Access to the remote DMZ via WireGuard in Net-To-Net configuration

Hi everyone!

For performance reasons I switched my Net-To-Net connection between two IPFire devices from OpenVPN to WireGuard.

To do this, I set up two Net-To-Net peers: one between ORANGE on IPFire 1 and ORANGE on IPFire 2 (named WG-ORANGE), and a second between GREEN on IPFire 1 and GREEN on IPFire 2 (named WG-GREEN).
I also created four firewall rules on both IPFire devices:

  1. ‘Source/Default networks:’ GREEN, ‘Destination/WireGuard peers:’ WG-GREEN, ‘Protocol:’ All
  2. ‘Source/WireGuard peers:’ WG-GREEN, ‘Destination/Default networks:’ GREEN, ‘Protocol:’ All
  3. same as 1, but with ORANGE instead of GREEN
  4. same as 2, but with ORANGE instead of GREEN

The connection between GREEN 1 and GREEN 2 works perfectly, as does the one between ORANGE 1 and ORANGE 2.

However, I haven’t yet managed to set up a rule that allows GREEN 1 to connect to ORANGE 2 and vice versa.

What I tried (the rules were always created and enabled on both IPFire devices):

  • ‘Source/Default networks:’ GREEN, ‘Destination/WireGuard peers:’ WG-ORANGE, ‘Protocol:’ All (the WG-ORANGE rule, which I believe is also necessary, has already been set up on both IPFire devices under point 3. above.)
  • ‘Source/WireGuard peers:’ WG-GREEN, ‘Destination/Default networks:’ ORANGE, ‘Protocol:’ All (the WG-GREEN rule, which I believe is also necessary, has already been set up on both IPFire devices under point 1. above.)
  • ‘Source/Destination address (IP address or network):’ GREEN, ‘Destination/Destination address (IP address or network):’ IP.ADDRESS.OF.CLIENT, ‘Protocol:’ All
  • ‘Source/WireGuard peers:’ WG-GREEN, ‘Destination/Destination address (IP address or network):’ IP.ADDRESS.OF.CLIENT, ‘Protocol:’ All
  • All four of the above rules activated simultaneously in various combinations
  • All four rules as above, but with SNAT or DNAT added.

But the ping keeps saying: ‘Request timed out’/‘Destination host unreachable’.
And now I’m stuck and don’t know what to try next.

Or would it be better to use static routes? I’ve had bad experiences with this before when using WireGuard, because the static routes weren’t compatible with the routes generated automatically by the WireGuard setup.

Does anyone have any ideas? Thanks in advance!

:thinking:
Maybe the posts below will be helpful

Regards

Hi iptom!

Your posts have given me some new ideas. Thank you for that!

I’ll probably need to include ORANGE as a remote subnet in the WG-GREEN peer as well.

Or perhaps I could just create a single peer that includes GREEN and ORANGE as local and remote subnets. In that case, which zone is allowed to connect to which is likely to be defined solely by firewall rules. I’ve actually blocked forwarding in the default firewall behaviour and have a separate firewall rule for every connection between the zones.

Regards,
Thomas

Hello everyone!

The solution is to route all traffic from both IPFire devices via one single WireGuard connection. The rest can then be configured using the firewall rules.
Thanks for the food for thought!

Kind regards,
Thomas
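Why the two-peer setup in the opening post could never pass GREEN 1 to ORANGE 2 traffic, and why a single peer carrying both subnets does, comes down to WireGuard's cryptokey routing: a peer's AllowedIPs is used as the routing table on the way out and as a source-address filter on the way in, so a packet that leaves IPFire 1 through WG-ORANGE arrives at IPFire 2 on a peer whose AllowedIPs contain only ORANGE 1, and is discarded before any firewall rule sees it. The script below is an added example that models exactly that check for the two topologies discussed in this thread; it is not IPFire's or WireGuard's code, the peer names follow the thread, and the four subnets (10.1.0.0/24, 10.1.1.0/24, 10.2.0.0/24, 10.2.1.0/24) are constructed stand-ins for the real GREEN and ORANGE networks.

```python
"""Model of WireGuard cryptokey routing for an IPFire-style Net-To-Net setup.

Added example, not IPFire's or WireGuard's own code. Subnets are constructed:
GREEN1 10.1.0.0/24 and ORANGE1 10.1.1.0/24 behind IPFire 1,
GREEN2 10.2.0.0/24 and ORANGE2 10.2.1.0/24 behind IPFire 2.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str           # IPFire peer name, e.g. WG-GREEN
    allowed_ips: tuple  # remote subnets listed in this peer's AllowedIPs

    def contains(self, addr):
        return any(addr in n for n in self.allowed_ips)


def net(text):
    return ipaddress.ip_network(text)


def egress_peer(peers, dst):
    """Outbound side: longest-prefix match of dst over all peers' AllowedIPs."""
    best = None
    for peer in peers:
        for n in peer.allowed_ips:
            if dst in n and (best is None or n.prefixlen > best[1].prefixlen):
                best = (peer, n)
    return best[0] if best else None


def ingress_allowed(peer, src):
    """Inbound side: WireGuard drops a decrypted packet unless its source
    address lies inside the AllowedIPs of the peer it arrived from."""
    return peer.contains(src)


def trace(topology, src, dst):
    """Follow one packet from a host behind side1 to a host behind side2.
    Returns (status, detail) with status in {no_route, dropped, delivered}."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = egress_peer(topology["side1"], dst)
    if out is None:
        return ("no_route", f"no AllowedIPs entry on side1 covers {dst}")
    # The tunnel terminates on the peer of the same name on the other side.
    inbound = next(p for p in topology["side2"] if p.name == out.name)
    if not ingress_allowed(inbound, src):
        allowed = ", ".join(str(n) for n in inbound.allowed_ips)
        return ("dropped", f"side2 peer {inbound.name} rejects source {src}; "
                           f"its AllowedIPs are only {allowed}")
    return ("delivered", f"{src} -> {dst} via {out.name}; the firewall rules "
                         f"now decide whether it is forwarded")


def round_trip(topology, src, dst):
    """Status of the request (side1 -> side2) and of the reply (side2 -> side1).
    A ping only succeeds when both directions are delivered."""
    swapped = {"side1": topology["side2"], "side2": topology["side1"]}
    return (trace(topology, src, dst)[0], trace(swapped, dst, src)[0])


def render_allowed_ips(peer):
    """The [Peer] line that carries these remote subnets in a wg config."""
    return "AllowedIPs = " + ", ".join(str(n) for n in peer.allowed_ips)


# Constructed subnets standing in for the thread's GREEN/ORANGE zones.
GREEN1, ORANGE1 = net("10.1.0.0/24"), net("10.1.1.0/24")
GREEN2, ORANGE2 = net("10.2.0.0/24"), net("10.2.1.0/24")

# Topology from the opening post: one peer per zone pair.
TWO_PEERS = {
    "side1": (Peer("WG-GREEN", (GREEN2,)), Peer("WG-ORANGE", (ORANGE2,))),
    "side2": (Peer("WG-GREEN", (GREEN1,)), Peer("WG-ORANGE", (ORANGE1,))),
}

# Topology from the solution post: one peer carrying both zones
# (hypothetical peer name WG-N2N).
SINGLE_PEER = {
    "side1": (Peer("WG-N2N", (GREEN2, ORANGE2)),),
    "side2": (Peer("WG-N2N", (GREEN1, ORANGE1)),),
}

if __name__ == "__main__":
    for label, topo in (("two peers", TWO_PEERS), ("single peer", SINGLE_PEER)):
        for s, d in (("10.1.0.5", "10.2.0.5"), ("10.1.0.5", "10.2.1.5")):
            print(f"[{label}] {s} -> {d}: {round_trip(topo, s, d)}")
            print("   ", trace(topo, s, d)[1])
    print(render_allowed_ips(SINGLE_PEER["side1"][0]))
```

Running it shows GREEN 1 to GREEN 2 delivered in both topologies, while GREEN 1 to ORANGE 2 is dropped in both directions with two peers and delivered with the single peer. That is also why no combination of forward rules, SNAT or DNAT helped in the opening post: the packets were discarded by WireGuard's ingress check before reaching the firewall. With one peer, the forwarding matrix between the four zones is then entirely under the firewall rules, which matches the approach of blocking forwarding by default and permitting each zone pair explicitly.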