Route traffic to another router (normally source based routing) over wireguard

[thursmann]

Hey there,

I am trying to figure out for a while now how I can make my traffic flow in my specific scenario over the right gateways.

So what am I trying to do?

Here is what the setup looks like

internal net --> firewall --> internet

Here is what the setup has to look like instead

internal net --> firewall --
> default route -> internet
> 10.x.x.24/29 -> wireguard connected network --> gateway on other side --> internet

So I have tried a lot, but can't to seem make it work with OPNsense, and am just hoping I am missing something.

Currently now I have setup two gateways, both marked as upstream (for some weird reason however it did not create routes for the second interface). The wireguard vpn is up and running, but for some reason I can only communicate with hosts on the other side of the tunnel when traffic is passing through OPNsense, but not when it is coming from the same box, so I am suspecting something wrong here as well (since wireguard is marked as experimental this wouldn't be big news). So can anyone here tell me if the setup is missing something or should it normally work like that.
While debugging I started packet captures on the other side as well as on the OPNsense side. The to be routed packets never reach, but I can see them on the wireguard interface. However (example below) a ping request seems to not being redirected by directly answered as not found (so I suspect it never being routed). Setting the gateway on the host level is not an option, since they always should reach until the firewall and the firewall(s)/routing knot(s) should make the proper decision.

ICMP

10   1.265401   10.1.0.30   1.1.1.1   ICMP   88   Echo (ping) request  id=0x0089, seq=2/512, ttl=63 (no response found!)

TCP

79   3.714743   10.1.0.30   1.1.1.1   TCP   64   60496 %u2192 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=321316932 TSecr=0 WS=128
82   4.730075   10.1.0.30   1.1.1.1   TCP   64   [TCP Retransmission] 60496 %u2192 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=321317947 TSecr=0 WS=128


Summary:

Gateway 1: WAN Interface (upstream marked highest priority)
Gateway 2: Wireguard Interface (gateway configured is a host on the other side) (upstream marked, lowest priority)

Firewall Rules: LAN - IN - Pass - Traffic not from LAN - Pass to Gateway 2



I am planning to drop OPNsense in the long run anyways since I will opt for a linux based routing and firewall solution incorporating bpf, so the question arises for me also of course, am I already at a point where OPNsense doesn't cover my needs anymore? I really like the interface, which is why opted for it in the first place vs. going straight for a cli based solution until I build something around it.

Also to add, this is fairly simple with multiple routing tables and configure source based routing normally, which I discovered on my way debugging is not at all supported by OPNsense.

[thursmann]

turns out this is hardly a limitation of OPNsense indeed, or at least of the wireguard extension and the basic lack of functionality when it comes to custom routes. wireguard needs explicit allowance for ips to pass, however the routes automatically created on the interface result in traffic being swallowed on the same as soon as the instruction is to pass either everything or just public networks.