wireguard tunnel flooding all networks

[derpingit]

hi guys, i've been trying to get PBR working on my opnsense box but i'm having some trouble; i've followed several guides, including the opn documentation (step by step), and others, but i have been unable to complete my project; my main objective is to have a wifi vlan where all traffic gets routed to my vpn provider (torguard).

I've completed the following steps (in no particular order)


installed wireguard plugin
configured local and endpoint information
assigned an interface  to wg0
created a new gateway utilizing the wg0 interface
created outbound NAT rule
created rules for the interface where the tunnel lands

with that said, when i enable wireguard, the traffic for my entire network drops; my noob assesment is that the traffic is flooding all interfaces. i will leave a few screenshots if it helps.

thank you for halp.

[derpingit]

one more attachment. please note that the "gateway" configuration slide has "guest" under interface, but that's only because once i disable wireguard, the gateway i created is no longer available. i am having to disable wireguard to get internet connectivity on my main network.

[Greelan]

You need to disable routes for selective routing - as the docs indicate. Also you have put your fw rules on the wrong interface - assuming “VPN” is not the wifi vlan interface

Suggest you work through the selective routing how-to again

[derpingit]

hi greelan thank you very much for your reply. i have recreated the local and endpoints multiple times thinking the wireguard tunnel is what's messing me up. good catch on the "selective routing check" :| .. that's what i get for staring at this for so long. as for the rules? VPN is the interface that corresponds to the vlan i set up for this purpose. after checking said box, my lan network keeps working (yeeeeeeeeeei) .. however, i am unable to stablish any kind of connection within the tunnel. doing a traceroute only gives me 1 hop, and that is, my router.
thank you for your time.

[Greelan]

Your Tunnel Address should be a /32 on the Local config

Also try stopping WG, then starting it again

Quite possibly your block rule stopping VPN net from accessing the router is causing an issue

[derpingit]

hi and thanks again.

the config file i got from my vpn is as follow (minus keys) so i used 10.13.0.61/24 . i should mention this VPN interface is on 192.168.4.1/24 and DHCP is on .. does that matter?
thanks in advance.,

# TorGuard WireGuard Config
[Interface]
PrivateKey = secret
ListenPort = 51820
DNS = 1.1.1.1
Address = 10.13.0.61/24

[Peer]
PublicKey = secret
AllowedIPs = 0.0.0.0/0
Endpoint = 96.47.239.26:1443
PersistentKeepalive = 25

[Greelan]

Try it with the /32

No, no issue with the VPN net being different - it should be

Double check the keys you have configured. The private key in the interface config should go into the local config on OPNsense (leave public key empty), and  the public key in the peer config should go into the endpoint config on OPNsense. As an aside, it’s not great from a security perspective that torguard supplies your local private key, but anyways…