Comment

Comment on Retain source IP when proxying through VPS

I don’t know what open sense calls this, but you want a route map in Cisco world.

A route map overrides the routing table based on ACL.

Your local router thinks unless there is a moreb specific route, then use default out WAN. Route map says ACL if source is mailu, then next hop will be VPS over tunnel. I did this with Cisco DMVPN between Germany and states.

Sorry I don’t know terms of open sense, but the concept is the same.

source

Sort:hotnew top

SeeJayEmm@lemmy.procrastinati.org ⁨9⁩ ⁨months⁩ ago
I believe the policy based routing is the same thing. I’m starting to think I’m encountering an opnsense bug.

source
- MSgtRedFox@infosec.pub ⁨9⁩ ⁨months⁩ ago
  When you did your dump of the tunneled traffic, was the VPS preserving the public IPs?
  
  I was only assuming since you mentioned seeing the traffic at each segment.
  
  source
  - SeeJayEmm@lemmy.procrastinati.org ⁨9⁩ ⁨months⁩ ago
    Once I got masquerading configured it was preserving the public IP. I tcpdumped every interface in the path and watched the traffic. When it hit opnsense instead of respecting the policy based routing it was routing the traffic out the WAN.
    
    What baffles me is if I initiated traffic from the mailu server (ping, wget, etc…) I could see that opnsense was routing all traffic in that conversation out the WG interface, none of it hitting the way.
    
    I need to update the post because after fighting with it all day, I realized I was being stubborn (I have a need to solve the problem). I configured a direct WG tunnel between the VPS and the mailu VM and routed the traffic that way. It’s all working exactly as I need it to now.
    
    I’d still like to know if opn has a bug or if I was missing some setting as I’d rather not be littering my network with tunnels when I shouldn’t need to and I can leverage some smarts in opn (i.e. if the tunnel is down, the gateway would get marked down in opn and it would ignore the policy route).
    
    source
    MSgtRedFox@infosec.pub ⁨9⁩ ⁨months⁩ ago
    Yeah, the tunnel would annoy me unless it was open and I could scan the traffic as it went through my proxy. My OCD kicks in when stuff doesn’t do what it’s supposed to
    
    You could always swap out that OPNS for Cisco, NBD. /Sarcasm
    
    source