NAT issues with wireguard and 25.1

Started by bobert, February 06, 2025, 09:12:47 PM

I'm experiencing an issue after updating to OPNsense 25.1, regarding external access to services through a WireGuard tunnel. I'm using Private Internet Access (PIA) and rely on their port forwarding feature.

Before the update, everything worked flawlessly. I use a script (https://github.com/FingerlessGlov3s/OPNsensePIAWireguard) to manage the WireGuard tunnel, automatically retrieve the assigned forwarded port from PIA, and dynamically configure the OPNsense firewall rules.

My primary issue is that Plex, which requires external access via the forwarded port from PIA, is no longer accessible. The script still appears to be functioning correctly: the tunnel establishes, the port is retrieved from PIA, and my NAT rule is in place to forward traffic on that port from the WireGuard interface (wg2) to my Plex server.

To troubleshoot, I've taken several steps to isolate the problem:

Replaced Plex with a Minimal Webserver: I set up a simple webserver and created a new NAT rule. I can see connections hitting the firewall logs on OPNsense, confirming that traffic is arriving at the correct port and being processed by the NAT rule. However, the webserver page fails to load in my client's browser. It just shows "site cannot be reached" or a similar error.

Confirmed Tunnel Integrity: The WireGuard tunnel itself seems stable, as other services that don't rely on port forwarding from PIA are working without issue. This suggests the core WireGuard connection is healthy.

Verified Firewall and NAT Rule Activity: As additional context, I've included screenshots of my NAT rule and the corresponding allow rule on the WireGuard interface. I've confirmed that both rules are active.

I have also included pictures of the firewall logs showing the incoming connection and it being redirected to the right IP/port.

I've captured packet traces on my WireGuard interface. These packet traces show that the TCP SYN packets from the external client reach the firewall via the WireGuard interface. However, despite this, a TCP connection cannot be established.

I've performed a rollback to OPNsense 24.7, and the issue is immediately resolved. After confirming functionality in 24.7, I re-upgraded to 25.1, and the problem reappears.

I'm including these sanitized packet traces and screenshots to provide as much detail as possible.
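A way to pin down where the handshake described above actually dies, as an added example that is not part of the original post or of the linked PIA script: it parses tcpdump text from two captures taken at the same time, one on the WireGuard interface and one on the inside interface facing the server, and reports the first hop of the SYN / SYN-ACK exchange that is missing. The client address, the tunnel address 10.4.0.2, the forwarded port 33877 and the server 192.168.1.50:32400 are assumed values used only for the constructed sample captures.

```python
"""Locate the hop at which a port-forwarded TCP handshake dies.

Added example, not from the original post or the linked PIA script. Feed it
`tcpdump -ni <if> -tt` output from the tunnel interface (wg2) and from the
inside interface, captured concurrently while a client connects. All addresses
and ports below are assumed values for the constructed samples.
"""
import re
from dataclasses import dataclass

# tcpdump line shape: "<ts> IP a.b.c.d.sport > e.f.g.h.dport: Flags [S], seq ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag string: "S" = SYN, "S." = SYN-ACK


def parse_capture(text: str) -> list[Pkt]:
    """Parse tcpdump text output; lines that are not TCP packets are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkts.append(Pkt(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return pkts


def _seen(pkts: list[Pkt], **want) -> bool:
    """True if any packet matches every given field."""
    return any(all(getattr(p, k) == v for k, v in want.items()) for p in pkts)


def diagnose(tunnel_capture: str, inside_capture: str, client: str,
             fwd_port: int, server: str, server_port: int) -> str:
    """Return the first missing stage of the handshake, or 'handshake_ok'."""
    tun = parse_capture(tunnel_capture)
    lan = parse_capture(inside_capture)
    # 1. Client SYN arrives through the tunnel on the forwarded port.
    if not _seen(tun, src=client, dport=fwd_port, flags="S"):
        return "no_syn_on_tunnel"                # provider port forward / tunnel
    # 2. The same SYN shows up inside with the translated destination.
    if not _seen(lan, src=client, dst=server, dport=server_port, flags="S"):
        return "syn_not_forwarded"               # rdr not matching or pass rule blocking
    # 3. The server answers with SYN-ACK on the inside interface.
    if not _seen(lan, src=server, sport=server_port, dst=client, flags="S."):
        return "no_synack_from_server"           # host firewall or service down
    # 4. Reverse translation applied (source is tunnel addr:fwd_port) and the
    #    SYN-ACK leaves via the tunnel rather than some other interface.
    if not _seen(tun, dst=client, sport=fwd_port, flags="S."):
        return "synack_not_returned_via_tunnel"  # reply routed out another interface
    return "handshake_ok"


# Assumed values for the constructed sample captures.
CLIENT, FWD_PORT = "203.0.113.10", 33877
TUNNEL_ADDR = "10.4.0.2"
SERVER, SERVER_PORT = "192.168.1.50", 32400

# Constructed captures reproducing the symptom: SYN seen on wg2, retransmitted,
# server replies on the inside, but nothing goes back out through the tunnel.
BROKEN_WG2 = """\
1738876000.100 IP 203.0.113.10.51234 > 10.4.0.2.33877: Flags [S], seq 1, win 64240, length 0
1738876001.100 IP 203.0.113.10.51234 > 10.4.0.2.33877: Flags [S], seq 1, win 64240, length 0
"""
BROKEN_LAN = """\
1738876000.101 IP 203.0.113.10.51234 > 192.168.1.50.32400: Flags [S], seq 1, win 64240, length 0
1738876000.102 IP 192.168.1.50.32400 > 203.0.113.10.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
"""

# Constructed captures for the working case: the SYN-ACK comes back out wg2.
OK_WG2 = """\
1738876000.100 IP 203.0.113.10.51234 > 10.4.0.2.33877: Flags [S], seq 1, win 64240, length 0
1738876000.103 IP 10.4.0.2.33877 > 203.0.113.10.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
"""
OK_LAN = BROKEN_LAN


if __name__ == "__main__":
    print("broken:", diagnose(BROKEN_WG2, BROKEN_LAN, CLIENT, FWD_PORT, SERVER, SERVER_PORT))
    print("ok:    ", diagnose(OK_WG2, OK_LAN, CLIENT, FWD_PORT, SERVER, SERVER_PORT))
```

To collect real input on the firewall, run `tcpdump -ni wg2 -tt 'tcp port <forwarded port>'` and `tcpdump -ni <inside interface> -tt 'tcp port <server port>'` in two shells while a client connects, then pass the two outputs to `diagnose`. A result of `synack_not_returned_via_tunnel` means the server did answer but the reply never left through the tunnel interface; with pf that is the situation the `reply-to` set on the state of the pass rule is meant to prevent, so checking the state with `pfctl -ss` and the pass rule's gateway/reply-to settings is the next step, whereas `syn_not_forwarded` points at the NAT rule or pass rule itself.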