07-07-2023 01:15 PM
Hello everyone,
I made a WireGuard VPN server in Proxmox with no internal firewall. Our firewall is a Cisco Firepower 1120, which manages all aspects.
I have tested connecting to the VPN server from within the LAN and it worked, but with no internet access; I added iptables and now it's working. So I know the VPN server is working. I am still not able to connect to the VPN server from outside the LAN. WireGuard is not able to handshake with the server.
This might be an IP/port forwarding issue. I may be missing something. I have the following set up already, shown below. Let me know if I am missing something. Any help is appreciated!
07-08-2023 12:05 AM
A simple topology can help me here.
Did you configure the server INside? Is the client of the server INside or OUTside?
07-10-2023 05:40 AM
Server is inside and client is outside. This is not working.
Server is inside and client is inside (using local ip). VPN is working
07-10-2023 05:50 AM
Server INside, client OUTside not working:
you need
static NATing of the private server IP to the FPR OUTside public IP for the specific port (the port the server uses). Did you add this NATing rule?
07-10-2023 05:55 AM
Yes, I have added the NAT rule mentioned in my original post, there is a snip of it. Is there anything I am missing in the NAT rule?
07-10-2023 06:02 AM
I don't see anything wrong with your NAT or security rule, assuming the VPN-Server object is configured with the real private IP address of the server. Could it be a block on the ISP router? Do you know if NAT'ing is applied on their device? If so, then that should be disabled and the NAT should only be on the firewall, or the NAT on the firewall should be turned off and configured on the ISP router. Also, if you run a packet capture on the firewall outside interface for any traffic destined to port 51820, do you see any traffic?
07-10-2023 06:36 AM
Yes, the VPN-Server is set to 192.168.1.158 which is a local IP. I have tried to look into capture but found this instead:
translate_hits = 4567, untranslate_hits = 4317
10 (inside) to (outside) source static VPN-Server interface service _|NatOrigSvc_711a30b9-1cc9-11ee-a336-17761654d6de _|NatMappedSvc_711a30b9-1cc9-11ee-a336-17761654d6de
Not sure if this is something. Seems to be showing that the NAT is getting hit.
07-11-2023 12:16 AM
Yes, that shows the NAT hits, but I would try to run a packet capture on the outside interface with the command "cap <name> interface outside match tcp any host <the outside interface IP> eq 51820". If that port is a UDP port then please change the tcp keyword in the capture command to udp. Also, as you don't have any hits on the security rule you created, I'm wondering if there is any security policy above that one that is denying the traffic coming from the outside towards the server; worth checking.
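As an added example (not from this thread, Cisco, or WireGuard), a Python parser for the `show nat detail` lines quoted above. It relies on the ASA/FTD counter semantics the reply uses: translate_hits count real-to-mapped (outbound) matches and untranslate_hits count mapped-to-real (inbound) matches, so a port forward with zero inbound hits points upstream of the firewall, while non-zero inbound hits point at the access policy or the server. The sample input is constructed from the output quoted in the thread.

```python
import re

# Constructed sample in the shape of `show nat detail` output from an ASA/FTD,
# using the NAT rule line and hit counters quoted in this thread.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
10 (inside) to (outside) source static VPN-Server interface service _|NatOrigSvc_711a30b9-1cc9-11ee-a336-17761654d6de _|NatMappedSvc_711a30b9-1cc9-11ee-a336-17761654d6de
    translate_hits = 4567, untranslate_hits = 4317
"""

# Rule header: "<id> (<real_if>) to (<mapped_if>) source static|dynamic <real> <mapped> [service <orig> <mapped>]"
RULE_RE = re.compile(
    r"^(?P<id>\d+)\s+\((?P<real_if>[^)]+)\)\s+to\s+\((?P<mapped_if>[^)]+)\)\s+"
    r"source\s+(?P<kind>static|dynamic)\s+(?P<real_obj>\S+)\s+(?P<mapped_obj>\S+)"
    r"(?:\s+service\s+(?P<orig_svc>\S+)\s+(?P<mapped_svc>\S+))?"
)
# Per-rule counters printed on the line that follows the rule header.
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


def parse_show_nat(text):
    """Return one dict per NAT rule with its interfaces, objects and hit counters."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            current = m.groupdict()
            current["id"] = int(current["id"])
            current["translate_hits"] = current["untranslate_hits"] = 0
            rules.append(current)
            continue
        h = HITS_RE.search(line)
        if h and current is not None:
            current["translate_hits"] = int(h.group(1))
            current["untranslate_hits"] = int(h.group(2))
    return rules


def inbound_status(rule):
    """translate_hits counts real->mapped (outbound) matches; untranslate_hits
    counts mapped->real (inbound) matches. For a port forward published on the
    outside interface, zero inbound hits mean nothing from outside reached the
    rule, which points upstream (ISP NAT, wrong port or protocol)."""
    if rule["untranslate_hits"] == 0:
        return "no inbound hits: check upstream NAT and that UDP 51820 is forwarded"
    return "inbound traffic reaches the rule: check the access policy and the server"
```

Run it on the real output of `show nat detail` to see which rules inbound traffic is actually matching before looking at the access policy.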
07-10-2023 06:11 AM
Port, you need to specify the port; that is what is missing in your NAT.
07-10-2023 06:31 AM
The Source Port is set to VPN, which I created and set to 51820, as mentioned in the snip. If that's not what you are talking about, please let me know.
07-10-2023 06:51 AM
In the advanced section of the NAT edit,
is there a route-lookup option? If yes, enable it.
07-10-2023 07:03 AM
I tried to enable it but I received this error:
07-10-2023 07:11 AM
How many public IPs do you have besides the OUTside public IP?
07-10-2023 07:12 AM
We have only one public IP.
07-10-2023 07:22 AM
Can you share the packet tracer test you ran?