Wireguard Port Forwarding not working

Started by trunet, June 21, 2021, 01:59:59 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
June 21, 2021, 01:59:59 PM
Hello everybody,

Following advise on https://github.com/opnsense/core/issues/4389 I'm creating this thread here. I still think it's a bug on opnsense and/or wireguard implementation, but anyway, here it is.

I'm unable to make port forward working on opnsense. I tried without wireguard-kmod before and saw people saying that it should work with it, so I went ahead installed and rebooted, but still nothing. Both with kmod and without the behaviour is exactly the same. If I just change the VPN_XX to use OpenVPN tunnel, it works fine.

My setup is as follow.
- WAN = WAN / ix1_vlan34
- WireGuard tunnel = VPN_XX / wg1
- LAN = LAN_VPN_XX / ix0_vlan24
- Server running on LAN = 192.168.24.51

I have a port forwarding NAT like this:
- VPN_XX   TCP/UDP   *   *   *   10000   192.168.24.51     10000

Firewall rule on LAN_VPN_XX with VPN_XX gateway:
IPv4 *   LAN_VPN_XX net   *   *   *   VPN_XX   *

Wireguard VPN is configured and it works fine, I can curl and everything. Just port forwarding doesn't work.

OpnSense wg1 tcpdump:

Code Select
13:12:46.987457 IP [REDACTED_PUBLIC_IP].46256 > 10.13.128.89.10000: Flags [S], seq 3380801657, win 29200, options [mss 1380,sackOK,TS val 3306454498 ecr 0,nop,wscale 7], length 0


OpnSense ix1_vlan34 tcpdump (my WAN interface):

Code Select
13:12:46.987713 IP 10.13.128.89.10000 > [REDACTED_PUBLIC_IP].46256: Flags [S.], seq 3870681174, ack 3380801658, win 65160, options [mss 1460,sackOK,TS val 3841074193 ecr 3306454498,nop,wscale 7], length 0
13:12:46.987814 IP 10.13.128.89.10000 > [REDACTED_PUBLIC_IP].46256: Flags [S.], seq 3870681174, ack 3380801658, win 65160, options [mss 1460,sackOK,TS val 3841074193 ecr 3306454498,nop,wscale 7], length 0
...... more TCP SYN/ACK retries

Any idea?
August 10, 2021, 01:51:06 AM #1
Same for me, been over a year now and still no progress on this port forward on WG.

any updates anyone?
August 10, 2021, 08:10:36 AM #2
https://github.com/opnsense/core/issues/4389#issuecomment-865349224

It's literally referenced in the ticket above.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT
September 07, 2021, 11:37:19 AM #3
I see that he is using 21.7.b version (type development). Do we know what community version this change will be included in?

Br.

Quote from: franco on August 10, 2021, 08:10:36 AM
https://github.com/opnsense/core/issues/4389#issuecomment-865349224

It's literally referenced in the ticket above.


Cheers,
Franco
September 07, 2021, 11:45:45 AM #4
We can safely assume that 21.7.b is part of 21.7(.x).


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT
Print
Go Up Pages1
User actions