
My home network is behind CGNAT, I don't get any public IP address. I want to access my home network via Wireguard from mobile clients.

Home Router  <----Wireguard----> VPS                      (Tunnel "A")
Home Router  <----Wireguard-----(VPS)----> Mobile Client  (Tunnel "B")

Home Router and VPS both have OPNsense installed. Tunnel "A" is already up and running. I now want the mobile clients to establish Tunnel "B" through Tunnel "A" by connecting to the VPS's public IP address.

Currently I use port mapping on the VPS to map the Wireguard port of the Home Router's IP (Tunnel A) to a port of the VPS.

I am struggling with configuring the routing for tunnel B properly. Especially the route back to the mobile client doesn't work, since Home Router doesn't know the IP of the mobile client.

How to establish such a nested tunnel configuration?

Why am I not using the VPS as a router A <--> B instead of nesting the tunnels? Because I don't trust the VPS fully, and thus I am forced to have the client config on my home router and not on the VPS.

2 Answers


I am struggling with configuring the routing for tunnel B properly. Especially the route back to the mobile client doesn't work, since Home Router doesn't know the IP of the mobile client.

Leave it empty; the server should automatically learn the IP address as soon as it receives a valid packet (i.e. with a key matching any peer's key). That's part of standard WireGuard functionality, and I believe it's implemented in FreeBSD the same way as other systems.

Most likely, though, the address it learns won't be usable, as mobile networks often have a network-level firewall; they won't forward the 'reply' packets if they arrive from some other endpoint than the VPS that was initially contacted.

So in addition to DNAT (port mapping), the VPS should also do SNAT (outbound NAT) on the packets directed to your home router – very much as if you were configuring "NAT hairpinning" – so that the home router will only see the VPS itself as its client. (Packets from different mobile clients will still be distinguished by the UDP source port.)
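What the DNAT plus SNAT ("hairpin") setup on the VPS looks like in raw pf.conf syntax, as an added illustration that is not part of the answer above. OPNsense generates pf rules from its Firewall > NAT pages rather than from a hand-written pf.conf, so treat this as the rule set you are aiming to reproduce there. The interface names, tunnel addresses and ports are assumptions for the sake of the example: vtnet0 is the VPS's public interface, wg0 is the VPS end of tunnel "A" with 10.0.0.1/24 on the VPS and 10.0.0.2 on the home router, the home router's tunnel "B" WireGuard instance listens on UDP 51820, and mobile clients are told to connect to the VPS's public address on UDP 51821.

```pf
# Assumed names and addresses (not from the original question or answer).
ext_if     = "vtnet0"      # VPS public interface
wg_if      = "wg0"         # VPS end of tunnel "A"
vps_tun_ip = "10.0.0.1"    # VPS address inside tunnel "A"
home_tun_ip = "10.0.0.2"   # home router address inside tunnel "A"
home_wg_port = "51820"     # tunnel "B" listener on the home router
public_port  = "51821"     # port mobile clients use on the VPS's public IP

# 1. DNAT (port mapping): handshakes from mobile clients arriving on the VPS's
#    public port are redirected across tunnel "A" to the home router's
#    tunnel "B" listener. "rdr pass" also admits the translated packet.
rdr pass on $ext_if inet proto udp from any to ($ext_if) port $public_port \
    -> $home_tun_ip port $home_wg_port

# 2. SNAT (outbound NAT) on the tunnel "A" interface: rewrite the source of the
#    redirected packets to the VPS's own tunnel address, so the home router
#    only ever sees the VPS as its peer endpoint. pf picks a fresh source port
#    per mobile client, which is what keeps the clients distinguishable; the
#    home router's replies to 10.0.0.1:<that port> are reverse-translated by
#    the same state entry back to the real mobile client address.
nat on $wg_if inet proto udp from any to $home_tun_ip port $home_wg_port \
    -> $vps_tun_ip

# Allow the forwarded WireGuard traffic out over tunnel "A". The reply
# direction is covered by the state created here.
pass out on $wg_if inet proto udp from $vps_tun_ip to $home_tun_ip \
    port $home_wg_port keep state
```

With this in place the mobile client's peer entry points at the VPS's public IP and port 51821, while the home router's peer entry for that mobile client carries only the client's tunnel "B" address in AllowedIPs and no Endpoint; the home router learns the endpoint (which will always be 10.0.0.1 plus a per-client port) from the first valid packet. Note that the VPS cannot read tunnel "B" traffic: it only rewrites the outer UDP headers, which is why the nested layout satisfies the "don't fully trust the VPS" requirement from the question.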


This is only a partial answer (but may be helpful to you) -

I've done something quite similar for very different reasons (not NAT related). WireGuard can run on arbitrary ports. In the config file, you can specify a ListenPort for the Interface, and when you specify an Endpoint for the Peer, simply specify it in the form

  Endpoint = ip.ad.dr.ess:portno

A tricky bit was my router got a bit confused with some traceroutes because it only has 1 routing table. In order to fix the issue with the routing table you can do policy based routing and have a second table. I did not want to go that way because the core router
