I’m implementing NetBird, a WireGuard-based VPN, in my company.
WireGuard-based VPNs work best if you can get a peer-to-peer connection going. That only works if all firewalls/routers between the clients are capable of NAT traversal.
I tried it with a static NAT and some internal Firewall rules, but without success. Can this be done with Checkpoint?
I’m using Checkpoint GAIA R81.10 Virtual Appliance
Static NAT and allowing the configured UDP port should work just fine.
Check the logs to make sure both your access rule and your NAT rule are used for the incoming connection.
If you used a manual NAT rule and a public IP that is link-local on the external interface, make sure you have configured proxy ARP. The firewall will not answer ARP requests for the used IP if this is not set up correctly.
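One way to verify the static NAT from the outside, rather than only from the gateway's logs, is a STUN-style reflector: a listener outside the gateway that echoes back the source IP:port it observed, and a probe on the NetBird peer that sends from the WireGuard listen port and compares what came back. With a working 1:1 static NAT the reflected port equals the local listen port; if it differs, the gateway is hide-NATing the flow and inbound peer-to-peer traffic to the forwarded port cannot reach the peer. The script below is an added example written for this thread, not NetBird's or Check Point's code; it runs both halves on loopback so it is self-contained, and the addresses, ports and the probe payload are assumptions for illustration.

```python
"""Minimal STUN-style reflector and probe to check whether a gateway's static
NAT exposes a WireGuard/NetBird UDP listen port unchanged (added example).

Deploy the reflector on a host outside the gateway and run the probe on the
peer behind it.  Here both run on 127.0.0.1 so the block executes offline.
"""
import socket
import threading


def run_reflector(bind_addr=("127.0.0.1", 0), stop_after=1, idle_timeout=5.0):
    """Answer each datagram with the observed source as 'ip:port' text.

    Returns (bound_port, thread).  bind_addr port 0 lets the OS pick a port,
    which is convenient for the loopback demo; in a real check you would bind
    a fixed, reachable UDP port on the external host (assumed value).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind_addr)
    sock.settimeout(idle_timeout)
    port = sock.getsockname()[1]

    def serve():
        try:
            for _ in range(stop_after):
                _payload, src = sock.recvfrom(2048)
                # The reply carries the address:port the reflector saw, i.e.
                # the post-NAT mapping as an external peer would see it.
                sock.sendto(f"{src[0]}:{src[1]}".encode(), src)
        except socket.timeout:
            pass
        finally:
            sock.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def probe(reflector, local_port, local_addr="127.0.0.1", timeout=2.0):
    """Send one datagram from local_port and report the mapping seen outside.

    Returns a dict: local_port, mapped_ip, mapped_port and port_preserved
    (True when the external port equals the local listen port, which is what
    a 1:1 static NAT for a WireGuard port must provide).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind((local_addr, local_port))
    actual_port = sock.getsockname()[1]  # resolves port 0 to the chosen one
    try:
        sock.sendto(b"nat-probe", reflector)  # constructed probe payload
        data, _src = sock.recvfrom(2048)
    finally:
        sock.close()
    mapped_ip, mapped_port = data.decode().rsplit(":", 1)
    mapped_port = int(mapped_port)
    return {
        "local_port": actual_port,
        "mapped_ip": mapped_ip,
        "mapped_port": mapped_port,
        "port_preserved": mapped_port == actual_port,
    }


def main():
    # Loopback demo: no NAT in the path, so the mapping must be preserved.
    refl_port, thread = run_reflector()
    result = probe(("127.0.0.1", refl_port), 0)
    thread.join(timeout=5)
    verdict = "static NAT OK" if result["port_preserved"] else "port rewritten"
    print(f"seen from outside as {result['mapped_ip']}:{result['mapped_port']} "
          f"(local {result['local_port']}): {verdict}")


if __name__ == "__main__":
    main()
```

In a real check, bind the probe to the peer's actual WireGuard listen port (NetBird's default is 51820 unless configured otherwise) and point it at the reflector's public address; a `socket.timeout` on the probe means the reply never made it back through the gateway, which is the case to correlate with the access and NAT rule logs mentioned above.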
Unfortunately, this does not work :(. Everything is allowed and gets through, as I can see in the logs, however I just don’t get a peer-to-peer connection. Seems like NAT traversal on Checkpoint only works for their own IPSec VPN.
Yup, this was also the official response from Checkpoint: “Open VPN & Wireguard are currently limited to Harmony SASE, not supported for NGFW (security gateway)”