[solved] rsync through wireguard and iptables

Started by Z0idberg, January 04, 2021, 01:32:51 PM

January 04, 2021, 01:32:51 PM Last Edit: January 04, 2021, 06:42:29 PM by Z0idberg
Hi everyone,

I am not completely sure whether this topic belongs here, as it is probably not the fault of WireGuard.

I have the following issue:

I connected two local networks through wireguard. Network A has OPNSense and the "wg-server". Network B has a raspberry pi behind a router with the "wg-client" and iptables to route the traffic.

One key thing I want to do with this setup is to push backups through rsync in both directions.

The basics work well: traffic is routed (I think) correctly in both directions. I can reach the machines in both networks from both sides. But one thing just does not want to work...

Here the problem:

I can backup with rsync from Network B to network A - no problem. I also can use rsync to backup from Network A to the raspberry pi in network B.

But:

  • I cannot use rsync to transfer the backup from network A to the synology box or any other pc in network B.
  • It only transfers tiny files (like a few KB), but any larger file will not be transferred and rsync gets stuck and eventually times out.
  • Also an NFS share can be mounted, but larger files cannot be transferred.
  • This I tried with multiple machines on both networks - no luck, unless the target is the raspberry pi itself.
Thus, I suspect iptables to be the bad guy here.

Any suggestions to fix this would be really appreciated. Also I do not find any really helpful log messages that could indicate the problem. Therefore, hints to track down the issue would already be very helpful.

Thank you so much in advance!

Best,

Thorsten


Raspi connected to WAN or LAN interface of OPNsense?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

The raspi is connected to a router (fritzbox) as LAN device. The raspi connects to the OPNSense through WAN.

The VPN connection itself works.

Just transfer of larger files in one direction does not work, like: linux machine -> opnsense (network a) -> wg tunnel through WAN -> router network b (fritzbox) -> raspi (wg client) -> other linux machine.

The same transfer in exactly the opposite direction works fine.

Maybe as a note: I did not do any port forwarding in network B. So far, I thought that is not needed.

https://forum.opnsense.org/index.php?topic=15900.0

The packets leaving the OPNsense via WAN go directly to the gateway in WAN (not to any clients in the WANnet), unless you do some fine tuning...
kind regards
chemlud

Indeed this sounds like this problem.

As transfer from the network b to network a (with opnsense as fw) works well, but the other way round does not work, where do I have to change things?

I disabled the reply-to rule in the opnsense as indicated in the link, but it does not work.

To my pretty limited knowledge that also should not work, because the issue that the answer is going a different route is on the side of network b (the one without opnsense). Does that sound right?

And if so, do you have any idea where to start to fix this? Is there something in iptables to change?

It might be the exact wording of your allow rule(s) for packets entering from WAN. We had a case recently that had to use the "WANnet" as source (from drop down menu for "source") and "LANnet" as target together with the disabled "reply-to".
kind regards
chemlud

Ah, you mean I should use a separate rule? I disabled "reply-to" completely in the firewall advanced settings. So, an additional rule is still needed?

Just for clarification: When you talk about WAN, you really mean WAN? Because the traffic should be routed through WG (wireguard net). And as far as I can tell, this works more or less fine, probably with the exception of the "reply-to" topic.

Another clarification: You think this problem is on the OPNSense side? Because from the second network to the OPNSense network all traffic and connections are fine. Also the connection from the OPNSense network to the specific wg-client works perfectly fine. Only connections from the OPNSense network to a client that is routed through the wg-client (raspi) do not work.

To me (and my very limited knowledge) this sounds like something like the reply-to policy is not working properly on the raspi in the second network rather than on the OPNSense?

Sorry for the thousand questions and clarifications. I am still far from being an expert in these topics :(

I finally got it solved:

In the outbound NAT rule, I accidentally had as source "any" instead of "WG net".

Now everything seems to work flawlessly.

That gave me such headaches...
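An added example for the Linux side of this setup (the "wg-client" Raspberry Pi with iptables); it is not code from the thread or from any of the posters. The thread's fix was a NAT rule whose source was "any" instead of the tunnel net; the same mistake on the Pi would be a MASQUERADE rule without `-s`, so the script below builds a forwarding and NAT ruleset scoped to the remote site and adds an audit that reads `iptables-save` output and flags any POSTROUTING NAT rule not restricted to a source prefix, which is the kind of check the first post asks for when there are no useful log messages. Interface names (`wg0`, `eth0`) and the remote prefix `10.10.0.0/24` are assumptions. The MSS clamp is added because "small files pass, large files stall" is also the classic tunnel MTU symptom, and clamping rules that out cheaply; it is not something the thread established.

```shell
#!/bin/sh
# Added example, not from the thread: firewall rules for a Linux WireGuard
# "wg-client" (like the Raspberry Pi in network B) that forwards a remote
# site into its LAN, plus an audit that flags NAT rules with an "any"
# source. Interface names and prefixes are assumptions; adjust to your site.
set -eu

WG_IF="${WG_IF:-wg0}"                    # WireGuard interface on the client (assumed)
LAN_IF="${LAN_IF:-eth0}"                 # interface towards the local LAN (assumed)
REMOTE_NET="${REMOTE_NET:-10.10.0.0/24}" # LAN behind OPNsense at site A (assumed)

# Run iptables, or just print the command line when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else iptables "$@"; fi
}

# Forward between tunnel and LAN, and NAT only traffic that came in through
# the tunnel from the remote site. A MASQUERADE rule without -s (source "any")
# would also rewrite the LAN's own traffic leaving this box, which is the
# Linux analogue of the over-broad outbound NAT rule fixed in the thread.
wg_client_rules() {
    ipt -A FORWARD -i "$WG_IF" -o "$LAN_IF" -s "$REMOTE_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WG_IF" -d "$REMOTE_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$REMOTE_NET" -o "$LAN_IF" -j MASQUERADE
    # Clamp TCP MSS on forwarded SYNs to the path MTU so large transfers do
    # not stall on oversized segments inside the tunnel (MTU check, assumed
    # useful here rather than proven by the thread).
    ipt -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Read iptables-save output on stdin; print every POSTROUTING MASQUERADE/SNAT
# rule that is not restricted to a source prefix and exit 1 if any was found.
nat_rules_scoped() {
    awk '
        /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ {
            scoped = 0
            for (i = 1; i <= NF; i++)
                if ($i == "-s" && $(i + 1) != "0.0.0.0/0") scoped = 1
            if (!scoped) { print "unscoped NAT rule: " $0; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

case "${1:-}" in
    apply) wg_client_rules ;;
    audit) iptables-save -t nat | nat_rules_scoped ;;
    *) ;;
esac
```

Run `DRY_RUN=1 sh wg-client-fw.sh apply` to see the rules it would add without touching the kernel, `sh wg-client-fw.sh apply` as root to install them, and `sh wg-client-fw.sh audit` on an existing box to list any NAT rule that applies to every source. On the OPNsense side the equivalent check is reading the outbound NAT rule's source column and making sure it names the WireGuard net rather than "any".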