Topic: Wireguard OPNSense route only one host (Read 5415 times)
trevs
Newbie
Posts: 7
Karma: 0
Wireguard OPNSense route only one host
« on: December 09, 2020, 10:26:03 pm »
I have OPNsense running as my firewall, all traffic on my network runs through it.
I've set up WireGuard in OPNsense. It's just a client though; I use Torguard as the VPN service provider. I am NOT trying to connect back into my network via WireGuard, just using WireGuard to "protect" me.
Created the NAT outbound rule, and all traffic on my LAN flows out via WireGuard - this is good of course.
However, I want to change it so only 1 IP on my network goes through WireGuard and everything else just goes out the WAN.
I'm using Hybrid in the outbound section.
Tried setting the source from LAN Net to the IP I want, but then all devices lose access to the internet.
Also tried an alias (my ultimate end goal will be routing just an alias out my WireGuard).
I've done searching, but it's a mix of people wanting to connect to their own networks via WireGuard and some only wanting the entire network routed. If someone could point me to a how-to that covers my situation, or similar, I'd really appreciate it!
« Last Edit: December 09, 2020, 10:27:58 pm by trevs »
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Wireguard OPNSense route only one host
« Reply #1 on: December 10, 2020, 02:09:45 am »
Maybe you can adapt the guides in this thread - particularly in post #29:
https://r.tapatalk.com/shareLink/topic?share_fid=197904&share_tid=15105&url=https%3A%2F%2Fforum%2Eopnsense%2Eorg%2Findex%2Ephp%3Ftopic%3D15105&share_type=t&link_source=app
« Last Edit: December 10, 2020, 02:21:13 am by Greelan »
Logged
trevs
Newbie
Posts: 7
Karma: 0
Re: Wireguard OPNSense route only one host
« Reply #2 on: December 10, 2020, 03:22:52 am »
I did find that thread and have been trying to follow it.
It's any time I get to the last 2 steps that I'm getting hung up:
Create a NAT rule on the Mullvad interface for your LAN network - This was easy enough, but makes it so ALL traffic goes out WG0.
Create a firewall rule for your LAN interface directing (selected) traffic to the Mullvad gateway (or the group in my case).
I'm not seeing why I need a gateway for WG0, or how to route to it though.
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard OPNSense route only one host
« Reply #3 on: December 10, 2020, 04:29:46 am »
Disclaimer: I haven't configured WireGuard with a commercial VPN provider at this stage (still using OpenVPN with PIA), so I don't have first-hand experience of doing this (yet).
But my gut feel is that there is something not right with your FW rules.
Have you seen this?
https://imgur.com/gallery/JBf2RF6
It gives an example of routing only 1 IP through the tunnel. I think creating the WG gateway is required so that you can do the more complicated routing.
Logged
Gauss23
Hero Member
Posts: 766
Karma: 39
Re: Wireguard OPNSense route only one host
« Reply #4 on: December 10, 2020, 07:48:02 am »
And it's important to tick "disable routes" in the WireGuard local config.
Otherwise the default GW will be the WG tunnel. You just want to use policy routing; this happens within the firewall rules. It's important that those rules are above other unspecific rules, otherwise they are not considered.
Logged
„The S in IoT stands for Security!“
trevs
Newbie
Posts: 7
Karma: 0
Re: Wireguard OPNSense route only one host
« Reply #5 on: December 10, 2020, 10:30:50 pm »
Disable routes is now allowing me to keep everything working regardless of the outbound rule. BUT now I can't get anything routed through WireGuard.
I've tried following https://imgur.com/gallery/JBf2RF6. But when I did, it just didn't work at all, it seemed. I guess I don't understand the purpose in that link of using an alias to represent the "normal" network. And then at the very end it appears anything that is NOT part of the normal network is supposed to use the regular WAN - the very last rule under the words "Optional Step"...
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Wireguard OPNSense route only one host
« Reply #6 on: December 10, 2020, 11:55:19 pm »
How I interpret those rules is:
If a packet comes into the LAN interface from the single IP 192.168.2.102 and is not destined for another IP on the local network, then allow that packet out via the WG (external) gateway.
Otherwise, if a packet comes into the LAN interface from any other IP and is not destined for another IP on the local network, then allow that packet out via the normal WAN gateway.
Which is what you are trying to achieve, correct?
Order of the rules is important.
« Last Edit: December 11, 2020, 02:18:06 am by Greelan »
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard OPNSense route only one host
« Reply #7 on: December 13, 2020, 07:11:16 am »
@trevs Did you have any luck getting this to work?
I had a go over the weekend setting up a WG tunnel with PIA, and it seemed to work. I was able to tunnel just the (IPv4) IP of my iPhone over the tunnel, and the rest of my network seemed unaffected.
I essentially followed the guide posted by Jonny on imgur, although I didn’t bother with the firewall rule to allow all other LAN clients out of the normal WAN gateway, as I figured the standard “allow LAN to any” rule would deal with that. I just had to make sure that the rule for the iPhone IP was above that standard rule.
I also didn’t try the “kill switch” settings as this was only a test run. When I eventually switch from OpenVPN to WG to PIA I will likely do that, and also deal with IPv6. In my test my IPv6 address from my iPhone was leaking out of the normal WAN gateway as I had not addressed IPv6.
Logged
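To make the first-match logic behind Reply #6 and the IPv6 leak mentioned in Reply #7 concrete, here is an added Python model of the LAN-interface policy rules; it is not from the thread or from OPNsense, and the LAN prefix 192.168.2.0/24, the IPv6 ULA prefix and the gateway names are constructed assumptions (only the host 192.168.2.102 comes from the thread).

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed topology: LAN assumed to be 192.168.2.0/24 (the thread only names
# the host 192.168.2.102); the IPv6 ULA prefix is likewise an assumption.
LAN_NET4 = ipaddress.ip_network("192.168.2.0/24")
LAN_NET6 = ipaddress.ip_network("fd00:2::/64")
TUNNELED_HOST = ipaddress.ip_network("192.168.2.102/32")


@dataclass(frozen=True)
class Rule:
    """One pass rule on the LAN interface: source network, a 'destination is
    NOT LAN net' flag, and the gateway it hands matching packets to.
    'default' stands for normal routing (the ordinary WAN gateway)."""
    name: str
    source: ipaddress.IPv4Network | ipaddress.IPv6Network
    dest_not_lan: bool
    gateway: str


def rule_matches(rule: Rule, src, dst) -> bool:
    if src.version != rule.source.version or src not in rule.source:
        return False
    local = LAN_NET4 if dst.version == 4 else LAN_NET6
    # An inverted destination keeps LAN-to-LAN traffic off the tunnel.
    if rule.dest_not_lan and dst in local:
        return False
    return True


def pick_gateway(rules: list[Rule], src: str, dst: str) -> str:
    """First matching rule wins, as with OPNsense 'quick' rules; no match
    means the packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, s, d):
            return rule.gateway
    return "blocked"


TO_WG = Rule("tunnel 192.168.2.102", TUNNELED_HOST, True, "WG_GW")
LAN_ANY4 = Rule("allow LAN to any", LAN_NET4, False, "default")
LAN_ANY6 = Rule("allow LAN6 to any", LAN_NET6, False, "default")

CORRECT_ORDER = [TO_WG, LAN_ANY4, LAN_ANY6]   # specific rule above the catch-all
WRONG_ORDER = [LAN_ANY4, TO_WG, LAN_ANY6]     # catch-all shadows the tunnel rule
```

With the wrong order the host's traffic never reaches the WG gateway, and in either order the host's IPv6 traffic still matches only the plain IPv6 allow rule and so goes out the normal WAN.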
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: Wireguard OPNSense route only one host
« Reply #8 on: December 13, 2020, 08:58:59 am »
Oh, and in the NAT outbound rule I only included the single iPhone IP, not the whole LAN network.
Logged