opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Port forwarding via wireguard interface not working #5083

Closed trunet closed 3 years ago

trunet commented 3 years ago

Describe the bug

Following #4389 that for some reason was closed, same NAT port-forward configuration works on openvpn but not on wireguard.

I var_dump my interfacemapping and I have:

(
    [if] => wg1
    [descr] => [MY INTERFACE]
    [enable] => 1
    [lock] => 1
    [spoofmac] =>
    [ipaddrv6] =>
    [ipaddr] =>
    [gateway] =>
    [gatewayv6] =>
    [ifconfig] => Array
        (
            [ipv4] => Array
                (
                    [0] => Array
                        (
                            [ipaddr] => [MY VPN IP]
                            [subnetbits] => 24
                        )

                )

            [ipv6] => Array
                (
                )

        )

)

If you check https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php#L150, it is false and it doesn't add reply-to to wireguard interfaces.

Proof:

pass in quick on ovpnc4 reply-to (ovpnc4 10.XX.X.XX) inet proto tcp from any to <myserver> port = 10000 flags S/SA keep state label "514698ad49eba95b7d5b82502e1c3e65"
pass in quick on ovpnc4 reply-to (ovpnc4 10.XX.X.XX) inet proto udp from any to <myserver> port = 10000 keep state label "514698ad49eba95b7d5b82502e1c3e65"
pass in quick on wg1 inet proto tcp from any to <myserver> port = 10000 flags S/SA keep state label "514698ad49eba95b7d5b82502e1c3e65"
pass in quick on wg1 inet proto udp from any to <myserver> port = 10000 keep state label "514698ad49eba95b7d5b82502e1c3e65"

To Reproduce

Create a wireguard VPN, configure its gateway. Configure a NAT port-forward for it, and you'll see that port forward doesn't work because there's no reply-to on the pfctl rule.

Expected behavior

Wireguard port forward should work the same as openvpn.

Describe alternatives you considered

On opnsense 21.7 beta, you can create the NAT port forward without the filter rule. You manually create the rule with the new "reply-to" set to the correct gateway. This is not possible on 21.1.

Although this is a workaround, it should not be considered a solution, because the filter rule created by NAT should do this automatically as it does with openvpn.

OPNsense-bot commented 3 years ago

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

fichtner commented 3 years ago

@trunet have you set "Dynamic gateway policy" in the assigned WG interface settings?

Cheers, Franco

trunet commented 3 years ago

@trunet have you set "Dynamic gateway policy" in the assigned WG interface settings?

No, it's unchecked the same as openvpn interfaces.

Also, wireguard local has "Disable Routes" checked because I have multiple tunnels. So a single gateway was added for each.

fichtner commented 3 years ago

OpenVPN is special for historic reasons:

https://github.com/opnsense/core/blob/69c007ef07e43373b76d334fcc232a02f6bc533b/src/opnsense/mvc/app/library/OPNsense/Routing/Gateways.php#L249

Can you try the setting please.

AdSchellevis commented 3 years ago

Automatic reply-to rules are only created when there's an explicit gateway known, which is either statically configured on the interface (upstream gateway) or reported by the provider of the address (https://docs.opnsense.org/manual/gateways.html#missing-dynamic-gateway).

To make sure we can force traffic over to a predefined interface, we're exposing the reply-to setting in the upcoming OPNsense version (https://github.com/opnsense/core/commit/286000deabbb24c2d0f923bce109cbb9a3e3d1ef), as discussed in https://github.com/opnsense/core/issues/4905.

Currently we don't consider generating automatic reply-to rules without an explicit gateway set, so if the gateway is known and Wireguard flushes the address into /tmp/wgXXX_router it will work out of the box. These automatic rules are prone to errors (unintended side effects) and apparently hard to grasp for most users, leading to quite some support cases over time.
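As an added example (not OPNsense code, and not posted by anyone in this thread), the following Python illustrates the two points made above: the pfctl output from the report can be checked for inbound port-forward rules on VPN interfaces that lack a reply-to, and a rule is rendered with reply-to only when a gateway for the interface is actually known. The sample rule lines are copied from the report (with its masked addresses); the `192.0.2.x` gateway address used in the rendering call is a constructed placeholder.

```python
"""Detect pf 'pass in' port-forward rules without reply-to, and render how
such a rule should look once the interface gateway is known.

Added example for this issue thread; it is not OPNsense code.
"""
import re

# Constructed sample: the four pfctl rules from the report (masked values kept).
SAMPLE_RULES = """\
pass in quick on ovpnc4 reply-to (ovpnc4 10.XX.X.XX) inet proto tcp from any to <myserver> port = 10000 flags S/SA keep state label "514698ad49eba95b7d5b82502e1c3e65"
pass in quick on ovpnc4 reply-to (ovpnc4 10.XX.X.XX) inet proto udp from any to <myserver> port = 10000 keep state label "514698ad49eba95b7d5b82502e1c3e65"
pass in quick on wg1 inet proto tcp from any to <myserver> port = 10000 flags S/SA keep state label "514698ad49eba95b7d5b82502e1c3e65"
pass in quick on wg1 inet proto udp from any to <myserver> port = 10000 keep state label "514698ad49eba95b7d5b82502e1c3e65"
"""

# Matches the rule shape shown in the report; the reply-to clause is optional.
RULE_RE = re.compile(
    r"^pass in quick on (?P<if>\S+)"
    r"(?: reply-to \((?P<rt_if>\S+) (?P<rt_gw>\S+)\))?"
    r" inet proto (?P<proto>tcp|udp) from any to (?P<dst>\S+) port = (?P<port>\d+)"
)


def parse_rule(line):
    """Return the parsed fields of one pf rule line, or None if it does not match."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    return fields


def rules_missing_reply_to(text, vpn_prefixes=("wg", "ovpn")):
    """List (interface, proto, port) of inbound pass rules on VPN-style
    interfaces that carry no reply-to; these are the ones whose replies
    will follow the default route instead of the tunnel."""
    missing = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["if"].startswith(vpn_prefixes) and rule["rt_gw"] is None:
            missing.append((rule["if"], rule["proto"], rule["port"]))
    return missing


def render_rule(ifname, proto, dst, port, gateway=None):
    """Render a pass rule for a port forward. reply-to is emitted only when a
    gateway is known for the interface, as described in the thread; with no
    gateway the rule comes out exactly like the wg1 rules in the report."""
    reply_to = f" reply-to ({ifname} {gateway})" if gateway else ""
    flags = " flags S/SA" if proto == "tcp" else ""
    return (f"pass in quick on {ifname}{reply_to} inet proto {proto} "
            f"from any to {dst} port = {port}{flags} keep state")


if __name__ == "__main__":
    for entry in rules_missing_reply_to(SAMPLE_RULES):
        print("no reply-to:", entry)
    # 192.0.2.1 is a constructed placeholder for the tunnel gateway.
    print(render_rule("wg1", "tcp", "<myserver>", 10000, gateway="192.0.2.1"))
```

Run against real output with `pfctl -sr | python3 check_reply_to.py` style plumbing (feed stdin to `rules_missing_reply_to`); the two wg1 rules from the report are the ones it flags, and the ovpnc4 rules pass.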

trunet commented 3 years ago

I do have a gateway set on the local configuration, although I don't know if this does anything. I tried enabling the "Dynamic Gateway" and the problem persists.

[Screenshot 2021-07-07 at 11:45:20]

SebbesApa commented 3 years ago

Port forwarding works in OPNsense 21.7.2 with the reply-to rules described in https://github.com/opnsense/core/issues/4389#issuecomment-865349224. So I guess this issue can be closed.

fichtner commented 3 years ago

Fine by me, thanks for the feedback!