Untangle as Only a WireGuard VPN Server?

[sky-knight]

If it's not handshaking then you've configured your client incorrectly, or you've not forwarded UDP 51820 to your Untangle.

And for the record, I did read your original post... several times. Did so twice again just now. Nothing in that post indicates to me you've actually tried to deploy this solution. What I interpret is theory crafting on the possibility.

And it most certainly IS possible. And once again if you can't handshake, then something is wrong with the UDP stream getting to Untangle. That could be a client configured to connect to the wrong IP address, a lack of a port forward on the upstream router that owns the appropriate IP address... something in that chain.

Now, if you can't route over the tunnel once its built! THAT's something else, and probably a lack of a static route to support the IP range wireguard is using.

[thetoad30]

If it's not handshaking then you've configured your client incorrectly, or you've not forwarded UDP 51820 to your Untangle.

And for the record, I did read your original post... several times. Did so twice again just now. Nothing in that post indicates to me you've actually tried to deploy this solution. What I interpret is theory crafting on the possibility.

And it most certainly IS possible. And once again if you can't handshake, then something is wrong with the UDP stream getting to Untangle. That could be a client configured to connect to the wrong IP address, a lack of a port forward on the upstream router that owns the appropriate IP address... something in that chain.

Now, if you can't route over the tunnel once its built! THAT's something else, and probably a lack of a static route to support the IP range wireguard is using.

Understood about the license. That's fine.

How would I achieve this with a single-nic? I have set it up, but the handshake won't complete. I'm sure I have the interfaces incorrect.

My mistake. It was the second reply I had.

Regardless, the assumptions aren't necessary. I'm asking for help. If you want to help, I'd appreciate it. If you want to make assumptions and try to admonish me, please move on. I'm trying to get a solution before the 14 days runs out.

That being said - UDP is forwarded properly, and correct IP is being used in the client. Is it just supposed to connect?

Routing is my next issue - do I set up a static route from internal WireGuard IP pool to the external nic address in Untangle?

Thank you.

[sky-knight]

I'm trying to help!

Wireguard doesn't "connect", it just "works". The packets are either signed correctly and delivered to the service, or they aren't.

The route I'm talking about doesn't go in Untangle, Untangle already knows about that network. The route goes in whatever is the default gateway for your network. That device needs to know about the IP range you're using in Wireguard, and where to send it.

The last bit you may need, and again I've not tried this so I'm not certain. But you might have to create access rules to allow traffic to and from the wireguard IP range sourced from the external interface. I say this because under normal circumstances you don't have internal traffic passing into and out of the WAN interface. I'm also not quite sure if that should be a set of access rules, or filter rules. I'd have to lab that and test.

But the wireguard client should allow you to ping Untangle itself once connected, and that connection only requires the port forward, and a client configured with the appropriate public key and public IP address.