Wireguard OPNSense route only one host

Started by trevs, December 09, 2020, 10:26:03 PM

December 09, 2020, 10:26:03 PM Last Edit: December 09, 2020, 10:27:58 PM by trevs
I have OPNsense running as my firewall, all traffic on my network runs through it.
I've set up wireguard in OPNsense. It's just a client though, I use Torguard as the service provider for VPN. I am NOT trying to connect back into my network via wireguard. Just use wireguard to "protect" me.
Created the NAT-Outbound rule and all traffic on my LAN flows out via wireguard - this is good of course.
However I want to change it so only 1 IP on my network goes through the wireguard and everything else just goes out the WAN.
I'm using Hybrid in the outbound section.
Tried setting the source from LAN Net to the IP I want, but then all devices lose access to internet.
Also tried an alias(my ultimate end goal will be routing just an alias out my wireguard).

I've done searching but it's a mix of people wanting to connect to their own networks via wireguard and some only wanting entire network routed. If someone could point me to a how-to that's my situation, or similar, I'd really appreciate it!


I did find that thread and have been trying to follow.
It's any time I get to the last 2 steps that I'm getting hung up
Create a NAT rule on the Mullvad interface for your LAN network - This was easy enough, but makes it so ALL traffic goes out WG0


Create a firewall rule for your LAN interface directing (selected) traffic to the Mullvad gateway (or the group in my case)



I'm not seeing why I need a gateway for WG0. Or how to route to it though.

Disclaimer: I haven't configured Wireguard with a commercial VPN provider at this stage (still using OpenVPN with PIA), so I don't have first hand experience of doing this (yet).

But gut feel is that there is something not right with your FW rules.

Have you seen this? https://imgur.com/gallery/JBf2RF6

Gives an example of routing only 1 IP through the tunnel. I think creating the WG gateway is required so that you can do the more complicated routing.

And it's important to tick "disable routes" in WireGuard local config.
Otherwise the default GW will be the WG tunnel. You just want to use policy routing, this is happening within the firewall rules. It's important that those rules are above other unspecific rules, otherwise they are not considered.
,,The S in IoT stands for Security!" :)

Disable routes is now allowing me to keep everything working regardless of the outbound rule. BUT now I can't get anything routed through wireguard.

I've tried following https://imgur.com/gallery/JBf2RF6. But when I did it just didn't work at all it seemed. I guess I don't understand the purpose in that link of using an alias to represent the "normal" network. And then at the very end it appears anything that is NOT part of the normal network is supposed to use regular WAN - very last rule under the words Optional Step...

December 10, 2020, 11:55:19 PM #6 Last Edit: December 11, 2020, 02:18:06 AM by Greelan
How I interpret those rules is:

  • if a packet comes into the LAN interface from the single IP 192.168.2.102 and is not destined for another IP on the local network, then allow that packet out via the WG (external) gateway
  • otherwise, if a packet comes into the LAN interface from any other IP and is not destined for another IP on the local network, then allow that packet out via the normal WAN gateway

Which is what you are trying to achieve, correct?

Order of the rules is important.

@trevs Did you have any luck getting this to work?

I had a go over the weekend setting up a WG tunnel with PIA, and it seemed to work. I was able to tunnel just the (IPv4) IP of my iPhone over the tunnel, and the rest of my network seemed unaffected.

I essentially followed the guide posted by Jonny on imgur, although I didn't bother with the firewall rule to allow all other LAN clients out of the normal WAN gateway, as I figured the standard "allow LAN to any" rule would deal with that. I just had to make sure that the rule for the iPhone IP was above that standard rule.

I also didn't try the "kill switch" settings as this was only a test run. When I eventually switch from OpenVPN to WG to PIA I will likely do that, and also deal with IPv6. In my test my IPv6 address from my iPhone was leaking out of the normal WAN gateway as I had not addressed IPv6.

Oh, and in the NAT outbound rule I only included the single iPhone IP, not the whole LAN network.
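To make the rule-ordering point from post #6 and the IPv6 leak mentioned above concrete, here is a small first-match rule simulator written for this thread. It is not OPNsense code and not something any poster supplied; the gateway labels "WG_GW"/"WAN_GW", the rule names, and the IPv6 prefix 2001:db8:1::/64 are made-up assumptions (only the host 192.168.2.102 comes from the thread). It models three things at once: the "source = single IP, destination = !LAN net, gateway = WG" rule sitting above the stock "allow LAN net to any" rule, what happens when those two are swapped, and why an IPv6 address from the same phone still leaves via the normal WAN gateway when only an IPv4 rule exists.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addressing for the example (assumptions, not from the thread,
# except for the single host 192.168.2.102 used in the thread's rules).
LAN4 = ipaddress.ip_network("192.168.2.0/24")
LAN6 = ipaddress.ip_network("2001:db8:1::/64")   # hypothetical IPv6 LAN prefix
PHONE4 = "192.168.2.102"                         # the one host to send through the tunnel
PHONE6 = "2001:db8:1::102"                       # hypothetical IPv6 address of the same phone


@dataclass
class Rule:
    name: str
    source: str              # source network, CIDR notation
    not_dest: Optional[str]  # "destination is NOT in this network"; None means any destination
    gateway: str             # "WG_GW", "WAN_GW", or "default" (= use the system routing table)


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Return the first rule that matches the packet.

    OPNsense firewall rules are 'quick' by default, so the first matching rule
    wins; a rule for one host must therefore sit above the generic LAN rule.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for r in rules:
        if s not in ipaddress.ip_network(r.source):
            continue  # wrong source network, or wrong address family (IPv4 vs IPv6)
        if r.not_dest is not None and d in ipaddress.ip_network(r.not_dest):
            continue  # destination is on the local network, excluded by the "!LAN net" clause
        return r
    return None       # nothing matched: blocked by the implicit default deny


def select_egress(rules: List[Rule], src: str, dst: str,
                  system_default_route: str = "WAN") -> str:
    """Resolve where a packet leaves the firewall.

    system_default_route models the "disable routes" checkbox in the WireGuard
    local config: ticked, the kernel default route stays on WAN; unticked, the
    tunnel installs itself as the default route ("WG") and everything that is
    not policy-routed elsewhere ends up inside the tunnel.
    """
    r = first_match(rules, src, dst)
    if r is None:
        return "blocked"
    if r.gateway != "default":
        return r.gateway           # policy routing: forced out via the named gateway
    d = ipaddress.ip_address(dst)
    if d in LAN4 or d in LAN6:
        return "local"             # directly connected network, never leaves the firewall
    return system_default_route    # gateway "default": the kernel routing table decides


# Rule set in the order the thread recommends: single-host rule first.
RULES = [
    Rule("phone-to-wg",   f"{PHONE4}/32", str(LAN4), "WG_GW"),   # must be above the generic rule
    Rule("lan-allow-any", str(LAN4),      None,      "default"), # stock "allow LAN net to any"
    Rule("lan6-allow-any", str(LAN6),     None,      "default"), # stock IPv6 counterpart
]
SWAPPED = [RULES[1], RULES[0], RULES[2]]  # the ordering mistake: generic rule above the host rule


if __name__ == "__main__":
    cases = [
        ("phone -> internet, correct order",  RULES,   PHONE4, "1.1.1.1", "WAN"),
        ("other host -> internet",            RULES,   "192.168.2.50", "1.1.1.1", "WAN"),
        ("phone -> LAN printer",              RULES,   PHONE4, "192.168.2.1", "WAN"),
        ("phone -> internet, swapped order",  SWAPPED, PHONE4, "1.1.1.1", "WAN"),
        ("phone IPv6 -> internet (leak)",     RULES,   PHONE6, "2606:4700:4700::1111", "WAN"),
        ("other host, routes NOT disabled",   RULES,   "192.168.2.50", "1.1.1.1", "WG"),
    ]
    for label, rules, src, dst, default in cases:
        print(f"{label:38s} -> {select_egress(rules, src, dst, default)}")
```

Running it shows the phone's IPv4 traffic leaving via WG_GW only when its rule is listed first, the phone's IPv6 traffic quietly taking the WAN default route because no rule with an IPv6 source points at the tunnel, and, with "disable routes" unticked, every ordinary LAN host being pulled into the tunnel by the kernel default route rather than by any firewall rule.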