1-1 NAT with Wireguard VPN - SNAT Rule never matches

Hi!
(I will use example addresses in the desc.)
I have a VyOS router with 2 public IPs, on eth0 (1.0.0.2) and eth1 (1.0.0.3).
I have a Wireguard VPN as wg01.
I created a 1-to-1 NAT from eth1 (1.0.0.3) to wg01 (server: 10.0.0.1, client: 10.0.0.2).

I have the following NAT configuration:

vyos@vyos# show nat
 destination {
     rule 2000 {
         description "1-to-1 NAT wings4"
         destination {
             address 1.0.0.3
         }
         inbound-interface eth1
         translation {
             address 10.0.0.2
         }
     }
 }
 source {
     rule 2000 {
         description "1-to-1 NAT wings4"
         outbound-interface eth1
         source {
             address 10.0.0.2
         }
         translation {
             address 1.0.0.3
         }
     }
 }

I have the following server WG VPN config:

vyos@vyos# show interfaces wireguard
 wireguard wg01 {
     address 10.0.0.1/24
     description VPN-For-External-Wings
     peer to-wings4 {
         allowed-ips 10.0.0.2/32
         public-key somekey
     }
     port 51820
     private-key somekey
 }

And have the following static routes:

vyos@vyos# show protocols
 static {
     route 0.0.0.0/0 {
         next-hop 1.0.0.1 {
         }
     }
     route 10.0.0.2/32 {
         interface wg01 {
         }
     }
 }

What I’m trying to achieve is the following:
PC1 (Random Client) → 1.0.0.3 (eth1) → <> → DNAT → VPN (wg01) → Server (10.0.0.2) // This works just fine, I can ssh to the server

But from the other side, if I try to ‘curl’ a site for example:
Server → VPN → SNAT → INTERNET
If I dump the connections, it uses 10.0.0.2 as the source IP instead of 1.0.0.3. For some reason the SNAT does not match the request.

VPN Client config:

[Interface]
PrivateKey = somekey
Address = 10.0.0.2/0
DNS = 8.8.8.8

[Peer]
PublicKey = somekey
Endpoint = 1.0.0.2:51820
AllowedIPs = 0.0.0.0/0 // except 8.8.8.8, 192.168.1.0/24, 1.0.0.2/32
PersistentKeepalive = 1

TCP dump of the ‘curl’ example:
26882 13.804659 10.0.0.2 152.66.115.203 TCP 80 49742 → 80 [SYN] Seq=0 Win=64860 Len=0 MSS=1380 SACK_PERM TSval=1504766221 TSecr=0 WS=128 26882

So what am I doing wrong that the SNAT is not working?

Use tcpdump and check if traffic is returned to this instance.
Maybe you should add SNAT for the wireguard interface to hide the original source.
This way traffic will return to this node.

Thanks for the tip! I already dumped that and there was nothing like that. The problem was that for some weird reason the packets for 1.0.0.3 wanted to go out on eth0 instead of eth1, and that’s why the SNAT rule was not matching. After a reboot it was fixed, but then the DNAT was not working because of the same reason: the packet for 1.0.0.3 was received on eth0 instead of eth1, which I don’t know how is possible since it has a different address. How can a packet be received on an interface that doesn’t have the destination address instead of the one that has it? Maybe some bug in virtualisation? I’m using Proxmox to run VMs.

I solved the problem by setting both the DNAT and SNAT rule inbound and outbound interface to any instead of the correct interface, and it works just fine now.
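As an added example (not part of the thread and not VyOS code), the NAT rules posted above replayed in Python: a small parser for the brace-style ‘show nat’ output and a matcher that applies the same interface binding netfilter does, so the curl SYN leaving on eth0 instead of eth1 shows up as “no rule matched”, and the ‘any’ workaround makes it match again. Treating a rule with no interface set as ‘any’ is an assumption of this model.

```python
"""Replays the NAT rules from the thread against constructed flows (added example, not VyOS code)."""
import re
# The 'show nat' output from the post, compacted onto fewer lines: VyOS brace
# config is whitespace-insensitive, so it parses identically.
NAT_CONFIG = """
destination { rule 2000 { description "1-to-1 NAT wings4" destination { address 1.0.0.3 }
    inbound-interface eth1 translation { address 10.0.0.2 } } }
source { rule 2000 { description "1-to-1 NAT wings4" outbound-interface eth1
    source { address 10.0.0.2 } translation { address 1.0.0.3 } } }
"""

def parse_vyos(text):
    """Parse brace-style config into nested dicts; 'rule 2000 { .. }' nests as rule -> '2000'."""
    tokens = re.findall(r'"[^"]*"|\{|\}|\S+', text)
    def block(i):
        node = {}
        while i < len(tokens) and tokens[i] != "}":
            key, i = tokens[i], i + 1
            if tokens[i] == "{":                          # 'destination { ... }'
                node[key], i = block(i + 1)
            else:
                val, i = tokens[i].strip('"'), i + 1
                if i < len(tokens) and tokens[i] == "{":  # 'rule 2000 { ... }'
                    node.setdefault(key, {})[val], i = block(i + 1)
                else:                                     # leaf: 'address 1.0.0.3'
                    node[key] = val
                    continue
            i += 1                                        # step past the closing brace
        return node, i
    return block(0)[0]

# Per chain: the interface option a rule is bound to, and the address field it matches on.
CHAIN = {"source": ("outbound-interface", "source"), "destination": ("inbound-interface", "destination")}

def translate(nat, chain, iface, addr):
    """Translation address from the first rule in `chain` matching a packet on `iface` with `addr`, else None."""
    iface_key, addr_key = CHAIN[chain]
    rules = nat.get(chain, {}).get("rule", {})
    for num in sorted(rules, key=int):                    # rules are walked in ascending number order
        rule = rules[num]
        # Assumption: a rule with no interface set behaves like 'any'.
        if rule.get(iface_key, "any") in ("any", iface) and rule.get(addr_key, {}).get("address") == addr:
            return rule["translation"]["address"]
    return None

if __name__ == "__main__":
    nat = parse_vyos(NAT_CONFIG)
    # The curl SYN from the post (10.0.0.2 -> 152.66.115.203) is rewritten only if it really leaves
    # via eth1; routed out of eth0 the rule is skipped and the private source goes out unchanged.
    print(translate(nat, "source", "eth1", "10.0.0.2"), translate(nat, "source", "eth0", "10.0.0.2"))
    nat["source"]["rule"]["2000"]["outbound-interface"] = "any"  # the OP's workaround
    print(translate(nat, "source", "eth0", "10.0.0.2"))
```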

Regarding whether the wrong interface is being used on the host: verify which MAC address it has and that the correct ethX is mapped to that through hw-id.
