Can I mask a local IP address via WG?
Scenario
I'm trying to set up a BOVPN from a WG M200 to an Azure Firewall for my customer who has an unorthodox LAN subnet of 126.0.0.0/8, which of course is a public range and so Azure won't accept it as an encryption domain. Until I can convince my customer to migrate to a private LAN subnet, I need a quick workaround for this.
It's actually just 1 system which needs access to the VPN. I was hoping the WG might be able to do something such as mask the IP address or act as a proxy? I'm just not sure how to set this up. Does anyone have any ideas please?
Comments
Hi @Fred2K
You can set up 1-to-1 NAT on a standard branch office VPN tunnel. However, the network you're NATing needs to reside on the Firebox. If you're using the Firebox to link the remote subnet that's somewhere else via VPN to Azure (which is also VPN'ed to) [this is referred to as tunnel switching], the distant device will need to do this.
This is in the help articles here:
(1-to-1 NAT)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_use_1to1_nat_c.html
(Configure Outgoing Dynamic NAT Through a Branch Office VPN Tunnel)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_set_outgoing_nat_c.html
You'd essentially make the tunnel from 126.0.0.100 <--> Azure subnet
- Check the 1-to-1 NAT or DNAT checkbox.
- Select what you want it to appear as to Azure there.
-James Carson
WatchGuard Customer Support
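A pre-flight check for the mapping described in the answer above, as an added example that is not part of the original posts or WatchGuard's documentation: it verifies that a planned masqueraded address is private, the same size as the real range and clear of the remote subnet, then shows the translation in both directions. The 10.99.0.100 masqueraded address and the 10.1.0.0/16 Azure subnet are constructed values, and treating RFC 1918 space as what Azure accepts is an assumption.

```python
import ipaddress

# RFC 1918 private ranges (assumed acceptable as an encryption domain).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_mapping(real, masq, remote):
    """Return a list of problems with a planned 1-to-1 NAT tunnel route."""
    real_n = ipaddress.ip_network(real)
    masq_n = ipaddress.ip_network(masq)
    remote_n = ipaddress.ip_network(remote)
    problems = []
    if real_n.prefixlen != masq_n.prefixlen:
        problems.append("real and masqueraded ranges differ in size")
    if not any(masq_n.subnet_of(p) for p in RFC1918):
        problems.append("masqueraded range is not RFC 1918 private space")
    if masq_n.overlaps(remote_n):
        problems.append("masqueraded range overlaps the remote subnet")
    return problems


def translate(addr, src_net, dst_net):
    """Map addr from src_net to the same host offset in dst_net."""
    a = ipaddress.ip_address(addr)
    src_n = ipaddress.ip_network(src_net)
    dst_n = ipaddress.ip_network(dst_net)
    if a not in src_n:
        return str(a)  # outside the NAT rule, so left untranslated
    offset = int(a) - int(src_n.network_address)
    return str(dst_n.network_address + offset)


if __name__ == "__main__":
    REAL = "126.0.0.100/32"    # the one host from the thread
    MASQ = "10.99.0.100/32"    # constructed masqueraded address
    AZURE = "10.1.0.0/16"      # constructed remote (Azure) subnet

    print("problems:", check_mapping(REAL, MASQ, AZURE) or "none")
    # Outbound: the source is rewritten before entering the tunnel.
    print("to Azure  :", translate("126.0.0.100", REAL, MASQ))
    # Inbound: replies addressed to the masqueraded IP are mapped back.
    print("from Azure:", translate("10.99.0.100", MASQ, REAL))
    # Using the public range unchanged fails the private-space check.
    print("no NAT    :", check_mapping(REAL, REAL, AZURE))
```

The remote side has to list the masqueraded address, not 126.0.0.100, as the local network on its end of the tunnel.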
Thanks James - that was a lot easier than I was expecting!