Undesired NAT translation over WireGuard tunnel
-
In typical fashion, once I typed out my question I saw the problem: "0.0.0.0/0"
For anyone else with this problem:
In contrast to OpenVPN, when I entered the destination networks for each peer in WireGuard, the route was not automatically created in the pfSense routing table. That's a good thing since I am using policy-based routing. I assumed it would be the same as OpenVPN.
-
-
I have the same issue. On the remote site the IP hitting the firewall is the tunnel IP of originating site.
Should we adjust the outgoing NAT settings?
edit:
I was tweaking outbound NAT and got it to not translate the LAN IP to the tunnel IP for the WireGuard link.
Make sure no outbound NAT is set on the WireGuard interface.
Create an outbound NAT on WAN (that WireGuard uses to connect to the remote tunnel) with the source IP set as the subnet of your WireGuard network and use interface address.
-
Actually I don't think you even need the WireGuard IP subnet in NAT.
I just deleted that NAT and still have a connection to the peer along with the local LAN IP showing in the remote site's states table.
-
@dcgibby looks like you found the fix. You don't NAT the near side through the WireGuard interface. Set your static routes, set up your policy routing, and pfSense does the rest. I had this issue/misunderstanding early on as well.
-
If you have automatic outbound NAT, it adds the WireGuard interface, and it looks like all "Allowed IPs" entered for peers are included as sources of outbound NAT.
Thus it looks like accessing those remote IPs via WireGuard will cause a NAT and stick you with your local WireGuard IP as source on the remote. So you need to do manual outbound NAT and remove the WireGuard interface and "Allowed IPs" from the source IPs on WAN.
Since the WireGuard tunnel is set up over the WAN, I don't want/need to NAT the peer links over the internal WireGuard subnet.
-
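To verify the state the post above describes on a pfSense box, here is an added shell check (not from this thread or from pfSense) that reads `pfctl -sn` output and flags outbound NAT rules bound to the WireGuard interface or using a peer's "Allowed IPs" network as a source; the interface names, addresses and subnets are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Flags outbound NAT rules that would rewrite
# the near-side LAN source into the tunnel address for site-to-site WireGuard traffic.
# Assumed names (not from the thread): WAN em0 with address 203.0.113.5,
# WireGuard interface tun_wg0, near LAN 192.168.1.0/24, peer Allowed IPs 10.20.0.0/24.
WG_IF="tun_wg0"
REMOTE_NETS="10.20.0.0/24"   # every peer's Allowed IPs, space separated

# Constructed sample of `pfctl -sn` with Automatic Outbound NAT: the WireGuard
# interface got its own nat rule and the Allowed IPs network appears as a source.
AUTO_NAT_SAMPLE='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535
nat on em0 inet from 10.20.0.0/24 to any -> 203.0.113.5 port 1024:65535
nat on tun_wg0 inet from 192.168.1.0/24 to any -> (tun_wg0) port 1024:65535'

# Constructed sample after switching to Manual Outbound NAT and keeping only the
# WAN rule for the local LAN: nothing touches tun_wg0 or the peer networks.
MANUAL_NAT_SAMPLE='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535'

# Reads pfctl -sn lines on stdin and prints each offending rule.
# Returns 0 when clean, 1 when at least one offending rule was seen.
check_wg_nat() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            "nat on $WG_IF "*)
                printf 'NAT bound to tunnel interface: %s\n' "$rule"
                found=1
                continue ;;
        esac
        for net in $REMOTE_NETS; do
            case "$rule" in
                "nat on "*" from $net "*)
                    printf 'NAT using peer Allowed IPs as source: %s\n' "$rule"
                    found=1 ;;
            esac
        done
    done
    return $found
}

# Demo: the automatic rule set fails the check, the manual one passes.
printf '%s\n' "$AUTO_NAT_SAMPLE" | check_wg_nat || echo "automatic outbound NAT: fix the rules above"
printf '%s\n' "$MANUAL_NAT_SAMPLE" | check_wg_nat && echo "manual outbound NAT: clean"
```

On a live firewall, replace the constructed samples with `pfctl -sn | check_wg_nat`.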
@dcgibby my setup is site-to-site so everything in the WireGuard tunnel is internal.
If you want to access the internet via the WireGuard tunnel to the remote site, then you would need a proper outbound NAT setup.
-
@dcgibby that’s as simple as an outbound NAT rule on the remote WAN interface for your near side LAN subnet. Works like a charm for me for Netflix etc and getting around geo blocks while I travel overseas. I haven’t had automatic NAT rules forever due to all my VPN hocus pocus.
-
@dcgibby said in Undesired NAT translation over WireGuard tunnel:
So you need to do manual outbound NAT and remove the WireGuard interface and "Allowed IPs" from the source IPs on WAN.
This sounds like a bug since VTI and OpenVPN do not perform like this. Do you know if there is an issue somewhere to track this?
-
Ahhh! This explains so much!
I had tried to copy my existing rules across from IPsec tunnels to WireGuard and it just wasn't working like I expected.
I hadn't considered the gateway interface was doing NAT; makes sense I guess when you think about it. Switching to Manual Outbound NAT and then disabling the WireGuard interface fixed it.
This really gets pretty messy when you're doing multiple site-to-site IPsec migrations to WireGuard (I was having poor performance using IPsec / Starlink for whatever reason; WireGuard just seemed to work).
Can anyone recommend a pfSense / WireGuard guru that would be available to look over a proposed setup and provide best practice? Happy to pay. I'd rather do it once correctly than introduce unnecessary workarounds and fixes to get it going. Approx. 20 sites, DC, Azure (pfSense).