Messages - JamieR007

#1
Any comments or suggestions greatly appreciated. Do others just create separate VLAN access rules for WireGuard clients? I'm trying to avoid duplication of these rules.

Thanks

#2
Hi,

I'm trying to make a WireGuard client behave like a device on an existing VLAN, i.e. subject to the same existing VLAN firewall rules (including inter-VLAN restrictions) without duplicating policy.

What I've tried:

WireGuard interface rules — pf only sees the outer UDP tunnel, so rules targeting specific inner IP/port combinations never match.

SNAT to a VLAN IP — makes the client appear as a VLAN host, but the firewall still evaluates rules on the WireGuard interface instead of the VLAN, so it doesn't defer to the VLAN rules.

Bridging WireGuard into the VLAN — technically difficult and unreliable, because WireGuard is L3-only and doesn't support true bridging.

Workaround options:

Enforce policy on each destination VLAN, using SNAT so the client looks like VLAN traffic.

Move the VLAN firewall policy into Floating rules with Quick mode, applying to both the VLAN and WireGuard interface — eliminating duplication.

Question:
Is there a cleaner, recommended approach in OPNsense to have WireGuard clients inherit VLAN firewall rules without rule duplication?

Thanks!
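The two workaround options listed in the post, sketched in pf.conf syntax as an added example (it is not from the post and not an OPNsense-generated ruleset; interface names, networks and addresses are assumptions):

```pf
# Constructed example, not from the post or from an OPNsense ruleset.
# Interface and network names below are assumptions.
vlan_if        = "vlan10"        # existing VLAN interface
wg_if          = "wg0"           # WireGuard tunnel interface
vlan_net       = "10.10.0.0/24"  # hosts on the VLAN
wg_net         = "10.20.0.0/24"  # WireGuard client addresses
restricted_net = "10.30.0.0/24"  # a VLAN the policy says must not be reached

# Option 1 (SNAT): when WireGuard clients leave via the VLAN interface,
# rewrite their source to the VLAN interface address, so rules on the
# destination side see a VLAN source rather than a tunnel address.
# pf requires translation rules to precede filter rules.
nat on $vlan_if from $wg_net to any -> ($vlan_if)

# Option 2 (floating rules with Quick): bind one rule set to both
# interfaces, so the VLAN policy and the tunnel policy are the same lines
# and nothing is duplicated per interface.
block in quick on { $vlan_if $wg_if } from any to $restricted_net
pass  in quick on { $vlan_if $wg_if } from { $vlan_net $wg_net } to any keep state
```

On a FreeBSD-based box the fragment can be syntax-checked without loading it using `pfctl -nf <file>`; in OPNsense the same intent is expressed through the GUI (Outbound NAT for the first option, Floating rules with multiple interfaces selected and Quick enabled for the second), and the generated rules can be compared with `pfctl -sr`.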