Wireguard wrt NAT.

Started by Noci, August 12, 2025, 04:27:33 PM

August 12, 2025, 04:27:33 PM Last Edit: August 12, 2025, 04:43:12 PM by Noci
Apparently something changed in the routing / source NAT rules w.r.t. WireGuard when upgrading from 25.1.11 -> 25.7.1-1.

Before, all access worked from tunnelled devices (mobile phone, tablets, boat).
The tunnel spec on all devices is from a local address -> 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1,
so all internet access runs over the tunnels for the mobile equipment.

After the upgrade: all access to local resources works,
but a lot of access to remote resources fails (apparently not all; I have not found out exactly which...).
In broad groups: web access (HTTP, HTTPS) does seem to work, whereas IMAPS definitely fails.

I have several groups, relevant here are:
LAN  (LAN, Wireless, Wireguard tunnel 1)
GUEST ( Wireless, Wireguard tunnel 2)
Those are all separate LANs (VLAN id, network range).

All traffic from LAN, Wireless LAN and Wireless GUEST works.
Traffic from WireGuard Tunnel 1 and WireGuard Tunnel 2 fails on outgoing connections for NAT.
All traffic to local resources does work through the WireGuard tunnels.
As phones have limited testing support, I can only test outgoing NAT using web access (browsing) and IMAP access (mail client).
Web access does work to several sites.

In the failing case, outgoing traffic is sent over the WAN interface with the source address of the mobile device's tunnel address.
No NAT for (at least) port 993 (IMAPS) on an internet server, from mobile, over WireGuard -> OPNsense FW -> Internet.

Did anything change with respect to routing and NAT rules around WireGuard?
The WireGuard tunnel groups ARE mentioned in the rules @ Firewall/NAT/Outgoing.


August 21, 2025, 10:23:05 PM #2 Last Edit: August 22, 2025, 01:32:40 PM by Noci
Looks like 6909... The system told me, after upgrading and waiting for 2 days, that it wasn't done booting..., so I restarted a bunch of services until the message went away, and then it started working.
(AFAICT, there were no services "not started".)

August 21, 2025, 11:07:08 PM #3 Last Edit: August 26, 2025, 11:02:27 AM by Noci
To confirm #6909: after a reboot all WireGuard tunnels fail; after disable/enable of all tunnels they work again.
Presumably something is started AFTER WireGuard starts that interferes with the WireGuard rules.

BTW, after a few days the tunnels start failing again.

Workaround: add a cronjob to regularly restart WireGuard. Seems to hold for now :-(
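The symptom in this thread is that the outbound NAT rule for the WireGuard subnet stops being applied, so tunnel traffic leaves the WAN with its un-NATed tunnel source address. A blind "restart WireGuard every N minutes" cronjob also drops working sessions on every run. The script below is an added example (not Noci's cronjob and not OPNsense code) of a watchdog that reads the loaded pf NAT rules with `pfctl -sn` and restarts WireGuard only when no outbound NAT rule for the tunnel subnet is present. The subnet `10.10.10.0/24`, the WAN interface name `igc0`, and the restart command `configctl wireguard restart` are assumptions to adapt to your box; the `pfctl -sn` sample in `self_test` is constructed.

```shell
#!/bin/sh
# wg-nat-watch.sh: restart WireGuard only when the outbound NAT rule for the
# tunnel subnet is missing from the live pf ruleset.
# Added example; not from the forum thread or from the OPNsense project.

WG_NET="${WG_NET:-10.10.10.0/24}"   # ASSUMED: tunnel subnet that must be NATed
WAN_IF="${WAN_IF:-igc0}"            # ASSUMED: pf name of the WAN interface
RESTART_CMD="${RESTART_CMD:-/usr/local/sbin/configctl wireguard restart}"  # ASSUMED

# wg_nat_rule_present RULES NET IFACE
#   RULES: text of `pfctl -sn` (the NAT rules pf actually has loaded)
#   Returns 0 when an outbound NAT rule on IFACE has NET as its source
#   (e.g. "nat on igc0 inet from 10.10.10.0/24 to any -> (igc0:0) ..."),
#   1 otherwise. "nat log on ..." is accepted as well.
wg_nat_rule_present() {
    _net_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | grep -Eq "^nat (log )?on $3 .*from $_net_re to any"
}

# check_and_repair
#   Reads the live ruleset; restarts WireGuard only if the rule is gone.
#   Returns 0 when the rule is present, 2 when pfctl itself fails, else the
#   exit status of the restart command.
check_and_repair() {
    rules=$(pfctl -sn 2>/dev/null) || { echo "pfctl -sn failed" >&2; return 2; }
    if wg_nat_rule_present "$rules" "$WG_NET" "$WAN_IF"; then
        return 0
    fi
    logger -t wg-nat-watch "no outbound NAT rule for $WG_NET on $WAN_IF; restarting WireGuard"
    $RESTART_CMD   # intentionally unquoted so the command and its arguments split
}

# self_test
#   Exercises the matcher on CONSTRUCTED `pfctl -sn` output so the logic can be
#   checked on a machine without pf.
self_test() {
    sample='nat on igc0 inet from 192.168.1.0/24 to any -> (igc0:0) port 1024:65535
nat on igc0 inet from 10.10.10.0/24 to any -> (igc0:0) port 1024:65535'
    wg_nat_rule_present "$sample" 10.10.10.0/24 igc0 &&
      ! wg_nat_rule_present "$sample" 10.10.20.0/24 igc0 &&
      ! wg_nat_rule_present "$sample" 10.10.10.0/24 igc1
}

case "${1:-}" in
    --check)    check_and_repair ;;
    --selftest) self_test && echo "selftest ok" ;;
esac
```

Run `sh wg-nat-watch.sh --selftest` anywhere to exercise the matcher, and schedule `wg-nat-watch.sh --check` from root's crontab (every few minutes) on the firewall. Two caveats: the check only proves the NAT rule text is loaded, not that traffic matches it, so if the rule is present but tunnel addresses still leak onto the WAN, compare the rule counters in `pfctl -vsn` or run a short `tcpdump -n -i <WAN>` while reproducing the IMAPS failure; and the regex assumes the rule names the WireGuard subnet directly, so if your outbound rule uses a group or alias as its source, match on that alias name instead.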