I am OK with using Linux; most of my networking is done through pfSense, and I have been hitting my head against this wall for most of the day.
At home I have a dynamic IP and would like a static IP for a few projects, so I have set up a WireGuard server in Linode with a static IP. For outgoing connections from my network to websites this works wonderfully.
My issue is with incoming connections. I have a few services which I would like to leave with a static IP, and I cannot for the life of me find a solution to do the below:
Wireguard server > PFsense > webserver
I have tested from pfSense to the web server and that works, but I can't seem to get the traffic from WireGuard to pfSense.
Does anyone have any experience with this kind of config?
… so, it's kind of hard to tell without more info… people commonly forget that what gets routed are packets, not connections… and connections require packets going in both directions.
If you run: curl -v --connect-to www.mywebsite.com:443:123.123.123.123:443 https://www.mywebsite.com
where 123.123.123.123 is your public Linode IP,
you can then run tcpdump on Linode and/or on pfSense to check your port forwarding and firewall rules, and see where the packets are getting lost.
If your reply packets aren't going over WireGuard towards Linode, then it's likely that you're not marking connections in pfSense properly on ingress, and so reply packets are just getting NATed to your ISP-provided IP address and are getting dropped before reaching Linode.
(Anyway, that's my guess… please test what happens with the initial SYN / SYN,ACK packets, and make sure they're travelling along the expected links.)
For this to work, you’ll need to do some stuff manually.
First, make sure you are able to access your web server from within your Linode by allowing access to the server on the WireGuard VPN and in the firewall part of pfSense.
Then you need to add a masquerade / port forward option for anything that comes in on ports 80 and 443. You can do that with iptables and the PreUp part of the WireGuard config on the server. Hope this gives you a small outline of what to do!
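As an added example (not code posted in this thread), here is a POSIX shell script that generates the iptables commands and wg-quick hook lines described in the reply above: DNAT of inbound TCP ports on the Linode's public interface to pfSense's tunnel address, FORWARD rules for the flow, and a MASQUERADE on the WireGuard interface so that pfSense's replies return through the tunnel. The interface names eth0 and wg0, the port list, and the pfSense tunnel address 10.1.0.2 (mentioned elsewhere in the thread) are assumptions; the script only prints commands so you can review them before pasting them into /etc/wireguard/wg0.conf on the Linode.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables commands and wg-quick
# hooks that forward inbound TCP ports from the Linode's public NIC to pfSense's
# WireGuard address. Assumed names: public NIC eth0, WireGuard interface wg0,
# pfSense tunnel IP 10.1.0.2. Nothing here touches the running firewall.

# forward_rules ACTION PUB_IF WG_IF PFSENSE_IP PORT...
#   ACTION is -A (install) or -D (remove). Prints one iptables command per line.
forward_rules() {
  act=$1; pub=$2; wg=$3; dst=$4; shift 4
  for port in "$@"; do
    # Rewrite the destination of inbound packets so they are routed into the tunnel.
    echo "iptables -t nat $act PREROUTING -i $pub -p tcp --dport $port -j DNAT --to-destination $dst:$port"
    # Allow the forwarded flow through FORWARD: client -> pfSense, and the replies back.
    echo "iptables $act FORWARD -i $pub -o $wg -p tcp -d $dst --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables $act FORWARD -i $wg -o $pub -p tcp -s $dst --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  done
  # Source-NAT the forwarded packets to the Linode's wg0 address. pfSense then sees
  # a peer inside the tunnel, so its replies come straight back over WireGuard
  # instead of leaving via the ISP-assigned address and being dropped.
  echo "iptables -t nat $act POSTROUTING -o $wg -d $dst -j MASQUERADE"
}

# wg_hooks PUB_IF WG_IF PFSENSE_IP PORT...
#   Prints [Interface] hook lines for wg-quick: install the rules once wg0 is up,
#   remove them when the tunnel is taken down.
wg_hooks() {
  forward_rules -A "$@" | sed 's/^/PostUp = /'
  forward_rules -D "$@" | sed 's/^/PostDown = /'
}

# rule_count PUB_IF WG_IF PFSENSE_IP PORT...
#   Number of rules generated: three per port plus the single MASQUERADE rule.
rule_count() {
  forward_rules -A "$@" | grep -c .
}

# Example run for ports 80 and 443 forwarded to pfSense at 10.1.0.2.
echo "# On the Linode, routing between eth0 and wg0 must be enabled first:"
echo "sysctl -w net.ipv4.ip_forward=1"
echo
echo "# Hook lines to add to the [Interface] section of /etc/wireguard/wg0.conf:"
wg_hooks eth0 wg0 10.1.0.2 80 443
```

Two caveats on the design. The MASQUERADE rule is what makes the return path symmetric without any policy routing on pfSense, but it costs you the real client address: the web server behind pfSense sees the Linode's wg0 address as the source of every connection. Dropping that rule keeps client IPs, but then pfSense must send its replies back out through the WireGuard gateway rather than the default ISP route, which is exactly the asymmetric-reply failure described earlier in the thread. Also, on the pfSense side you still need a port forward from the WireGuard interface to the internal host and a firewall rule allowing it, as the second reply notes; this script only covers the Linode end.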
OK, sharing my config below. I'm trying to test with my Plex server; I just want to verify this end is set up correctly first.
Plex server is at 10.0.6.7 on my local network.
This WireGuard connection is set up as a gateway on my pfSense router with the gateway IP of 10.1.0.2, and this is set up to forward traffic to the Plex server like my normal Plex forwarding rule.
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
right underneath the line above, and restart WireGuard on Linode.
Do you happen to have any firewall rules left over that prevent traffic to/from private IP address ranges in pfSense? IIRC it comes with some RFC 1918 / bogon filters in the default install.
I could, but I would prefer this connection to function like an internet connection, where the traffic comes into pfSense and that does the internal routing of the traffic.