is likely more appropriate.
FWIW, if you'd kept hybrid mode, you would only need rules for the downstream networks and could replicate the default rules.

Have you tested any of the configuration changes you made?
Testing the outbound NAT rules is "easy". Connect a machine in that network (eg 10.xyz) and verify connectivity.

Testing the inbound PF is a bit more difficult. You need a WG client in the y network configured to use y.2 as a server.
But you might also need to disable reply-to in OPN (in Firewall > Settings > Advanced). Some OPN weirdness here.

Then you can use the same WG client on the Internet (pointing to your public IP).
I assume you have some inbound port forward on that "modem" too, pointing to y.2.

Unless there's a terminology issue, you've never indicated the WG tunnel network.
WG-server is listening for WG UDP traffic on xyz.1:ppp, then decapsulated traffic is generated on that WG tunnel network.
Each peer of the WG-server instance is getting an IP in that network, likely with access to some networks behind the internal router.

Going back to your setup, you have "modem" - OPN - router - WG.
Given the y network subnet, I assume there's some NAT on the "modem".
We know there's some NAT on OPN.
You don't seem to have any NAT on the router (my bad for assuming this in my initial question, but it was my way of asking for clarification).
BECAUSE you don't have NAT there, for each network downstream of OPN (behind router), you need:
* GW pointing to router + static route for the network pointing to the GW (so packets going through OPN targeting that network make it to the next hop to their destination).
* outbound NAT for the downstream network on OPN. Otherwise, I believe packets are "just" routed on OPN WAN and I suspect it will go downhill from there.

So, if your WG clients (once connected to WG-server) need to get back out through OPN, you need to do the above for the WG tunnel.

The terminology issue would arise from WG-server listening on x.11:ppp (explaining the PF destination IP) and using xyz.1/24 as WG tunnel address.
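The three ingredients argued over in this thread (an on-link gateway plus a static route per downstream network, the WAN port forward for the WireGuard listener, and outbound NAT whose source alias has to cover the tunnel network too) can be sanity-checked on paper before touching the box. The following packet walk is an added example written for this page, not OPNsense code and not anything the posters configured: it models Patrick's four steps and the "missing NAT entry" failure mode the last reply describes. All addresses and the port are assumptions standing in for the x / xyz / ppp placeholders used in the posts (documentation ranges, an internal router at 192.168.1.11, a downstream 10.99.0.0/24, a tunnel network 10.200.0.0/24, UDP 51820).

```python
"""Packet walk for 'modem' - OPNsense - internal router - WG-server.

Added illustration for this thread; every value below is an assumption that
stands in for the x / xyz / ppp placeholders in the posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# --- Assumed topology (constructed; documentation ranges) -------------------
WAN_IF, LAN_IF = "wan", "lan"
WAN_NET = IPNet("203.0.113.0/24")
WAN_ADDR = IPAddr("203.0.113.10")          # OPNsense WAN address
ISP_GW = IPAddr("203.0.113.1")             # default gateway towards the "modem"
LAN_NET = IPNet("192.168.1.0/24")          # stands in for 192.168.x.0/24
INTERNAL_ROUTER = IPAddr("192.168.1.11")   # stands in for 192.168.x.11
DOWNSTREAM_NET = IPNet("10.99.0.0/24")     # stands in for 10.xyz.0/24
WG_TUNNEL_NET = IPNet("10.200.0.0/24")     # tunnel network the WG peers get
WG_PORT = 51820                            # stands in for "ppp"


@dataclass(frozen=True)
class Route:
    network: IPNet
    next_hop: Optional[IPAddr]   # None = directly connected interface
    iface: str


# Routing table after steps 1 and 4: connected nets, default route, and a
# static route for each network behind the internal router.
ROUTES: List[Route] = [
    Route(WAN_NET, None, WAN_IF),
    Route(LAN_NET, None, LAN_IF),
    Route(IPNet("0.0.0.0/0"), ISP_GW, WAN_IF),
    Route(DOWNSTREAM_NET, INTERNAL_ROUTER, LAN_IF),
    Route(WG_TUNNEL_NET, INTERNAL_ROUTER, LAN_IF),
]

# Step 3 alias "internal networks": first without, then with the tunnel net.
ALIAS_WITHOUT_TUNNEL = [LAN_NET, DOWNSTREAM_NET]
ALIAS_WITH_TUNNEL = [LAN_NET, DOWNSTREAM_NET, WG_TUNNEL_NET]


def lookup_route(dst: IPAddr, routes: List[Route] = ROUTES) -> Route:
    """Longest-prefix match, the way the FIB picks a route."""
    hits = [r for r in routes if dst in r.network]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda r: r.network.prefixlen)


def check_static_routes(routes: List[Route] = ROUTES) -> List[str]:
    """Step 1: a static route's gateway must sit on a directly connected net."""
    connected = [r.network for r in routes if r.next_hop is None]
    return [f"gateway {r.next_hop} for {r.network} is not on-link"
            for r in routes
            if r.next_hop is not None and not any(r.next_hop in n for n in connected)]


def outbound_src_after_nat(src: IPAddr, dst: IPAddr, nat_alias: List[IPNet]) -> IPAddr:
    """Step 3: outbound NAT on WAN, source alias -> interface address.
    A source outside the alias leaves WAN untranslated: the failure mode above."""
    route = lookup_route(dst)
    if route.iface == WAN_IF and any(src in n for n in nat_alias):
        return WAN_ADDR
    return src


def inbound_redirect(proto: str, dst: IPAddr, dport: int) -> Optional[Tuple[IPAddr, int]]:
    """Step 2: WAN port forward for the WG listener, UDP only."""
    if proto == "udp" and dst == WAN_ADDR and dport == WG_PORT:
        return INTERNAL_ROUTER, WG_PORT
    return None


def walk_tunnel_client_to_internet(client: IPAddr, nat_alias: List[IPNet]) -> str:
    """One-line verdict for a WG peer that wants to reach the Internet via OPN."""
    dst = IPAddr("1.1.1.1")                 # arbitrary Internet host (assumption)
    src_on_wan = outbound_src_after_nat(client, dst, nat_alias)
    if src_on_wan == WAN_ADDR:
        return f"{client} -> {dst}: NATed to {WAN_ADDR} on {WAN_IF}, reply can come back"
    return f"{client} -> {dst}: leaves {WAN_IF} with private source {client}, reply is lost"


if __name__ == "__main__":
    for problem in check_static_routes():
        print("route problem:", problem)
    print(walk_tunnel_client_to_internet(IPAddr("10.200.0.5"), ALIAS_WITHOUT_TUNNEL))
    print(walk_tunnel_client_to_internet(IPAddr("10.200.0.5"), ALIAS_WITH_TUNNEL))
    print("inbound udp/51820 ->", inbound_redirect("udp", WAN_ADDR, WG_PORT))
```

The model only covers what the thread covers (routing on OPNsense, the WAN port forward, outbound NAT); it does not model the "modem", the internal router's own routes or WireGuard's AllowedIPs, all of which also have to agree with it for the real setup to work.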