Wazuh Agent plug-in over IPsec

Started by felixote, June 04, 2025, 01:48:06 PM

Hi all,

@Moderator: Apologies if this is not the right sub-forum, I did my best to make a logical choice. Please move this topic if incorrect.

In our environment, we use Wazuh as our SIEM solution. All systems have the Wazuh agent installed and are successfully communicating with Wazuh. This includes our OPNsense DEC2687 firewall, which also runs the Wazuh agent plug-in and reports correctly.

At a secondary site, we are using an OPNsense DEC677 firewall. Both locations are connected with IPsec tunnels. However, when installing and configuring the Wazuh agent plug-in on the DEC677, we encounter some issues. The agent cannot reach the Wazuh server, because it routes through the WAN interface instead of routing through the IPsec tunnel. Any other device on this network does route through IPsec and can reach the Wazuh server.

The Wazuh documentation does not provide clear guidance on how to force the agent to use a specific interface/address, such as the IPsec tunnel, or how to set a specific source IP for outgoing traffic. From what I could gather, the agent uses the system's default routing table, which in this case defaults to the WAN interface.

My question:
What is the best way to configure the Wazuh agent on the DEC677 to ensure it communicates with the Wazuh-server over the IPsec tunnel?

Any suggestions or best practices would be highly appreciated.
Thanks in advance!


The trick is to create a Gateway with the interface IP address of one of the networks that is allowed to go through the tunnel.

So e.g. if your LAN network is allowed to go through the IPsec tunnel, and it has the IP address 192.168.1.1, create this as a gateway.

Then afterwards, create a static route that defines the remote network on the other side of the IPsec tunnel, and choose the gateway you just created.

This will force traffic initiated by the firewall to follow the routing table to reach the remote IPsec network.
Hardware:
DEC740
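Added illustration of why the gateway-plus-static-route trick works (my own model, not code from the thread, from OPNsense or from Wazuh). A policy-based IPsec tunnel only encapsulates packets whose source and destination fall inside a phase-2 selector pair. Traffic the firewall itself originates takes the default route out of WAN and is stamped with the WAN address, which is outside the "local network" selector, so the packet never enters the tunnel; the static route via the LAN-address gateway makes the kernel pick the LAN interface and its address as source, which does match. All addresses below (203.0.113.2 on WAN, 192.168.1.1 on LAN, a manager at 192.168.2.10 behind a 192.168.1.0/24 <-> 192.168.2.0/24 phase 2) are constructed for the example, not the poster's.

```python
"""Model of FreeBSD route selection + policy-based IPsec selector matching.

Added example (assumptions: the lab addresses below are constructed; the
kernel's real routing and SPD code is not reproduced, only its decision).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    addr: IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str                 # interface the packet leaves on
    via: Optional[str] = None  # next hop; None means directly connected


@dataclass(frozen=True)
class Phase2:
    local: IPv4Network         # "local network" selector of the phase-2 entry
    remote: IPv4Network        # "remote network" selector


# Constructed lab addresses (assumption, not the thread's real network).
IFACES: Dict[str, Interface] = {
    "wan": Interface("wan", ip_address("203.0.113.2")),
    "lan": Interface("lan", ip_address("192.168.1.1")),
}
WAZUH_MANAGER = "192.168.2.10"   # assumed manager address at the remote site

# Only LAN <-> remote LAN is allowed through the tunnel, as in the thread.
POLICIES: List[Phase2] = [
    Phase2(ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")),
]

# Routing table before the fix: remote site only reachable via the default.
ROUTES_BEFORE: List[Route] = [
    Route(ip_network("0.0.0.0/0"), "wan", via="203.0.113.1"),  # default route
    Route(ip_network("203.0.113.0/30"), "wan"),
    Route(ip_network("192.168.1.0/24"), "lan"),
]

# After the fix: a "gateway" at the LAN interface address and a static route
# for the remote network pointing at it.
ROUTES_AFTER: List[Route] = ROUTES_BEFORE + [
    Route(ip_network("192.168.2.0/24"), "lan", via="192.168.1.1"),
]


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match over the table, like the kernel's route lookup."""
    target = ip_address(dst)
    candidates = [r for r in routes if target in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def source_address(route: Route) -> IPv4Address:
    """Locally originated packets get the address of the outgoing interface."""
    return IFACES[route.iface].addr


def spd_match(src: IPv4Address, dst: IPv4Address) -> bool:
    """Policy-based IPsec: encapsulate only if src/dst hit a selector pair."""
    return any(src in p.local and dst in p.remote for p in POLICIES)


def simulate(routes: List[Route], dst: str = WAZUH_MANAGER) -> dict:
    route = lookup(routes, dst)
    src = source_address(route)
    return {
        "iface": route.iface,
        "via": route.via,
        "src": str(src),
        "tunneled": spd_match(src, ip_address(dst)),
    }


def before() -> dict:
    """Agent traffic with the stock routing table: leaves WAN, not tunneled."""
    return simulate(ROUTES_BEFORE)


def after() -> dict:
    """Agent traffic with the static route: LAN source, matches phase 2."""
    return simulate(ROUTES_AFTER)


if __name__ == "__main__":
    print("without static route:", before())
    print("with static route:   ", after())
```

On the real box the same decision can be checked with `route -n get <manager-ip>`, which prints the interface the kernel picked for that destination, and `setkey -DP`, which lists the installed IPsec policies; the source address shown by the former has to fall inside the "local network" of a policy shown by the latter. The remote side also has to permit the firewall's LAN address as a source, which it does here because 192.168.1.1 lies inside the phase-2 local network.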

Thank you so much for your quick response, that was exactly the solution we needed!
Really appreciate your help and clear explanation!

No problem, this is a case quite a few people trip over all the time.

Other examples are using Unbound over the IPsec tunnel, or having authentication servers like LDAP on a remote server.

This trick solves it all.

Have a good day :)
Hardware:
DEC740