Separate WG-Server behind OPNsense - Rules & Routing

Started by Neurothiker, April 03, 2025, 04:22:03 PM

Team,

I'm looking for the correct routing and ruleset for accessing an internal WG server.

The structure is as follows:

Modem[Internet](192.168.y.1) <-> [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1) <-> Router(192.168.x.11) <-> WG-Server(10.xyz.1)[PORT:ppp]

Pass rule for the WAN interface to allow connections to the Wireguard port
Firewall: Rules: WAN
    Action: Pass
    Interface: WAN / Internet?
    Direction: in
    TCP/IP version: IPv4
    Protocol: UDP
    Source: any
    Destination: Internet address
    Destination port: ppp

Port Forward rule to forward incoming connections from WAN port to the Wireguard server port
Firewall: NAT: Port Forward
    Interface: WAN / Internet?
    TCP/IP: IPv4
    Protocol: UDP
    Destination: WAN address / Internet address?
    Destination port range: ppp
    Redirect target IP: 192.168.x.11[Router]
    Redirect target port: ppp
 
 
Firewall: NAT: Outbound
    Interface = Internet
    TCP/IP Version = IPv4
    Protocol = UDP
    Source address = 192.168.x.11
    Source Port: ppp
    Destination: any
    Translation/target = Interface address

Where is the error or is a routing still missing?

Thank you.

Quote from: Neurothiker on April 03, 2025, 04:22:03 PM
Pass rule for the WAN interface to allow connections to the Wireguard port
Firewall: Rules: WAN
    Action: Pass
    Interface: WAN / Internet?
    Direction: in
    TCP/IP version: IPv4
    Protocol: UDP
    Source: any
    Destination: Internet address
    Destination port: ppp
The destination has to be the secondary router's IP 192.168.x.11, since this is what pfSense forwards the traffic to.

Why don't you just use "add associated filter rule" in Port Forwarding? Then OPNsense would create the correct rule automatically.

Quote from: Neurothiker on April 03, 2025, 04:22:03 PM
Firewall: NAT: Outbound
    Interface = Internet
    TCP/IP Version = IPv4
    Protocol = UDP
    Source address = 192.168.x.11
If using automatic outbound NAT mode OPNsense should have added a rule for the source of the LAN subnet automatically. This should include 192.168.x.11.

April 03, 2025, 05:44:16 PM #2 Last Edit: April 03, 2025, 08:28:02 PM by Neurothiker
Quote from: viragomann on April 03, 2025, 05:29:08 PM
Why don't you just use "add associated filter rule" in Port Forwarding? Then OPNsense would create the correct rule automatically.


If using automatic outbound NAT mode OPNsense should have added a rule for the source of the LAN subnet automatically. This should include 192.168.x.11.

Thanks for responding.

I have now set up the Port Forwarding rule again and OPNsense created the FW rule for WAN automatically! - Are the rules correct?

Modem[Internet](192.168.y.1)  <->  [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1)  <->  Router(192.168.x.11)  <->  WG-Server(10.xyz.1)[PORT:ppp]
Firewall: NAT: Port Forward
    Interface: WAN / Internet?
    TCP/IP: IPv4
    Protocol: UDP
    Destination: Internet address
    Destination port range: ppp
    Redirect target IP: 192.168.x.11[Router]
    Redirect target port: ppp

Firewall: Rules: WAN
    Action: Pass
    Interface: WAN / Internet?
    Direction: in
    TCP/IP version: IPv4
    Protocol: UDP
    Source: any
    Destination: 192.168.x.11[Router]
    Destination port: ppp

I activated the Hybrid mode for Firewall: NAT: Outbound and can't see an automatically generated rule...
1. Why not?
2. If manually generated, is it correct?
Firewall: NAT: Outbound
    Interface = Internet
    TCP/IP Version = IPv4
    Protocol = UDP
    Source address = 192.168.x.11
    Source Port: ppp
    Destination: any
    Translation/target = Interface address

Thanks

Are you really trying to VPN in through 3 layers of NAT? Modem + OPN + Router?

You shouldn't have to create explicit rules for outbound NAT for this scenario.
That was the 2nd part of the first reply.
I ran a simpler form of this as a test a few weeks back (edge-OPN - internal-OPN-Wireguard-Server) and I did NOT have to mess with outbound NAT on either.

Quote from: EricPerl on April 03, 2025, 08:35:38 PM
Are you really trying to VPN in through 3 layers of NAT? Modem + OPN + Router?

You shouldn't have to create explicit rules for outbound NAT for this scenario.
That was the 2nd part of the first reply.
I ran a simpler form of this as a test a few weeks back (edge-OPN - internal-OPN-Wireguard-Server) and I did NOT have to mess with outbound NAT on either.


Thank you for your dedicated feedback.

Since your "solution support" is rather limited to accusations and "I solved it differently" maybe you can kindly give me specific hints on my architecture to solve my problem...I can NOT rebuild the architecture right now and I know that OPNsense provides a WG on its own.

Since I am neither a product owner of OPNsense nor a network architect, I have come to the forum in the expectation of a support with "my" problem.


Thank you

There is no "team" here. This is a community forum. Users helping but also discussing things with users. So while Eric is not offering much help, it is also his prerogative to question your general approach. If that is not changeable for reasons outside your control, just say so. I did not read his reply as particularly condescending or lecturing or some such.

I can get to writing a more helpful answer tomorrow latest, possibly tonight even, but for now I still have some work to do so please have patience.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on April 03, 2025, 09:23:55 PM
I can get to writing a more helpful answer tomorrow latest, possibly tonight even, but for now I still have some work to do so please have patience.

Thank you for your reply.
Please take your time, I have not questioned this either!

April 03, 2025, 09:43:57 PM #7 Last Edit: April 03, 2025, 09:46:17 PM by Patrick M. Hausen
OK, that went faster than expected. So let's do some community work ;-)

Modem[Internet](192.168.y.1) <-> [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1) <-> Router(192.168.x.11) <-> WG-Server(10.xyz.1)[PORT:ppp]

1. Get the network structure and routing right - you probably did that already?

- add 192.168.x.11 as a gateway in OPNsense
- add a static route for 10.xyz.0/24 (?) via that gateway

Can you ping the WG server from OPNsense? Before that works, no use doing anything else. The WG server needs a default route to that internal router. The internal router needs a default route to OPNsense.

2. Inbound port forwarding

The rules you outlined in your first post look correct - "ppp" is 51820 or similar I suppose? And make sure it's UDP!

3. Outbound NAT

OPNsense only automatically does NAT for connected networks, not for ones reached via static routes. Minor drawback.

I prefer full control and set NAT > Outbound as "manual". Hybrid is also possible, but I'll go with manual for now.

- create a firewall alias named "internal networks" or similar. Type "network(s)", add all internal networks you want NATed - that's at least 192.168.x.0/24 and 10.xyz.0/24 (?)
- create a rule: interface WAN, source "internal networks", NAT to "interface address"

4. Depending on what you want to do add your WG network

If the network inside the WG tunnel should be using OPNsense for outbound Internet access etc.

- create another static route on OPNsense for the WG tunnel network via the internal router
- create a static route on the internal router for that same tunnel network pointing to the WG gateway
- add the WG tunnel network to the "internal networks" alias for NAT

That should do it.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

April 03, 2025, 09:53:52 PM #8 Last Edit: April 03, 2025, 10:06:45 PM by Neurothiker
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
OK, that went faster than expected. So let's do some community work ;-)

Modem[Internet](192.168.y.1) <-> [WAN](192.168.y.2)OPNsense[LAN](192.168.x.1) <-> Router(192.168.x.11) <-> WG-Server(10.xyz.1)[PORT:ppp]

1. Get the network structure and routing right - you probably did that already?

- add 192.168.x.11 as a gateway in OPNsense
- add a static route for 10.xyz.0/24 (?) via that gateway

Can you ping the WG server from OPNsense?

Currently not, because the OPNsense gateway cannot find the WG server.

PING 10.xyz.1 (10.0.49.1) 56(84) bytes of data.
From OPNsense Gateway (Internet (opt3) pppoe0) icmp_seq=1 Destination Net Unreachable

This is the situation before I will start to follow your instructions above.

Update_1:
Setup Gateway and routing --> ping works!

April 03, 2025, 10:27:04 PM #9 Last Edit: April 03, 2025, 10:34:13 PM by Neurothiker
Quote from: Patrick M. Hausen on April 03, 2025, 09:43:57 PM
If the network inside the WG tunnel should be using OPNsense for outbound Internet access etc.

- create another static route on OPNsense for the WG tunnel network via the internal router
- create a static route on the internal router for that same tunnel network pointing to the WG gateway
- add the WG tunnel network to the "internal networks" alias for NAT

That should do it.

Please excuse another question of understanding:

The WG server has already had 7 clients set up from the past.
What exactly may I understand by your instructions, please:
- create another static route on OPNsense for the WG tunnel network via the internal router
                  - add 192.168.x.11 as a gateway in OPNsense
                  - add a static route for 10.xyz.0/24 (?) via that gateway
          --> isn't it the same???
- create a static route on the internal router for that same tunnel network pointing to the WG gateway - should I set up the WG server (49.xyz) as a gateway as well???
- add the WG tunnel network to the "internal networks" alias for NAT

Thank you

Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.

OK, of course there are the client-IPs...for each client-IP a route?!

April 03, 2025, 10:54:34 PM #12 Last Edit: April 03, 2025, 11:00:10 PM by Neurothiker
Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.
The old setup of WG server and client still established.
WG-Server: 10.xyz.1/24, DNS is the current internal router.

Did it. All client IPs now have routes to the internal router (192.xyz.11).

"- create a static route on the internal router for that same tunnel network pointing to the WG gateway"
I didn't set up a WG gateway in OPNsense, or does it mean to set up the internal router to WG 10.xyz.1/24?

Quote from: Neurothiker on April 03, 2025, 10:35:35 PM
Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.

OK, of course there are the client-IPs...for each client-IP a route?!

Just one route for the entire /24. Not each client individually.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Neurothiker on April 03, 2025, 10:54:34 PM
Quote from: Patrick M. Hausen on April 03, 2025, 10:32:31 PM
Those clients have IP addresses in WireGuard that are probably not mentioned in your first diagram. OPNsense needs to know about that network, too. Unless the WG server performs NAT for the clients dialling in.

Did it. All client IPs now have routes to the internal router (192.xyz.11).

"- create a static route on the internal router for that same tunnel network pointing to the WG gateway"
I didn't set up a WG gateway in OPNsense, or does it mean to set up the internal router to WG 10.xyz.1/24?

Gateways are always locally connected. OPNsense needs routes to the WG gateway network (10.something) and the WG tunnel network with the clients. Both routes pointing to that .11 router connected to OPNsense.

That router in turn needs to know about the tunnel/client network.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
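The four steps in Patrick's post #7 (gateway and static route, port forward with associated filter rule, manual outbound NAT with an "internal networks" alias, routes for the tunnel network on both routers) and the follow-up in #14 (the inner router must also know the tunnel network) can be checked with a small hop-by-hop model. This is an added example, not OPNsense code and not posted by anyone in the thread. The thread's placeholders are replaced with assumed values: x=1, y=0, ppp=51820, the WG server's LAN 10.0.49.0/24 (10.0.49.1 appears in the ping output above), a separate WG tunnel/client network 10.0.50.0/24, and 10.0.49.254 as the inner router's address on the WG server's LAN. The model encodes two pf facts the thread relies on: port-forward (rdr) translation happens before the WAN filter rule is matched, so the pass rule must name the redirect target, and automatic outbound NAT only covers directly connected networks, not statically routed ones.

```python
"""Hop-by-hop model of the routing, port-forward and outbound-NAT decisions in this thread.

Added example; not OPNsense code and not posted by anyone in the thread.
ASSUMED concrete values for the thread's placeholders: x=1, y=0, ppp=51820,
the WG server's LAN 10.0.49.0/24, a tunnel/client network 10.0.50.0/24 and
10.0.49.254 as the inner router's address on the WG server's LAN.
"""
from ipaddress import ip_address, ip_network

WAN_IP, LAN_IP = "192.168.0.2", "192.168.1.1"            # OPNsense WAN / LAN
INNER_ROUTER, INNER_ROUTER_WGSIDE = "192.168.1.11", "10.0.49.254"
WG_SERVER, WG_PORT = "10.0.49.1", 51820
INTERNAL_NETWORKS = ("192.168.1.0/24", "10.0.49.0/24", "10.0.50.0/24")  # the NAT alias
NEXT_HOP_OWNER = {"192.168.0.1": "modem", LAN_IP: "opnsense", INNER_ROUTER: "inner",
                  INNER_ROUTER_WGSIDE: "inner", WG_SERVER: "wg"}


def tables(opn_static=True, inner_static=True):
    """Routing tables as (prefix, next_hop, iface); next_hop None means directly connected."""
    opn = [("192.168.0.0/24", None, "wan"), ("192.168.1.0/24", None, "lan"),
           ("0.0.0.0/0", "192.168.0.1", "wan")]
    inner = [("192.168.1.0/24", None, "lan"), ("10.0.49.0/24", None, "wgnet"),
             ("0.0.0.0/0", LAN_IP, "lan")]
    wg = [("10.0.49.0/24", None, "eth0"), ("10.0.50.0/24", None, "wg0"),
          ("0.0.0.0/0", INNER_ROUTER_WGSIDE, "eth0")]
    if opn_static:      # steps 1 and 4: both 10.x networks via the .11 gateway
        opn += [("10.0.49.0/24", INNER_ROUTER, "lan"), ("10.0.50.0/24", INNER_ROUTER, "lan")]
    if inner_static:    # post #14: the inner router must also know the tunnel network
        inner.append(("10.0.50.0/24", WG_SERVER, "wgnet"))
    return {"opnsense": opn, "inner": inner, "wg": wg}


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop, iface) or None."""
    best = None
    for prefix, next_hop, iface in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def trace(dst, tabs, start="opnsense"):
    """Follow forwarding decisions device by device until delivered, lost or looping."""
    hops, dev = [start], start
    for _ in range(8):                                   # loop guard
        route = lookup(tabs[dev], dst)
        if route is None:
            return hops, "no route at " + dev
        _, next_hop, iface = route
        if next_hop is None:
            return hops, "delivered via %s/%s" % (dev, iface)
        dev = NEXT_HOP_OWNER[next_hop]
        hops.append(dev)
        if dev == "modem":                               # private destination handed upstream
            return hops, "sent to default gateway"
    return hops, "routing loop"


def inbound_wan(dst_ip, dst_port, proto, filter_dst):
    """pf applies rdr before the filter: the WAN pass rule sees the translated destination."""
    if (dst_ip, dst_port, proto) == (WAN_IP, WG_PORT, "udp"):
        dst_ip, dst_port = INNER_ROUTER, WG_PORT
    return dst_ip, dst_port, filter_dst in (dst_ip, "any")


def outbound_nat(mode, src, dst, routes, alias=()):
    """Automatic mode translates only directly connected non-WAN networks;
    a manual/hybrid rule translates whatever the alias lists."""
    route = lookup(routes, dst)
    if route is None or route[2] != "wan":
        return src                                       # not leaving via WAN: untouched
    s = ip_address(src)
    if mode == "automatic":
        connected = [ip_network(p) for p, nh, i in routes if nh is None and i != "wan"]
        return WAN_IP if any(s in n for n in connected) else src
    return WAN_IP if any(s in ip_network(n) for n in alias) else src


if __name__ == "__main__":
    print(trace(WG_SERVER, tables(opn_static=False)))        # the failed ping from post #8
    print(trace("10.0.50.7", tables(inner_static=False)))    # inner router lacks the route
    print(trace("10.0.50.7", tables()))
    print(inbound_wan(WAN_IP, WG_PORT, "udp", WAN_IP), inbound_wan(WAN_IP, WG_PORT, "udp", INNER_ROUTER))
    opn = tables()["opnsense"]
    print(outbound_nat("automatic", "10.0.50.7", "203.0.113.10", opn),
          outbound_nat("manual", "10.0.50.7", "203.0.113.10", opn, INTERNAL_NETWORKS))
```

Without the static route on OPNsense, a packet for 10.0.49.1 matches only the default route and is handed to the modem, which is the failure from post #8. With the OPNsense route but no matching route on the inner router, the tunnel network bounces between the two routers (a routing loop), which is the case post #14 warns about. The first `inbound_wan` call reproduces the original WAN pass rule with destination "WAN address": the rdr has already rewritten the destination to 192.168.1.11, so the rule never matches. The last two calls show why the automatic outbound NAT mode covers 192.168.1.11 but not a source in 10.0.50.0/24, and why the manual rule with the alias is needed.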