WireGuard Selective Routing

Started by trodden8484, November 04, 2025, 04:01:30 PM

Cross posting here from a thread I started on reddit but also looking here for some help if possible.

I have not long since migrated from a homebrew router on Debian to OPNsense. During the migration I have made a few changes (like moving from OpenVPN to WireGuard) and I have the basics working, almost all, in fact.

The one thing I am struggling with is reimplementing policy based routing or the equivalent in OpenVPN. Again, I am not moving from a 1:1 situation that I had previously but making some in-flight changes.

What I want to achieve is to be able to route any given client in my VLANs via one of my VPS nodes. The nodes are linked in something of a mesh on WireGuard (all endpoints that have publicly routable addresses are added into the config).

VPS 1 is connected via WG on 10.10.110.252. From my LAN I can access the VPS and I can from a client connect with WG and route my connection via the VPS. This works now. The enhancement I would like to make is that rather than configuring it at the client level, I would like to be able to configure it in OPNsense and add a client into a group and that group is routed via VPS1 or VPS2 or my local ISP.

I have followed the guide on "Selective Routing" as closely as possible to my setup - https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

What I am seeing now is when I have a client in the VPSGW Alias group, I am not getting past the default gateway for the subnet.

traceroute to google.com (142.250.186.142), 64 hops max, 40 byte packets
 1  10.10.100.1 (10.10.100.1)  3.150 ms  1.561 ms  1.552 ms
 2  * * *

Any pointers of where to look for issues would be helpful.
Thanks in advance.

Hi there,

Trying to understand your setup, the VPS1/2 as well as any WG "clients/road warriors" are tied to the same WG instance on your new OPNsense NGFW?

I'm not acquainted with the overlay "tool" you may be using (tailscale or such I'd guess) although I would separate things, one WG instance for your meshed network (VPS1 + VPS2 + OPNsense) and I'd do another instance terminating any WG road warriors ingressing connections at the OPNsense level.

Hope this helps a bit.
Regards,
m.

You'll need two WireGuard instances on OPNsense for this. Peer selection in wg is based on the destination IP address, as configured in the 'allowed IPs'.
If you want to use both VPS nodes for Internet access, 'allowed IPs' must be 0.0.0.0/0 for both peers. But you can't have two peers with the same allowed IPs in one wg instance.

Cheers
Maurice
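A small model of the point both replies make, added here as an illustration and not code from the thread, from OPNsense or from WireGuard: WireGuard's cryptokey routing maps each AllowedIPs prefix to exactly one peer, so two VPS peers cannot both hold 0.0.0.0/0 inside one instance (the prefix simply moves to whichever peer claimed it last, which is what `wg set` does), whereas one instance per VPS plus a source-address group choosing the egress interface gives each VPS its own default route. The VPS2 tunnel address 10.10.110.253 and the client addresses 10.10.100.50, .60 and .70 are constructed; only 10.10.110.252 and the 142.250.186.142 destination come from the thread.

```python
"""Constructed model of WireGuard cryptokey routing plus OPNsense-style
policy routing. Not OPNsense or WireGuard code; it shows why one WG
instance cannot carry traffic to two default-route peers."""
from ipaddress import ip_address, ip_network


class WgInstance:
    """One WireGuard interface: an AllowedIPs table mapping prefix -> peer,
    consulted with longest-prefix match for every outbound packet."""

    def __init__(self, name):
        self.name = name
        self.table = {}  # ip_network -> peer name

    def add_peer(self, peer, allowed_ips):
        # Like `wg set <if> peer ... allowed-ips`: a prefix can belong to only
        # one peer, so a prefix already owned elsewhere moves to this peer.
        for cidr in allowed_ips:
            self.table[ip_network(cidr)] = peer

    def peer_for(self, dst):
        """Peer that a packet to dst is encrypted to, or None if no prefix matches."""
        addr = ip_address(dst)
        matches = [(net.prefixlen, peer) for net, peer in self.table.items() if addr in net]
        return max(matches)[1] if matches else None

    def owners_of(self, cidr):
        """Peers currently holding exactly this prefix (always zero or one of them)."""
        return [peer for net, peer in self.table.items() if net == ip_network(cidr)]


def build_shared_instance():
    """The failing layout: both VPS peers in one instance, both claiming 0.0.0.0/0."""
    wg0 = WgInstance("wg0")
    wg0.add_peer("VPS1", ["10.10.110.252/32", "0.0.0.0/0"])
    wg0.add_peer("VPS2", ["10.10.110.253/32", "0.0.0.0/0"])  # 10.10.110.253 is constructed
    return wg0


def build_split_instances():
    """The working layout: one instance per VPS, each owning its own default route,
    plus source-address groups (the OPNsense alias) choosing the egress interface."""
    wg0 = WgInstance("wg0")
    wg0.add_peer("VPS1", ["10.10.110.252/32", "0.0.0.0/0"])
    wg1 = WgInstance("wg1")
    wg1.add_peer("VPS2", ["10.10.110.253/32", "0.0.0.0/0"])
    groups = [
        (["10.10.100.50"], wg0),  # alias VPSGW1, constructed member
        (["10.10.100.60"], wg1),  # alias VPSGW2, constructed member
    ]
    return wg0, wg1, groups


def select_egress(client_ip, groups, default="ISP"):
    """First alias the source address belongs to decides the gateway; otherwise the ISP."""
    src = ip_address(client_ip)
    for members, gateway in groups:
        if any(src in ip_network(m, strict=False) for m in members):
            return gateway
    return default


def route(client_ip, dst, groups):
    """(egress name, WG peer) for a client packet: policy picks the interface,
    then that interface's own AllowedIPs table picks the peer."""
    gateway = select_egress(client_ip, groups)
    if isinstance(gateway, WgInstance):
        return gateway.name, gateway.peer_for(dst)
    return gateway, None


if __name__ == "__main__":
    shared = build_shared_instance()
    # Only VPS2 keeps 0.0.0.0/0; VPS1 is still reachable on its /32 but no longer a default route.
    print("one instance, 0.0.0.0/0 owned by:", shared.owners_of("0.0.0.0/0"))
    print("one instance, 142.250.186.142 goes to:", shared.peer_for("142.250.186.142"))
    _, _, groups = build_split_instances()
    for client in ("10.10.100.50", "10.10.100.60", "10.10.100.70"):
        print(client, "->", route(client, "142.250.186.142", groups))
```

Running the shared-instance case shows the symptom behind Maurice's warning: after VPS2 is added, a lookup for 142.250.186.142 returns VPS2 only, and VPS1 is selected solely for its own tunnel address. In the split layout the alias membership of the source address decides which instance the packet leaves on, and each instance then resolves its single default-route peer.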