WireGuard site to site NAT

Started by cLordOmega, March 17, 2023, 10:06:47 AM

March 17, 2023, 10:06:47 AM Last Edit: March 19, 2023, 02:37:50 PM by cLordOmega
Hi All,
I've set up two OPNsense appliances.
Site A) Linode VM (no LAN interfaces, WireGuard VPN tunnel 10.254.254.0/24)
Site B) Local VM (many interfaces and WireGuard tunnel 10.254.254.0/24)

In site A I have a public IP to reach the firewall, like x.x.x.x/32.

There's a tunnel working in WireGuard with the networks pinging each other: the tunnel IPs, and from site A to the machines behind the site B OPNsense, e.g. site A 10.254.254.1 can ping site B 10.10.1.2 (VM machine).

What I want to get working is that port 8080 of the public IP at site A reaches the machine 10.10.1.2 port 8080 on site B, which exposes for example a website.

x.x.x.x:8080 <--> 10.10.1.2:8080

Settings on site A:
interface: wan
tcp/ip: ipv4
protocol: tcp
destination: wan address
dest port range: 8080 to 8080
redirect target ip: 10.10.1.2
redirect target port: 8080
nat reflection: default

It's not working, or rather, I see the TCP/IP connection being established to the remote service/IP on 10.10.1.2 but the service does not reply.

Consider that the VM is in a network where a rule encapsulates the whole network traffic 10.10.1.0/24 -> any through the site-to-site tunnel, and then it goes to the internet without any problems. Basically, checking "what's my IP" from the VM, the remote website shows the Linode x.x.x.x public IP.

I hope I have explained it well enough for someone to understand and give me a tip to make this work.

The ABOVE was my problem, and now I will explain the solution, for me and for all, for the future.

Use Manual Rule Generation on outbound NAT, then:
Basically I fixed it by adding a NAT on site A, where I say the outbound interface WireGuard has to use its interface address, and on the NAT in site B, where I say outbound NAT, use interface address. That's all :)

Cheers!!!

March 17, 2023, 11:48:47 AM #1 Last Edit: March 17, 2023, 12:00:59 PM by chemlud
WireGuard traffic is UDP.

More likely than not the reply to your TCP initiation is routed out via WAN on site B. Did you check?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

March 17, 2023, 04:45:24 PM #2 Last Edit: March 17, 2023, 04:47:35 PM by cLordOmega
If I NAT an RDP connection, I connect to the site A public IP, and the connection arrives on the Windows machine on site B, as I see from the Performance Monitor. The only thing that's weird is that I see my public IP instead of some internal network IP as the source on Windows.

To understand better what I see:

Source 1.1.1.1 (my PC) to public site A IP 2.2.2.2 (public IP) port 3389 (site A tunnel IP 10.254.254.1/24)
Site B (10.254.254.254/24 tunnel IP) - 10.10.1.2 (Windows machine IP, site B)

On Resource Monitor I see a connection from my 1.1.1.1 to 10.10.1.2, and the RDP does not connect, as I bet something is missing to let packets get back? And this for me is weird.

Even ping is not UDP (the base for the tunnel that encapsulates all the others), it is ICMP, and it works correctly, as far as a traceroute shows packets from the site A shell going correctly through the WireGuard tunnel to the site B Windows machine.

Right now I do a NAT in site A to the router public IP on site B, then NAT to OPNsense, then another NAT to the Windows machine.


Quote from: cLordOmega on March 17, 2023, 04:45:24 PM
... i see my public ip instead some internal network IP as source on windows....

That's why the response of your Windows machine is routed out of your WAN.
kind regards
chemlud


OK. Fixed. I've updated the initial post.
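As an added illustration, not part of the thread and not OPNsense code, the following Python model shows chemlud's point (the reply to the forwarded TCP SYN is routed out of site B's WAN) and why the outbound NAT on site A's WireGuard interface described in the first post fixes it. The addresses are the ones the thread uses (1.1.1.1 client, 2.2.2.2 site A public IP, 10.254.254.1 site A tunnel IP, 10.10.1.2 server); site B's routing table and the translated source port are assumptions.

```python
"""Constructed model of the thread's asymmetric-routing problem (not OPNsense code).

Site A port-forwards 2.2.2.2:8080 to 10.10.1.2:8080 over the WireGuard tunnel;
site B chooses the egress interface of the reply by longest-prefix match.
"""
import ipaddress
from dataclasses import dataclass, replace

# Addresses as used in the thread; the translated source port is an assumption.
CLIENT, SITE_A_WAN, SITE_A_WG, SERVER = "1.1.1.1", "2.2.2.2", "10.254.254.1", "10.10.1.2"
SNAT_PORT = 40001

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

# Assumed site B routing table: tunnel prefix via wg0, LAN via lan, everything
# else (including the client's public IP) via the default route out of WAN.
SITE_B_ROUTES = [
    (ipaddress.ip_network("10.254.254.0/24"), "wg0"),
    (ipaddress.ip_network("10.10.1.0/24"), "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

def egress_interface(dst: str, routes=SITE_B_ROUTES) -> str:
    """Pick the egress interface by longest-prefix match, as a router does."""
    addr = ipaddress.ip_address(dst)
    return max((net.prefixlen, iface) for net, iface in routes if addr in net)[1]

def site_a_forward(pkt: Packet, outbound_nat: bool) -> Packet:
    """Port forward (DNAT) on site A's WAN; with outbound_nat the source is also
    rewritten to the WireGuard interface address, which is the fix in the thread."""
    if pkt.dst == SITE_A_WAN and pkt.dport == 8080:
        pkt = replace(pkt, dst=SERVER)
    if outbound_nat:
        pkt = replace(pkt, src=SITE_A_WG, sport=SNAT_PORT)
    return pkt

def connection_works(outbound_nat: bool) -> bool:
    """Follow SYN then SYN/ACK: the handshake only completes if the reply leaves
    site B through the tunnel, where site A holds the NAT state to undo the
    translation; a reply that leaves via site B's WAN reaches the client from an
    address it never contacted and is dropped."""
    syn = Packet(CLIENT, SITE_A_WAN, 51000, 8080)
    at_server = site_a_forward(syn, outbound_nat)
    reply = Packet(at_server.dst, at_server.src, at_server.dport, at_server.sport)
    return egress_interface(reply.dst) == "wg0"
```

Without outbound NAT the server's reply is addressed to 1.1.1.1 and follows site B's default route; with it the reply goes to 10.254.254.1 and re-enters the tunnel.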