Route traffic from Site A to Site B through WG Tunnel out WAN Site B

Started by MPGxxxLegend, September 08, 2024, 11:09:26 PM

I would like to route the data traffic as shown in the network diagram. Device X (debian_test_vm) should use the red path through the WG tunnel to the WAN of site B.
I have uploaded the necessary pictures here: https://imgur.com/a/lqIS3ur.
I have set up all the necessary rules, but I think the WAN at site B is not working, as I found out while troubleshooting.

What is working so far is the tunnel itself. I can ping device Y from device X, as I can see in the live log view.

Another thing I see, though I am not sure whether it is a misunderstanding on my part: shouldn't the WG tunnel gateway 10.250.0.2 show up here?
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1  10.20.10.1 (10.20.10.1)  0.746 ms  0.703 ms  0.678 ms
2  10.20.10.1 (10.20.10.1)  0.626 ms !H  0.620 ms !H  0.572 ms !H


traceroute to site B device
traceroute to 10.42.0.10 (10.42.0.10), 30 hops max, 60 byte packets
1  10.20.10.1 (10.20.10.1)  0.589 ms  0.559 ms  0.535 ms
2  10.250.0.2 (10.250.0.2)  10.999 ms  10.972 ms  10.946 ms
3  10.42.0.10 (10.42.0.10)  10.924 ms  10.871 ms  10.816 ms


Also, the packet capture does not show any traffic on the WG tunnel going to non-local IP addresses; for example, a ping to 1.1.1.1 does not show up.
Interface     Timestamp                   Output
wg0 (***VPN)  2024-09-08 23:05:14.429997  length 88: 10.20.10.90 > 10.42.0.10: ICMP echo request, id 9067, seq 1, length 64
wg0 (***VPN)  2024-09-08 23:05:14.430216  length 88: 10.42.0.10 > 10.20.10.90: ICMP echo reply, id 9067, seq 1, length 64
wg0 (***VPN)  2024-09-08 23:05:15.431483  length 88: 10.20.10.90 > 10.42.0.10: ICMP echo request, id 9067, seq 2, length 64
wg0 (***VPN)  2024-09-08 23:05:15.431676  length 88: 10.42.0.10 > 10.20.10.90: ICMP echo reply, id 9067, seq 2, length 64


Any other troubleshooting tips?


This could be my solution:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
The specific non-local traffic gets routed through the tunnel and translated to the WAN of site B. I tried a ping to 1.1.1.1; the live log shows the NAT rule is working, but I think it's not possible to get a reply from 1.1.1.1 because of the outbound NAT? Now the request is not from 10.20.10.90 but from the public WAN IP?
Do I need to translate it back to the WG Tunnel?

I am in the same boat as you with this configuration, except I want to route all Internet traffic via the opposite site.
Site A --> WireGuard VPN --> Site B WAN and Site B --> WireGuard VPN --> Site A WAN. My WG tunnel works and I can reach local hosts on both sides. However, I was unable to route traffic to the Internet. I have tried many different configurations, and nothing seems to work yet.

Anyway, please post an update if you find a way to get this working.

I was able to figure this out and I have it all working. The wireguard-selective-routing document linked in your post above has all the ingredients.

You need to enable a GW on Site B under "WireGuard instance" --> advanced mode --> select "disable routes" and input an IP address for your GW. This could be any available IP from your tunnel subnet (see step 2).

On site A, create a new GW (use the IP assigned on Site B). You need a few FW rules and NAT etc. Pretty much all the steps from this guide apply to site A. You can skip step 2 on site A, as this would only apply to site B (uni-directional) in your example. Step 9, configure routing, is also not required.
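To make the logic behind these steps concrete, here is an added example (not from this thread or from the OPNsense documentation) that models in Python the two things the selective-routing setup depends on: WireGuard's cryptokey routing table (a destination can only be encrypted to a peer whose AllowedIPs covers it, and a decrypted packet is only accepted if its source lies in that peer's AllowedIPs) and the stateful outbound NAT on Site B's WAN, which reverses the translation for the reply. It uses the addresses from the thread (10.20.10.90, 10.250.0.2, 10.42.0.10, 1.1.1.1); 10.250.0.1 as Site A's tunnel address, 203.0.113.10 as Site B's public address, and the "host unreachable" result when no peer matches (the behaviour of the Linux implementation) are assumptions of the model, not facts from the thread.

```python
"""Toy model of WireGuard cryptokey routing plus stateful outbound NAT for the
Site A -> WG tunnel -> Site B WAN path. Model for reasoning, not wg kernel code.
Thread addresses: 10.20.10.90 (debian_test_vm), 10.250.0.2 (Site B tunnel
address), 10.42.0.10 (Site B host), 1.1.1.1 (test target).
Assumed, not from the thread: 10.250.0.1 (Site A tunnel address) and
203.0.113.10 (Site B public WAN address, TEST-NET-3 documentation range).
"""
from ipaddress import ip_address, ip_network

SITE_B_WAN_IP = "203.0.113.10"  # assumed public address
SITE_B_LOCAL = [ip_network("10.42.0.0/24"), ip_network("10.250.0.0/24")]

# Peer tables: peer name -> AllowedIPs. Site A with a plain site-to-site setup:
# only Site B's tunnel address and LAN may be sent to the siteB peer.
SITE_A_LAN_ONLY = {"siteB": ["10.250.0.2/32", "10.42.0.0/24"]}
# Site A for selective routing: 0.0.0.0/0 lets any destination be encrypted to
# siteB. This is also why the instance's routes must be disabled and a gateway
# plus policy rule used instead, otherwise a default route via wg0 is installed.
SITE_A_SELECTIVE = {"siteB": ["10.250.0.2/32", "10.42.0.0/24", "0.0.0.0/0"]}
# Site B must list Site A's LAN so packets sourced from 10.20.10.x are accepted
# on ingress and so replies can be encrypted back to the siteA peer.
SITE_B_PEERS = {"siteA": ["10.250.0.1/32", "10.20.10.0/24"]}


def select_peer(peers, dst):
    """Egress: longest-prefix match of dst over every peer's AllowedIPs.
    Returns the peer name, or None when no peer may carry the destination
    (the Linux implementation then answers the sender with host unreachable)."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in map(ip_network, nets):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers, peer, src):
    """Ingress: a decrypted packet is kept only if its source address maps to
    the peer whose key decrypted it; otherwise WireGuard drops it silently."""
    return select_peer(peers, src) == peer


class SiteB:
    """Site B firewall: stateful outbound NAT on WAN for traffic from wg0."""

    def __init__(self):
        self.nat = {}  # (translated src, flow id) -> original src

    def forward(self, src, dst, ident):
        if not accept_inbound(SITE_B_PEERS, "siteA", src):
            return ("drop", "source not in siteA AllowedIPs")
        if any(ip_address(dst) in n for n in SITE_B_LOCAL):
            return ("deliver-local", src, dst)
        self.nat[(SITE_B_WAN_IP, ident)] = src  # state used to de-NAT the reply
        return ("wan", SITE_B_WAN_IP, dst)

    def reply(self, src, dst, ident):
        """Reply arriving on WAN: restore the original source from NAT state,
        then pick the peer whose AllowedIPs covers it (no second NAT rule)."""
        orig = self.nat.get((dst, ident))
        if orig is None:
            return ("drop", "no NAT state")
        return ("tunnel", select_peer(SITE_B_PEERS, orig), src, orig)


def simulate_ping(site_a_peers, src, dst, ident=9067):
    """Walk one echo request from Site A's LAN host and return the events."""
    events = []
    peer = select_peer(site_a_peers, dst)
    if peer is None:
        events.append(f"A: no AllowedIPs match for {dst}: host unreachable")
        return events
    events.append(f"A: encrypt to {peer}")
    b = SiteB()
    out = b.forward(src, dst, ident)
    events.append("B: " + " ".join(out))
    if out[0] == "wan":
        events.append("B: " + " ".join(b.reply(dst, out[1], ident)))
    return events


if __name__ == "__main__":
    for table in (SITE_A_LAN_ONLY, SITE_A_SELECTIVE):
        for target in ("10.42.0.10", "1.1.1.1"):
            print(table["siteB"], target, simulate_ping(table, "10.20.10.90", target))
```

Running it shows the asymmetry the thread is about: with the LAN-only AllowedIPs the ping to 10.42.0.10 works but 1.1.1.1 never leaves Site A, while with 0.0.0.0/0 added the request is NATed out Site B's WAN and the reply is de-NATed from the state entry and encrypted back to the siteA peer because 10.20.10.0/24 is in that peer's AllowedIPs. Whether the firewall actually sends a given packet into wg0 is a separate routing decision (the gateway and policy rule from the guide), which this model takes as given.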