Trying to get WireGuard Point-to-Site from VPS Windows Server via Edgerouter to local site

[Attachment: WG setup.jpg]

I have tried to set up a WireGuard/Edgerouter (ER) configuration whereby users in the Local Site can access the Windows Server in the Remote VPS.
I have used a Wireguard Wizard (gui) on the ER but may have to drop that and use the ER CLI as it lacks, I suspect, some of the commands I may need.
The wg interfaces 10.100.0.4 and 10.100.0.2 handshake and keepalive with no problem.
In the Windows command window I can ping 10.100.0.2 from 10.100.0.4. I cannot do the reverse. However, the ER has a ping tool and I can ping 10.100.0.4 from there.
Although I have tried NAT and Firewall Rules in the ER, I have had no success in getting the local site to play with the VPS server. IMPORTANT: I have read everything I can find to guide me but without success and it is obvious I am not sufficiently knowledgeable in this regard.
I have now removed all NAT and Firewall Rules (and most of my hair!) to start AGAIN with an almost clean slate.

I would appreciate any guidance anyone can give.
Regards
 
on 2012R2 add a static route to 192.168.0.0/24 via 10.100.0.2
then you don't need any nat and you can log each pc easily on 10.100.0.4
 
Thank you covacat, I will give that a try.
VladiBG, I acknowledge your comment re the Edgerouter but FreeBSD is a "go to" forum for WireGuard and I logged my question from that regard.
 
There's 2 options that you can use.
The first option is to use routing only without NAT. To do this on both ends of the tunnel you have to add a static route.
On the Windows Server it should be route add 192.168.0.0 MASK 255.255.255.0 10.100.0.2
and on the Edge router route add -net 200.100.3.0/24 10.100.0.4
In your Wireguard config this should be put on interface UP event so when the connection is established it will add the route for you.

The second option is to use NAT on the Edgerouter which will NAT requests from 192.168.0.0/24 to 200.100.3.0/24 via 10.100.0.2. Depending on which Firewall you are using in FreeBSD there are different commands to set up the NAT; that's why I was asking which version of FreeBSD you are using and with what Firewall. In this scenario on your Windows server all requests will come from 10.100.0.2 and you will be unable to distinguish the clients (pc1, pc2...) from each other.
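The static route suggested by covacat and option 1 above fix the kernel routing table, but WireGuard adds a second gate that a wizard-generated point-to-point config usually leaves closed: cryptokey routing. A wg interface will only send a packet to a peer whose AllowedIPs cover the destination, and will silently discard an inbound packet whose source address is not inside that peer's AllowedIPs. So even with the route in place, LAN clients behind the ER cannot reach 10.100.0.4 until the Windows side lists 192.168.0.0/24 in the ER peer's AllowedIPs, while pings sourced from the ER's own tunnel address (10.100.0.2) keep working. The script below is an added example, not code from this thread or from WireGuard; it models both the routing table and the AllowedIPs check for the thread's addresses and traces an echo request and its reply. The LAN client 192.168.0.10, the interface names eth1/wg0, and the exact contents of the wizard's default config are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """One tunnel endpoint: kernel routing table plus WireGuard cryptokey table.
    routes: prefix -> outgoing interface; peers: peer name -> list of AllowedIPs."""
    name: str
    routes: dict = field(default_factory=dict)
    peers: dict = field(default_factory=dict)

    def route_iface(self, dst):
        """Longest-prefix match; None when the table has no route for dst."""
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def covered_by(self, peer, addr):
        """True if addr falls inside the named peer's AllowedIPs."""
        return any(addr in ipaddress.ip_network(p) for p in self.peers.get(peer, []))


def one_way(sender, receiver, src, dst):
    """Follow one packet through the sender's routing table and both wg
    cryptokey checks. Returns (delivered, reason). The wg interface is
    modelled as 'wg0' on both hosts."""
    iface = sender.route_iface(dst)
    if iface != "wg0":
        return False, f"{sender.name}: no route to {dst} via wg0 (lookup gave {iface})"
    if not sender.covered_by(receiver.name, dst):
        return False, f"{sender.name}: {dst} not in AllowedIPs of peer {receiver.name}; wg has no peer to send it to"
    if not receiver.covered_by(sender.name, src):
        return False, f"{receiver.name}: source {src} not in AllowedIPs of peer {sender.name}; wg silently discards it"
    return True, "ok"


def ping_works(a, b, src, dst):
    """An echo request src->dst and its reply dst->src must both get through."""
    ok, why = one_way(a, b, src, dst)
    if not ok:
        return False, why
    return one_way(b, a, dst, src)


# Constructed topology from the thread: ER tunnel address 10.100.0.2, Windows
# Server 10.100.0.4, LAN 192.168.0.0/24 on the ER. The LAN client 192.168.0.10
# and the ER's LAN interface name eth1 are assumptions.
ER, WIN = "edgerouter", "windows"
LAN_PC = ipaddress.ip_address("192.168.0.10")
SRV = ipaddress.ip_address("10.100.0.4")
ER_WG = ipaddress.ip_address("10.100.0.2")


def wizard_default():
    """Assumed point-to-point wizard output: AllowedIPs hold only the two
    tunnel addresses and Windows has no route for the LAN."""
    er = Host(ER, routes={"10.100.0.0/24": "wg0", "192.168.0.0/24": "eth1"},
              peers={WIN: ["10.100.0.4/32"]})
    win = Host(WIN, routes={"10.100.0.0/24": "wg0"},
               peers={ER: ["10.100.0.2/32"]})
    return er, win


def routed():
    """Option 1 done fully: the Windows route for 192.168.0.0/24 via
    10.100.0.2 (route add 192.168.0.0 MASK 255.255.255.0 10.100.0.2) AND
    192.168.0.0/24 appended to the ER peer's AllowedIPs on Windows."""
    er = Host(ER, routes={"10.100.0.0/24": "wg0", "192.168.0.0/24": "eth1"},
              peers={WIN: ["10.100.0.4/32"]})
    win = Host(WIN, routes={"10.100.0.0/24": "wg0", "192.168.0.0/24": "wg0"},
               peers={ER: ["10.100.0.2/32", "192.168.0.0/24"]})
    return er, win


if __name__ == "__main__":
    for label, (er, win) in (("wizard default", wizard_default()), ("routed", routed())):
        print(f"[{label}] ER -> server:    ", ping_works(er, win, ER_WG, SRV))
        print(f"[{label}] LAN PC -> server:", ping_works(er, win, LAN_PC, SRV))
```

With the wizard defaults the trace reproduces the symptom in the opening post: the ER's own ping tool (source 10.100.0.2) succeeds, while anything sourced from the LAN is dropped on the Windows side at the AllowedIPs check. Two practical notes: the WireGuard client for Windows installs routes for every AllowedIPs prefix itself, so once 192.168.0.0/24 is in AllowedIPs the manual route add is redundant; and that client ignores PreUp/PostUp lines unless the DangerousScriptExecution registry value is enabled, so do not rely on an interface-up hook there. To reach hosts behind the Windows server (the 200.100.3.0/24 assumed above) the same two-part change is needed in the other direction, on the ER's peer entry for Windows.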
 
but FreeBSD is a "go to" forum for WireGuard
What makes you think that? Last time I checked WireGuard was littered with linuxisms and even lacking a proper manpage that doesn't use linux-specific tools and syntax in its examples. Also the EdgeRouters are running some butchered linux-OS underneath by default.

So for generic and also EdgeRouter-specific WireGuard questions you should maybe ask in some linux forums.
The FreeBSD network stack and ESPECIALLY its firewalls are fundamentally different to what linux is doing (iptables - yes, you will lose all your hair with that crap...), and Windows is yet another completely different can of worms, so this FreeBSD-specific forum won't be of any help.

So if there is no FreeBSD system involved, see #7:
 