Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Wireguard Split Tunnel between two Wireguard VPN Servers.
« previous
next »
Print
Pages: [
1
]
Author
Topic: Wireguard Split Tunnel between two Wireguard VPN Servers. (Read 2712 times)
Orest
Newbie
Posts: 3
Karma: 0
Wireguard Split Tunnel between two Wireguard VPN Servers.
«
on:
April 02, 2020, 06:38:13 am »
Hi there!
I first want to express my deepest gratitude to this community and the OPNsense project. With the help of the documentation, community and colleagues in IT, I have been able to move from a Linksys Velop router to a completely virtualized network environment with two OPNSense Firewalls, one being an Edge Firewall, and the second an Internal Firewall, with the potential for a DMZ between the two. Don't have plans there but wanted the option. So my thanks goes out to all of you for your contributions to the community that helped me put this together. My understanding of Networking has increased exponentially because of all the resources out there, including here.
Anyway, so here is my endeavor.
On my internal firewall, I have two Wireguard Servers. My first one is a server to connect to my internal network, a 10.9.0.1/24 network (server IP is 10.9.0.1). My second one is a server to connect to an external VPN provider, in this case Mullvad, where I tunnel all of my network traffic through it (technically two of my networks, not my IOT network due to streaming concerns). It has an IP of 10.70.75.225.
Before I spun up the second server, I had no problems connecting to my internal network. But now, when the second server is up (Mullvad VPN), I cannot connect to my internal network with my first wireguard server. My troubleshooting shows that the wireguard packets reach the server, and leave it as well. Initially, my thoughts were that the wireguard packets left through the VPN, and didn't reach back to my mobile device, and did not establish the connection.
With that thought, I set up an Outbound NAT rule. This rule translated my second wireguard server IP, to my WAN Address (in this case, its an RFC1918 IP, 192.168.1.200). This then leaves via the Edge Firewall back to its origin (My mobile device). However, in doing that, I still do not establish a wireguard connection. It looks like the rule fails when I set my target port to the same port it came in on (55820), but when I leave it to any target port, the rule is executed, but it still fails the wireguard connection.
But, when I shut off the second wireguard server, the first one works again successfully.
Here is some sample firewall logs of what happens in different scenarios.
Scenario 1: First Wireguard Server is running, Second one is not.
Interface: WAN | <- | Source: 192.168.1.200:55820 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP
This is what I have been trying to reproduce, while the second server is up, to see if I can establish a successful connection.
Scenario 2: First Wireguard Server is running, Second one is also running, No Outbound NAT.
Interface: wg1 | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP
Scenario 3: First Wireguard Server is running, Second one is also running, Outbound NAT with target port any
Interface: wg1 | <- | Source: 192.168.1.200:15728 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP
Scenario 4: First Wireguard Server is running, Second one is also running, Outbound NAT with target port 55820
Interface: wg1 | <- | Source: 10.70.75.225:55820 | Destination: 174.200.0.20:10350 | UDP
Interface: WAN | -> | Source: 174.200.0.20:10350 | Destination: 10.9.0.1:55820 | UDP
At the end of the day, what I am trying to accomplish is have both VPNs working. I want the first wireguard server to connect me to my internal network, and the second wireguard server to route all my internet bound traffic out through it.
I hope I have provided enough information, and that I didn't confuse anyone. I am not a network pro either, so if I messed up any terminology, I apologize.
Thanks in advance, I appreciate any help I get.
- Orest
«
Last Edit: April 02, 2020, 06:41:12 am by Orest
»
Logged
Orest
Newbie
Posts: 3
Karma: 0
Re: Wireguard Split Tunnel between two Wireguard VPN Servers.
«
Reply #1 on:
April 11, 2020, 02:05:42 am »
Hi Everyone!
For anyone who is curious, I was not able to resolve this issue exactly with two wireguard servers. However, I was able to get it working with the one wireguard sever I had initially. I just added the outbound vpn as a peer to the one wireguard server. Leaving my existing ruleset and modifying my outbound NAT for vpn network to go out through the peer got it working as expected. So now I could login to my network remotely, have my internet traffic go out the vpn, and access my internal network.
If anyone has any questions about this, feel free to message me!
All the best,
Orest
Logged
curioustech
Newbie
Posts: 16
Karma: 2
Re: Wireguard Split Tunnel between two Wireguard VPN Servers.
«
Reply #2 on:
April 12, 2020, 12:09:19 am »
I have exactly the same issue as you have described.
I have posted my outbound rule configuration and firewall blocking my WG client connection in post below.
https://forum.opnsense.org/index.php?topic=16667.msg75866#msg75866
If you kindly share your NAT outbound rule configuration, I would appreciate.
Thank you.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Wireguard Split Tunnel between two Wireguard VPN Servers.