topic Re: Wireguard VPN inaccessible from WAN in Network Security

Wireguard VPN inaccessible from WAN

Exor — Fri, 07 Jul 2023 20:15:45 GMT

Hello everyone,

I made a Wireguard VPN server in Proxmox with no internal firewall. Our firewall is Cisco Firepower 1120 which manages all the aspects.

I have tested connecting to VPN server from within LAN and it worked but no internet access, I added iptables and now it's working. So, I know VPN server is working. I am still not able to connect to the VPN server from outside of LAN. Wireguard is not able to handshake with the server.

This might be ip/port forwarding issue. I may be missing something. I have the following set up already below. Let me know if I am missing something? Any help is appreciated!

Re: Wireguard VPN inaccessible from WAN

MHM Cisco World — Sat, 08 Jul 2023 07:05:01 GMT

simple topology can help me here,
you config Server INside, the client of Server INside or OUTside ?

Re: Wireguard VPN inaccessible from WAN

Aref Alsouqi — Sun, 09 Jul 2023 23:14:30 GMT

What that VPN port is? Did you make sure that the firewall itself is not running any VPN services on the same port? Not sure if the firewall would return any error in that case when you try to configure the NAT rule.

Re: Wireguard VPN inaccessible from WAN

Exor — Mon, 10 Jul 2023 12:40:38 GMT

Server is inside and client is outside. This is not working.

Server is inside and client is inside (using local ip). VPN is working

Re: Wireguard VPN inaccessible from WAN

Exor — Mon, 10 Jul 2023 12:49:28 GMT

VPN port is 51820. Firepower is not running any VPN services; we do not have license for it which is why I am testing Wireguard VPN server instead. I can confirm there is no duplicate port being used in Firepower's ports list.

Re: Wireguard VPN inaccessible from WAN

MHM Cisco World — Mon, 10 Jul 2023 12:50:53 GMT

Server INside Client OUTside not working
you need
static NATing for Private Server IP to FPR OUTside public IP for specific Port (port Server use), did you add this NATing rule ?

Re: Wireguard VPN inaccessible from WAN

Exor — Mon, 10 Jul 2023 12:55:18 GMT

Yes, I have added the NAT rule mentioned in my original post, there is a snip of it. Is there anything I am missing in the NAT rule?

Re: Wireguard VPN inaccessible from WAN

Aref Alsouqi — Mon, 10 Jul 2023 13:02:08 GMT

I don't see anything wrong with your NAT or security rule, assuming the VPN-Server IP is configured with the real private IP address of the server. Could it be a block on the ISP router? do you know if NAT'ing is applied to their device? if so, then that should be disabled and the NAT should only be on the firewall, or the NAT on the firewall should be turned off and configured on the ISP router. Also, if you run packet capture on the firewall outside interface for any traffic destined to port 51820, do you see any traffic?

Re: Wireguard VPN inaccessible from WAN

MHM Cisco World — Mon, 10 Jul 2023 13:11:09 GMT

port, you need to specify port, that what missing in your NAT

Re: Wireguard VPN inaccessible from WAN

Exor — Mon, 10 Jul 2023 13:31:45 GMT

The Source Port is set to VPN which I created is set to 51820 as mentioned in the snip. If that's not what you are talking about, please let me know.

Re: Wireguard VPN inaccessible from WAN

Exor — Mon, 10 Jul 2023 13:36:44 GMT

Yes, the VPN-Server is set to 192.168.1.158 which is a local IP. I have tried to look into capture but found this instead:

translate_hits = 4567, untranslate_hits = 4317
10 (inside) to (outside) source static VPN-Server interface service _|NatOrigSvc_711a30b9-1cc9-11ee-a336-17761654d6de _|NatMappedSvc_711a30b9-1cc9-11ee-a336-1776165
4d6de

Not sure if this is something. Seems to be showing that the NAT is getting hit.

Re: Wireguard VPN inaccessible from WAN

MHM Cisco World — Mon, 10 Jul 2023 13:51:59 GMT

in advance of NAT edit
there is route-lookup option ? if yes enable it.

Re: Wireguard VPN inaccessible from WAN

Exor — Mon, 10 Jul 2023 14:03:36 GMT

I tried to enable it but I received this error:

You cannot select the Perform Route Lookup option if you select interface for translated source

The Perform Route Lookup option is available for identity NAT only. The original and translated source networks must be identical to use the option.

Re: Wireguard VPN inaccessible from WAN

MHM Cisco World — Mon, 10 Jul 2023 14:11:34 GMT

how many public IP you beside the OUTside public IP ?

Re: Wireguard VPN inaccessible from WAN

Exor — Mon, 10 Jul 2023 14:12:59 GMT

We have only one public IP.

Re: Wireguard VPN inaccessible from WAN

MHM Cisco World — Mon, 10 Jul 2023 14:22:11 GMT

can you share packet tracer you test

Re: Wireguard VPN inaccessible from WAN

Aref Alsouqi — Tue, 11 Jul 2023 07:16:54 GMT

Yes that shows the NAT hits, but I would try to run packet capture on the outside interface with the command "cap < name > interface outside match tcp any host < the outside interface IP> eq 51820". If that port is a UDP port then please change the tcp keyword on the capture command to udp. Also, as you don't have any hits on the security rule you created, I'm wondering if there is any security policy above that one that is denying the traffic coming from the outside towards the server, worth checking.