Accessing a web server when connecting to WireGuard, which was installed alongside Firezone

Hello, I am having a problem accessing my website when I connect to WireGuard. All other traffic is working fine; I can surf the internet, but not my website.
I have installed Firezone on a machine that's running my web server. When I disconnect my phone from the tunnel, it works fine.

So do I need to configure something? I also want to split the tunnel so that I access this web server only when I connect to Firezone.

Thanks

Hi,

What happens when you try to go to your website? Does it time out or do you get some other problem?

Thanks @gbe0
It times out after a while.

@gbe0 As additional info:
I forwarded ports 443/80 to the PC running WG and WS at its internal local IP address (192.168.22.40). Do I need to use the Firezone IP address (10.3.2.1) instead of that?

Do you have your web server behind a firewall/router that NATs the IP to it? If so, you will need to add 'hairpin NAT rules' to allow access internally.

@gbe0 thanks for replying.

Actually, since I am using different public IPs for the internet and for the VPN, I don't think that's important. My public IP for the Internet is 197.156.101.137/29; this is what I have configured on my firewall, and I am using the subnetted IP 197.156.101.140 for the PC running Firezone and the web server. Therefore, since it's different, the firewall won't block it.
In addition, for internal traffic to my web server we are using a DNS server that points to the internal IP; I am only configuring Firezone to use a tunnel when accessing the web server from the external network.

As I described above, my web server is accessible from both the internal and external networks when disconnected from the tunnel.

I am still trying to fix this issue. I tried to check the traffic on the wg-firezone interface using tcpdump -i wg-firezone
I just found this, in case it contains some important info:

18:39:53.661741 IP 10.3.2.2.61495 > 197.156.101.140.https: Flags [S], seq 258523018, win 65535, options [mss 1240,sackOK,eol], length 0

@gbe0 @jamil Is there any other way to check traffic dropped by the wg-firezone interface? Thanks
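As an added example (not from anyone in this thread), a small Python script that reads a saved tcpdump capture from the WireGuard interface and flags TCP handshakes whose SYN never gets a SYN-ACK back on that interface; a one-way SYN like the one posted above means the server's reply was either dropped or routed out a different interface than the tunnel. The capture lines are constructed for the example, the first one copied from the post above, the rest invented to show a healthy handshake next to the silent one.

```python
import re
from collections import defaultdict

# Constructed sample capture: the first line is the one posted in the thread,
# the others are made up (a retransmitted SYN, then a working handshake to the
# tunnel address 10.3.2.1).
SAMPLE_CAPTURE = """\
18:39:53.661741 IP 10.3.2.2.61495 > 197.156.101.140.https: Flags [S], seq 258523018, win 65535, options [mss 1240,sackOK,eol], length 0
18:39:54.662001 IP 10.3.2.2.61495 > 197.156.101.140.https: Flags [S], seq 258523018, win 65535, options [mss 1240,sackOK,eol], length 0
18:39:55.100000 IP 10.3.2.2.61496 > 10.3.2.1.https: Flags [S], seq 1000, win 65535, options [mss 1240,sackOK,eol], length 0
18:39:55.100500 IP 10.3.2.1.https > 10.3.2.2.61496: Flags [S.], seq 2000, ack 1001, win 65160, options [mss 1420,sackOK], length 0
18:39:55.101000 IP 10.3.2.2.61496 > 10.3.2.1.https: Flags [.], ack 1, win 65535, length 0
"""

# Matches the default tcpdump text format: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..]"
# Ports may be numeric or service names (tcpdump without -n prints "https").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the parsed fields of one tcpdump line, or None for non-TCP/IP lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_unanswered_syns(capture):
    """Map (client, cport, server, sport) -> number of SYNs sent, for every
    TCP flow in the capture that never received a SYN-ACK ("S." flags)."""
    syns = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":                 # plain SYN from the client
            syns[key] += 1
        elif pkt["flags"] == "S.":              # SYN-ACK travels server -> client,
            answered.add((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))  # so flip it
    return {k: n for k, n in syns.items() if k not in answered}


if __name__ == "__main__":
    for (client, cport, server, sport), n in find_unanswered_syns(SAMPLE_CAPTURE).items():
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYN(s), no SYN-ACK seen on this interface")
```

Feed it the output of tcpdump -i wg-firezone saved to a file; a flow that keeps appearing here while the same server answers on its tunnel address points at the return path (firewall or routing on the server), not at WireGuard itself.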

Hi

If I understand correctly, the server with IP 197.156.101.140 is also the server running WireGuard? If so, it does seem to be firewall related; you can verify whether that's the case by allowing all traffic and testing again.

Thanks again @gbe0
Yes, the server with that IP is also running WireGuard. I even tried shutting down firewalld on my server, but still I cannot access my web server. Do I need to do IP forwarding or something like that, maybe on my WireGuard interface if that's the case? And is there any firezone-ctl command to troubleshoot such a thing? Thanks

@gbe0 OK, I found this.
I tried entering 10.3.2.1 in my browser and my website is there and working. So is this some DNS problem? Or, I think, if I port forward to this IP (10.3.2.1) from my Cisco firewall it might work, I guess.

After spending 3-4 days it finally worked for me, though I am not sure of the exact problem.
I figured out that using the Firezone IP (10.3.2.1) my web server is accessible, so I added my internal network DNS server address to the Firezone settings; now I can access my website with a domain while I am connected to the tunnel.
It would be really great if Firezone could read the /etc/hosts file before going to the DNS server, because I can use hosts to do some other things.
@gbe0 Thank you for helping me.