yelpal

How to Port Forward when pfSense configured with AirVPN WireGuard

Hello,

Hopefully this is an easy fix. I tried port forwarding options in the best ways I could, to no avail :( I need to temporarily port forward to my Synology NAS.

I am also running a WireGuard client on pfSense so that my entire home network is always behind a VPN and I don't have to run AirVPN clients on my machines. This is the guide I followed to set up the WireGuard client on pfsense: https://www.comparitech.com/blog/vpn-privacy/pfsense-wireguard-setup/

I have a feeling that the WG setup is what is breaking the port forwarding. I followed the simple guide to port forward on the web interface Client Area of AirVPN as specified here: https://airvpn.org/faq/port_forwarding/

The AirVPN guide states not to set up the port forwarding on the router when it is done in Client Area; unfortunately the port is still inaccessible as checked with https://www.yougetsignal.com/tools/open-ports/

I tried to do a standard port forwarding setup on pfSense but that still did not work.

Does anyone have any ideas? Are there extra steps required when my pfsense sits behind AirVPN Wireguard? I tried searching the internet far and wide to no avail..

Thanks!


You misunderstood what the FAQ was trying to say.  It's saying that if you use an AirVPN app (like Eddie) you don't need to forward ports on your home gateway/router because everything takes place inside the encrypted VPN tunnel so the router can't manipulate it anyway.

However, with the VPN client actually on your router/gateway, such as yours, you do need to forward ports on said router/gateway.

In pfsense go to firewall>nat>port forward tab.  Make a new rule with [your wireguard interface] being the interface, the destination being "[your wireguard interface]address", the destination port should be whatever the local port is in the port forward rule you created on this web site, the redirect target IP is the IP of your NAS, and the redirect target port is whatever port your NAS server is listening on.  Finally, be sure to select "create new associated filter rule" at the filter rule association setting.

Save it, and you should be good to go.

7 hours ago, go558a83nk said:

You misunderstood what the FAQ was trying to say.  It's saying that if you use an AirVPN app (like Eddie) you don't need to forward ports on your home gateway/router because everything takes place inside the encrypted VPN tunnel so the router can't manipulate it anyway.

However, with the VPN client actually on your router/gateway, such as yours, you do need to forward ports on said router/gateway.

In pfsense go to firewall>nat>port forward tab.  Make a new rule with [your wireguard interface] being the interface, the destination being "[your wireguard interface]address", the destination port should be whatever the local port is in the port forward rule you created on this web site, the redirect target IP is the IP of your NAS, and the redirect target port is whatever port your NAS server is listening on.  Finally, be sure to select "create new associated filter rule" at the filter rule association setting.

Save it, and you should be good to go.

Thank you for your explanation, I was really hopeful, but sadly it still does not work :(
Here is my port forward setting on pfSense, pretty sure it's exactly as you describe (see attached image). All the port number fields I covered up are the same, and the same as what I specified in the AirVPN Client Area. Do you have any other ideas?
I have a feeling that it is something to do with how WG is set up on pfSense, it's got to be something in that guide, but I just can't spot it, and I'm seeing double by now...

Thank you!

Screenshot 2023-03-30 at 21.08.11.png


port forwarding works for me through a wireguard tunnel.

when you're testing make sure you're hitting the correct IP address at the correct port and make sure your server is actually running and responding on the correct port.

1 hour ago, go558a83nk said:

port forwarding works for me through a wireguard tunnel.

when you're testing make sure you're hitting the correct IP address at the correct port and make sure your server is actually running and responding on the correct port.

do you mind sharing a guide (if you used one) of how you configured WireGuard on pfsense? It would be interesting to see how it differs to mine, and if you got it working, I’ll just do the same. 

Server is definitely responding to correct port. As to making sure I’m hitting the correct IP address, can you elaborate on how I could carry out this test?

21 hours ago, go558a83nk said:

port forwarding works for me through a wireguard tunnel.

when you're testing make sure you're hitting the correct IP address at the correct port and make sure your server is actually running and responding on the correct port.

So I redid my WG config and the tunnel worked, everything going via AirVPN, port forwarding also worked. I restarted pfSense and it stopped working. Any ideas what it could be about a reboot that would break port forwarding?

Edit: I rebooted again in hopes that it would work again, but now I can’t get the tunnel up. Under Peers - Last Handshake - never … :(((

Edit 2: What a damn mess. I restored from backup and the tunnel still remains down. Peer last handshake - never. I think AirVPN and WireGuard on pfSense is definitely a no go. If it was working for a year, during which time the box was restarted 10s of times, and I restore the backup, why the hell would the tunnel not come up?

Before I give up, is there a way to bring up the tunnel somehow?

20 hours ago, yelpal said:
do you mind sharing a guide (if you used one) of how you configured WireGuard on pfsense? It would be interesting to see how it differs to mine, and if you got it working, I’ll just do the same. 

Server is definitely responding to correct port. As to making sure I’m hitting the correct IP address, can you elaborate on how I could carry out this test?

I read the guide that you used and it's the same as what I did.  Setting up the interface, gateway, all that is just how you do it.  I can't think of why it's not working.

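Added example, not part of any post in this thread: a shell sketch of the two checks the discussion keeps returning to, namely whether the WireGuard peer has ever completed a handshake and whether a redirect for the forwarded port is actually loaded on the tunnel interface rather than on WAN. The interface names (`tun_wg0`, `igb0`), addresses, ports, peer keys and both sample outputs are constructed placeholders; on a real pfSense box the input would come from `wg show tun_wg0 latest-handshakes` and `pfctl -sn`.

```shell
#!/bin/sh
# Added diagnostic sketch; all sample data below is constructed.
# `wg show <if> latest-handshakes` prints: <peer key> <epoch>, 0 = never.
SAMPLE_HANDSHAKES='PEERKEYPLACEHOLDERAAAA= 0
PEERKEYPLACEHOLDERBBBB= 1680210000'

# `pfctl -sn` prints the loaded NAT and redirect (rdr) rules.
SAMPLE_NAT='nat on tun_wg0 inet from 192.168.1.0/24 to any -> 10.128.0.2 port 1024:65535
rdr on igb0 inet proto tcp from any to 203.0.113.7 port = 5001 -> 192.168.1.20 port 5001
rdr on tun_wg0 inet proto tcp from any to 10.128.0.2 port = 40123 -> 192.168.1.20 port 5001'

# handshake_state NOW MAX_AGE  (reads latest-handshakes output on stdin)
# Prints "<key> never|stale|ok" for each peer.
handshake_state() {
    awk -v now="$1" -v max="$2" '
        NF == 2 {
            if ($2 == 0)             s = "never"
            else if (now - $2 > max) s = "stale"
            else                     s = "ok"
            print $1, s
        }'
}

# rdr_target IFACE PORT  (reads pfctl -sn output on stdin)
# Prints "ip:port" of the redirect bound to IFACE whose destination port
# is PORT; returns non-zero when no such rule is loaded. Assumes the rule
# names an explicit target port, as the sample rules do.
rdr_target() {
    awk -v ifc="$1" -v port="$2" '
        $1 == "rdr" && $3 == ifc {
            for (i = 4; i < NF; i++)
                if ($i == "port" && $(i+1) == "=" && $(i+2) == port) {
                    print $(NF-2) ":" $NF; found = 1; exit
                }
        }
        END { exit !found }'
}

# Demo on the constructed samples (1680210100 stands in for `date +%s`).
echo "$SAMPLE_HANDSHAKES" | handshake_state 1680210100 180
# 40123 plays the role of the local port set in the provider's client area.
echo "$SAMPLE_NAT" | rdr_target tun_wg0 40123 || echo "no rdr on tunnel for 40123"
# A rule for the NAS port that exists only on WAN does not cover the tunnel.
echo "$SAMPLE_NAT" | rdr_target tun_wg0 5001  || echo "no rdr on tunnel for 5001"
```

A peer reported as `never` means no traffic can arrive through the tunnel at all, so the redirect check only becomes meaningful once the handshake state is `ok`.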