
Routing wireguard


MrBieR:
Hi,

I'm having difficulty understanding how to set up the following with OPNsense.

I've a VPS (let's say it has public IP 1.1.1.1). On this VPS I run WireGuard (192.168.3.1).
I've an OPNsense instance running on my local network (Hyper-V, WAN, LAN, VLANs, tunnels etc.). One of the VPN tunnels is via WireGuard to this VPS. OPNsense has IP 192.168.3.2.

I want to host a webserver on my local LAN (192.168.1.1). This webserver has OPNsense as default gateway. I wish to route all HTTP/HTTPS traffic incoming on 1.1.1.1 to this webserver.
Easily done with port forwarding; however, now the source IP address for incoming HTTP/HTTPS requests is actually the IP of the WireGuard tunnel (192.168.3.1).
I've tried adding a floating rule saying outgoing HTTP/HTTPS traffic should override the gateway and use the WireGuard tunnel, but that doesn't seem to help.

[Internet(1.1.1.1)]VPS[Wireguard(192.168.3.1)] => [Wireguard(192.168.3.2)]OPNsense[LAN(192.168.1.254)] => [HTTP/HTTPS(192.168.1.1)]Webserver

Gauss23:
Do you have outbound NAT enabled along this path?

What do local and remote WireGuard have as allowed IPs?

MrBieR:
Outbound NAT: Hybrid (also tried adding a rule here...)

Interface LAN source 192.168.1.1 port 80/443 destination *
Translation/target wireguard interface address

WG:
OPNsense (endpoint): allowed IPs 0.0.0.0/0
VPS: allowed IPs 192.168.3.0/24, 192.168.1.0/24

On a side note: I've added the WireGuard interface and a gateway (192.168.3.1), and also added a manual route to the routing table: 192.168.3.1/32 via the WireGuard interface.

Gauss23:
Definitely no NAT on this path. You don't want to rewrite IPs.

The problem is: the packet from the WAN comes in at the VPS. The packet should be forwarded to the server on your LAN. If the source IP were not rewritten, the server on your LAN would answer the request through the wrong path, because it would answer to the WAN address directly, which your local OPNsense would route through the WAN port and not the WireGuard tunnel. Are you able to do a tcpdump on the WireGuard interfaces to find out at which point the source rewrite happens?

Firewall: Settings: Advanced
"Disable reply-to": what setting do you have right now on both boxes?

It could have something to do with:
Firewall: Settings: Advanced
"Network Address Translation", all 3 settings within that section could have something to do with that.

I hope someone else has an idea how to solve that.
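To make the return-path problem described above concrete, here is an added example (not from the thread or from OPNsense) that models the local firewall's routing decision for the reply to a DNAT'd request. The route table, the client address 203.0.113.7 and the flow records are constructed; "reply_to" stands for pf's behaviour of sending a state's replies back out the interface the request arrived on, as a simplification.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table of the local OPNsense, using the thread's addresses.
ROUTES = [
    ("0.0.0.0/0", "wan"),        # default route via the ISP
    ("192.168.1.0/24", "lan"),   # the web server lives here
    ("192.168.3.0/24", "wg0"),   # WireGuard transport network to the VPS
]


def lookup(dst):
    """Longest-prefix-match lookup: which interface does a plain FIB pick for dst?"""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


@dataclass(frozen=True)
class Flow:
    src: str        # source of the request as seen by the firewall
    dst: str        # DNAT'd destination (the web server)
    in_iface: str   # interface the request arrived on


def reply_iface(flow, reply_to):
    """Egress interface for the reply. With reply_to the reply follows the
    request back out its ingress interface; without it the reply is routed
    purely by destination, i.e. by the request's source address."""
    if reply_to:
        return flow.in_iface
    return lookup(flow.src)


CLIENT = "203.0.113.7"  # constructed public client address


def scenarios():
    # 1. VPS does DNAT only, real client IP preserved, request enters via wg0.
    plain = Flow(src=CLIENT, dst="192.168.1.1", in_iface="wg0")
    # 2. VPS additionally SNATs to its tunnel address, the real client IP is lost.
    snat = Flow(src="192.168.3.1", dst="192.168.1.1", in_iface="wg0")
    return {
        "dnat_no_reply_to": reply_iface(plain, reply_to=False),  # reply leaks out the WAN
        "dnat_reply_to": reply_iface(plain, reply_to=True),      # reply returns via the tunnel
        "snat_no_reply_to": reply_iface(snat, reply_to=False),   # works, but source IP is gone
    }
```

The first scenario is the asymmetric path Gauss23 describes; the third is why rewriting the source on the VPS "fixes" it at the cost of the client address.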

MrBieR:
OK, what you're saying makes sense, given the gateway it chooses to route traffic back (WAN). Hence my idea was to create a rule that would override the gateway for this specific port for this IP address.

On the VPS the port forward is done via:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:25

Then on OPNsense:
"Disable reply-to": unchecked. I only see one box, but all boxes in the UI in that section (Miscellaneous) are unchecked.
"Network Address Translation": only "Automatic outbound NAT for Reflection" is checked.

Interfaces > Diagnostics > Packet Capture > start capture for port 80, host address 192.168.1.1, interface: wireguard
Resulting packets:
Source: internet IP address of the HTTP request (correct!)
Destination: 192.168.3.2 (WireGuard interface on OPNsense).
and two retransmissions of the packet.

This seems fine... I've also tried VPS port forward to OPNsense, OPNsense port forward to webserver. Same result...
