That sounds like you are using NS as the client side. If so, then you may have to specify a listen port, as opposed to letting Wireguard pick a random one, in the peer stanza and also open it to the firewall instead of 51820 as shown by mrmarkuz above.
*** Update ***
Sorry, that should be “in the interface stanza”, not the peer.
But also another question. Is this just a client to the VPS, or does the VPS also act as a client to an NS server. In other words, is there a separate tunnel in each direction.
Thanks, yes that’s the firewall config that you posted before that I have been trying to use… I will study up on the static routes and try again.
Unfortunately, every time I mess with it, I lose all connectivity and have to go to the server and reset. I may just do a clean install and start over because I probably have it too far gone at this point.
Thanks for your help. Not sure I understand your question.
The nethserver should be the “client” of the VPS, but of course the traffic would go both ways in that tunnel. IPtables on the VPS sends the web/mail server traffic to the WireGuard IP on the nethserver. It’s a way to keep the static IP the same no matter where the server is located and get past whatever port limitations may be on the local ISP connection. And the nethserver should send the replies back through the WireGuard tunnel.
Correct that in a VPN tunnel the traffic goes in both directions, but only one side initiates the traffic, which is the client. All the traffic from the other side, the server, will be a reply to whatever is received. It will never send unsolicited traffic to the client.
So I was just verifying that the only server that initiates the traffic is NS, the client, and that you were not expecting the VPS to initiate any unsolicited contact to NS. If that were the case, then both servers would need to run a WireGuard server.
If that is the case, then you need what I mentioned previously. Add the ListenPort parameter to the interface stanza, so the server will always send its replies there, and use that port number to open the firewall rules, which BTW would only be needed on the red interface if the WireGuard client is NS itself and not another server behind it, in the LAN space.
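As an added illustration of the ListenPort point above (this is not a config from the thread or from the nethserver-wireguard project), here is what the interface file on the NethServer side could look like when NS is the WireGuard client of the VPS. The key material, the tunnel addresses 10.10.10.0/24, the endpoint hostname and the port 51821 are placeholders chosen for the example:

```ini
# Added example: /etc/wireguard/wg0.conf on the NethServer (client) side.
# Keys, addresses, hostname and port numbers are placeholders, not values from the thread.
[Interface]
PrivateKey = <NS_PRIVATE_KEY>
Address = 10.10.10.2/24
# Fixed local UDP port. Without ListenPort, WireGuard binds a random port at start-up,
# so the VPS would answer to a port the red-interface firewall rule cannot predict.
# The firewall rule on red therefore opens UDP 51821 here, not the VPS's 51820.
ListenPort = 51821
# Keep wg-quick from installing a default route for the 0.0.0.0/0 below;
# which connections go back through the tunnel is then decided by your own routes.
Table = off

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
# The VPS is the side with the fixed public address; it listens on its own port.
Endpoint = vps.example.net:51820
# Traffic the VPS DNATs into the tunnel keeps its original Internet source address,
# and WireGuard drops packets whose source is not covered by AllowedIPs,
# so the client side has to accept any source here.
AllowedIPs = 0.0.0.0/0
# Re-sends a keepalive so the NAT/firewall mapping on the ISP side stays open
# and the VPS can still deliver forwarded web/mail traffic.
PersistentKeepalive = 25
```

The firewall rule that goes with it allows inbound UDP on the ListenPort value (51821 in this example) on the red interface of NS only; if the WireGuard endpoint were a host behind NS in the LAN, the rule would instead have to be a port forward to that host.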
I am trying to get a fixed IP with a VPS using WireGuard. Should I change the zone to red to have two WANs, one for general outgoing traffic and one for incoming traffic for SMTP and other services, or should I use a separate zone?
For the package to work you need to install an external repository, see the WireGuard documentation.
I used the dkms package option some time ago, maybe there’s a better option nowadays.
No, for CentOS it’s still dkms. They did try, for a short while, using elrepo (I think) with pre-compiled modules, but it turned out to be more of a hassle.
I finally managed to finish the nethserver-wireguard project. Please test it, I’d appreciate your feedback. You need a working internet connection and please don’t test on production systems.
Check out the wiki for more info.
I decided to include wg-manager bare-metal (instead of docker) as UI. It’s in development and has a few bugs but in my tests it was the most flexible tool.
Other UIs were missing user login, the possibility to create more WireGuard interfaces (VPNs) or were not usable at all.
I tested subspace, drago, wg-ui, wireguard-ui and wireguard-manager.