OPNsense: Portforwarding over vpn tunnel


Necrotyr (Active Member, Jun 25, 2017, Denmark)
Right, I'm about to go insane trying to figure this out.

tl;dr: Unable to make inbound PAT over VPN tunnel work, outbound works fine.

I have a VPS with a bunch of public addresses I want to use in my homelab. To this end I've installed OPNsense on the VPS, as this is the firewall I'm also using at home. I've configured an OpenVPN S2S tunnel between them; so far so good, I'm able to ping both firewalls from each other and from servers inside my homelab.

I've then created some PBR rules in my homelab firewall to force traffic from certain servers to go through the VPN tunnel to the internet. This also works: I can see I'm using the VPS's public IP to access the internet.

My issue is with the inbound PAT rules. The one I'm testing right now is HTTPS towards an IIS server. From what I can see in the two firewalls' logs, traffic passes through to the IIS server just fine; I can also verify this on the IIS server in Resource Monitor, where I can see the TCP connections from my connection attempt. But it's like the IIS server doesn't know how to reply to the requests: they just time out or get connection refused.

Here's a basic drawing: (image not included)

Inbound PAT rule on VPS FW: (screenshot not included)

Outbound NAT rule on VPS FW: (screenshot not included)

Outbound PBR rule on Homelab FW: (screenshot not included)

I had this working previously using a simple GRE tunnel and passing all the public IPs directly to my homelab OPNsense box, but this was always a little flaky...

Anyone have an idea or tried to do something similar?

Also, I'm not very good at Wireshark, but if it can help I'll give it a try.
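As an added example (not the poster's code and not part of OPNsense), here is a small script that correlates `tcpdump -n` output taken at the four points along the path the post describes: the VPS WAN interface, the VPS side of the tunnel, the homelab side of the tunnel, and the LAN segment the IIS host sits on. Each inbound TCP handshake is keyed on the client address and port, which a destination-only PAT leaves unchanged, so the same flow can be matched on both sides of the NAT. For every flow it reports where the SYN was seen and where the server's reply was seen, and names the first hop at which either one disappears. A reply that shows up on the server's LAN segment but never on the tunnel interface means the return traffic is leaving by some other route (an asymmetric return path), which is the pattern worth ruling out when the server visibly receives the SYN but the client times out. The capture-point names, the addresses (documentation ranges) and every packet line are constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical capture points, in path order from the VPS WAN to the IIS segment.
PATH = ["vps_wan", "vps_ovpn", "home_ovpn", "home_lan"]

# Constructed `tcpdump -n` output. 203.0.113.x = internet clients,
# 198.51.100.5 = VPS public IP (pre-PAT), 192.168.10.20 = IIS host (post-PAT).
SAMPLE_CAPTURES = {
    "vps_wan": [
        "12:00:00.000100 IP 203.0.113.10.51234 > 198.51.100.5.443: Flags [S], seq 1000, win 64240, length 0",
        "12:00:01.000100 IP 203.0.113.10.51234 > 198.51.100.5.443: Flags [S], seq 1000, win 64240, length 0",
        "12:00:05.000100 IP 203.0.113.77.40000 > 198.51.100.5.443: Flags [S], seq 2000, win 64240, length 0",
        "12:00:05.020900 IP 198.51.100.5.443 > 203.0.113.77.40000: Flags [S.], seq 7000, ack 2001, win 65535, length 0",
        "12:00:09.000100 IP 203.0.113.99.45000 > 198.51.100.5.443: Flags [S], seq 3000, win 64240, length 0",
    ],
    "vps_ovpn": [
        "12:00:00.000200 IP 203.0.113.10.51234 > 192.168.10.20.443: Flags [S], seq 1000, win 64240, length 0",
        "12:00:05.000200 IP 203.0.113.77.40000 > 192.168.10.20.443: Flags [S], seq 2000, win 64240, length 0",
        "12:00:05.020800 IP 192.168.10.20.443 > 203.0.113.77.40000: Flags [S.], seq 7000, ack 2001, win 65535, length 0",
        "12:00:09.000200 IP 203.0.113.99.45000 > 192.168.10.20.443: Flags [S], seq 3000, win 64240, length 0",
    ],
    "home_ovpn": [
        "12:00:00.010200 IP 203.0.113.10.51234 > 192.168.10.20.443: Flags [S], seq 1000, win 64240, length 0",
        "12:00:05.010200 IP 203.0.113.77.40000 > 192.168.10.20.443: Flags [S], seq 2000, win 64240, length 0",
        "12:00:05.010800 IP 192.168.10.20.443 > 203.0.113.77.40000: Flags [S.], seq 7000, ack 2001, win 65535, length 0",
        "12:00:09.010200 IP 203.0.113.99.45000 > 192.168.10.20.443: Flags [S], seq 3000, win 64240, length 0",
    ],
    "home_lan": [
        "12:00:00.010300 IP 203.0.113.10.51234 > 192.168.10.20.443: Flags [S], seq 1000, win 64240, length 0",
        "12:00:00.010400 IP 192.168.10.20.443 > 203.0.113.10.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0",
        "12:00:05.010300 IP 203.0.113.77.40000 > 192.168.10.20.443: Flags [S], seq 2000, win 64240, length 0",
        "12:00:05.010700 IP 192.168.10.20.443 > 203.0.113.77.40000: Flags [S.], seq 7000, ack 2001, win 65535, length 0",
        "12:00:09.010300 IP 203.0.113.99.45000 > 192.168.10.20.443: Flags [S], seq 3000, win 64240, length 0",
    ],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Parse one TCP line of `tcpdump -n` output; return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt


def correlate(captures):
    """Map (client_ip, client_port, server_port) -> {"syn", "reply", "servers"}.

    Keying on the client side assumes the inbound path does only destination
    NAT (PAT), so the client tuple is identical at every capture point while
    the server address differs before and after the translation.
    """
    flows = defaultdict(lambda: {"syn": set(), "reply": set(), "servers": set()})
    parsed = {p: [pk for pk in map(parse_line, lines) if pk] for p, lines in captures.items()}
    # Pass 1: a bare SYN defines the client side of a flow.
    for point, pkts in parsed.items():
        for pk in pkts:
            if pk["flags"] == "S":
                key = (pk["src"], pk["sport"], pk["dport"])
                flows[key]["syn"].add(point)
                flows[key]["servers"].add(pk["dst"])
    # Pass 2: any non-SYN packet addressed back to a known client tuple from
    # the flow's server port (SYN-ACK, RST, ...) counts as the server's reply.
    for point, pkts in parsed.items():
        for pk in pkts:
            key = (pk["dst"], pk["dport"], pk["sport"])
            if pk["flags"] != "S" and key in flows:
                flows[key]["reply"].add(point)
    return dict(flows)


def verdict(flow):
    """Name the first capture point at which the request or the reply goes missing."""
    syn, reply = flow["syn"], flow["reply"]
    for i, point in enumerate(PATH):            # request path, front to back
        if point not in syn:
            if i == 0:
                return "no request observed at %s" % point
            return "request seen at %s but not at %s" % (PATH[i - 1], point)
    if not reply:
        return "request reached %s but the server never answered" % PATH[-1]
    for i in range(len(PATH) - 1, -1, -1):      # reply path, back to front
        point = PATH[i]
        if point not in reply:
            if i == len(PATH) - 1:
                return "reply seen at %s but not at %s" % (sorted(reply), point)
            return "reply seen at %s but not at %s (asymmetric return path)" % (PATH[i + 1], point)
    return "symmetric: request and reply observed at every capture point"


def report(captures):
    """One line per flow: client, server address(es) seen, and the verdict."""
    lines = []
    for (cip, cport, sport), flow in sorted(correlate(captures).items()):
        servers = "/".join(sorted(flow["servers"]))
        lines.append("%s:%d -> %s:%d: %s" % (cip, cport, servers, sport, verdict(flow)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURES)))
```

To collect real input, run `tcpdump -ni <interface> 'tcp port 443'` on each OPNsense box for the relevant interface (WAN and the OpenVPN interface on the VPS, the OpenVPN and LAN interfaces at home), start one client connection, and feed each output into the dictionary under its capture-point name. Run the captures at the same time so the same client port shows up at every point.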