Wireguard site to site where one site is behind a double NAT?
-
Hi,
Since Wireguard is simpler to set up, I thought I would try that for my first site to site VPN. However, I could use some guidance on my particular setup before I fail at it.
Both sites have pfsense firewalls I control, but at the remote site the pfsense is in another business' network behind whatever firewall they have, it's just another DHCP client. So the PC I am adding there is double-NATed.
So, at HQ the internal network is 10.0.0.0/16 and traffic is NATed out to a static IP, let's say 111.111.111.111, which is the WAN interface address.
I would use 172.16.0.0/31 for the tunnel.
The WAN at the remote site is also static, let's say 222.222.222.222, the WAN of a router I do not control. My other pfsense firewall's WAN is in 192.168.30.0/24 behind that, in its own VLAN, at 192.168.30.100 on its WAN interface, and finally the machines I want to reach are on the LAN side of that firewall, in 192.168.125.0/24.
I have no idea what IP to assign as the WAN IP for the Wireguard setup at the remote site. No examples I can find deal with this. Does it even matter? And do I have to do any specific routing settings to get it going?
Thanks. These netgate machines have made life a lot easier, but I am very cautious about making changes without clear precedents to follow.
-
@SteveO If you can only open up a port (for WireGuard) on one side, then you have to make the connection from the other side. Use Keep Alive and make the "unreachable" one a Dynamic Endpoint.
Nothing special if you ask me.
-
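The asymmetric layout Bob-Dig describes, written out as a pair of WireGuard configuration files so the two sides can be compared line by line. This is an added example, not from the original thread or from the pfSense WireGuard package: the addresses are the ones given in the question, UDP port 51820 is an assumed choice, the keys are placeholders, and pfSense exposes the same fields through its GUI (tunnel, peer, "Dynamic Endpoint", "Keep Alive") rather than through these files.

```ini
# --- HQ pfSense: WAN 111.111.111.111 (static, reachable), LAN 10.0.0.0/16 ---
# This side only listens; it never needs to know the remote's public address.
[Interface]
PrivateKey = <HQ_PRIVATE_KEY>          ; placeholder, generate your own
Address    = 172.16.0.0/31             ; HQ end of the /31 tunnel network
ListenPort = 51820                     ; assumed port; a WAN rule must pass UDP 51820 to the firewall itself

[Peer]
; Remote site. Deliberately NO Endpoint line ("Dynamic Endpoint" in pfSense):
; HQ learns the remote's current public address:port from the first
; authenticated handshake and updates it whenever the NAT changes it.
PublicKey  = <REMOTE_PUBLIC_KEY>       ; placeholder
AllowedIPs = 172.16.0.1/32, 192.168.125.0/24

# --- Remote pfSense: WAN 192.168.30.100 behind a third-party router whose ---
# --- public address is 222.222.222.222, LAN 192.168.125.0/24            ---
# This side always initiates, so no inbound port is required on either NAT.
[Interface]
PrivateKey = <REMOTE_PRIVATE_KEY>      ; placeholder
Address    = 172.16.0.1/31             ; remote end of the /31 tunnel network
; No ListenPort: an ephemeral source port is enough for an outbound-only peer.

[Peer]
PublicKey  = <HQ_PUBLIC_KEY>           ; placeholder
Endpoint   = 111.111.111.111:51820     ; the only side with a static, reachable address
AllowedIPs = 172.16.0.0/32, 10.0.0.0/16
; A handshake/keepalive every 25 s keeps the business router's NAT mapping
; open, so HQ can reach 192.168.125.0/24 at any time, not only after the
; remote side has recently sent traffic.
PersistentKeepalive = 25
```

Two practical consequences follow from this layout. The remote firewall's own WAN address (192.168.30.100) never appears in either configuration, because peers are identified by public key, not by source address, and the source address and port that HQ sees are whatever the business router rewrites them to. Routing is the other half: with wg-quick the AllowedIPs lines become kernel routes automatically, but on pfSense you assign the tunnel as an interface, create a gateway on it, add a static route for the far LAN (192.168.125.0/24 at HQ, 10.0.0.0/16 at the remote site) via that gateway, and add pass rules on the WireGuard interface so the traffic is actually allowed through.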
@Bob-Dig That fixed it, thank you so much for your help. You are right, I was not thinking about this properly.
Steve