Ah of course. Basic routing really. Stupid me.
I guess I could SSH tunnel through an SSH tunnel or just SSH tunnel to the web interface.

Ah actually I have a better idea. I will set up a VPN from my PC to PBX1 so I can access it directly. Problem solved!

Thanks for that.

Regards
Michael Knill

On 7/10/18, 10:55 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

    Yes, it all comes down to the routing at PBX2.
    
    Consider this ... the PC has IP 1.2.3.4, so the NAT forward will have a SRC address of 1.2.3.4 when received by 172.29.253.2 on PBX2.  If the routing on PBX2 routes 1.2.3.4 back through the wireguard tunnel then it will work as you want. On the other hand, if PBX2 routes 1.2.3.4 over its EXT interface then it will not work as you want.
    
    Probably the most elegant solution for routing on PBX2 is "policy routing" using "ip rule ..." where traffic through the wireguard tunnel could have a "fwmark" and add routing rules based on whether the packet traversed the wireguard tunnel.  I have only played with this ... all the hooks are currently available using /mnt/kd/wireguard.script
    
https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn#optional_action_script
    
    but if you are not familiar with policy-based routing in Linux, this takes some research to get a handle on.
    
    Alternatively, if your public PCs are always off a known subnet, you could add a static destination route on PBX2 to your PCs via the wireguard tunnel.
    
    Lonnie
    
    
    
    > On Oct 6, 2018, at 6:11 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    > 
    > Sorry Lonnie, I am a little confused.
    > The setup is as follows:
    > 
    > PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2
    > 
    > I can ping the private Wireguard PBX2 address (172.29.253.2) from PBX1 (172.29.253.2)
    > So I want to NAT PBX1 EXTIF on a particular port to PBX2 WG IP 172.29.253.2.
    > I have set up the NAT_FOREIGN_NETWORK for the entire private address space.
    > 
    > Thanks
    > 
    > Regards
    > Michael Knill
    > 
    > On 7/10/18, 12:01 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
    > 
    > 
    > 
    >> On Oct 5, 2018, at 10:29 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    >> 
    >> Hi Group
    >> 
    >> I'm wanting to set up a NAT rule from NAT EXT to a Wireguard VPN endpoint. Is this possible?
    >> It does not seem to work with NAT EXT -> LAN.
    >> If not, is there a custom rule I can try?
    >> 
    >> Basically I want to SSH to the VPN endpoint directly, via the transit DR server.
    >> 
    >> Thanks so much.
    > 
    >    Hi Michael, short answer is yes, but depending on the routing.
    > 
    >    Start with a diagram ...
    > 
    >    public_1 -- pbx1 [ wg_1_ip ] -- wireguard -- [ wg_2_ip ] pbx2 -- public_2
    > 
    > 
    >    My understanding is you want to SSH to wg_1_ip using public_2 ?  Correct me if I misunderstood.
    > 
    >    Yes, a "NAT EXT -> LAN" on public_2 to wg_1_ip will work *only if* the SSH return path at pbx1 goes through the wireguard vpn.
    > 
    >    I have personally tried this when pbx1 was on failover using wireguard over LTE/4G; as such all pbx1 traffic was routed over wireguard, so a "NAT EXT -> LAN" on public_2 to wg_1_ip worked since the SSH return packets passed over wireguard to pbx2.
    > 
    >    Tip -> Similarly, if a "NAT EXT -> LAN" on public_2 goes to a LAN IP on pbx1, you would need to set NAT_FOREIGN_NETWORK on pbx2 of the pbx1 LAN so it is NAT'ed on pbx2.
    > 
    >    Lonnie
    > 
    > 
    > 
    > 
    >    _______________________________________________
    >    Astlinux-users mailing list
    >    Astlinux-users@lists.sourceforge.net
    >    https://lists.sourceforge.net/lists/listinfo/astlinux-users
    > 
    >    Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
    > 
    > 
    > 
    
    
    


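Lonnie's two routing options for PBX2 (a fwmark policy rule for traffic that arrived through the tunnel, and a static route for a known PC subnet), as an added example that is not part of the thread or of AstLinux: a small Python model of the return-path decision PBX2 makes for the SSH reply, showing why the forwarded session breaks when the reply leaves via EXT and works when it re-enters WireGuard. The PC address 1.2.3.4 and the 172.29.253.0/24 transit network come from the thread; the interface names (ext0, wg0, eth1), the LAN prefix, the PC subnet 1.2.3.0/24, the mark value 0x1 and the table name are constructed assumptions.

```python
"""Model of PBX2's return-path routing for the NAT-forwarded SSH session.

Added illustration, not AstLinux code.  Addresses follow the thread (PC 1.2.3.4,
PBX2 WireGuard IP 172.29.253.2); interface names, the LAN prefix, the PC subnet,
the mark 0x1 and the table name "wgreturn" are constructed assumptions.

On a real Linux host the policy-routing variant is the usual CONNMARK recipe
(not executed here):
  iptables -t mangle -A PREROUTING -i wg0 -j CONNMARK --set-mark 0x1
  iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  ip rule add fwmark 0x1 table 100
  ip route add default dev wg0 table 100
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str   # destination prefix, "0.0.0.0/0" for the default route
    dev: str      # egress interface


@dataclass(frozen=True)
class Rule:
    table: str
    fwmark: Optional[int] = None   # None: the rule matches every packet


class Router:
    """Linux-style lookup: rules in priority order, longest prefix within a table."""

    def __init__(self, tables: dict, rules: list):
        self.tables = tables
        self.rules = rules

    def egress(self, dst: str, fwmark: int = 0) -> Optional[str]:
        addr = ip_address(dst)
        for rule in self.rules:
            if rule.fwmark is not None and rule.fwmark != fwmark:
                continue                      # rule selector does not match
            best = None
            for route in self.tables.get(rule.table, []):
                net = ip_network(route.prefix)
                if addr in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, route.dev)
            if best is not None:
                return best[1]                # first table with a match wins
        return None


PC_PUBLIC_IP = "1.2.3.4"
PC_SUBNET = "1.2.3.0/24"        # constructed: the "known subnet" the PCs come from
MARK_FROM_WG = 0x1              # constructed mark value

MAIN = [
    Route("0.0.0.0/0", "ext0"),           # default route out the public EXT side
    Route("172.29.253.0/24", "wg0"),      # the WireGuard transit network
    Route("192.168.10.0/24", "eth1"),     # constructed LAN
]


def return_path(setup: str, fwmark: int = 0) -> Optional[str]:
    """Interface PBX2 uses for its SSH reply to the PC under each setup."""
    if setup == "baseline":
        router = Router({"main": MAIN}, [Rule("main")])
    elif setup == "static_route":
        # Simpler option: send the known PC subnet back through WireGuard.
        router = Router({"main": MAIN + [Route(PC_SUBNET, "wg0")]}, [Rule("main")])
    elif setup == "policy":
        # Mark set on packets that entered via wg0 and restored on the replies
        # steers only those replies into a table whose default route is wg0.
        router = Router(
            {"main": MAIN, "wgreturn": [Route("0.0.0.0/0", "wg0")]},
            [Rule("wgreturn", fwmark=MARK_FROM_WG), Rule("main")],
        )
    else:
        raise ValueError(setup)
    return router.egress(PC_PUBLIC_IP, fwmark)


def session_works(setup: str, fwmark: int = 0) -> bool:
    """The forwarded session only works if the reply re-enters the tunnel,
    because PBX1's NAT state expects to see it there."""
    return return_path(setup, fwmark) == "wg0"


if __name__ == "__main__":
    for setup, mark in [("baseline", 0), ("static_route", 0),
                        ("policy", MARK_FROM_WG), ("policy", 0)]:
        verdict = "works" if session_works(setup, mark) else "asymmetric, fails"
        print(f"{setup:13} mark={mark:#x}: reply via {return_path(setup, mark)} -> {verdict}")
```

The unmarked "policy" case shows the advantage of the fwmark approach over the static route: PBX2's own traffic to 1.2.3.4 still leaves via EXT, and only replies belonging to connections that arrived through wg0 are steered back into the tunnel. On a real host with strict reverse-path filtering, packets arriving on wg0 from a public source address may also need rp_filter relaxed on that interface.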