[Solved] Port forward in a WireGuard tunnel to another site

Started by loic, August 09, 2022, 11:15:23 PM

Hi,

I have an OPNsense instance in the cloud (Site B) and an OPNsense at home (Site A) that are connected by a WireGuard VPN.

OPNsense (Site B)
WAN IP : 10.250.100.24/22
WG IP : 10.100.100.2/22
OPNsense (Site A)
WAN IP : 192.168.1.1/24
LAN IP : 10.69.60.1/22
WG IP : 10.100.100.1/22
Webserver
IP : 10.69.60.1/22
Diagram : https://i.imgur.com/zHkWOn7.png

To do this I created a WireGuard site-to-site VPN; the web server can ping the WAN of OPNsense (Site B) and vice versa.

I want to host a web server on my local network, so I redirect port 9999 of OPNsense (Site B) to my web server IP 10.69.60.1 on port 80, going through the tunnel.
Example:
OPNsense (Site B) => WireGuard tunnel => OPNsense (Site A) => Webserver
But OPNsense (Site A) does not receive the packets.


When I look at the logs of OPNsense (Site A) I see nothing, not even in a packet capture; I think the packets are not being forwarded, so they must be blocked at OPNsense (Site B).

NAT: Port Forward, OPNsense (Site B):
https://i.imgur.com/avsbmXd.png

Routes status, OPNsense (Site B):
https://i.imgur.com/C3OxVKp.png

Logs, OPNsense (Site B):
https://i.imgur.com/lMnQi21.png

Interface wan, OPNsense (Site B):
https://i.imgur.com/2BB1l7k.png

Interface wg0, OPNsense (Site B):
https://i.imgur.com/VwtbHmG.png

The problem is the same in reverse:
OPNsense (Site A) => WireGuard tunnel => OPNsense (Site B) => Web server

Why are the packets blocked? Have I missed a step?

You don't list your allowed IPs on both ends of the tunnel?

Hi,

Endpoint on Site A
Name             : TO_CLOUD
Endpoint Address : IP_CLOUD_PUBLIC
Allowed IPs      : 10.100.100.1/22,10.250.100.24/22

Endpoint on Site B
Name             : TO_HOME
Endpoint Address : IP_HOME_PUBLIC
Allowed IPs      : 10.100.100.2/22,10.69.60.1/22

Edit:

I replaced OPNsense (Site B) with a Linux server running WireGuard and it works.
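One thing worth checking with a setup like the one described in this thread is WireGuard's cryptokey routing, which the "allowed IPs on both ends" reply points at. AllowedIPs does two jobs: on the sending side it decides which peer (if any) a destination is encrypted to, and on the receiving side a decrypted packet is only delivered if its inner source address is inside the sending peer's AllowedIPs; otherwise WireGuard discards it before the firewall sees it, so nothing shows in the firewall log or in a packet capture on the far side. The script below is an added example and is not code from the thread, from OPNsense or from WireGuard. It takes the two AllowedIPs lists exactly as posted, walks one port-forwarded packet from an internet client through Site B into the tunnel and checks it against Site A, then checks where the web server's reply would be routed. The client address 203.0.113.5 is constructed, and the "outbound NAT on wg0" variant is a hypothetical extra rule used only to show the difference it makes.

```python
from ipaddress import ip_address, ip_network

# AllowedIPs exactly as posted in the thread. WireGuard ignores host bits,
# so 10.69.60.1/22 means the whole 10.69.60.0/22 prefix.
SITE_A_PEERS = {"TO_CLOUD": "10.100.100.1/22,10.250.100.24/22"}
SITE_B_PEERS = {"TO_HOME": "10.100.100.2/22,10.69.60.1/22"}

CLIENT_IP = "203.0.113.5"      # constructed: an internet client hitting Site B WAN:9999
WEBSERVER_IP = "10.69.60.1"    # from the thread: the port forward's DNAT target
SITE_B_WG_IP = "10.100.100.2"  # from the thread: Site B's tunnel address


def parse_allowed_ips(spec):
    """Split a comma-separated AllowedIPs string into network prefixes."""
    return [ip_network(e.strip(), strict=False) for e in spec.split(",") if e.strip()]


def peer_table(peers):
    """Map peer name -> list of allowed prefixes for one WireGuard interface."""
    return {name: parse_allowed_ips(spec) for name, spec in peers.items()}


def select_peer(dst, peers):
    """Outbound cryptokey routing: longest-prefix match over every peer's
    AllowedIPs. Returns the peer name, or None when no peer claims dst, in
    which case the packet never enters the tunnel at all."""
    dst = ip_address(dst)
    best_name, best_len = None, -1
    for name, nets in peer_table(peers).items():
        for net in nets:
            if dst in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def accepts_source(src, peer_name, peers):
    """Inbound cryptokey routing: a decrypted packet from peer_name is handed
    to the network stack only if its source address lies inside that peer's
    AllowedIPs. Otherwise WireGuard drops it silently (no firewall log)."""
    src = ip_address(src)
    return any(src in net for net in peer_table(peers)[peer_name])


def trace_forward(client_ip, dnat_target, outbound_nat_src=None):
    """Follow one port-forwarded packet Site B -> tunnel -> Site A, plus its reply.

    outbound_nat_src: hypothetical extra rule on Site B that source-NATs traffic
    leaving wg0 to this address; when None, the client's address is preserved.
    """
    result = {}
    # 1. Site B DNATs WAN:9999 to dnat_target:80 and must find a peer for it.
    result["site_b_peer"] = select_peer(dnat_target, SITE_B_PEERS)
    if result["site_b_peer"] is None:
        result.update(tunnel_src=None, site_a_accepts=False, reply_via=None)
        return result
    # 2. Without outbound NAT the inner source is still the client's public IP.
    result["tunnel_src"] = outbound_nat_src or client_ip
    # 3. Site A checks that inner source against its TO_CLOUD peer's AllowedIPs.
    result["site_a_accepts"] = accepts_source(result["tunnel_src"], "TO_CLOUD", SITE_A_PEERS)
    # 4. The web server replies to tunnel_src; Site A sends that reply back into
    #    the tunnel only if one of its peers' AllowedIPs covers the address.
    result["reply_via"] = select_peer(result["tunnel_src"], SITE_A_PEERS) or "default route (WAN)"
    return result


if __name__ == "__main__":
    for label, snat in (("no outbound NAT on wg0", None),
                        ("outbound NAT to Site B WG IP", SITE_B_WG_IP)):
        print(label, "->", trace_forward(CLIENT_IP, WEBSERVER_IP, snat))
```

With the AllowedIPs as posted, Site B does pick peer TO_HOME for 10.69.60.1, so the outbound half is fine. The inner source is the part to look at: with no NAT on wg0 the packet reaches Site A from 203.0.113.5, which is inside neither 10.100.100.0/22 nor 10.250.100.0/22, so Site A's WireGuard drops it without a trace, and even if it were accepted the reply would leave via Site A's default route instead of the tunnel. Source-NATing to 10.100.100.2 makes both checks pass. The thread never states what the final fix was, so treat this as one check to run, not as the diagnosis; the same functions can be pointed at any other AllowedIPs strings.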