core: Port forwarding via wireguard interface not working

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

[x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

[x] I have searched the existing issues and I’m convinced that mine is new.

Describe the bug Port forwarding doesn’t work through wireguard interface to lan.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

To Reproduce Steps to reproduce the behavior:

  1. Establish wireguard connection
  2. Forward a tcp port from the wireguard(WAN) network to LAN network
  3. Open port with ncat on host in LAN
  4. Try to connect to forwarded port from WAN
  5. Follow packets with tcpdump on OPNsense firewall

Expected behavior Establishing a tcp connection between WAN host (xxx.de) via wireguard interface (wg0) to LAN host.

Screenshots

https://i.imgur.com/x9hBagG.png https://i.imgur.com/dJs9l38.png https://i.imgur.com/Ylx9J3L.png

Relevant log files tcpdump on LAN interface on OPNsense

19:28:57.774733 IP xxx.de.23023 > 192.168.20.101.11526: Flags [S], seq 1802740233, win 64240, options [mss 1380,sackOK,TS val 79282081 ecr 0,nop,wscale 7], length 0
19:28:57.775498 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133438719 ecr 79282081,nop,wscale 7], length 0
19:28:58.776502 IP xxx.de.23023 > 192.168.20.101.11526: Flags [S], seq 1802740233, win 64240, options [mss 1380,sackOK,TS val 79283084 ecr 0,nop,wscale 7], length 0
19:28:58.777248 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133439721 ecr 79282081,nop,wscale 7], length 0
19:28:59.779374 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133440723 ecr 79282081,nop,wscale 7], length 0
19:29:00.792129 IP xxx.de.23023 > 192.168.20.101.11526: Flags [S], seq 1802740233, win 64240, options [mss 1380,sackOK,TS val 79285100 ecr 0,nop,wscale 7], length 0
19:29:00.792870 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133441737 ecr 79282081,nop,wscale 7], length 0
19:29:02.979382 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133443923 ecr 79282081,nop,wscale 7], length 0
19:29:04.888799 IP xxx.de.23023 > 192.168.20.101.11526: Flags [S], seq 1802740233, win 64240, options [mss 1380,sackOK,TS val 79289196 ecr 0,nop,wscale 7], length 0
19:29:04.888967 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133445833 ecr 79282081,nop,wscale 7], length 0
19:29:08.952726 IP 192.168.20.101.11526 > xxx.de.23023: Flags [S.], seq 1252543376, ack 1802740234, win 65160, options [mss 1460,sackOK,TS val 1133449897 ecr 79282081,nop,wscale 7], length 00

tcpdump on wg0 interface on OPNsense

19:34:19.395412 IP xxx.de.23023 > 10.65.68.45.11526: Flags [S], seq 2533116111, win 64240, options [mss 1380,sackOK,TS val 79603694 ecr 0,nop,wscale 7], length 0
19:34:20.408152 IP xxx.de.23023 > 10.65.68.45.11526: Flags [S], seq 2533116111, win 64240, options [mss 1380,sackOK,TS val 79604707 ecr 0,nop,wscale 7], length 0
19:34:22.424482 IP xxx.de.23023 > 10.65.68.45.11526: Flags [S], seq 2533116111, win 64240, options [mss 1380,sackOK,TS val 79606723 ecr 0,nop,wscale 7], length 0
19:34:26.682679 IP xxx.de.23023 > 10.65.68.45.11526: Flags [S], seq 2533116111, win 64240, options [mss 1380,sackOK,TS val 79610980 ecr 0,nop,wscale 7], length 0`

SYN ACK doesn’t get forwarded

Environment

OPNsense 20.7.3-amd64

Forum Report https://forum.opnsense.org/index.php?topic=18013 https://forum.opnsense.org/index.php?topic=18062 https://forum.opnsense.org/index.php?topic=19409 https://forum.opnsense.org/index.php?topic=17973

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 31 (11 by maintainers)

Most upvoted comments

@trunet I also don’t understand why the same openvpn logic applied to wireguard doesn’t work (I think it’s a bug) @fraenki I made it work that way: with the 21.7.b version (type development) immagine firewall ingress rule on the wireguard interface immagine Filter rule association set to None immagine

I hope it will be useful to someone

+3
amonhk on Jun 21, 2021

Can still not get this to work, no matter what I try.

I did a quick test and it indeed still routes over wan.

+3
H4R0 on May 1, 2021

I did some $this->log to debug the problem.

wireguard interface doesn’t contain a gateway on the interfacemapping, although I have a gateway defined on “Single”… openvpn contains a gateway there.

(
    [if] => wg1
    [descr] => [MY INTERFACE]
    [enable] => 1
    [lock] => 1
    [spoofmac] =>
    [ipaddrv6] =>
    [ipaddr] =>
    [gateway] =>
    [gatewayv6] =>
    [ifconfig] => Array
        (
            [ipv4] => Array
                (
                    [0] => Array
                        (
                            [ipaddr] => [MY VPN IP]
                            [subnetbits] => 24
                        )

                )

            [ipv6] => Array
                (
                )

        )

)

Therefore, https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php#L150 is false and it doesn’t add reply-to wireguard interfaces.

+1
trunet on Jun 30, 2021

Is this a misconfig by all of us, or this is a bug? if it’s a bug, or this issue needs to be reopened, or we need to open a new one.

Since the exact same setup works with openvpn and ipsec I don’t see how this is a misconfig from us.

Site-to-Site works, it’s just port forwarding where replies get routed over wan instead of the wg interface.

Disabling reply-to and several other settings have no effect on this. The only workaround is to masquerade on the client side.

It would be interesting if pfsense has the same issue though.

+1
H4R0 on Jun 21, 2021

I’m also unable to make port forwarding works. This ticket should be reopened, if not I can open a new one.

In my case, I installed wireguard-kmod, rebooted. tcpdumps below, you can see packet arriving fine on wg1 but being replied back on wan directly.

OpnSense wg1 tcpdump:

13:12:46.987457 IP [REDACTED_PUBLIC_IP].46256 > 10.13.128.89.10000: Flags [S], seq 3380801657, win 29200, options [mss 1380,sackOK,TS val 3306454498 ecr 0,nop,wscale 7], length 0

OpnSense ix1_vlan34 tcpdump (my WAN interface):

13:12:46.987713 IP 10.13.128.89.10000 > [REDACTED_PUBLIC_IP].46256: Flags [S.], seq 3870681174, ack 3380801658, win 65160, options [mss 1460,sackOK,TS val 3841074193 ecr 3306454498,nop,wscale 7], length 0
13:12:46.987814 IP 10.13.128.89.10000 > [REDACTED_PUBLIC_IP].46256: Flags [S.], seq 3870681174, ack 3380801658, win 65160, options [mss 1460,sackOK,TS val 3841074193 ecr 3306454498,nop,wscale 7], length 0
...... more TCP SYN/ACK retries
+1
trunet on Jun 21, 2021

@TheLinuxGuy don’t waste time on it, I tried everything already.

pfsense-devel now has wireguard using the kernel implementation, opnsense will probably follow with 21.1.x/21.7

The kernel implementation will boost performance again and hopefully fix the routing problem.

+1
H4R0 on Jan 20, 2021
Read more comments on GitHub
← core: pkg stalls on exit
core: radvd stops announcing IPv6 prefix after a while →