Wireguard on Virtual IP (Static block)

Started by fakebizprez, September 16, 2025, 11:23:27 AM

I run a WireGuard VPN server via the OPNsense plugin. It works fine when listening on the main WAN IP (XXX.XXX.1.106). Recently I tried to move WireGuard over to one of my VIPs (XXX.XXX.130.203) so that it uses that public IP. After making this change, clients can no longer complete a handshake.

Current setup:
   •   VIP XXX.XXX.130.203 is added on WAN.
   •   Outbound NAT forces the WG tunnel network (10.50.50.0/24) to egress via XXX.XXX.130.203.
   •   Client endpoint updated to XXX.XXX.130.203:51820.
   •   Screenshots of the firewall rules are attached.

Example of Client Config:

Name: linehaulVPN
Addresses: 10.50.50.6/32
DNS servers: 192.168.128.4

Peer
Allowed IPs: 0.0.0.0/0, ::/0
Endpoint: XXX.XXX.130.203:51820
Persistent keepalive: every 25 seconds

Questions:
   1.   Do I need to enable service binding on the VIP for WireGuard to listen properly?
   2.   Do I need NAT:One-to-One in this case, or is that only for forwarding a public IP to an internal host?

Any guidance or examples would be appreciated.

If you see anything in my configuration that needs to be adjusted please shout it out.
Founder & President of linehaul.ai - a logistics and technology services provider.
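A diagnostic for the symptom in the post, added here as an example (it is not code from the post, from OPNsense or from the WireGuard project): WireGuard silently drops any UDP packet it cannot authenticate, so a port scan or `nc -u` against the VIP cannot show whether the service is listening on it. The authoritative view is `wg show <iface> dump` on the firewall, whose tab-separated output lists each peer's latest handshake as a Unix timestamp, with 0 meaning no handshake has completed since the interface came up. The script below parses that output and classifies every peer; the interface name `wg0`, the placeholder keys and the sample dump are constructed for the example.

```python
"""Classify WireGuard peers by handshake state from `wg show <iface> dump`.

Output format of `wg show <iface> dump` (tab separated):
  line 1:  private-key  public-key  listen-port  fwmark
  line 2+: public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
"""
from __future__ import annotations

import subprocess
import sys
import time
from dataclasses import dataclass

# A peer that is exchanging traffic rehandshakes about every 2 minutes, so
# anything older than 3 minutes is treated as stale here (assumed threshold).
HANDSHAKE_STALE_AFTER = 180


@dataclass
class Peer:
    public_key: str
    endpoint: str | None          # None when wg prints "(none)": never heard from
    allowed_ips: list[str]
    latest_handshake: int         # Unix epoch; 0 = never handshaked
    rx_bytes: int
    tx_bytes: int
    keepalive: str                # "off" or seconds


def parse_wg_dump(dump: str) -> tuple[int, list[Peer]]:
    """Return (listen_port, peers) parsed from `wg show <iface> dump` text."""
    lines = [ln for ln in dump.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty wg dump")
    iface_fields = lines[0].split("\t")
    if len(iface_fields) != 4:
        raise ValueError(f"unexpected interface line: {lines[0]!r}")
    listen_port = int(iface_fields[2])
    peers: list[Peer] = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(
            public_key=f[0],
            endpoint=None if f[2] == "(none)" else f[2],
            allowed_ips=[] if f[3] == "(none)" else f[3].split(","),
            latest_handshake=int(f[4]),
            rx_bytes=int(f[5]),
            tx_bytes=int(f[6]),
            keepalive=f[7],
        ))
    return listen_port, peers


def handshake_report(dump: str, now: int | None = None,
                     stale_after: int = HANDSHAKE_STALE_AFTER) -> dict[str, str]:
    """Map each peer public key to 'never', 'stale' or 'ok'."""
    now = int(time.time()) if now is None else now
    _, peers = parse_wg_dump(dump)
    report: dict[str, str] = {}
    for p in peers:
        if p.latest_handshake == 0:
            report[p.public_key] = "never"      # the post's symptom: no handshake at all
        elif now - p.latest_handshake > stale_after:
            report[p.public_key] = "stale"      # handshaked once, then stopped
        else:
            report[p.public_key] = "ok"
    return report


# Constructed sample output; keys are placeholders, not real WireGuard keys.
SAMPLE_NOW = 1_758_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", "SERVER_PUBKEY_PLACEHOLDER=", "51820", "off"]),
    # peer A handshaked 40 s ago from a public source address: healthy
    "\t".join(["PEER_A_PUBKEY_PLACEHOLDER=", "(none)", "203.0.113.7:41414",
               "10.50.50.5/32", str(SAMPLE_NOW - 40), "12345", "67890", "25"]),
    # peer B (the 10.50.50.6 client) has latest-handshake 0 and no endpoint:
    # its initiation packets never reached this interface, or were never answered
    "\t".join(["PEER_B_PUBKEY_PLACEHOLDER=", "(none)", "(none)",
               "10.50.50.6/32", "0", "0", "0", "25"]),
])


def run_wg_show(iface: str) -> str:
    """Run `wg show <iface> dump` on the firewall (requires root / the wg tool)."""
    return subprocess.run(["wg", "show", iface, "dump"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "wg0"   # assumed interface name
    dump = run_wg_show(iface) if len(sys.argv) > 1 else SAMPLE_DUMP
    now = None if len(sys.argv) > 1 else SAMPLE_NOW
    port, _ = parse_wg_dump(dump)
    print(f"{iface} listening on UDP {port}")
    for key, state in handshake_report(dump, now).items():
        print(f"  {key}  {state}")
```

Run it with no arguments to see the constructed sample, or as `python3 wgcheck.py wg0` on the firewall. A peer stuck at `never` while its `endpoint` column stays `(none)` means no initiation packet from that client ever arrived at the interface, which points at the path to the VIP (WAN rule, NAT, or what the service is bound to) rather than at the keys; a peer that reaches `ok` on the old WAN address but `never` on the VIP confirms the change in listening address is the variable.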

Shameless bump. Really could use some help on this.