OPNsense Forum » English Forums » General Discussion
Topic: WireGuard SiteToSite tunnel outbound NAT rule necessary (Read 2267 times)
TheHellSite
Full Member
Posts: 231
Karma: 83
on: January 20, 2022, 07:10:17 pm
Hello,
I had my road warrior WireGuard setup running on OPNsense_A at Site_A for quite some time now.
My mobile clients have access to my LAN or can even tunnel their entire traffic through my OPNsense.
At Site_B I have my OPNsense_B and SOME clients in that network need access to the services at Site_A.
So I added the OPNsense_B "sort of" as another road warrior client to the WireGuard instance of OPNsense_A.
I didn't enable the pull routes feature of the WireGuard interface since I only want some clients to go through the tunnel. So I added the gateway IP to the wg_interface and created a gateway in the settings of OPNsense_B.
At this point the tunnel was already working and I was able to ping the WireGuard interface address at Site_A using the OPNsense diagnostics tool.
I then created a firewall rule (see attached files) that will only route selected clients to the network of Site_A and thought that would be enough. I was wrong; I also needed to add a NAT outbound rule (see attached files) that translates everything to the OPNsense_B_WG_interface address.
Can someone please explain to me why that outbound NAT rule is necessary?
I know what it does but I just can't figure out why it is necessary. Without the outbound rule I can see that my OPNsense_B is routing the traffic to OPNsense_A, but there is no sign of it in the logs of OPNsense_A. The Site_B networks are listed in the Allowed IPs of the Site_B peer.
Ultimately I would like OPNsense_A and the services in that network to know the real local IP of Site_B clients that accessed them.
(I know that the firewall rule is currently giving the whole VLAN_CLIENT network access to the network of Site_A. I will change this when everything is working as expected.)
Last Edit: January 20, 2022, 07:22:26 pm by TheHellSite
All of my posts are submitted with the best of knowledge and belief.
My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating:
https://www.buymeacoffee.com/thehellsite
Greelan
Hero Member
Posts: 1028
Karma: 72
Reply #1 on: January 20, 2022, 08:54:28 pm
This may help for setup, in particular the firewall rules at the beginning:
https://www.thomas-krenn.com/en/wiki/OPNsense_WireGuard_VPN_Site-to-Site_configuration
TheHellSite
Reply #2 on: January 20, 2022, 10:46:03 pm
I think you misunderstood the issue.
I already have the tunnel up and running! I was just asking why the outbound NAT rule is necessary.
Greelan
Reply #3 on: January 20, 2022, 10:56:28 pm
I think you misunderstood my response.
I am suggesting that with the right firewall rules in place you won’t need an outbound NAT rule. Try it or not as you wish.
TheHellSite
Reply #4 on: January 22, 2022, 10:04:51 am
Well, I totally overlooked that firewall rule part.
Going to try this.
But why didn't the firewall live log on Site_A display any blocked/dropped traffic from the Site_B networks?
By default it is showing everything that is getting blocked.
TheHellSite
Reply #5 on: January 24, 2022, 01:02:39 am
So I removed the NAT outbound rule and allowed both remote networks in the WireGuard interfaces' firewall rules.
Still not working. Though I now have firewall logs on both sides indicating that the traffic goes from Site_B to Site_A but it is still not coming back.
EDIT: The easiest solution was to just leave "Disable Routes" unticked. One could also create a static route, but then you would also need to create a gateway.
Last Edit: January 29, 2022, 12:54:08 pm by TheHellSite
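To make the thread's conclusion concrete, here is an added Python model (not OPNsense or WireGuard code, and not posted by anyone in the thread) of the two lookups that decide whether a round trip through the tunnel succeeds: WireGuard's cryptokey routing (AllowedIPs checked on send and on receive) and the ordinary kernel route that the reply packet needs to reach wg0 at all. The tunnel subnet, site LANs, interface names and host addresses are constructed assumptions; the thread names none of them. The model reproduces the three states described above: outbound NAT to the wg0 address (works, but Site_A only ever sees the tunnel address), no NAT with "Disable Routes" ticked (Site_A's firewall logs the request, then routes the reply out the default gateway, which is exactly the "goes there but never comes back" symptom), and no NAT with the routes that OPNsense installs from AllowedIPs. A fourth case shows what happens when the Site_B networks are missing from the peer's AllowedIPs: WireGuard drops the decrypted packet before the firewall sees it, so nothing appears in the live log.

```python
"""Why a WireGuard site-to-site tunnel needs either outbound NAT or a return
route at the far end. Added example; addresses and names are assumptions."""
from ipaddress import ip_address, ip_network

TUNNEL_A, TUNNEL_B = "10.10.0.1", "10.10.0.2"        # wg0 addresses (assumed)
LAN_A, LAN_B = "192.168.1.0/24", "192.168.2.0/24"   # site LANs (assumed)


class Router:
    """A firewall with a kernel routing table and one WireGuard interface."""

    def __init__(self, name, routes, peers):
        self.name = name
        # routes: (prefix, out interface); the kernel picks the longest match
        self.routes = [(ip_network(n), dev) for n, dev in routes]
        # peers: peer name -> AllowedIPs (WireGuard's cryptokey routing table)
        self.peers = {p: [ip_network(n) for n in nets] for p, nets in peers.items()}

    def egress(self, dst):
        """Longest-prefix match: which interface does the kernel send dst to?"""
        hits = [(n, dev) for n, dev in self.routes if ip_address(dst) in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def wg_peer_for(self, dst):
        """Outbound cryptokey routing: the peer whose AllowedIPs owns dst."""
        for peer, nets in self.peers.items():
            if any(ip_address(dst) in n for n in nets):
                return peer
        return None

    def wg_accepts(self, peer, src):
        """Inbound cryptokey routing: a decrypted packet is kept only if its
        source is inside that peer's AllowedIPs; otherwise WireGuard drops it
        before the firewall sees it."""
        return any(ip_address(src) in n for n in self.peers[peer])


def site_a(route_from_allowed_ips, lan_b_in_allowed_ips=True):
    allowed = [TUNNEL_B + "/32"] + ([LAN_B] if lan_b_in_allowed_ips else [])
    routes = [(LAN_A, "lan"), ("10.10.0.0/24", "wg0"), ("0.0.0.0/0", "wan")]
    if route_from_allowed_ips:               # "Disable Routes" left unticked
        routes += [(n, "wg0") for n in allowed]
    return Router("Site_A", routes, {"Site_B": allowed})


def site_b():
    # The OP's policy-based firewall rule sends LAN_A traffic to the wg
    # gateway; modelled here as a plain route to wg0.
    return Router("Site_B",
                  [(LAN_B, "lan"), ("10.10.0.0/24", "wg0"), (LAN_A, "wg0"),
                   ("0.0.0.0/0", "wan")],
                  {"Site_A": [TUNNEL_A + "/32", LAN_A]})


def round_trip(a, b, client, server, snat=None):
    """Trace client->server through Site_B and Site_A, then the reply back.
    Returns (ok, source address Site_A's services see, explanation)."""
    src = snat or client                     # outbound NAT rewrites the source
    if b.egress(server) != "wg0" or b.wg_peer_for(server) is None:
        return False, None, "Site_B never puts the packet into the tunnel"
    if not a.wg_accepts("Site_B", src):
        return False, None, f"Site_A wg0 drops {src}: not in Site_B AllowedIPs (no firewall log)"
    dev = a.egress(src)                      # Site_A's firewall has seen src by now
    if dev != "wg0":
        return False, src, f"Site_A routes the reply to {src} via {dev}, not the tunnel"
    if a.wg_peer_for(src) != "Site_B" or not b.wg_accepts("Site_A", server):
        return False, src, "reply rejected by cryptokey routing"
    return True, src, "reply returns through the tunnel"


CLIENT, SERVER = "192.168.2.10", "192.168.1.20"     # constructed hosts

SCENARIOS = {
    # outbound NAT to the wg0 address: works, but Site_A only sees 10.10.0.2
    "nat": lambda: round_trip(site_a(False), site_b(), CLIENT, SERVER, snat=TUNNEL_B),
    # no NAT, "Disable Routes" ticked: Site_A logs the request, reply leaves via WAN
    "no_nat_no_route": lambda: round_trip(site_a(False), site_b(), CLIENT, SERVER),
    # no NAT, routes installed from AllowedIPs: real client IP reaches Site_A
    "no_nat_route": lambda: round_trip(site_a(True), site_b(), CLIENT, SERVER),
    # LAN_B missing from AllowedIPs: dropped by WireGuard itself, nothing logged
    "allowedips_missing": lambda: round_trip(site_a(True, False), site_b(), CLIENT, SERVER),
}


def run(name):
    return SCENARIOS[name]()


if __name__ == "__main__":
    for name in SCENARIOS:
        ok, seen, why = run(name)
        print(f"{name:20s} {'OK  ' if ok else 'FAIL'} seen_as={seen} ({why})")
```

The NAT rule "worked" only because it turned every Site_B client into 10.10.0.2, an address Site_A already routes to wg0 through its connected tunnel subnet. Dropping the NAT means Site_A must route 192.168.2.0/24 to wg0 itself, which is what the AllowedIPs-derived routes do when "Disable Routes" is unticked (a static route plus a gateway, as noted in the thread, does the same by hand), and both WireGuard interfaces still need firewall rules permitting the remote networks.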