[Solved] NAT through wireguard tunnel

Started by sebclem, January 05, 2024, 11:09:52 AM

January 05, 2024, 11:09:52 AM Last Edit: January 05, 2024, 03:02:57 PM by sebclem
Ok so, I'm having issues with my setup; here is some context:
I have my homelab behind a 4G router, so no static public IP.
But I rent a dedicated server with 2 public IPs.
I have a Site2Site Wireguard setup that works perfectly.

This is a quick summary of my network:

10.23.0.0/24 : Homelab
10.100.0.0/24: Wireguard Tunnel
10.90.0.0/24 : Dedicated server

The issues start now:
I have created a NAT rule on the WAN address in my dedicated server:

Interface: WAN
...
Destination: 178.xx.251.xx (My second public IP, configured as a Virtual IP)
Dest ports: 80,443
Redirect target IP: 10.23.0.36 (My HAProxy on my Homelab network)
...


But this seems not to work; I get a timeout.
After some debugging with packet capture, it seems that my HAProxy VM tries to reply using the WAN of my homelab instead of going through the Wireguard tunnel.
Is there any way to prevent that?

Quote from: sebclem on January 05, 2024, 11:09:52 AM
I have created a NAT rule on the WAN address in my dedicated server:

Why?

I thought this was the way to go actually.

I'm trying to expose the HAProxy in my homelab via the public IP of my dedicated server; is there another way to do this?

Try to add an SNAT rule on the dedicated server so the source is inside 10.90.0.0/24; if this net is included in the WireGuard tunnel, it should work. Because right now it seems that the public client IP from the request goes into the tunnel. You have to translate the request into something "private" which is included in the tunnel.

Quote from: shadesh on January 05, 2024, 02:32:33 PM
Try to add an SNAT rule on the dedicated server so the source is inside 10.90.0.0/24; if this net is included in the WireGuard tunnel, it should work. Because right now it seems that the public client IP from the request goes into the tunnel. You have to translate the request into something "private" which is included in the tunnel.

Oh thank you, it's working now!

I have added an outbound rule like this to only "translate" requests coming from WAN:

Interface: WGS2S
Source address: ! 10.90.0.0/24, 10.101.0.0/24 (Another VPN tunnel for clients)
Destination: 10.23.0.36/32
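The following is an added example, not code from this thread or from OPNsense, that models why shadesh's SNAT suggestion works and why the final outbound rule exempts 10.90.0.0/24 and 10.101.0.0/24. It is a small routing simulation: the dedicated server applies the port forward (and optionally the outbound NAT), then the homelab firewall does a longest-prefix lookup on HAProxy's reply to see which interface it leaves by. Networks are those given in the thread; the client address 203.0.113.10, the VIP stand-in 178.0.251.1 (for 178.xx.251.xx), the dedicated server's tunnel address 10.100.0.1, and the assumption that 10.101.0.0/24 is also routed over the tunnel are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the topology in this thread. Networks are the ones the
# poster gave; the client address 203.0.113.10, the VIP 178.0.251.1 (stand-in for
# 178.xx.251.xx) and the tunnel address 10.100.0.1 are assumptions.
VIP = "178.0.251.1"
HAPROXY = "10.23.0.36"
WG_IFACE_ADDR = "10.100.0.1"  # assumed: dedicated server's address on the WG tunnel

Route = Tuple[ipaddress.IPv4Network, str]

# Routing table of the homelab firewall: default route out the 4G WAN; the
# tunnel net, the dedicated server's LAN and (assumed) the client VPN via WireGuard.
HOMELAB_ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan_4g"),
    (ipaddress.ip_network("10.23.0.0/24"), "lan"),
    (ipaddress.ip_network("10.100.0.0/24"), "wg"),
    (ipaddress.ip_network("10.90.0.0/24"), "wg"),
    (ipaddress.ip_network("10.101.0.0/24"), "wg"),  # assumed: reachable via the tunnel
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: return the egress interface the table picks for dst."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def dnat(pkt: Packet) -> Packet:
    """Port forward on the dedicated server's WAN: VIP -> HAProxy (ports omitted)."""
    return Packet(pkt.src, HAPROXY) if pkt.dst == VIP else pkt


def outbound_nat(pkt: Packet) -> Packet:
    """Outbound NAT on WGS2S as in the last post: source NOT in 10.90.0.0/24 or
    10.101.0.0/24, destination 10.23.0.36/32, translated to the interface address."""
    src = ipaddress.ip_address(pkt.src)
    exempt = [ipaddress.ip_network("10.90.0.0/24"), ipaddress.ip_network("10.101.0.0/24")]
    if any(src in net for net in exempt):
        return pkt                      # already a tunnel-reachable source, leave it
    if pkt.dst == HAPROXY:
        return Packet(WG_IFACE_ADDR, pkt.dst)
    return pkt


def reply_egress(client_ip: str, with_snat: bool) -> Optional[str]:
    """Follow a client's packet to HAProxy and return the interface the homelab
    firewall chooses for HAProxy's reply."""
    pkt = dnat(Packet(client_ip, VIP))
    if with_snat:
        pkt = outbound_nat(pkt)
    reply = Packet(pkt.dst, pkt.src)    # HAProxy answers whatever source it saw
    return lookup(HOMELAB_ROUTES, reply.dst)


if __name__ == "__main__":
    for client in ("203.0.113.10", "10.101.0.5"):
        for snat in (False, True):
            print(f"client {client:13} snat={snat!s:5} reply leaves via {reply_egress(client, snat)}")
```

Without the outbound rule the reply to the public client matches only the default route and leaves over the 4G WAN, which is the asymmetric path the packet capture showed; with it, HAProxy replies to 10.100.0.1 and the tunnel carries the answer back to the dedicated server, which undoes the translation. The exemption keeps 10.90.0.0/24 and 10.101.0.0/24 sources untouched because their replies already route into the tunnel. One consequence worth knowing: after SNAT, HAProxy sees the tunnel address as the client, so per-client logs or ACLs on the homelab side no longer see the real public source address.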