WireGuard Site to Site | Alternative Internet Access

Started by SkeelKat, June 13, 2024, 01:29:19 PM

I have successfully created a Site-to-Site WireGuard VPN between two sites.

Site A
LAN: 172.16.1.0/24
WG: 10.2.2.1/24
Interface Assigned Manually and Allow IPV4* Rule Added


Site B
LAN: 192.168.200.0/24
WG: 10.2.2.2/24

Interface Assigned Manually and Allow IPV4* Rule Added
Added Gateway: 10.2.2.1/24

I can route flawlessly between A & B without any issues, but I have one host on Site B that must use the default WAN gateway of Site A to connect to the Internet (because of the public IP it needs to present outbound)

I created a rule to force use the Gateway Created on Site B to route over to 10.2.2.1 on Site A, but I cannot get Site A to forward that traffic via its WAN gateway. I just get Destination Host Unreachable.

How can I allow the traffic originating from the single host on Site B to pass to the gateway of Site A?

Any help would be appreciated.


Did you

  • create the allowed IPs with 0.0.0.0/0?
  • enable NAT for WireGuard?
  • If not, create outbound NAT rules for Site B on Site A?


June 13, 2024, 02:30:30 PM #2 Last Edit: June 13, 2024, 02:50:33 PM by SkeelKat
Hi Bob,

created the allowed IPs with 0.0.0.0/0?
I did add this in the peer configuration; however, this pushes a route in OPNsense that forces all traffic over WireGuard from all clients in the LAN. I just need this for one client machine.

enabled NAT for WireGuard?
Outbound NAT rules were set up on both sides, yes. This is needed for my "Road Warriors" using another WG instance.

When doing a ping from a client in Site B and running a packet capture, I can see the client 192.168.200.220 sending the ICMP request to 10.2.2.2, then to 10.2.2.1, and 10.2.2.1 immediately replies with unreachable. So the issue is somewhere in 10.2.2.1 not passing the traffic to the WAN on Site A.
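As an added illustration (not from this thread, OPNsense or WireGuard itself), the Python below models the two checks Bob's list implies: WireGuard uses AllowedIPs both to choose which peer a destination is encrypted towards and to decide whether a decrypted packet's source address is accepted, and Site A then still needs an outbound NAT rule on WAN that covers the Site B source. The peer AllowedIPs and NAT entries are assumed sample values; only the host 192.168.200.220 and tunnel addresses come from the thread.

```python
import ipaddress

# Added example modelling WireGuard's cryptokey routing (AllowedIPs) and the
# outbound NAT check from the thread. Host 192.168.200.220 and the tunnel
# addresses come from the thread; the AllowedIPs and NAT entries are assumed.

def select_peer(peers, dst):
    """Outbound: the peer whose AllowedIPs holds the longest prefix matching
    dst. Without 0.0.0.0/0 (or a matching prefix) Site B never encrypts the
    packet towards Site A, whatever the firewall's policy routing says."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, allowed in peers.items():
        for net in map(ipaddress.ip_network, allowed):
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def accepts_inbound(allowed, src):
    """Inbound: after decryption the packet is dropped unless its source lies
    in the sending peer's AllowedIPs. Site A must list 192.168.200.0/24 (or
    the single host) for the Site B peer, independent of any kernel route."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(n) for n in allowed)

def nat_covers(nat_sources, src):
    """Does an outbound NAT rule on Site A's WAN translate this source?
    Site A must translate the remote LAN's addresses, not only its own."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(n) for n in nat_sources)

def trace_to_internet(site_b_peers, site_a_allowed, site_a_wan_nat, src, dst):
    """Walk host -> tunnel -> Site A -> WAN; return the first failing step,
    or None when every hop would pass."""
    if select_peer(site_b_peers, dst) != "siteA":
        return "Site B does not route this destination into the Site A tunnel"
    if not accepts_inbound(site_a_allowed, src):
        return "Site A drops the packet: source missing from the peer's AllowedIPs"
    if not nat_covers(site_a_wan_nat, src):
        return "Site A has no outbound NAT rule on WAN for this source"
    return None

# Constructed sample settings for the thread's topology.
SITE_B_PEERS = {"siteA": ["10.2.2.0/24", "172.16.1.0/24", "0.0.0.0/0"]}
SITE_A_ALLOWED_FOR_B = ["10.2.2.2/32", "192.168.200.0/24"]
SITE_A_WAN_NAT = ["172.16.1.0/24", "192.168.200.0/24"]

if __name__ == "__main__":
    print(trace_to_internet(SITE_B_PEERS, SITE_A_ALLOWED_FOR_B, SITE_A_WAN_NAT,
                            "192.168.200.220", "8.8.8.8"))
```

Dropping 192.168.200.0/24 from Site A's peer entry or from its WAN NAT reproduces the two most common reasons the ping from 192.168.200.220 never reaches the Internet.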