Wireguard VPN inaccessible from WAN

Exor
Level 1

Hello everyone,

I made a Wireguard VPN server in Proxmox with no internal firewall. Our firewall is Cisco Firepower 1120 which manages all the aspects.

I have tested connecting to the VPN server from within the LAN and it worked, but with no internet access; I added iptables rules and now it's working. So I know the VPN server is working. I am still not able to connect to the VPN server from outside the LAN. Wireguard is not able to handshake with the server.

This might be an IP/port forwarding issue. I may be missing something. I have the following set up already (below). Let me know if I am missing something. Any help is appreciated!

[Two screenshots attached: the NAT rule and the access rule]

16 Replies

A simple topology can help me here.
You configured the Server INside; is the client of the Server INside or OUTside?

Server is inside and client is outside. This is not working.

Server is inside and client is inside (using local ip). VPN is working

Server INside, Client OUTside not working:
you need
static NATing for the private Server IP to the FPR OUTside public IP for the specific port (the port the Server uses). Did you add this NATing rule?

Yes, I have added the NAT rule mentioned in my original post, there is a snip of it. Is there anything I am missing in the NAT rule?

I don't see anything wrong with your NAT or security rule, assuming the VPN-Server object is configured with the real private IP address of the server. Could it be a block on the ISP router? Do you know if NAT'ing is applied on their device? If so, then that should be disabled and the NAT should only be on the firewall, or the NAT on the firewall should be turned off and configured on the ISP router. Also, if you run a packet capture on the firewall outside interface for any traffic destined to port 51820, do you see any traffic?

Yes, the VPN-Server is set to 192.168.1.158, which is a local IP. I have tried to look into the capture but found this instead:

translate_hits = 4567, untranslate_hits = 4317
10 (inside) to (outside) source static VPN-Server interface service _|NatOrigSvc_711a30b9-1cc9-11ee-a336-17761654d6de _|NatMappedSvc_711a30b9-1cc9-11ee-a336-17761654d6de

Not sure if this is relevant. It seems to show that the NAT is getting hit.

Yes, that shows the NAT hits, but I would try to run a packet capture on the outside interface with the command "cap < name > interface outside match tcp any host < the outside interface IP> eq 51820". If that port is a UDP port then please change the tcp keyword in the capture command to udp. Also, as you don't have any hits on the security rule you created, I'm wondering if there is any security policy above that one that is denying the traffic coming from the outside towards the server; worth checking.
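The capture step suggested above, turned into a check (added example, not code from the thread or from Cisco): it parses the one-line-per-packet output of an ASA/FTD "show capture" and uses the fixed WireGuard handshake sizes (148-byte initiation, 92-byte response) to tell whether client initiations reach the outside interface and whether any reply leaves it. The WAN address, the capture lines and the assumed line format are constructed for the example.

```python
"""Classify WireGuard traffic in a Cisco ASA/FTD 'show capture' dump.

Assumed line format (constructed for this example):
  '<n>: <time> <src>.<sport> > <dst>.<dport>:  udp <len>'
WireGuard message sizes are fixed by the protocol:
handshake initiation = 148 bytes, handshake response = 92 bytes.
"""
import re
from collections import Counter

WG_PORT = 51820            # port used in the thread
INIT_LEN, RESP_LEN = 148, 92

PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

def classify_capture(text, wan_ip, port=WG_PORT):
    """Count inbound initiations / outbound responses and give a verdict."""
    c = Counter()
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue                      # non-UDP or unrelated line
        length = int(m["len"])
        if m["dst"] == wan_ip and int(m["dport"]) == port:
            c["inbound"] += 1
            if length == INIT_LEN:
                c["init_in"] += 1         # client handshake initiation
        elif m["src"] == wan_ip and int(m["sport"]) == port:
            c["outbound"] += 1
            if length == RESP_LEN:
                c["resp_out"] += 1        # server handshake response
    if c["init_in"] == 0:
        verdict = "no handshake reaches the outside interface: check upstream/ISP"
    elif c["resp_out"] == 0:
        verdict = "initiations arrive but nothing answers: check NAT, access policy, server"
    else:
        verdict = "handshake completes at the firewall edge"
    return dict(c), verdict

# Constructed sample: two initiations hit the WAN IP, no response leaves.
SAMPLE = """\
1: 10:01:02.123456 203.0.113.10.41822 > 198.51.100.5.51820:  udp 148
2: 10:01:07.223456 203.0.113.10.41822 > 198.51.100.5.51820:  udp 148
3: 10:01:08.000001 198.51.100.5.443 > 203.0.113.77.50000:  udp 1200
"""

if __name__ == "__main__":
    print(classify_capture(SAMPLE, "198.51.100.5"))
```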

Port: you need to specify the port; that's what's missing in your NAT.

The Source Port is set to VPN, which I created and set to 51820, as mentioned in the snip. If that's not what you are talking about, please let me know.

In the advanced NAT edit,
is there a route-lookup option? If yes, enable it.

I tried to enable it but I received this error:

You cannot select the Perform Route Lookup option if you select interface for translated source
The Perform Route Lookup option is available for identity NAT only. The original and translated source networks must be identical to use the option.

How many public IPs do you have besides the OUTside public IP?

We have only one public IP.

Can you share the packet-tracer test you ran?
