Connecting to Wireguard through WAN IP from within LAN

Started by arbo, March 10, 2025, 05:13:37 AM

A few days ago I upgraded to Opnsense 25.1 from 24.x and my Wireguard access is not working as it was.

I have Wireguard set up in a Road Warrior style to allow my Android phone to connect to LAN services when away from home. External access through Wireguard is still working after the upgrade to 25.1.

What has changed though, is that my phone can no longer access LAN addresses through Wireguard when at home and connected to wifi. This was working fine under 24.x and earlier for several years.

The issue seems to relate to the Opnsense peer in my Wireguard app using my WAN IP as its endpoint. When I come home and join the LAN, my phone cannot seem to connect through the WAN IP. If I change the Opnsense peer endpoint to my local Opnsense IP (192.168.xx.1) I regain local access but of course I lose access away from home.

My reading indicates this may relate to NAT reflection but there's nothing related to that in the Road Warrior docs, and the settings in Firewall > Settings > Advanced didn't change anything.

I am struggling to debug this and provide logs because I can't see any sign of my phone traffic in the live firewall logs.

Does anyone have this working and can help me resolve it, or point me to how I might debug it?

Thanks :)


(PS: My wider network config is more complex, with selective routing, Mullvad and VLANs but I don't think they're involved with this problem)

In the WireGuard app on mobile, at least on iOS, you can exclude WiFi names so it will always connect to WireGuard on demand, except when one of the SSIDs is in the exclusion list. So you don't need to be going through the WireGuard interface at home.

Thanks, but I don't use iOS, and in any case I need to keep Wireguard active for an external connection to another VPN. I would like to figure out how to restore the behavior of 24.x where I could access Opnsense through the WAN IP from within the LAN.

It would be best to create an alias with a DDNS name for the WAN. The IP would work too.

Then create a port forward rule on the LAN: Source ANY, port ANY, destination WAN alias, port WireGuard; redirect to LAN IP, port WireGuard.

WireGuard from LAN works for me (through 25.1.3). There would need to be a firewall rule to allow it. Usually the "Default allow LAN to any rule" would cover it.

My guess is that you have some other rule on your LAN that is using a VPN (Mullvad?) gateway (or something), and that's catching the WG protocol. If so, create a new inbound rule at the top of LAN, with destination "WAN address", protocol UDP, port 51820 (or whatever you use), and make sure that Gateway is "default".
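The port forward from the earlier reply and the LAN allow rule from the last one, written out in pf syntax as an added illustration. This is not OPNsense's generated ruleset (OPNsense builds pf rules from the GUI settings); the interface names `lan` and `wan`, the LAN subnet `192.168.xx.0/24` and the gateway name `vpn_gw` are assumptions. `192.168.xx.1` is the OPNsense LAN address the thread mentions and 51820 is the port named in the last reply.

```pf
# Added illustration in pf syntax, not OPNsense's generated rules.
# Assumed interface names: lan, wan. Assumed LAN subnet: 192.168.xx.0/24.
# 192.168.xx.1 is the OPNsense LAN address from the thread; 51820 is the
# WireGuard port from the last reply.

# 1. Port forward ("NAT reflection" for the WireGuard port): a LAN host that
#    sends WireGuard traffic to the WAN address is redirected back to the
#    firewall's LAN address, so the phone can keep the WAN IP as its peer
#    endpoint while at home. "(wan)" means the WAN interface's current address,
#    which is what a WAN alias with a DDNS name resolves to in the GUI.
rdr on lan proto udp from lan:network to (wan) port 51820 -> 192.168.xx.1 port 51820

# 2. Filter rule matching the redirected packet (what "Default allow LAN to any"
#    normally covers). It is placed first and has no route-to gateway, which is
#    the "Gateway: default" point from the last reply.
pass in quick on lan proto udp from lan:network to 192.168.xx.1 port 51820 keep state

# 3. The kind of rule that, placed ABOVE rule 2, would swallow the handshake:
#    a policy-routing rule that pushes all LAN traffic out through a VPN gateway.
#    The WireGuard packet would then leave via the VPN instead of being
#    reflected, and nothing shows up as "blocked" in the live log because it
#    was passed, just to the wrong place. (vpn_gw and its address are placeholders.)
pass in quick on lan route-to (vpn_gw 10.0.0.1) from lan:network to any keep state
```

To check which rule actually matches on a box where these are loaded: `pfctl -sn` lists the active rdr rules and `pfctl -sr` the filter rules in order, and `tcpdump -ni lan udp port 51820` on the firewall shows whether the phone's handshake packets reach the LAN interface at all, which answers the "no sign of my phone traffic in the live logs" question before any rule is changed.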