OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 23.7 Legacy Series »
  • [Solved] NAT through wireguard tunnel
« previous next »
  • Print
Pages: [1]

Author Topic: [Solved] NAT through wireguard tunnel  (Read 1625 times)

sebclem

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
[Solved] NAT through wireguard tunnel
« on: January 05, 2024, 11:09:52 am »
Ok so, I'm having issues with my setup, this is some context:
I have my homelab with a 4G router, so no static public IP.
But I rent a dedicated server with 2 public IP.
I have a Site2Site Wireguard setup that work perfectly.

This is a quick summary of my network:
Code: [Select]
10.23.0.0/24 : Homelab
10.100.0.0/24: Wireguard Tunel
10.90.0.0/24 : Dedicated server
The issues start now:
I have created a NAT rule on the WAN address in my dedicated server:
Code: [Select]
Interface: WAN
...
Destination: 178.xx.251.xx (My second public configured as Virtual IP)
Dest ports: 80,443
Redirect target IP: 10.23.0.36 (My HAProxy on my Homelab network)
...

But this seams to not work, I get a time out.
After some debug with packet capture, it seams that my HAproxy VM try to reply using the WAN of my homelab instead to go through the Wireguard tunnel.
Is there any way to prevent that ?
« Last Edit: January 05, 2024, 03:02:57 pm by sebclem »
Logged

doktornotor

  • Hero Member
  • *****
  • Posts: 709
  • Karma: 70
    • View Profile
Re: NAT through wireguard tunnel
« Reply #1 on: January 05, 2024, 01:08:35 pm »
Quote from: sebclem on January 05, 2024, 11:09:52 am
I have created a NAT rule on the WAN address in my dedicated server:

Why?
Logged

sebclem

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
Re: NAT through wireguard tunnel
« Reply #2 on: January 05, 2024, 02:16:06 pm »
I thought this was the way to go actually.

I'm trying to expose my HAProxy in my homelab server via my public IP in my dedicated server, is there another way to do this ?
Logged

shadesh

  • Newbie
  • *
  • Posts: 41
  • Karma: 2
  • What?
    • View Profile
Re: NAT through wireguard tunnel
« Reply #3 on: January 05, 2024, 02:32:33 pm »
Try to add a SNAT Rule on the dedicated to be inside the 10.90.0.0/24, if this net is included in the wireguard tunnel, it should work. Because now it seems that the public client ip from the request goes into the tunnel. You have to translate the request into something "private" which is included in the tunnel.
Logged

sebclem

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
Re: NAT through wireguard tunnel
« Reply #4 on: January 05, 2024, 03:02:14 pm »
Quote from: shadesh on January 05, 2024, 02:32:33 pm
Try to add a SNAT Rule on the dedicated to be inside the 10.90.0.0/24, if this net is included in the wireguard tunnel, it should work. Because now it seems that the public client ip from the request goes into the tunnel. You have to translate the request into something "private" which is included in the tunnel.

Oh thank you, it's working now !

I have added a outbound rules like this to only "translate" request coming from WAN:
Code: [Select]
Interface: WGS2S
Source address: ! 10.90.0.0/24, 10.101.0.0/24 (Another VPN tunnel for clients)
Destination: 10.23.0.36/32
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 23.7 Legacy Series »
  • [Solved] NAT through wireguard tunnel
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2