Query is about building a 'NON-KILL' switch.
There are plenty of guides suggesting how to build a 'Kill-Switch' - but what I am after is a 'Non-Kill' switch.
Essentially, if the WG VPN tunnel goes down (for whatever reason), I want OPNsense hosts to start using the default 'WAN' tunnel for traffic.
I know that it is a slightly weird situation - but with family/wife/kids ... it is important that internet traffic continues without interruption.
My setup:
- I have a 3rd party VPN (let's say an external hosted VPS or NordVPN or Surfshark).
- I wish to have some specific OPNsense clients go through the WG VPN tunnel.
Actions followed:
- I used the OPNsense documentation (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html) for selective routing. The 'WireGuard Selective Routing to External VPN Endpoint' document for IPv4.
- I followed it down to a tee (barring the kill switch listed in Step 11)
- Setup all firewall rules, everything as per documentation.
Everything works as expected 👍, as in the specific hosts now connect through the VPN tunnel and traffic is routed through WG tunnel as expected. All good so far.
Q: However, if this WG tunnel were to drop (or the Gateway monitoring showed 100% loss), I would like the same hosts to start using the default 'WAN' gateway. Currently, these hosts cannot access the internet at all.
Anyone can help how to do this?
@meyers @franco @others
Any ideas...
In step 8 you create a firewall rule. I think this rule is the problem. This rule should be disabled if the WireGuard is down or you turn it off. I am also struggling with this.
Maybe create a gateway group with your WGtunnel as higher priority than your default WAN. Then use the gateway group in your firewall rule.
Quote from: Dslgeek on March 02, 2025, 05:53:04 PM
Maybe create a gateway group with your WGtunnel as higher priority than your default WAN. Then use the gateway group in your firewall rule.
Thanks for the response...
Could you provide some more information?
- How to create the Gateway group and set priority for WGTunnel?
- Which rules (Step Numbers) to change from WGTunnel gateway to gateway group?
You would create the gateway group: system > gateways > group and + to add a group. You would list your wireguard tunnel as priority 1 and your WAN as priority 2,3,4,5 ... I doubt it matters if your group will only have 2 gateways. The trigger for your application might be packet loss or high latency as you want to preserve internet access. Then in step 8 where the instructions have you select "WAN_VPNProviderName" you would instead select your gateway group.
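The failover logic the reply above describes, as an added example that is not part of the thread and not OPNsense's own code: it models how a gateway group with the WireGuard gateway at priority 1 and plain WAN at priority 2 picks a member, depending on the trigger level chosen for the group (Member Down, Packet Loss, High Latency, or Packet Loss or High Latency) and on what the gateway monitor reports. The gateway names ("WAN_VPNProviderName" from the how-to, "WAN_GW") and the loss and latency thresholds are assumptions; the monitor readings are constructed. It shows why the trigger matters for the "keep the family online" goal: with the Member Down trigger, a tunnel at 35% loss still gets the traffic, whereas the loss-or-latency trigger moves those hosts to WAN. Note that once the group fails over, that traffic leaves through plain WAN, which is exactly the non-kill behaviour asked for.

```python
"""Model of OPNsense gateway-group member selection (added example, not OPNsense code)."""
from dataclasses import dataclass

# Assumed "high" thresholds, in the spirit of the per-gateway dpinger settings under
# System > Gateways. They are illustrative values, not OPNsense defaults.
LOSS_HIGH_PCT = 20.0
LATENCY_HIGH_MS = 500.0

# The four trigger levels a gateway group can be given.
MEMBER_DOWN = "member_down"
PACKET_LOSS = "packet_loss"
HIGH_LATENCY = "high_latency"
LOSS_OR_LATENCY = "loss_or_latency"


@dataclass
class GatewayStatus:
    """Constructed monitor reading for one gateway (what the monitor would report)."""
    name: str
    loss_pct: float
    latency_ms: float


@dataclass
class GatewayGroup:
    """Members mapped to their priority tier; tier 1 is tried first."""
    name: str
    tiers: dict  # gateway name -> tier number
    trigger: str = LOSS_OR_LATENCY


def gateway_state(gw, loss_high=LOSS_HIGH_PCT, latency_high=LATENCY_HIGH_MS):
    """Classify a reading as 'down', 'loss', 'delay' or 'none' (healthy)."""
    if gw.loss_pct >= 100.0:
        return "down"
    if gw.loss_pct > loss_high:
        return "loss"
    if gw.latency_ms > latency_high:
        return "delay"
    return "none"


def member_usable(state, trigger):
    """Decide whether a member in the given state still counts under the trigger."""
    if state == "down":
        return False  # a fully down member is excluded whatever the trigger
    if trigger == MEMBER_DOWN:
        return True
    if trigger == PACKET_LOSS:
        return state != "loss"
    if trigger == HIGH_LATENCY:
        return state != "delay"
    if trigger == LOSS_OR_LATENCY:
        return state == "none"
    raise ValueError(f"unknown trigger {trigger!r}")


def select_gateways(group, readings):
    """Return the members of the lowest-numbered tier that still has a usable gateway.

    Several gateways in one tier would share the load; the thread's group has one per
    tier, so the result is normally a single name. An empty list means every member
    failed the trigger; what the firewall does in that case is outside this model.
    """
    by_name = {r.name: r for r in readings}
    for tier in sorted(set(group.tiers.values())):
        usable = [
            name
            for name, t in group.tiers.items()
            if t == tier and member_usable(gateway_state(by_name[name]), group.trigger)
        ]
        if usable:
            return usable
    return []


# The thread's group: WireGuard gateway at tier 1, plain WAN at tier 2 (names assumed).
VPN_FIRST = GatewayGroup("VPN_FAILOVER", {"WAN_VPNProviderName": 1, "WAN_GW": 2})


def route_for(wg_loss, wg_latency, trigger=LOSS_OR_LATENCY, wan_loss=0.0, wan_latency=12.0):
    """Constructed scenario: WAN reading held steady, WireGuard reading set by the caller."""
    readings = [
        GatewayStatus("WAN_VPNProviderName", wg_loss, wg_latency),
        GatewayStatus("WAN_GW", wan_loss, wan_latency),
    ]
    group = GatewayGroup(VPN_FIRST.name, VPN_FIRST.tiers, trigger)
    return select_gateways(group, readings)


if __name__ == "__main__":
    print("tunnel healthy                        ->", route_for(0.0, 40.0))
    print("tunnel 100% loss                      ->", route_for(100.0, 0.0))
    print("tunnel 35% loss, Member Down trigger  ->", route_for(35.0, 40.0, MEMBER_DOWN))
    print("tunnel 35% loss, loss-or-latency      ->", route_for(35.0, 40.0))
    print("both gateways down                    ->", route_for(100.0, 0.0, wan_loss=100.0))
```

A firewall rule that selects the group instead of the single WireGuard gateway would follow whichever name `select_gateways` returns; the script's last case is the one a kill switch is meant to cover, and the one this thread deliberately does not.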
Quote from: Dslgeek on March 03, 2025, 01:21:06 AM
You would create the gateway group: system > gateways > group and + to add a group. You would list your wireguard tunnel as priority 1 and your WAN as priority 2,3,4,5 ... I doubt it matters if your group will only have 2 gateways. The trigger for your application might be packet loss or high latency as you want to preserve internet access. Then in step 8 where the instructions have you select "WAN_VPNProviderName" you would instead select your gateway group.
Thanks, I'll give this a try...