KVM guest access from Wireguard tunnel

I have a Rocky 9 server (at SiteB) on a public IP address and I'm trying to pass traffic to the guests using NAT from an incoming WireGuard interface from a different datacenter.

Tunnel pings work from SiteB to SiteA via WireGuard wg0.
Tunnel pings fail from SiteA to SiteB beyond the bridge interface vbr0 (virbr0 renamed to vbr0, 10.0.20.0/24).

Ping from SiteB host to SiteA devices @192.168.1.x WORKS
Ping from SiteB guest to SiteA devices @192.168.1.x WORKS
Ping from SiteA server to siteB WG tunnel endpoint@10.0.3.1 WORKS
Ping from SiteA server to siteB bridge @10.0.20.1 WORKS
VNC from SiteB host to siteB guest @10.0.20.10:7905 WORKS
Ping from SiteB host to siteB guest @10.0.20.10:7905 WORKS

Ping from SiteA server to siteB guest @10.0.20.10 FAILS (guest is Win10@10.0.20.10(static), firewall off, VNC port 7905)
VNC from SiteA server to siteB guest @10.0.20.10:7905 FAILS

Since I can ping the SiteB bridge from SiteA, I think the problem lies in the port forwarding to the 10.0.20.0/24 subnet from the WireGuard endpoint 10.0.3.0/24. The routing seems to be OK because I can ping the bridge @10.0.20.1 from SiteA. The public network interface and the WireGuard wg0 interface are in the public zone.

Here is the bridge vbr0 config:

virsh net-dumpxml default

default
1d89e496-c296-4cd2-9668-6c79a80dea22
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp131s0f0 wg0
sources:
services: cockpit dhcpv6-client ssh
ports: 7902/tcp 6262/tcp 22/tcp 6280/udp 7905/tcp 7905/udp 6280/tcp
protocols:
forward: yes
masquerade: yes
forward-ports:
port=6280:proto=tcp:toport=6280:toaddr=10.0.20.12
port=7905:proto=tcp:toport=7905:toaddr=10.0.20.10
port=7905:proto=udp:toport=7905:toaddr=10.0.20.10
source-ports:
icmp-blocks:
rich rules:

firewall-cmd --list-ports
22/tcp 6262/tcp 6280/tcp 7902/tcp 7905/tcp 6280/udp 7905/udp

route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 100 0 0 enp131s0f0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.0.20.0 0.0.0.0 255.255.255.0 U 0 0 0 vbr0
xx.xx.xx.xx 0.0.0.0 255.255.255.248 U 100 0 0 enp131s0f0 (public IP)
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0

ip route
default via xx.xx.xx.xx dev enp131s0f0 proto static metric 100
10.0.3.0/24 dev wg0 scope link
10.0.20.0/24 dev vbr0 proto kernel scope link src 10.0.20.1
xx.xx.xx.xx/29 dev enp131s0f0 proto kernel scope link src xx.xx.xx.xx metric 100
192.168.1.0/24 dev wg0 scope link

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1

firewall-cmd --get-zones
block dmz drop external home internal libvirt libvirt-routed nat-bridge nm-shared public trusted work

Wireguard tunnel startup:

Aug 08 09:40:02 WSI-PH-NS-01 systemd[1]: Starting WireGuard via wg-quick(8) for wg0…
Aug 08 09:40:02 WSI-PH-NS-01 wg-quick[20212]: [#] ip link add wg0 type wireguard
Aug 08 09:40:02 WSI-PH-NS-01 wg-quick[20212]: [#] wg setconf wg0 /dev/fd/63
Aug 08 09:40:02 WSI-PH-NS-01 wg-quick[20212]: [#] ip -4 address add 10.0.3.1/32 dev wg0
Aug 08 09:40:02 WSI-PH-NS-01 wg-quick[20212]: [#] ip link set mtu 1420 up dev wg0
Aug 08 09:40:02 WSI-PH-NS-01 wg-quick[20212]: [#] ip -4 route add 192.168.1.0/24 dev wg0
Aug 08 09:40:02 WSI-PH-NS-01 wg-quick[20212]: [#] ip -4 route add 10.0.3.0/24 dev wg0
Aug 08 09:40:02 WSI-PH-NS-01 systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
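An added check, not part of the original post: the zone listing above puts enp131s0f0 and wg0 in the public zone but not vbr0, so a packet that enters on wg0 and leaves on the bridge crosses zones. In firewalld 1.x (as shipped with Rocky 9) the zone option `forward: yes` only permits forwarding between interfaces of that same zone; forwarding between zones is governed by firewalld policies, not by the zone's forward flag. The `forward-ports` entries also match on port and protocol only, so an ICMP ping to 10.0.20.10 never touches them and depends purely on routed forwarding. The POSIX sh script below parses the `firewall-cmd --list-all` and `ip route` output quoted above (reproduced here as constructed sample text, with the public IP kept as the post's xx.xx.xx.xx placeholder) and reports whether the wg0-to-bridge path is intra-zone, inter-zone, or unrouted. The function names are mine; on a live host you would feed the functions the real command output instead of the samples.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone listing and
# a routing table for the Site A -> wg0 -> bridge -> guest forwarding path.
# Both inputs below are constructed from the output shown in the post.

ZONE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp131s0f0 wg0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 7902/tcp 6262/tcp 22/tcp 6280/udp 7905/tcp 7905/udp 6280/tcp
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
        port=6280:proto=tcp:toport=6280:toaddr=10.0.20.12
        port=7905:proto=tcp:toport=7905:toaddr=10.0.20.10
        port=7905:proto=udp:toport=7905:toaddr=10.0.20.10
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed from the `ip route` output in the post (public IP left masked).
ROUTES='default via xx.xx.xx.xx dev enp131s0f0 proto static metric 100
10.0.3.0/24 dev wg0 scope link
10.0.20.0/24 dev vbr0 proto kernel scope link src 10.0.20.1
xx.xx.xx.xx/29 dev enp131s0f0 proto kernel scope link src xx.xx.xx.xx metric 100
192.168.1.0/24 dev wg0 scope link'

# zone_field LISTING KEY: print the value of one "key: value" line of a
# `firewall-cmd --list-all` listing (empty if the key has no value).
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == (key ":") { sub(/^[ \t]*[^:]+:[ \t]*/, ""); print; exit }'
}

# zone_has_iface LISTING IFACE: succeed if IFACE is bound to the zone.
zone_has_iface() {
    for i in $(zone_field "$1" interfaces); do
        [ "$i" = "$2" ] && return 0
    done
    return 1
}

# forward_port_target LISTING PORT PROTO: print the toaddr of the matching
# forward-ports (DNAT) entry, or nothing if there is none.
forward_port_target() {
    printf '%s\n' "$1" | awk -v want="port=$2:proto=$3:" '
        index($1, want) == 1 {
            n = split($1, kv, ":")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^toaddr=/) { sub(/^toaddr=/, "", kv[i]); print kv[i]; exit }
        }'
}

# route_dev ROUTES DEST: print the egress interface `ip route` uses for DEST
# (an exact destination prefix such as 10.0.20.0/24, or "default").
route_dev() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        $1 == dst { for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# forwarding_verdict LISTING ROUTES IN_IFACE DEST: classify the forwarding
# path from IN_IFACE to DEST as seen by the zone whose listing is given:
#   noroute                 - no route to DEST at all
#   intrazone-allowed:a->b  - both interfaces in this zone and forward: yes
#   intrazone-blocked:a->b  - both interfaces in this zone but forward: no
#   interzone:a->b          - egress interface is not in this zone, so the
#                             zone's forward flag does not cover the path
forwarding_verdict() {
    listing=$1; routes=$2; in_if=$3; dst=$4
    out_if=$(route_dev "$routes" "$dst")
    [ -n "$out_if" ] || { echo "noroute"; return 0; }
    if zone_has_iface "$listing" "$in_if" && zone_has_iface "$listing" "$out_if"; then
        if [ "$(zone_field "$listing" forward)" = "yes" ]; then
            echo "intrazone-allowed:$in_if->$out_if"
        else
            echo "intrazone-blocked:$in_if->$out_if"
        fi
    else
        echo "interzone:$in_if->$out_if"
    fi
}

# Report for the path in the post: Site A -> wg0 -> vbr0 -> guest 10.0.20.10.
echo "route to 10.0.20.0/24 leaves via: $(route_dev "$ROUTES" 10.0.20.0/24)"
echo "7905/tcp forward-port DNAT target:  $(forward_port_target "$ZONE_LISTING" 7905 tcp)"
echo "wg0 -> 10.0.20.0/24 path:           $(forwarding_verdict "$ZONE_LISTING" "$ROUTES" wg0 10.0.20.0/24)"
echo "wg0 -> 192.168.1.0/24 path:         $(forwarding_verdict "$ZONE_LISTING" "$ROUTES" wg0 192.168.1.0/24)"
```

On the posted configuration the script reports the wg0-to-vbr0 path as `interzone:wg0->vbr0`, which is the thing to confirm first: `firewall-cmd --get-zone-of-interface vbr0` shows which zone actually holds the bridge, and the rules that zone (or a firewalld policy between the two zones) applies to forwarded traffic decide whether an unsolicited ping or VNC connection from Site A is allowed through to the guest.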

Since nobody replied, and there is a lot of information above, I asked Google Gemini to create a one-line ASCII diagram summary of your text above to try to understand your setup visually. I got this; is it correct?

Site A Network (192.168.1.0/24) –[VPN Tunnel (WireGuard)]– Site B WireGuard Endpoint (10.0.3.1) – Site B Bridge (10.0.20.1) – Site B Guest (10.0.20.10)
