pfSense site to site VPN - can actual source IP be revealed at endpoint?

I’m a little bit of a novice with routing and VPN, but I’ve configured a site to site VPN using pfSense as the two WireGuard peers. Local networks on either side of the peers are:

Site A: 10.0.0.0/23
Site B: 10.1.0.0/23
Tunnel Address for the VPN:
Site A 10.99.210.1
Site B 10.99.219.2

There are no Local IP range overlaps between the two networks.

When a client on Site A (10.0.1.184) connects to a server at Site B (10.1.0.200) over the tunnel, Site B records the client's IP address as the WireGuard tunnel address, and not the LAN IP address.

You can actually see this using SSH:

The last login recorded at the server is the WireGuard VPN tunnel address, and not the actual originating IP address.

I don’t know a lot about routing or NAT, but is there any way for Site B servers to actually know the originating client's LAN IP address rather than the tunnel IP address? I’m aware VPNs are usually designed to obscure or hide the originating IP address, however I’m not really wanting this “obscurity” in this case as I control both ends of the tunnel.

If you have the system setup as I do in this video it will route and show the IP instead of NAT.


I watched your video again. A little bit more closely this time. The only thing I changed was the gateway address. The official pfSense documentation actually is a little different – they have the Gateway IP address as the gateway tunnel address at the far end of the tunnel – not the near end. Not sure why they recommended it this way, but nonetheless I made the change to the gateway address being on the LAN side and not on the remote side (Hopefully that makes sense).

But even after all of that – I still get computers or devices on either end of the tunnel seeing the connecting client as coming from the gateway network and not the originating LAN network. I’m wondering if this is by design, but clearly when I SSH into a remote machine at the remote site, it’s still showing last login from the tunnel network. Here is a screenshot to show it more clearly:

Two LAN networks – 10.0.0.0/23 and 10.1.0.0/23
Tunnel Network of 10.99.210.0/30

Last login from LANA to LANB always shows Tunnel Network, not the actual LAN network on the other side of the tunnel.
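A quick way to confirm what the thread is describing from the server side is to check the sshd log rather than just the "last login" banner: if accepted logins arrive from the tunnel network instead of the remote LAN, the WireGuard interface is being NATed, as the reply above notes; if they arrive from the remote LAN, traffic is being routed. The script below is an added example, not part of this thread or of pfSense. It uses the three networks posted above (10.0.0.0/23, 10.1.0.0/23 and the 10.99.210.0/30 tunnel) and a handful of constructed sshd log lines; the log format is the standard OpenSSH "Accepted ... from ... port" line, and the field names are my own.

```python
import ipaddress
import re

# Networks exactly as described in the thread.
KNOWN_NETWORKS = {
    "LAN A": ipaddress.ip_network("10.0.0.0/23"),
    "LAN B": ipaddress.ip_network("10.1.0.0/23"),
    "tunnel": ipaddress.ip_network("10.99.210.0/30"),
}

# Constructed sample sshd log lines (not taken from the thread or any real host).
SAMPLE_LOG = """\
Jan 10 09:12:01 srv sshd[2311]: Accepted publickey for alice from 10.99.210.1 port 51234 ssh2
Jan 10 09:15:44 srv sshd[2402]: Accepted password for bob from 10.0.1.184 port 40022 ssh2
Jan 10 09:20:10 srv sshd[2510]: Accepted publickey for carol from 10.1.0.57 port 33001 ssh2
Jan 10 09:25:30 srv sshd[2600]: Failed password for root from 203.0.113.9 port 22222 ssh2
Jan 10 09:26:02 srv sshd[2601]: pam_unix(sshd:session): session opened for user carol
"""

# Standard OpenSSH authentication line: "<Accepted|Failed> <method> for [invalid user] <user> from <ip> port <port>"
LOGIN_RE = re.compile(
    r"(?P<status>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def classify(ip_str):
    """Return which of the known networks an address belongs to, or 'unknown'."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in KNOWN_NETWORKS.items():
        if ip in net:
            return name
    return "unknown"


def audit(log_text):
    """Parse sshd auth lines and tag each one with the network the source address came from.

    A source inside the tunnel network means the peer's real LAN address was
    replaced by NAT on the WireGuard interface, so the log no longer tells you
    which client actually connected.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # session open/close and other non-auth lines are skipped
        origin = classify(m["src"])
        findings.append({
            "status": m["status"],
            "user": m["user"],
            "src": m["src"],
            "origin": origin,
            "nat_masked": origin == "tunnel",
        })
    return findings


def masked_logins(log_text):
    """Only the logins whose real source is hidden behind the tunnel address."""
    return [f for f in audit(log_text) if f["nat_masked"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        flag = "NAT-masked" if f["nat_masked"] else "routed"
        print(f"{f['status']:8} {f['user']:8} from {f['src']:15} ({f['origin']}, {flag})")
```

Run it against `/var/log/auth.log` (or `journalctl -u sshd`) on a Site B host: any "NAT-masked" rows mean an outbound NAT rule is still matching the WireGuard interface, and the fix is on the pfSense side (routing, not NAT, for the tunnel), not on the server. The "unknown" class is also worth watching, since an address that belongs to neither LAN nor the tunnel did not come in over the site-to-site link at all.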