
WireGuard & Port Forwarding


SomethingOrOther:
Hello,

I have a strange port forwarding issue.

I'm running two OPNsense routers cascaded together. I know, it's not recommended, but that's the setup I need to work with.

So the WAN IP from the 2nd OPNsense is on the first one's LAN. And everything works.

Initially I was doing double NAT on router 2, but I created a static route on router 1 to reach the networks on router 2. It worked, all good. Disabled Outbound NAT on router 2. Added NAT rules for that traffic on router 1. All good. Everyone can access everything they need to access, according to their firewall rules. Great.

But, on router 2, I have a couple of OpenVPN servers, an IPSec server and a WireGuard "server" running as well. To access these from the outside, I need to set up port forwarding rules. I set up the rules on router 1 like this:

Source: Any / Destination: WAN Address / Source Ports: Any / Destination Port: whatever port the server runs on / NAT IP: IP of the server / NAT Ports: whatever port the server runs on.

And this automatically adds the corresponding Firewall rule on WAN.

So, for OpenVPN & IPSec, it just works. I can connect without issue from outside and access everything the firewall rules allow me to access. But for WireGuard, the traffic doesn't return to the appropriate host and I can't access anything from my client device (no Internet, no local networks). The handshake never completes. I can see the WireGuard instance on router 2 receives the incoming packets but I assume it can't send them back using the appropriate route.

If I do a "double port forward", meaning from router 1 I forward the outside traffic to the LAN IP which is router 2's WAN IP, and then on router 2 forward that traffic to the actual host on router 2, everything works. But if I don't do the double port forward and set the single port forward up as I did with OpenVPN & IPSec, it breaks.

I can see from the Firewall logs that neither router 1 nor router 2 is blocking the WireGuard traffic. I can see the traffic being passed in the logs. But I think it doesn't understand where to send the packets back and that's why it fails.

But I'm pretty much at a loss as to how to figure out where the traffic is going and what I need to do for it to route properly.

Any help would be appreciated - even just hints would be great.

Apologies in advance if I forgot to add important information. Just ask me and I will provide whatever is needed.

Cheers
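As an added example (not code from the thread, and not part of OPNsense): a small offline checker that takes UDP packet lines, in the style of tcpdump -n output, captured on router 1's WAN and LAN interfaces and reports, per port-forward rule, whether the reply path is symmetric: the inbound packet arrives on WAN, the translated copy leaves on LAN towards the NAT IP, the reply comes back on LAN from that same NAT IP and port, and the un-translated reply leaves on WAN. The addresses, ports, the "wan"/"lan" prefix on each line and the verdict names are all my own assumptions; the sample capture is constructed so that the OpenVPN forward is symmetric and the WireGuard reply arrives at router 1's LAN from router 2's WAN address instead of from the NAT IP, which is one pattern worth ruling out. It is not a claim about what actually happens in the poster's setup.

```python
import re
from dataclasses import dataclass

# Constructed topology for this example (not the poster's real addresses):
# router 1 WAN 203.0.113.10, router 1 LAN 192.168.1.0/24 with router 2's WAN
# at 192.168.1.2, and the VPN servers on 10.10.0.5 behind router 2.
R1_WAN = "203.0.113.10"
FORWARDS = {             # router 1 port-forward rules: WAN port -> NAT IP (inner host)
    1194: "10.10.0.5",   # OpenVPN over UDP (assumed port)
    51820: "10.10.0.5",  # WireGuard (assumed port)
}

# Constructed capture: each line is a "tcpdump -n" style UDP line, prefixed by
# hand with the router 1 interface it was taken on ("wan" or "lan").
CAPTURE = """\
wan IP 198.51.100.7.40000 > 203.0.113.10.1194: UDP, length 54
lan IP 198.51.100.7.40000 > 10.10.0.5.1194: UDP, length 54
lan IP 10.10.0.5.1194 > 198.51.100.7.40000: UDP, length 66
wan IP 203.0.113.10.1194 > 198.51.100.7.40000: UDP, length 66
wan IP 198.51.100.7.51000 > 203.0.113.10.51820: UDP, length 148
lan IP 198.51.100.7.51000 > 10.10.0.5.51820: UDP, length 148
lan IP 192.168.1.2.51820 > 198.51.100.7.51000: UDP, length 92
"""

LINE_RE = re.compile(
    r"^(?P<iface>wan|lan)\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+UDP"
)


@dataclass(frozen=True)
class Pkt:
    iface: str
    src: str
    sport: int
    dst: str
    dport: int


def parse(capture: str):
    """Turn the prefixed tcpdump lines into Pkt records; other lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Pkt(m["iface"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts


def check_forward(pkts, port):
    """Classify the four legs of one forwarded UDP flow and return counts plus a verdict."""
    inner = FORWARDS[port]
    inbound = [p for p in pkts if p.iface == "wan" and p.dst == R1_WAN and p.dport == port]
    clients = {(p.src, p.sport) for p in inbound}          # who we expect replies to go to
    translated = [p for p in pkts if p.iface == "lan" and p.dst == inner and p.dport == port]
    reply_inner = [p for p in pkts if p.iface == "lan" and (p.dst, p.dport) in clients
                   and p.src == inner and p.sport == port]  # reply that will match the rdr state
    reply_other = [p for p in pkts if p.iface == "lan" and (p.dst, p.dport) in clients
                   and not (p.src == inner and p.sport == port)]  # reply from the wrong source
    egress = [p for p in pkts if p.iface == "wan" and (p.dst, p.dport) in clients
              and p.src == R1_WAN and p.sport == port]     # reply un-translated back to WAN IP
    if not inbound:
        verdict = "no-inbound"
    elif not translated:
        verdict = "not-forwarded"
    elif reply_inner and egress:
        verdict = "ok"
    elif reply_inner:
        verdict = "reply-not-untranslated"   # came back on LAN but never left on WAN
    elif reply_other:
        verdict = "asymmetric-reply"         # reply from a source/port pf has no state for
    else:
        verdict = "no-reply"
    return {"port": port, "inbound": len(inbound), "translated": len(translated),
            "reply_from_inner": len(reply_inner), "reply_from_other": len(reply_other),
            "egress": len(egress), "verdict": verdict,
            "other_sources": sorted({f"{p.src}:{p.sport}" for p in reply_other})}


def report(capture: str):
    """Run check_forward for every port-forward rule; returns {port: result}."""
    pkts = parse(capture)
    return {port: check_forward(pkts, port) for port in FORWARDS}


if __name__ == "__main__":
    for port, r in report(CAPTURE).items():
        print(f"udp/{port}: {r['verdict']}  (in={r['inbound']} fwd={r['translated']} "
              f"reply_inner={r['reply_from_inner']} reply_other={r['reply_from_other']} "
              f"egress={r['egress']} other={r['other_sources']})")
```

To feed it real data, run something like `tcpdump -ni <wan-if> udp port 51820` and `tcpdump -ni <lan-if> udp port 51820` on router 1 while the client attempts a handshake, prefix each saved line with `wan` or `lan`, and compare the verdict for the WireGuard port with the one for a forward that works. The interesting part is which leg is missing: a reply from a different source address or port tells you the inner host (or router 2) is answering from somewhere the port-forward state on router 1 does not cover, while a reply that reaches LAN from the right source but never leaves WAN points at state or NAT handling on router 1 itself.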

mimugmail:
It seems the pf code and WireGuard interfaces don't like each other. Had a similar issue with another guy and Mullvad.

SomethingOrOther:
Not the resolution I was hoping for, but at least I know it isn't me... Thanks.

sashxp:
I think I was the guy with WG and Mullvad - here is my thread: https://forum.opnsense.org/index.php?topic=17973.0

Did you try 20.7 Beta? Perhaps the issue is fixed there?

SomethingOrOther:
Hey there,

Thanks for chiming in.

I'm not in a position where I can install a beta on these systems. So I haven't tried that, no. But, in my opinion, it would have more to do with the WireGuard package than OPNsense itself.

I'm no expert, but there has to be something different in how WireGuard routes traffic. The port forward & firewall rules I've set up are correct (as far as OpenVPN, IPSec and anything else) - just not WireGuard. So I'm at a complete loss.

As far as your case is concerned, are you cascading routers or is it just a "regular" port forward that you can't get to work?
