I have some problems with the connection to WireGuard within my network at the moment and have been fighting with it for about three days.
I have an OpenWrt router, which is the main connection to the Internet. I have set up 2 VLANs: one for guests and other things, and the second VLAN for personal use.
In the second VLAN there is only one port and one WLAN available, which are for a server with Proxmox (port) and other devices (WLAN). One of the Proxmox VMs is an OPNsense firewall. I have set up a WireGuard server in OPNsense. From outside the network I can easily connect to this server and reach all other VMs/LANs. No problems there.
Since I only have physical access to OPNsense, I also want to access the OPNsense server from my OpenWrt network only via WireGuard. Unfortunately, this does not work.
I think I need to redirect vpn.domain.com to the IP or something, which would be the OpenWrt WAN IP. But I'm not 100% sure.
Here is a kind of network map of it. It currently lists a connection from VLAN2 to OPNsense-LAN, which I also tried. But I prefer to use the VPN solution.
I hope that I can get help to finally solve this mystery.
traceroute hits only the gateway/DNS of OpenWrt.
traceroute from outside: no problem, as long as I don't change vpn.domain.com to the OPNsense WAN IP. If I change it, I can't reach it from outside either.
Laptop connected to OPNsense, without and with hostname changes:
traceroute to vpn.domain.com (openwrt-WAN-IP), 30 hops max, 60 byte packets
1 _gateway (192.168.100.1) 0.708 ms 0.631 ms 0.578 ms
2 ISP (openwrt-WAN-IP) 1.213 ms 1.201 ms 1.177 ms
So, yeah. At least the direct connection to OPNsense, and from there onwards, seems to work. Which obviously makes no sense.
So, I figured a few things out. The first blocker was my phone itself, because of AFWall+ (I hadn't allowed [VPN-Network], which worked before without it, but must be set for the internal connection). I'm sorry, I completely forgot about this firewall... No need to change the hostname in vpn.domain.com.
I also "moved" another VM with WireGuard in front of OPNsense, and it works up to that point.
Now I hit the firewall of OPNsense. So my guess is to allow VLAN2, or at least the devices, to the WAN or WireGuard interface?
Edit:
Another step forward:
I have disabled 'Block Private Networks' on the OPNsense WAN interface (any other suggestions?). This allows me to connect to the WireGuard server, but I cannot reach the LAN there. I can reach the LAN via the external connection.
Edit 2:
It's strange... I disabled the firewall on 2 laptops to test the WireGuard connection there. It works (with and without the firewall enabled), but I can't reach the OPNsense GUI (192.168.100.1) or use the internet on these devices. But I can reach the GUI and the internet by phone (same network, VLAN2). And none of the devices can reach any other VM, which is 192.168.100.10. This is really confusing.
I just want to leave a note here. It works, somehow. With WireGuard it doesn't really work, but with OpenVPN it does.
Maybe I need to change something with the WireGuard interface or on my devices. I'll look into it and probably come back here in the future to mark it as a solution.
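Added example, not code from the original post or from OPNsense/WireGuard themselves. The symptom "handshake succeeds, but the LAN behind the server (192.168.100.0/24) is unreachable" is worth checking against the client's AllowedIPs before touching firewall rules: unlike OpenVPN, which can push routes from the server, WireGuard installs no routes on the client beyond what the client's own [Peer] AllowedIPs lists, and the same list is the allow-list for the inner source address of packets decrypted from that peer (cryptokey routing). The script below parses constructed wg-quick style configs and reproduces the kernel's longest-prefix lookup for both directions; it handles any number of peers, not just the single server peer in this thread. Only 192.168.100.0/24 and 192.168.100.10 come from the post; the 10.10.10.0/24 tunnel subnet, port 51820, the placeholder keys and the 192.168.1.50 source address are assumptions.

```python
"""Cryptokey-routing check for WireGuard AllowedIPs (added example, not from the post).

WireGuard does not push routes: a client's [Peer] AllowedIPs decides which
destinations are sent into the tunnel, and the same list is the allow-list for
the inner source address of packets decrypted from that peer. All configs in
this file are constructed samples; only 192.168.100.0/24 comes from the post.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed client config: only the (assumed) tunnel subnet is routed into the
# tunnel, so 192.168.100.x behind OPNsense never enters it even after a handshake.
CLIENT_TUNNEL_ONLY = """
[Interface]
Address = 10.10.10.2/32
PrivateKey = REDACTED

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.domain.com:51820
AllowedIPs = 10.10.10.0/24
"""

# Same client with the OPNsense LAN added to AllowedIPs.
CLIENT_WITH_LAN = """
[Interface]
Address = 10.10.10.2/32
PrivateKey = REDACTED

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.domain.com:51820
AllowedIPs = 10.10.10.0/24, 192.168.100.0/24
"""

# Constructed server-side view: the laptop peer may only source packets from
# its tunnel address, so packets with a leaked VLAN2 source are dropped.
SERVER_PEERS = """
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = REDACTED

[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.10.10.2/32
"""


@dataclass
class Peer:
    public_key: str = ""
    allowed_ips: List[Network] = field(default_factory=list)


def parse_peers(config_text: str) -> List[Peer]:
    """Extract PublicKey and AllowedIPs from every [Peer] section of a wg-quick style config."""
    peers: List[Peer] = []
    section: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append(Peer())
            continue
        if section != "peer" or "=" not in line:
            continue
        # Split on the first '=' only: base64 keys end in '=' padding.
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "PublicKey":
            peers[-1].public_key = value
        elif key == "AllowedIPs":
            peers[-1].allowed_ips.extend(
                ipaddress.ip_network(n.strip(), strict=False) for n in value.split(","))
    return peers


def peer_for(peers: List[Peer], destination: str) -> Optional[str]:
    """Longest-prefix match over all peers' AllowedIPs, as the kernel does for outgoing
    packets. None means the packet is not sent through the WireGuard interface at all."""
    dst = ipaddress.ip_address(destination)
    best_key, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if dst in net and net.prefixlen > best_len:  # 'in' is False across IPv4/IPv6
                best_key, best_len = peer.public_key, net.prefixlen
    return best_key


def accepts_from(peers: List[Peer], public_key: str, inner_source: str) -> bool:
    """Inbound side of cryptokey routing: a decrypted packet from `public_key` is kept
    only if its inner source address maps back to that same peer."""
    return peer_for(peers, inner_source) == public_key


def lan_reachable(config_text: str, lan_host: str = "192.168.100.10") -> bool:
    """True if `lan_host` would be routed into the tunnel with this client config."""
    return peer_for(parse_peers(config_text), lan_host) is not None


if __name__ == "__main__":
    for name, cfg in (("tunnel-only", CLIENT_TUNNEL_ONLY), ("with-lan", CLIENT_WITH_LAN)):
        print(f"{name}: 192.168.100.10 routed via peer -> {peer_for(parse_peers(cfg), '192.168.100.10')}")
```

Run it as-is to compare the two client configs; to check a real client, paste its [Peer] section into one of the constants. The server side matters as well: OPNsense only forwards decrypted packets whose inner source falls inside that peer's AllowedIPs, so a client that is reachable for the handshake but sends traffic with the wrong inner source is silently dropped, which looks identical to a firewall block from the client's point of view.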