From: Lonnie A. <li...@lo...> - 2018-10-06 14:01:07
> On Oct 5, 2018, at 10:29 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I'm wanting to set up a NAT rule from NAT EXT to a Wireguard VPN endpoint. Is this possible?
> It does not seem to work with NAT EXT -> LAN.
> If not, is there a custom rule I can try?
>
> Basically I want to SSH to the VPN endpoint directly, via the transit DR server.
>
> Thanks so much.

Hi Michael, short answer is yes, but depending on the routing.

Start with a diagram ...

public_1 -- pbx1 [ wg_1_ip ] -- wireguard -- [ wg_2_ip ] pbx2 -- public_2

My understanding is you want to SSH to wg_1_ip using public_2? Correct me if I misunderstood.

Yes, a "NAT EXT -> LAN" on public_2 to wg_1_ip will work *only if* the SSH return path at pbx1 goes through the wireguard vpn.

I have personally tried this when pbx1 was on failover using wireguard over LTE/4G, as such all pbx1 traffic was routed over wireguard, so a "NAT EXT -> LAN" on public_2 to wg_1_ip worked since the SSH return packets passed over wireguard to pbx2.

Tip -> Similar, but if a "NAT EXT -> LAN" on public_2 to a LAN IP on pbx1 you would need to set NAT_FOREIGN_NETWORK on pbx2 of the pbx1 LAN so it is NAT'ed on pbx2.

Lonnie
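To make the return-path condition in the reply above concrete, here is an added Python model of the two-pbx topology; it is not code from the thread or from AstLinux, and the addresses, the route tables and the optional `snat_source` case (pbx2 source-NATing the forwarded packet) are constructed assumptions:

```python
import ipaddress

# Constructed topology following the diagram in the reply:
# client -> public_2 (pbx2) --DNAT--> wg_1_ip (pbx1) over wireguard.
# All addresses below are illustrative placeholders, not from the post.
CLIENT = "203.0.113.10"      # SSH client somewhere on the internet
WG_1_IP = "10.99.0.1"        # pbx1 wireguard address (DNAT target)
WG_2_IP = "10.99.0.2"        # pbx2 wireguard address

# Route tables as (prefix, interface); longest prefix wins.
PBX2_ROUTES = [("0.0.0.0/0", "eth0"), ("10.99.0.0/24", "wg0")]
# Normal pbx1: default route via its own public_1 uplink.
PBX1_NORMAL = [("0.0.0.0/0", "eth0"), ("10.99.0.0/24", "wg0")]
# Failover pbx1 as described in the reply: everything routed over wireguard.
PBX1_FAILOVER = [("0.0.0.0/0", "wg0"), ("10.99.0.0/24", "wg0")]


def lookup(routes, dst):
    """Longest-prefix-match route lookup; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ssh_via_nat_works(pbx1_routes, snat_source=None):
    """True when the DNATed SSH session can complete.

    Forward path: pbx2 rewrites the destination to WG_1_IP and must forward it
    over wg0. The source stays CLIENT unless pbx2 also source-NATs it
    (snat_source, a constructed option). pbx1 then answers to that source;
    the reply only reaches pbx2's NAT state if pbx1 routes it out via wg0.
    Otherwise it leaves via public_1 un-translated and the handshake fails.
    """
    if lookup(PBX2_ROUTES, WG_1_IP) != "wg0":
        return False
    reply_dst = snat_source or CLIENT
    return lookup(pbx1_routes, reply_dst) == "wg0"


if __name__ == "__main__":
    print("normal pbx1:  ", ssh_via_nat_works(PBX1_NORMAL))    # False
    print("failover pbx1:", ssh_via_nat_works(PBX1_FAILOVER))  # True
    print("with SNAT:    ", ssh_via_nat_works(PBX1_NORMAL, WG_2_IP))  # True
```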