[SOLVED] Wireguard site2site NAT / IP of tunnel shown instead of real IP on from other site

ogghi · Aug 23, 2024, 8:15 AM

Hi there,

posting here, as on Reddit threads are easily lost after 1 day or so.
Following setup:

Site 1:
172.16.0.0/21 LAN network
WG tunnel with 10.230.0.0/31 as interface

Site 2:
172.16.8.0/21 LAN network
WG tunnel with 10.230.0.1/31 as interface

Tunnel works mostly just fine, but:
A VoIP phone in 172.16.8.0/21 subnet shows up as 10.230.0.1 on the Mitel PBX located in 172.16.0.0/21 subnet.

At the same time a traceroute with tcp does look like this:

traceroute server02
traceroute to server02 (172.16.8.13), 30 hops max, 60 byte packets
 1  vm12.domain.local (172.16.0.1)  0.297 ms  0.286 ms  0.278 ms
 2  10.230.0.1 (10.230.0.1)  0.987 ms  0.980 ms  0.974 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *

Same for UDP

Only ICMP is fine:

traceroute -I server02
traceroute to server02 (172.16.8.13), 30 hops max, 60 byte packets
 1  vm12.domain.local (172.16.0.1)  0.256 ms  0.241 ms  0.223 ms
 2  10.230.0.1 (10.230.0.1)  0.712 ms  0.708 ms  0.705 ms
 3  172.16.8.13 (172.16.8.13)  1.756 ms  1.755 ms  1.850 ms

Am I missing a simple thing here?

Bob.Dig · Aug 23, 2024, 8:40 AM

@ogghi Not looked to much in your post but are both sites pfSenses? Because most other stuff doesn't like /31, use /30 instead. Do you NAT and don't want to?

ogghi · Aug 23, 2024, 8:48 AM

@Bob-Dig
Thanks for the quick reply!

Both sites are pfSense indeed.

Yes, seems it NATs even if I don't want it to.

Fun thing: there is another WG tunnel from main site to another remote site same config, it works fine.

Bob.Dig · Aug 23, 2024, 8:54 AM

@ogghi Making a no-NAT rule in hybrid-mode in the outbound-NAT section would be one way to tackle this. It is up to you to configure things the right way. Or don't select a gateway in the interface config screen of that wireguard interface would be another.

ogghi · Aug 23, 2024, 9:01 AM

@Bob-Dig Wouldn't removing the GW in the WG interface config have it use the default GW, which is WAN?
If, then it should be unselected on both sites' WG interface config right?

Bob.Dig · Aug 23, 2024, 9:09 AM

@ogghi said in Wireguard site2site NAT / IP of tunnel shown instead of real IP on from other site:

Wouldn't removing the GW in the WG interface config have it use the default GW, which is WAN?

No. Just remove them there on both sides and you will see that there is no more NAT done. You can keep the gateways, just don't put them in the interface config as upstream gateways.

Bob.Dig · Aug 23, 2024, 9:27 AM

@ogghi said in Wireguard site2site NAT / IP of tunnel shown instead of real IP on from other site:

Wouldn't removing the GW in the WG interface config have it use the default GW, which is WAN?

Ok, to be more precise, that will happen if you have internet traffic (any) as source incoming on that wireguard-interface. If this is the case, then you have to have the gateway as an upstream gateway on that interface. If you don't want NAT, then you have to create the no-NAT rule (in hybrid-Mode) yourself.

ogghi · Aug 23, 2024, 9:15 AM

@Bob-Dig Just tried and there were issues accessing some things via web interface, so reverted to those interfaces having an upstream gateway.

Will look up the no-NAT thing after lunch break!
Thanks

ogghi · Aug 23, 2024, 10:11 AM

@Bob-Dig Before I apply the noNAT rule on site2:
As there is a staic route for 172.16.0.0/21 to use the WG GW, I can basically set it like this?

Then any traffic from LAN network (172.16.8.0/21) going to WG interface should have NAT disabled, right?

Bob.Dig · Aug 23, 2024, 10:17 AM

@ogghi Right. But try any if you don't want to NAT in general.

ogghi · Aug 23, 2024, 10:32 AM

@Bob-Dig I tried, it breaks connection, for example I coudn't SSH to a host on site2 anymore!
Are there any possible issues with automatically created NAT rules?
Site2

Site1

Bob.Dig · Aug 23, 2024, 10:43 AM

@ogghi said in Wireguard site2site NAT / IP of tunnel shown instead of real IP on from other site:

for example I coudn't SSH to a host on site2 anymore!

Ok, why is that? Maybe that host only allows access from local subnets?

Are there any possible issues with automatically created NAT rules?

See for yourself. Basically everything is NATed.

There is not more I can tell you.

ogghi · Aug 23, 2024, 10:47 AM

@Bob-Dig
There is no IP limitation on that host, also as soon as I disabled the NAT I loose connection to other hosts, SNMP checks failing, or even web access to some host.

Those NAT rules are automatic and can't be disabled.

Maybe somebody else has an idea?

Many thanks for the input though!

ogghi · Aug 23, 2024, 11:41 AM

@ogghi other thing that shows there is NAT where it shouldn't be:
On site 1 I have an internal speedtest ( https://github.com/librespeed/speedtest )
When I open the browser from site 2 it shows the tunnel IP of site 2 instead of the local IP I have with my laptop being in site 2...

ogghi · Aug 23, 2024, 12:17 PM

@ogghi Sorry for the spam!
It works just fine now.
I had to remove the upstream gateway from the 2 tunnel interfaces on each site and then it started...