(192.168.8.2)-----------(108.130.20.2 ISP ATT PUBLIC)-----------------------------(3.4.175.88)
Home Laptop (Via Wi-Fi)—Connected to my home openwrt (with vpn’d to)------wireguard AWS Server
My laptop connects just fine to the internet, and the IP address shown by ipchicken is the WireGuard server's, 3.4.175.88. BUT when I connect from my laptop to my work using my Palo Alto VPN… over my AWS WireGuard server connection…
Palo Alto shows my real ISP AT&T IP address, 108.130.20.2, instead of 3.4.175.88, which is what I want it to show. Yet even while connected with this setup, if I browse the internet it shows 3.4.175.88, BUT Palo Alto on the far end knows my real ISP IP address…
Suggestions? What should I modify, what should I change, or add, to make sure that at any layer my outbound IP address always shows as 3.4.175.88, the AWS WireGuard server?
Try using traceroute to show the path of the traffic for different endpoints, to see whether it is actually flowing over the WireGuard server.
I recently saw a “detector”, My IP Address - BrowserLeaks, and interestingly it detected the local IP, which got me thinking that it is using JavaScript, but I’ve not had time to figure it out. It will say that you are connected by VPN.
I think your connection goes through the Palo Alto VPN directly to AWS, and from there you are connecting to the WireGuard server 3.4.175.88.
So you’ll need to put the Palo Alto VPN behind a router, or another similarly functioning device, to force it over the 3.4.175.88 VPN first, so that the Palo Alto device thinks that its WAN is 3.4.175.88.
Hi. Were you able to find a solution to this? I was thinking of working remotely from overseas using the exact same setup as yours. But now I’m worried that this might not be as foolproof as I thought.
Thanks for the reply, but https://browserleaks.com/ip shows my AWS IP address as desired. BUT when I connect my laptop, which is connected to my WireGuard VPN, and fire up my Palo Alto VPN client to my work… on my edge Palo Alto, as an administrator, I see my real ISP provider address instead of my AWS WireGuard IP address as desired… so it makes me think that these VPNs are only good for browsing… but that’s… I tried using NordVPN on my WireGuard, and other known VPN services, and guess what, my Palo Alto firewall is able to see my real IP address instead of the WireGuard AWS server IP address… which means that the Palo inspects the traffic at another layer… which is sad… because this means that all these VPN services promising “privacy” are all bogus…
My laptop, which is connected to my home OpenWrt router (which is running as a WireGuard client connected to my AWS WireGuard server), also has the Palo Alto VPN client. It is connected via Wi-Fi to my OpenWrt router, which works as a WireGuard client, and is therefore behind the router… to do exactly that, to make the PA think that my WAN is 3.4.175.88…
Well, you got me thinking on this, so I decided to create my own DNS server so that I can manipulate the DNS queries, and still… the same issue… so it’s not DNS leaks… somehow some data coming through the PA is able to be compared with a DB… or else some sort of packet containing the original physical egress IP address… now I am thinking MAC cloning… somewhere
The MAC address is only visible on the immediate local link of your router (it is only seen by your ISP), and even if there were a way for the remote host to learn your MAC address, there is NO global DB of MAC address locations.
Since you’re tech savvy, do a packet capture (install tcpdump) on the uplink interface of your home OpenWrt router. Filter by the DNS protocol first. Compare the traffic with the routing tables. There’s a lot to learn when doing packet capturing.
I think that you should be using PBR to route only some traffic through the VPN link, as it gives you greater control over the routing tables affecting the tunneled traffic.
(Laptop)–Wi-Fi----(Openwrt router as client)----To—(AWS Wireguard server)—(Internet)
*When my laptop is connected over Wi-Fi to my OpenWrt set as a WireGuard client, and I browse the internet, I see my (AWS) WireGuard IP address… Good.
*When my laptop is connected over Wi-Fi to my OpenWrt set as a WireGuard client, and I browse the internet, I see my (AWS) WireGuard IP address… Good… BUT when I fire up my Palo Alto client on this same laptop, Palo Alto is able to see my real ISP provider IP address instead of my AWS WireGuard IP, and if I browse the internet while connected to the Palo Alto, my IP address shows over the web as my AWS WireGuard IP address… hence my question… why and how is the Palo able to see my real IP address?
But in this case there is only one way out… through the OpenWrt router… I am doing split tunneling…
PA hardware is on the edge side at work; the PA client is installed on my laptop, which is connected via Wi-Fi to my OpenWrt acting as a WireGuard client connecting to my AWS WireGuard server, which is the egress to the internet…
I could disable IPv6, although I’m not sure if that has anything to do with anything, as my connection is strictly IPv4 end to end.
tcpdump was installed on all endpoints except on my employer’s laptop… (Just requested Wireshark to be installed)… so we will see…
On my DNS server I am able to see DNS queries… but of course not those of the Palo Alto tunnel… my guess is that my public IP is captured at the time of the initial VPN connection… so…
A traceroute would show the route, and if you could confirm that the PA VPN is indeed going through the WG tunnel, that would say yes, they can see the source of the tunnel somehow.
Or it will show that the OpenWrt doesn’t pass the PA VPN through the WG VPN, and that’s why the PA can see your real IP.
The client is an OpenWrt I use as a travel router:
It does VPN to the EdgeRouter with WireGuard
It does NOT forward all the traffic through the WireGuard link
It uses PBR (Policy-Based Routing) to forward the traffic originating from one /24 subnet to the WireGuard link
It has two SSIDs:
One that uses the regular routes from the main routing table in the OpenWrt router
Another that has its /24 subnet forwarded to the WireGuard link
The DNS port being accessed from the forwarded subnet is DNAT-redirected to the EdgeRouter link address at the other end of the WireGuard link.
There are more shenanigans happening in the routing tables, but this is a “basic” setup in which any node behind the redirected SSID has no way to figure out it’s being VPNed (besides the increased latency).
Folks running the office network do not allow installing other VPN software besides Palo Alto, so using an external client router is the best approach.
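The two-SSID PBR setup described in the post above, and the "compare the capture with the routing tables" check suggested earlier in the thread, written out as an added shell example. This is not the poster's own configuration and none of it comes from the thread: the VPN subnet 192.168.50.0/24, the tunnel interface wg0, the far-end tunnel address 10.0.0.1 used as resolver, routing table 100 and the LAN bridge br-lan are all assumed names. With DRY_RUN=1 (the default) it only prints the commands so they can be reviewed off-box; DRY_RUN=0 as root on the router applies them.

```shell
#!/bin/sh
# Added example, not code from the thread: policy-based routing on an OpenWrt
# travel router so that only the "VPN" SSID's /24 egresses through WireGuard,
# while the other SSID keeps the main routing table (the ISP uplink).
# Assumed names: VPN subnet 192.168.50.0/24, tunnel interface wg0, far-end
# tunnel address 10.0.0.1 (resolver), routing table 100, LAN bridge br-lan.
# DRY_RUN=1 prints the commands instead of executing them.

VPN_SUBNET="${VPN_SUBNET:-192.168.50.0/24}"
WG_IF="${WG_IF:-wg0}"
WG_PEER_DNS="${WG_PEER_DNS:-10.0.0.1}"
TABLE_ID="${TABLE_ID:-100}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the selector rule, the dedicated table and the DNS redirect.
pbr_apply() {
    # Table 100: a default route through the tunnel, used only by the VPN subnet.
    run ip route add default dev "$WG_IF" table "$TABLE_ID"
    # Fail closed: if wg0 goes down its route disappears, and this lower-priority
    # prohibit route stops the subnet from falling back to the ISP uplink.
    run ip route add prohibit default table "$TABLE_ID" metric 1000
    # Packets sourced from the VPN subnet consult table 100 before the main table.
    run ip rule add from "$VPN_SUBNET" lookup "$TABLE_ID" priority 1000
    # DNS from that subnet is DNAT'ed to the resolver at the far end of the tunnel
    # (fw4's dstnat chain; persist it under /etc/nftables.d/ to survive a reload).
    run nft add rule inet fw4 dstnat ip saddr "$VPN_SUBNET" udp dport 53 dnat ip to "$WG_PEER_DNS"
    run nft add rule inet fw4 dstnat ip saddr "$VPN_SUBNET" tcp dport 53 dnat ip to "$WG_PEER_DNS"
}

# Ask the kernel which interface a forwarded packet from the VPN subnet to $1
# would leave by; with PBR in place the answer must name wg0, never the WAN device.
pbr_check_egress() {
    run ip route get "$1" from "${2:-192.168.50.10}" iif br-lan
}

pbr_apply
pbr_check_egress 1.1.1.1
```

The wg0 interface still needs its own firewall zone with masquerading and forwarding allowed from the VPN SSID's zone; the WireGuard peer must be configured with AllowedIPs 0.0.0.0/0 but without letting OpenWrt install that route into the main table, otherwise the other SSID gets tunneled too. Pairing `ip route get` with a tcpdump on the WAN interface (filtering on port 53 first) shows directly whether anything from the VPN subnet escapes the tunnel.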
I actually did this earlier today… the traffic both goes to the AWS WireGuard server as an outbound route… hence my question… how in the world is the PA able to see my real ISP address… I am thinking somehow NAT somewhere… unless the PA does some really cool packet inspection… but unfortunately I cannot get logs out of the PA… I just don’t understand how this is happening…
Yes, I get it… but it all seems to be fine until the Palo Alto administrator checks the VPN connection info, and here is where he is able to see my originating IP.
By the way, I have also spun up an OpenVPN server, and the same behavior, and oh yeah, I built a DNS server on top, and the same.
Over the browser it shows my AWS server IP address, but on the Palo Alto client… and by the way I also tested using a Cisco client, and the same behavior as on the Palo Alto.
The Palo Alto client is snitching on you because it has privileged access to the raw networking stack on your laptop. This does not happen with an external client router, as all the traffic coming from the laptop is VPNed without any knowledge of the laptop itself.