Port forwarding to Unifi WireGuard enabled gateway

Hi everyone,

I have issues with port forwarding and would appreciate your input.

My configuration is the following:
Internet → Turris Omnia, TOS 6.4.4 → Unifi Gateway, UXG-Lite, Wireguard Server Enabled

My Omnia has a fixed public IP address. In its LAN I have a Unifi gateway with a fixed IP and WireGuard server enabled.

Wanted Setup:
I want to establish WireGuard connection from the Internet to the Unifi gateway.

Expected Solution:
I have used LUCI to configure Port Forwarding from Omnia to the Unifi gateway.

Unfortunately the client computer connected through a mobile hotspot is unable to establish the WireGuard connection.

The WireGuard connection can be established when I put the client computer into the LAN of Omnia and modify the endpoint settings of the tunnel. So I believe the WireGuard functionality of the Unifi gateway works correctly.

Any idea what I am missing? Do I need to do something extra on top of configuring the port forwarding in LUCI?

Additional Info:
I have another two Unifi gateways with WireGuard enabled and located behind. It was sufficient to configure the port forwarding on the ISP modems. So I hoped it would work for Omnia as well…

The setup that you mention has been working for me for lan to lan vpn connection, so probably the problem is somewhere else. If wg server is on a device other than TO, port forward is enough.
Though, for lan to lan, you will also need a static route on TO for the wg subnet pointing to the wg server local ip. If this vpn is just for one mobile connection, you could use masquerade at the Unifi.
Try using tcpdump and tracepath/traceroute at TO and Unifi; you could pinpoint the issue.
But I am wondering, why don’t you use the wg server on TO? Is this a port issue?
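For reference, the UCI equivalents of what the two posts describe, as an added example (not from either poster): the /etc/config/firewall redirect that the LuCI port forward creates, and, for the lan-to-lan case only, the /etc/config/network static route for the WireGuard subnet. The Unifi LAN address 192.168.1.2 and the WireGuard subnet 10.0.0.0/24 are assumed placeholders; UDP port 3008 is the port used later in the thread.

```uci
# /etc/config/firewall  (Turris OS 6 / fw4)
# DNAT inbound UDP 3008 on the WAN zone to the Unifi gateway in the LAN zone.
# 192.168.1.2 is an assumed placeholder for the UXG-Lite LAN address.
config redirect
	option name 'WireGuard to UXG-Lite'
	option src 'wan'
	option src_dport '3008'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option dest_port '3008'
	option proto 'udp'
	option target 'DNAT'

# /etc/config/network  (only needed for lan-to-lan, as lampra notes)
# Return traffic for the WireGuard subnet must be routed back to the Unifi gateway;
# 10.0.0.0/24 is an assumed placeholder for the WireGuard subnet.
config route
	option interface 'lan'
	option target '10.0.0.0/24'
	option gateway '192.168.1.2'
```

After `/etc/init.d/firewall restart` and `/etc/init.d/network reload`, the check from later in the thread applies: `tcpdump -i eth2 udp port 3008` on the Omnia WAN interface should show packets arriving when the client connects from outside; if nothing arrives there, the problem is upstream of the Omnia.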

Hi @lampra, thank you for looking into this!

I have used tcpdump to monitor incoming connections to the WAN interface of my Omnia. I have filtered the communication to the UDP protocol and port 3008.

tcpdump -i eth2 udp port 3008

No traffic was detected when trying to connect using mobile phone connected using mobile data. Packets started to appear when I connected my mobile phone to the home WiFi.

I have contacted my ISP and in a few minutes they found the issue. The UDP communication was not forwarded to the public IP of my Omnia.

Thank you very much for pointing me in the right direction!

Oh, and to answer your question related to not using wg server on TO:
In the past I have used wg server on TO and it was a great learning experience for me.
But lately I tend to prefer the simplicity of the solution provided by Unifi (user management, backup, multiple admins).