Cannot get x-forwarded-for WireGuard client IP from LAN.

Started by shadowv3, April 22, 2024, 01:17:00 AM

I have a web server and a VPN with WireGuard. The configuration is as follows. The issue is that from the web server (10.4.250.1), I see '10.0.0.4' (internal WAN IP) and I should be able to see '10.0.2.11'. How can I achieve this?

Thank you!


WireGuard doesn't rewrite HTTP headers. For header rewrites you need a reverse proxy most of the time.

You should give some more information about your setup and what you expect.
Hardware:
DEC740

Sure, what I need is to be able to audit the external IPs (WAN-Internet or WAN-WireGuard) making requests on the web server. For this purpose, I need the web server (LAN - 10.4.250.1) to recognize that the request is coming from the WireGuard client (10.0.2.11) rather than the WAN interface of OPNsense (10.0.0.4). The base configuration of OPNsense is built upon the OpnAzure project (https://github.com/dmauser/opnazure). Perhaps something like IP forwarding is needed? I'm not sure.

Subnets:
- 10.0.0.4 (WAN - Untrusted)
- 10.0.1.4 (WAN - Trusted)
- 10.0.2.0/24 (WireGuard network)
- 10.4.0.0/16 (Services network)

I can access the WireGuard client 10.0.2.11 correctly from 10.4.0.0/16, and from this client, I can also access the service subnet (10.4.0.0/16) correctly.

Many thanks!
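The second reply points out that only a reverse proxy would add an X-Forwarded-For header, and the poster's goal is to audit the real client address. If a proxy is put in front of the web server for that purpose, the server must only believe the header when the TCP peer is the proxy, and must read the hops from the right, because anything a client puts in the header itself is attacker-controlled. The following is an added example written for this thread, not code from the thread or from OPNsense; it assumes a hypothetical reverse proxy at 10.4.250.2 (a constructed address) forwarding to the web server, and uses only the Python standard library.

```python
import ipaddress

# Assumption (constructed for this example): the reverse proxy that is allowed
# to set X-Forwarded-For lives at 10.4.250.2. Any other peer is treated as a
# direct client and its header is ignored.
TRUSTED_PROXIES = [ipaddress.ip_network("10.4.250.2/32")]


def _is_trusted(addr: str, trusted) -> bool:
    """True if addr belongs to one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff_header: str, trusted=TRUSTED_PROXIES) -> str:
    """Return the address to record in the audit log.

    remote_addr: the TCP peer of the connection (what the web server sees itself).
    xff_header:  the raw X-Forwarded-For value, or "" if absent.

    Rules:
      * If the peer is not a trusted proxy, the header is untrusted and the
        peer address is the client, full stop.
      * Otherwise walk the comma-separated hops from the right (the proxy
        appends the address it saw to the end) and skip every hop that is
        itself a trusted proxy. The first hop that is not a trusted proxy is
        the client. Hops further to the left were supplied by that client or
        by something in front of it and are never trusted.
      * An empty, malformed or all-trusted header falls back to the peer
        address rather than to a value a client could have chosen.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in xff_header.split(",")] if xff_header else []
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop walking; do not guess further left.
            return remote_addr
        if not _is_trusted(hop, trusted):
            return hop
    return remote_addr


def audit_line(method: str, path: str, remote_addr: str, xff_header: str) -> str:
    """Format one audit record using the resolved client address."""
    return f"client={client_ip(remote_addr, xff_header)} peer={remote_addr} {method} {path}"


if __name__ == "__main__":
    # Constructed sample requests, as the web server would see them.
    samples = [
        # WireGuard client reaches the web server directly and spoofs a header.
        ("GET", "/admin", "10.0.2.11", "203.0.113.5"),
        # Same client, but through the reverse proxy which appended its address.
        ("GET", "/admin", "10.4.250.2", "203.0.113.5, 10.0.2.11"),
        # Through the proxy with no header at all (proxy misconfigured).
        ("GET", "/", "10.4.250.2", ""),
    ]
    for method, path, peer, xff in samples:
        print(audit_line(method, path, peer, xff))
```

The first sample is the case that matters for auditing: a client talking to the server directly can write anything into X-Forwarded-For, so the recorded address stays the peer (10.0.2.11) and the spoofed 203.0.113.5 is discarded. The second shows the proxied case where the rightmost untrusted hop is the real client. Note that this only helps once a reverse proxy is in the path; it does not change what the web server sees at the IP layer, which is the question the rest of the thread is about.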

I'm still not sure I understand it correctly, but you might need a policy-based VPN for that.

Right now, WireGuard is run in routed mode. But you can also run WireGuard without a transfer network to directly connect two networks with each other.

You do that by not specifying a "Tunnel Address" in "Instances" on both sides, and in "Allowed IPs" use only the networks that should be routed through this tunnel. (Imagine IPsec Policy Based VPN)
Hardware:
DEC740