One-way WireGuard site-to-site VPN

Started by LogicLoop, July 27, 2025, 02:07:02 PM

Hi,

I am setting up a remote replication of my main TrueNAS backup server (site A) to an offsite TrueNAS backup server (site B). For this I need an SSH connection from LAN A to LAN B, which I plan to tunnel through a WireGuard VPN between two OPNsense firewalls (each of which behind a 3rd party router with dynamic WAN IP and port forwarding).

Now, I trust site B enough to have a server running there, but I don't have control over the location. So I definitely want to prevent access from LAN B into my main network LAN A, i.e. make the VPN connection "one-sided".

My plan is to set up a WireGuard Site-to-Site tunnel according to this tutorial. But then make it one-sided by:
a) not allowing connections from LAN B to LAN A on the WireGuard (Group) interface of firewall A
b) not allowing connections from LAN B to LAN A on the LAN B interface of firewall B
(Basically just skipping sub-step 2 and 3 of Step 5 in the above tutorial)

It is my understanding that this would allow WireGuard to set up a tunnel between the locations but prevent anybody on LAN B from accessing LAN A. But I am really not a networking expert... Is my assumption correct here? And/or is there a better/more elegant solution I should pursue instead?

Thank you!

Blocking on your side for incoming packets will suffice (the other side's firewall could be manipulated and is thus not trustworthy) - but yes, I do it just like that.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
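For readers who want to see the one-way policy the thread arrives at written down, here is an added example (not from either poster, and not what OPNsense generates itself) as a plain pf.conf fragment for firewall A, the side that must not trust site B. Interface names, subnets and host addresses are assumptions for the example; the WireGuard listen port is the protocol default.

```pf
# Firewall A (site A), illustrative pf.conf fragment.
# Interface names, subnets and hosts below are assumptions for this example.
wan_if    = "igc0"
lan_a_if  = "igc1"
wg_if     = "wg0"
truenas_a = "10.1.0.10"    # replication source on LAN A
truenas_b = "10.2.0.10"    # replication target on LAN B

# Default deny in both directions on the tunnel interface. Dropped packets
# are logged, so anything initiated from site B shows up in the firewall
# log on A instead of inside LAN A.
block in log on $wg_if all
block out on $wg_if all

# The WireGuard handshake itself arrives on the WAN (port forwarded by the
# 3rd-party router); this is the only inbound rule site B can trigger.
pass in on $wan_if proto udp to ($wan_if) port 51820

# LAN A -> LAN B: only the replication SSH session, stateful, so that the
# replies for this session return through the tunnel via state matching.
pass in  on $lan_a_if proto tcp from $truenas_a to $truenas_b port 22 keep state
pass out on $wg_if    proto tcp from $truenas_a to $truenas_b port 22 keep state

# Deliberately absent: any "pass in on $wg_if from <LAN B>" rule. Return
# traffic of the session above is accepted by state, not by a rule, so a
# manipulated firewall B cannot open a connection into LAN A.
```

Whatever rules firewall B carries is irrelevant to this policy, which is the point of the reply above: the block lives on the side you control.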