Netgate Discussion Forum
    Routing internet traffic over WG to a different firewall

    Category: Firewalling
    12 Posts, 4 Posters, 763 Views
    • J Offline
      Jesper 1
      last edited by

      Hi Guys.

      I have two firewalls connected together with a WireGuard tunnel. Let's call them A and B.

      On A, I have an OpenVPN server. What I would like to achieve is that a client that is logged in to that OpenVPN server gets the WAN address of firewall B.

      What I have done is that I have created a rule allowing to any on that interface, and changed the gateway on the rule to the WireGuard gateway.

      There is no problem accessing firewall B or any of its connected networks; it is just accessing the internet that is not working.

      Trying to ping 1.1.1.1 or something while logged into the VPN gives "destination host unreachable". Running a packet capture shows the traffic on the WireGuard interface on firewall A, but running the same test on that interface on firewall B shows no traffic. So it seems that the traffic does not go through the tunnel at all. I have also tried to log the traffic, and in the firewall log it is tagged as allowed on firewall A.

      Anyone got any ideas?

      • J Offline
        jlw52761 @Jesper 1
        last edited by

        @jesper-1 On my IPsec tunnels, what I do for the firewall that is the hub, which I think is firewall B in your case, is to configure hybrid outbound NAT and manually add the NAT rule(s) for the networks behind firewall A to NAT through the WAN interface of firewall B.

        • J Offline
          Jesper 1
          last edited by

          @jlw52761 Hi and thanks for your reply.

          I already have an outbound NAT rule on firewall B for the subnet that the client gets when logged in to the OpenVPN server, like this:

          Interface: WAN
          Source - Network 10.10.50.0/24
          Destination: Any

          On firewall A (the one with the OpenVPN server) there are no outbound NAT rules, but maybe there should be?

          • V Offline
            viragomann @Jesper 1
            last edited by

            @Jesper-1
            Did you set the "allowed IPs" in the peer to pass any?

            • J Offline
              Jesper 1 @viragomann
              last edited by

              @viragomann
              The 10.10.50.0/24 subnet is added to firewall B's peer list. But I don't see any option to select Any; it's just a list of subnets that is allowed through the peer.

              • V Offline
                viragomann @Jesper 1
                last edited by

                @Jesper-1
                State "0.0.0.0/0" (= any) to make WG accept the forwarded access from public sources.

                • J Offline
                  Jesper 1 @viragomann
                  last edited by

                  @viragomann
                  Is that really correct? My interpretation of what I put in the firewall B peer allowed IP list is that it is the source list of subnets that I allow from firewall A.

                  Would not putting 0.0.0.0 there only mean that I allow everything from the source?

                  I'm leaning more towards this being a routing problem on firewall A. Looking at the routing table, there is no route for the packets to get to firewall B. And I don't know how to set up a static route, since I can only have one default route, right?

                  • V Offline
                    viragomann @Jesper 1
                    last edited by

                    @Jesper-1
                    Oh! I think I've mixed up some threads. I reread your intention now.
                    You only want to pass the OpenVPN clients to B.
                    So it should be sufficient to have the OpenVPN tunnel network in the allowed IPs at B.
                    Presumably this is 10.10.50.0/24, which you said you have set already. So I'd expect that the packets are passed.

                    • Bob.DigB Offline
                      Bob.Dig LAYER 8 @Jesper 1
                      last edited by

                      @Jesper-1 0.0.0.0/0 in the A config, I think.

                      • J Offline
                        Jesper 1 @viragomann
                        last edited by Jesper 1

                        @viragomann No problem. Do you think there is a way to solve this? Like, how do I make a route on A to get all internet traffic routed via B? Maybe it's something in the OpenVPN config? As in a push route or so in the client specific overrides? Maybe I could somehow push a default route there?

                        • V Offline
                          viragomann @Jesper 1
                          last edited by

                          @Jesper-1
                          In the OpenVPN config you can only set "Redirect gateway", but I guess this is done already.

                          To route the traffic, you need a policy routing rule on the OpenVPN interface with the remote WG endpoint as gateway.

                          And if the VPN tunnel is added to the "allowed networks" in the WG settings at B, I'd expect that you see the packets from the VPN clients at the WG interface then.

                          • J Offline
                            Jesper 1 @viragomann
                            last edited by

                            @viragomann
                            Yes that's what I'd expect as well :)

                            I have done all of this; the packets never reach the other side of the WG tunnel.

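As an added illustration (not code from this thread, pfSense or WireGuard), the following Python model shows how a WireGuard peer's AllowedIPs acts as both an outbound route (a packet whose destination matches no peer's AllowedIPs is dropped before it ever leaves the interface) and an inbound source filter, which is what the 0.0.0.0/0 advice for firewall A's peer entry is about. The peer names "A"/"B" and the 192.168.x.0/24 LAN subnets are assumptions; 10.10.50.0/24 is the OpenVPN tunnel network from the thread.

```python
import ipaddress

# Constructed model of WireGuard "cryptokey routing": a peer's AllowedIPs is
# both the outbound route table (which peer gets a packet for a destination)
# and an inbound source filter (packets whose source lies outside the sending
# peer's AllowedIPs are silently dropped). Added illustration, not real code.

def build_peers(peer_allowed):
    """peer_allowed: {peer_name: [cidr, ...]} -> {peer_name: [ip_network, ...]}"""
    return {name: [ipaddress.ip_network(c) for c in cidrs]
            for name, cidrs in peer_allowed.items()}

def select_peer(peers, dst):
    """Outbound: pick the peer whose AllowedIPs contains dst with the longest
    prefix. Returns None when nothing matches, i.e. the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, nets in peers.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def accept_inbound(peers, peer, src):
    """Inbound: a decrypted packet from `peer` is accepted only if its source
    address lies inside that peer's AllowedIPs."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in peers[peer])

# Firewall A's view: its only peer is B. 192.168.2.0/24 is an assumed LAN
# behind B; 0.0.0.0/0 is the "any" entry suggested in the thread.
A_LAN_ONLY = build_peers({"B": ["192.168.2.0/24"]})
A_DEFAULT = build_peers({"B": ["0.0.0.0/0"]})

# Firewall B's view: its only peer is A, with the OpenVPN tunnel net allowed.
B_PEERS = build_peers({"A": ["10.10.50.0/24", "192.168.1.0/24"]})

def trace(a_peers, b_peers, src, dst):
    """Follow one packet from an OpenVPN client on A towards dst via B
    and return a short verdict string."""
    peer = select_peer(a_peers, dst)
    if peer is None:
        return "dropped on A: destination not in any peer's AllowedIPs"
    if not accept_inbound(b_peers, "A", src):
        return "dropped on B: source not in A's AllowedIPs"
    return "delivered to B, forwarded via B's WAN after outbound NAT"

if __name__ == "__main__":
    print(trace(A_LAN_ONLY, B_PEERS, "10.10.50.2", "1.1.1.1"))
    print(trace(A_DEFAULT, B_PEERS, "10.10.50.2", "1.1.1.1"))
```

With only B's LAN in A's peer entry, a packet for 1.1.1.1 is visible on A's WG interface in the model's terms but never sent to B, which matches the capture symptom described in the thread; the 0.0.0.0/0 entry must still be paired with the policy-routing rule on A and the outbound NAT rule on B.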
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.