Nat on wireguard gateway

Started by FredFresh, February 09, 2026, 06:31:05 PM

The guide about the road warrior WireGuard connection explains how to set the outbound NAT rule. My question is: if I route the connections through the WireGuard gateway, giving it a higher priority than WAN and setting it as "possible default gateway", do I still need the NAT outbound rule?

Is the NAT outbound rule by default enabled only on the WAN gateway?

Quote from: FredFresh on February 09, 2026, 06:31:05 PM: The guide about the road warrior WireGuard connection explains how to set the outbound NAT rule. My question is: if I route the connections through the WireGuard gateway, giving it a higher priority than WAN and setting it as "possible default gateway", do I still need the NAT outbound rule?
I'm wondering, which route you're talking about.
Since you mentioned a road warrior WireGuard, you might route the whole upstream traffic from the clients over the VPN. But these routes are only defined on the client side. So the route priority might just ensure that upstream traffic is routed to the VPN server.

If so, yes, you need an outbound NAT rule for translating the source IP in upstream packets from VPN clients into the WAN address.

Quote from: FredFresh on February 09, 2026, 06:31:05 PM: Is the NAT outbound rule by default enabled only on the WAN gateway?
Yes, but it only NATs upstream traffic from local subnets, not from VPN subnets.

So you have to enable the hybrid mode and add a rule to WAN for the source of the VPN subnet and specify the WAN address as translation.

I have a setup that is based on road warrior but it is different: I do not use a specific firewall rule to route designated clients to WireGuard, but I activate "Allow default gateway switching" and "Upstream Gateway" in each WireGuard gateway.
This way each WireGuard gateway should be equivalent to a WAN and I can route the traffic (both of the clients and of the firewall, i.e. Unbound DNS) just by setting the priority level.
Using the gateway dpinger, in case a gateway is marked as down, you automatically switch to the next one.

I hope this better clarifies my setup.

My question also comes from the fact that here https://docs.opnsense.org/manual/how-tos/wireguard-client.html it is reported:

Step 4(a) - Assign an interface to WireGuard (recommended)

Hint

This step is not strictly necessary in any circumstances for a road warrior setup. However, it is useful to implement, for several reasons:

First, it generates an alias for the tunnel subnet(s) that can be used in firewall rules. Otherwise you will need to define your own alias or at least manually specify the subnet(s)

Second, it automatically adds an IPv4 outbound NAT rule, which will allow the tunnel to access IPv4 IPs outside of the local network (if that is desired), without needing to manually add a rule

Finally, it allows separation of the firewall rules of each WireGuard instance (each wgX device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates. This is more an organisational aesthetic, rather than an issue of substance

From this, it seems that the NAT outbound rule is created automatically.
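Whichever way the rule ends up in the configuration (the manual hybrid rule described in the reply above, or the one the docs say is generated when an interface is assigned to the wgX device), the check that settles the question is to look at what pf actually loaded. The following is an added example, not code from the thread or from OPNsense: it parses the output of `pfctl -sn` (run on the firewall itself, as root) and reports which outbound NAT rules on the WAN interface cover the tunnel subnet. The interface name `em0`, the subnets and the sample output are constructed for illustration; an OPNsense box will print its own interface names and addresses.

```python
import ipaddress
import re

# Constructed sample of what `pfctl -sn` prints on a FreeBSD/pf firewall such as
# OPNsense. The interface name, subnets and the presence of a rule for the
# WireGuard subnet 10.10.10.0/24 are assumptions for this example, not captured
# output from a real system.
SAMPLE_PFCTL_SN = """\
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0) port 1024:65535
nat on em0 inet from 10.10.10.0/24 to any -> (em0:0) port 1024:65535
nat on em0 inet from 127.0.0.0/8 to any -> (em0:0) port 1024:65535
"""

# One `nat on <iface> [inet|inet6] from <src> to <dst> -> <translation>` line.
NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+)\s+(?:inet6?\s+)?"
    r"from (?P<src>\S+) to (?P<dst>\S+) -> (?P<trans>\S+)"
)


def parse_nat_rules(text):
    """Return a dict per `nat on` line found in pfctl -sn output."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def _source_covers(src, network):
    """True if the rule's source field matches every address in `network`."""
    if src == "any":
        return True
    try:
        rule_net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        # A table/alias name such as <some_alias> cannot be resolved offline;
        # treat it as not covering rather than guessing.
        return False
    return network.version == rule_net.version and network.subnet_of(rule_net)


def nat_rules_covering(text, wan_iface, tunnel_subnet):
    """NAT rules on `wan_iface` whose source covers the whole tunnel subnet."""
    net = ipaddress.ip_network(tunnel_subnet, strict=False)
    return [
        r for r in parse_nat_rules(text)
        if r["iface"] == wan_iface and _source_covers(r["src"], net)
    ]


if __name__ == "__main__":
    # On the firewall: pfctl -sn | python3 check_nat.py  (read stdin instead
    # of the sample). Here the constructed sample is used so it runs offline.
    hits = nat_rules_covering(SAMPLE_PFCTL_SN, "em0", "10.10.10.0/24")
    if hits:
        for r in hits:
            print(f"covered: from {r['src']} on {r['iface']} -> {r['trans']}")
    else:
        print("no outbound NAT rule on em0 covers 10.10.10.0/24")
```

If the tunnel subnet is not covered, VPN clients leave the firewall with their 10.10.10.x source address and replies never come back, regardless of which gateway the policy routing picks; that is the symptom the hybrid rule in the reply above fixes. A rule whose source shows up as an alias name rather than a CIDR will be reported as not covering; resolve the alias in the GUI before drawing a conclusion from that.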