Unbound wireguard client to openvpn

Started by systeme, July 10, 2024, 08:32:06 AM

Hi,

I have a problem and can't find any solutions.

Client Wireguard (Instance : 172.17.32.193/28) -------> Opnsense (LAN : 172.19.1.0/24) -------> OpenVPN (Tunnel Network : 172.28.0.0/16)

Part of my setup:

- 2x WAN
- IPSEC Connections (new method)
- WireGuard with multiple interfaces
- Wireguard Interface Rules has an ANY rule on WG0 (used for my test)
- VPN > OpenVPN > Servers (Legacy)

OpenVPN configuration :
Tunnel Network : 172.28.0.0/16
Local Nets : 172.19.1.0/24

The connection is present (VIP : 172.28.0.6) and I have an "OK" status in "Connection Status".

From Opnsense to VIP (OpenVPN):
The ping is OK from Opnsense without specifying a source.
The ping is OK when specifying 172.19.1.253 (GW LAN) as the source.

From WG Client to VIP (OpenVPN):
The ping is KO, and does not go through the WG tunnel.
I tried to create a SNAT rule (Firewall > Automation > Source NAT) specifying 172.19.1.253 as the translation address, but there seems to be a route problem.

How can I specify that the OPNsense needs the Wireguard Net as additional local network on the OpenVPN connection?

Thank you in advance for your help.

Just add it to the "Local Nets" field of the OpenVPN configuration. You can specify as many networks in there as necessary.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you for your reply, unfortunately I had already tried it and I've just done it, but it doesn't change anything.

For IPSec I had the same problem, which was solved by mentioning my WG instance in the SPD section and creating an entry in SNAT using the IP of my gateway on the LAN side for translation.

https://forum.opnsense.org/index.php?topic=41108.msg201474#msg201474

OpenVPN and IPsec work completely differently in that aspect.

What's in "AllowedIPs" in the WireGuard client settings?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Unique tunnel IP address WG, IPsec network, and I have added the OpenVPN "Tunnel Network".

Then use tcpdump to trace the packets as they enter through one tunnel and watch where they leave ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The ping from my WG peer doesn't go out and goes through my local IP instead of through the WG tunnel. If I force the ping on the WG tunnel interface, it doesn't work either.
So no packet received on my host with the OpenVPN client (during tcpdump).
However, I can ping the WG peer from the OpenVPN client...

Does anyone have any ideas? Thanks in advance.

Quote from: systeme on July 10, 2024, 04:01:36 PM
The ping from my WG peer doesn't go out and goes through my local IP instead of through the WG tunnel.
Double check if the destination IP is really part of the AllowedIPs on that end of the tunnel. Check the routing table. Type e.g. "wg" and check the output.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
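The check suggested above (is the destination covered by AllowedIPs on this end?) can be scripted. This is an added example, not code from the thread or from OPNsense: it parses the output of `wg show <iface> allowed-ips` (one line per peer: public key, a tab, then space-separated networks), finds the peer whose AllowedIPs covers a destination, and lists required networks that no peer covers. The sample output, peer key names and the 172.17.32.194 peer address are constructed for the example; the tunnel networks are the ones from this thread.

```python
import ipaddress

# Constructed sample of `wg show wg0 allowed-ips` output (keys are placeholders).
# It mirrors the situation in the thread: 172.29.0.0/16 is routed to a peer,
# the OpenVPN tunnel network 172.28.0.0/16 is not.
SAMPLE_WG_OUTPUT = (
    "PEER_KEY_PLACEHOLDER_1\t172.17.32.194/32 172.29.0.0/16\n"
    "PEER_KEY_PLACEHOLDER_2\t172.17.32.195/32\n"
    "PEER_KEY_PLACEHOLDER_3\t(none)\n"
)


def parse_allowed_ips(text):
    """Return {peer_key: [ip_network, ...]} from `wg show <iface> allowed-ips` output."""
    peers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, nets = line.partition("\t")
        # "(none)" is what wg prints for a peer with no AllowedIPs
        peers[key] = [ipaddress.ip_network(n, strict=False)
                      for n in nets.split() if n != "(none)"]
    return peers


def peer_for_destination(peers, dst):
    """Peer (key, network) whose AllowedIPs covers dst; longest prefix wins, None if uncovered."""
    addr = ipaddress.ip_address(dst)
    best = None
    for key, nets in peers.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (key, net)
    return best


def missing_networks(peers, required):
    """Required networks (e.g. the OpenVPN tunnel net) not inside any peer's AllowedIPs."""
    covered = [n for nets in peers.values() for n in nets]
    missing = []
    for r in (ipaddress.ip_network(x, strict=False) for x in required):
        if not any(c.version == r.version and r.subnet_of(c) for c in covered):
            missing.append(r)
    return missing


if __name__ == "__main__":
    peers = parse_allowed_ips(SAMPLE_WG_OUTPUT)
    print("172.28.0.6 ->", peer_for_destination(peers, "172.28.0.6"))
    print("missing:", [str(n) for n in missing_networks(peers, ["172.28.0.0/16"])])
```

On a live box, feed the function the real output of `wg show wg0 allowed-ips`; a destination that returns None will not enter the tunnel no matter what the firewall rules say.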

I have 2 opnsense (primary and slave) where this tunnel appears, but a different IP range for the "Virtual Network".
When I check with the keyword "wg" (primary), the route 172.28.0.0/16 is not listed, but my secondary's route 172.29.0.0/16 is.

Which I can't explain.

So I disabled the tunnel on the secondary and took its IP range 172.29.0.0/16 (Virtual Network) and put it on the primary.
The 172.29.0.0/16 range is indeed listed as "Allowed Address" on the WG side.

The ping from my WG peer comes out fine this time through the WG tunnel, so there's an improvement.
Since it goes through the tunnel, the ping appears in the Live View and is in "pass" status when I filter the Virtual IP of my OpenVPN client (172.29.0.6).
However, it doesn't reach the destination. I'm still looking for a solution.

Thanks for any help