Wireguard port - public wifi

[Greelan]

I don’t have this issue (I don’t forward ports to services on my firewall). I’m just trying to help the OP with an alternative.

Perhaps show the OP an example of a working rule of yours, so he can compare. Eg what target IP are you using?

[allebone]

Yup J posted this already. It goes to the opnsense ip address.

[RamSense]

I have it working now for port 465. I made a terrible mistake in my earlier port forward using tcp instead of udp... 
Now I can use WG on 465 also. port 53 does not work being blocked by my ISP.
Will try 465 at public wifi to see if it will work....

[allebone]

See - I told you it had to work.

GG.

Pete

[MTR]

I know i can just run Wireguard on a different port but Port Forwarding should work, right? Why doesn't it? I must be doing something wrong and I like to know what. Please see attached images for my NAT and WAN rules.
What am i missing here?

[allebone]

MTR you cannot redirect to ‘wan address’ as this is the external ip of the firewall. Try redirecting it to 192.168.1.1 in your case.

[MTR]

Under NAT -> Port Forward i have destination WAN address with port 15821 and NAT 192.168.1.1 with port 15820.

Under WAN the first rule is for normal Wireguard, and the second one is linked by the NAT rule. 

Is this not right?

[allebone]

Under my rules, wan the destination is the internal IP of the firewall not wan address (mine is working so assume correct?). Probably because of stateful inspection the bottom wan rule is never hit (the rule above stops further processing of rules). You could try reorder the bottom rule and move it before the rule that is to wan address in your screenshot.

Im pretty sure this is the issue because I only use nat rules even when forwarding to the router itself (ie as opposed to just opening the wan up directly). The reason for this is in my case I use IDS/IPS on the LAN interface so without making the packet process through the lan the router itself will not have this port protected by any filtering you have in place. Indeed some small cost of a cpu cycle is incurred by the packet having to move across and interface but a faster CPU can mitigate that and probably the cost is so small you will be unable to detect it. The same reason could apply if you used sensei on the LAN.

Also I am pretty sure a nat rule is the default way it was done in the documentation before, but I did just check and it is no longer like that so I think this was changed in the documentation at some point because I assumed everyone did it this way, and at one point Im fairly confident it was the case.

[MTR]

I followed the road warrior setup guide, hence the rule with Destination WAN address under Rules->WAN.

Under my rules, wan the destination is the internal IP of the firewall not wan address

Yes, the NAT rule creates a rule under Rules->WAN which says destination <internal_ip>. Destination in the NAT rule is WAN address tho (yours says PPPoEWAN address, according to the screenshot you posted earlier.

Probably because of stateful inspection the bottom wan rule is never hit (the rule above stops further processing of rules). You could try reorder the bottom rule and move it before the rule that is to wan address in your screenshot.

Tried that, no-go.

Im pretty sure this is the issue because I only use nat rules even when forwarding to the router itself (ie as opposed to just opening the wan up directly).

For testing i removed the rule i made in WAN, going only with a NAT rule as you suggested. This works (client connecting to 51820):


But this does not (client connecting to 51821):


Do you have only 1 NAT rule for Wireguard and nothing more (except from the linked rule under Rules->WAN)?

[allebone]

Currently because I was testing for you guys I have 2 rules:

NAT
Rules

However they both work currently. Presumably as mine work and you are wanting to achieve the identical setup (one forwards to same port, the other redirects from a different port) yours should also work (when you have 2).

Dont forget to modify the port on the client connecting afterwards. Thats also a requirement obv.

P

[allebone]

Here is the proof it works from an iphone. My iphine gets an ipv6 address so thats why the endpoint looks strange but I assure you this works on ipv4 clients also (just easier to rest from my phone quickly).

[MTR]

Here is the proof it works from an iphone.

No worries, i'm totally convinced your setup works. I appreciate the time you take to try to help me! 

So far i tried:

a) One WAN Rule (dest. WAN Addess, port 51820) and one NAT (dest. WAN Address, port 51821 redirect to 192.168.1.1 port 51820)
b) Two NAT (one dest. WAN Address port 51820, redirect to 192.168.1.1 port 51820 and one dest. WAN Address port 51821 redirect to 192.168.1.1 port 51820)
c) One NAT rule only, redirect dest. WAN Address port 51821 to 192.168.1.1 port 51820.

With options a) and b) i can successfully connect to endpoint my.wan.ip:51820 but as soon as i try my.wan.ip:51821 i can't get a handshake.
Option c) also fails handshake when connecting to my.wan.ip:51821

Same problem when i try to redirect a port for OpenVPN; no connection possible.
When i redirect a port to a different machine in my network everything works as it should. Just not when i redirect to a service on the firewall itself. 

I even tried less-sensical options like opening 51821 and 51820 from all sources in Rules -> LAN, Loopback and WAN, setting ListenPort in clients [Interface] config and what not. All without success.

I don't know what else i can try to make this work and frankly i'm getting fed up with this. At first i wanted to solve this just because it should work but now i'm ready to throw the towel and just run Wireguard on a different port. Gonna watch me some brilliant CL soccer now, PSG-ManC. Hopefully that match will be good. This one wasn't: FW-MTR 1-0. 


edit: added option c) to things i tried.

[allebone]

I cant explain why it doesnt work for you. I mean I am totally stuck on what to look at next. I cant think of a reason what could be causing you an issue

[MTR]

Me neither. This should work but it doesn't. Thanks again for your help though!

* PSG-ManC is 1-0 at half time. Maybe i should consider my match half time as well. As in i might take another look. Some day. If anybody reading this has anything to add, please do.