OPNsense Forum » English Forums » Virtual private networks
Topic: Wireguard and CGNAT (Read 1041 times)
meni1234 (Newbie, Posts: 4, Karma: 0)
Wireguard and CGNAT « on: February 26, 2024, 11:46:11 am »
Hello folks
I use a virtual OPNsense in my Proxmox environment to manage my virtual routing. Since I am behind a CGNAT, I have to take a route via a VPS for services that are publicly accessible. Currently, I use a VPS with a public IP and establish a WireGuard connection to the OPNsense. Then I route the required ports such as 443 directly via WireGuard to my OPNsense with iptables. There, I route these ports to my VMs via NAT rules in OPNsense. I used SNAT to see the real IPs of the clients on the VMs.

This also works, but I have a problem: when I set up the WireGuard tunnel, the OPNsense then routes all IPv4 traffic via WireGuard, which causes problems. Local VMs can then no longer connect to the internet, and all traffic from the OPNsense is then routed via the VPS. I must specify 0.0.0.0/0 as the allowed IP, as all IPs are forwarded via SNAT. Does anyone have an elegant way to forward the required ports with the original IPs to my VMs via WireGuard without routing the entire IPv4 traffic via WireGuard?

One workaround is to run a separate VM for WireGuard, add my internal subnet as a static route and route directly via iptables, but then I can't get it to work so that I see the original IPs of the clients. Maybe someone has an idea?
Here are the routing rules on the VPS (PostUp/PostDown hooks of the wg-quick config):
# Forward between the public interface and the tunnel in both directions
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
# HTTPS: rewrite the destination of incoming TCP/443 to the OPNsense tunnel address;
# the client's source address is left untouched, so OPNsense sees the real client IP
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443 -j DNAT --to-destination 192.168.4.2
# Rewrite the source of everything leaving via eth0 to the VPS public IP (x.x.x.x = public_ip_vps)
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
# Remove the same rules again when the tunnel goes down
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
# HTTPS
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 443 -j DNAT --to-destination 192.168.4.2
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
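A worked example of both ends of this forwarding setup, added here as an illustration; it is not code from the post above and not an OPNsense feature. It is a POSIX shell script that prints the wg-quick PostUp/PostDown hooks for the VPS and for a Linux WireGuard peer on the home side (the separate-VM variant the post mentions). The interface names eth0 and wg0, the home peer tunnel address 192.168.4.2, the connmark value 0x51 and routing table 51 are assumptions. The home peer keeps AllowedIPs = 0.0.0.0/0 for the VPS peer, so WireGuard's cryptokey routing accepts packets from any client address, but sets Table = off so wg-quick installs no default route through the tunnel; replies are steered back into the tunnel per connection with a conntrack mark, and the host's normal default route stays on the LAN. This works when the replies pass back through that peer, i.e. the service runs on it or it is the default gateway of the VMs.

```shell
#!/bin/sh
# Added example (not from the forum post or OPNsense). Prints wg-quick [Interface]
# lines for both ends. Assumed names: public interface eth0 and tunnel wg0 on both
# hosts, home peer tunnel address given as an argument, connmark 0x51 / table 51.

# pair TABLE RULE: emit RULE as an -A line in PostUp and the matching -D line in PostDown
pair() {
    table="$1"; shift
    printf 'PostUp = iptables -t %s -A %s\n' "$table" "$*"
    printf 'PostDown = iptables -t %s -D %s\n' "$table" "$*"
}

# vps_hooks HOME_PEER PORT [PORT...]: hooks for the VPS side
vps_hooks() {
    peer="$1"; shift
    ports=$(IFS=,; echo "$*")
    echo "PostUp = sysctl -w net.ipv4.ip_forward=1"
    # DNAT rewrites only the destination; the client's source IP is kept, which is
    # exactly why the home side has to route the replies back into the tunnel
    pair nat "PREROUTING -i eth0 -p tcp -m multiport --dports $ports -j DNAT --to-destination $peer"
    # let only the DNAT'd connections into the tunnel, and only their replies out of it
    pair filter "FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports $ports -m conntrack --ctstate DNAT -j ACCEPT"
    pair filter "FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# home_hooks [MARK] [TABLE]: hooks for the Linux home peer; keep AllowedIPs = 0.0.0.0/0
# on its VPS peer entry so that packets from any client source IP are accepted
home_hooks() {
    mark="${1:-0x51}"; rt="${2:-51}"
    echo "Table = off"   # wg-quick installs no route for AllowedIPs; default route stays on the LAN
    # tag every connection that arrives through the tunnel (connection mark, not packet mark)
    pair mangle "PREROUTING -i wg0 -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark"
    # replies to tagged connections, forwarded from the LAN or generated locally, get the packet mark ...
    pair mangle "PREROUTING ! -i wg0 -m connmark --mark $mark -j CONNMARK --restore-mark"
    pair mangle "OUTPUT -m connmark --mark $mark -j CONNMARK --restore-mark"
    # ... and the packet mark selects a routing table whose only route is the tunnel
    echo "PostUp = ip rule add fwmark $mark lookup $rt"
    echo "PostDown = ip rule del fwmark $mark lookup $rt"
    echo "PostUp = ip route add default dev wg0 table $rt"
    echo "PostDown = ip route flush table $rt"
    # strict reverse-path filtering would drop packets with public source IPs arriving on wg0
    echo "PostUp = sysctl -w net.ipv4.conf.wg0.rp_filter=2"
}

# Example invocation with assumed values: publish TCP 443 and 80 to home peer 192.168.4.2
vps_hooks 192.168.4.2 443 80
echo
home_hooks
```

The VPS FORWARD chain here admits only the DNAT'd connections into the tunnel and only their replies out of it, instead of accepting everything in both directions as the posted rules do; the POSTROUTING SNAT is not needed for the port forward itself, because conntrack already restores the VPS address on the replies. On an OPNsense/pf router the counterpart of the connmark rules is pf's reply-to, which sends replies out of the interface they arrived on.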