Forward ports to web over site-to-site

Started by blucobalt, January 09, 2023, 05:51:11 PM

January 09, 2023, 05:51:11 PM Last Edit: January 11, 2023, 06:05:18 PM by blucobalt
I am trying to set up my network so that I can access my network's local services from a public VPS with a static IP.
Here is a diagram of what I'm trying to accomplish:
x.x.x.x is the static IP of the VPS
z.z.z.z is the IP of whatever is running the local service I want accessible from outside
┌─────────────────────┐         ┌───────────┐           ┌────────────────────┐      ┌─────────────────┐
│local network        │         │local      │ internet  │ vps with static ip,│      │                 │
│10.70.0.0/24         ├────────►│opnsense   ├───────────► runs latest        ├─────►│ public internet │
│x.x.x.x:y->z.z.z.z:y │         │firewall   │ [wg or zt]│ opnsense           │      │ x.x.x.x:y       │
│                     │         │           │           │                    │      │                 │
└─────────────────────┘         └───────────┘           └────────────────────┘      └─────────────────┘

I was able to get the firewalls talking to each other over both WireGuard and ZeroTier, but my port forwards don't work due to, I think, the way the (source?) NAT is configured. How can I set this up? Thank you.

When I set up a port forward on the VPS to point to an IP behind the local firewall, I can check the logs and see that the packets are reaching the destination. I confirmed this with UDP netcat. If I try going back the other way though, with TCP, it looks like the packets get lost between the destination and the local firewall. What should I do?

Looks like you have asymmetric routing, e.g. return traffic from the 10.70.0.0 network goes through your OPNsense default gateway instead of the tunnel it's originating from.
Try to set the 'reply-to' field of your pass rule on that tunnel interface to your tunnel gateway.
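As an added illustration (not from this thread or from the OPNsense project), the pf-level equivalent of the two rule sets involved, with the rule that lacks reply-to shown commented out beside the one that has it. Assumed placeholder names: wg0 is the WireGuard tunnel interface, 10.10.10.1 is the VPS end of the tunnel, 10.70.0.20 stands for z.z.z.z, 8443 stands for y, and vtnet0 is the VPS WAN interface.

```pf
# --- VPS side (assumed interface name vtnet0) ---
wan_if   = "vtnet0"
svc_host = "10.70.0.20"   # z.z.z.z, the host behind the local firewall
svc_port = "8443"         # y, the public and internal port

# Redirect the public port to the service host across the tunnel, then
# allow the redirected packets in on the WAN interface.
rdr on $wan_if proto tcp from any to $wan_if port $svc_port -> $svc_host port $svc_port
pass in on $wan_if proto tcp from any to $svc_host port $svc_port keep state

# --- local OPNsense side (assumed tunnel interface wg0, peer 10.10.10.1) ---
tun_if = "wg0"
tun_gw = "10.10.10.1"

# Without reply-to: the state is created on wg0, but the SYN-ACK from
# 10.70.0.20 to the client's public address follows the default route out
# the WAN, so the client never sees it (the asymmetric path described above).
# pass in on $tun_if proto tcp from any to $svc_host port $svc_port keep state

# With reply-to: packets matching this state are sent back out wg0 toward the
# tunnel peer regardless of the routing table, so the reply retraces the
# path the request came in on.
pass in on $tun_if reply-to ($tun_if $tun_gw) proto tcp \
    from any to $svc_host port $svc_port keep state
```

In the OPNsense GUI the same effect comes from the rule's reply-to field; the UDP test in the thread appears to work only because no reply is needed for a one-way datagram, while TCP's handshake exposes the broken return path.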