Wireguard Gateway

[iwex]

Hi guys. I want to use wireguard gateway to redirect traffic using firewall rules and aliases. How should I create a new Gateway for wireguard? Maybe I forgot to add something to firewall?
Here is my settings:
Server:

Code: [Select]

[Interface]
Address = 10.8.0.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = XXX

[Peer]
PublicKey =XXX
AllowedIPs = 10.8.0.2/32


[mimugmail]

Why do you use iptables rules? Is OPN the server or the client?

[iwex]

I have wireguard server on VPS, found these iptables rules in some guides. If I connect to this server from my own PC - ping to 10.8.0.1 is working, and all my traffic go through wireguard.

[mimugmail]

You only need an assigned gateway if OPNsense is configured as client.
Just follow this guide:

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

[iwex]

I saw that guide but, but it doesn't help. That guide is a bit old because gateway IP "dynamic" is not working

[mimugmail]

Again, you don't need a gateway, just dont go through this step

[iwex]

I need a gateway to specify it in Firewall Rules https://i.imgur.com/0jOzNit.png

[mimugmail]

I don't get it, when OPN is your server, why to you need routing rules? This doesn't make sense ..

[iwex]

No, OPNsense is client. I have a server on some VPS

[mimugmail]

Then you need to set "Disable Routes" in local instance, hit advanced and put in the gateway field the IP address of your VPS service. Then you can assign a gateway and add policy routes

[iwex]

Wow, thank you! I didn't see Advances button 

[mimugmail]

I had to hide it because the chances are high everyone puts in some value there without reason

[Voodoo]

@mimugmail im having the same issue with wireguard and cant get it solved. I hope you have some time and can take a look at my config.

Im trying to route a single host of my lan (192.168.1.170) over a wireguard vpn.

I've setup the wireguard connection, opnsense as client, added outbound nat and a gateway redirect for local client, created firewall pass rules.

Everything seems fine as i can ping the wireguard gateway from my local lan client. So nat and gateway redirect are working.

But any other request to public wan does not route over the gateway. Only when i set allowed ip's to 0.0.0.0/0, but then everything is routed over the gateway not just the single host.

WG Gateway: 10.127.127.1/24
OpnSense WG Client: 10.127.127.2/24
Local Client: 192.168.1.170/24 ( should route over WG Gateway )

Ping from 192.168.1.170 -> 10.127.127.1 works (nat translation from 192.168.1.170 to 10.127.127.2)
ping from 192.168.1.170 -> 1.1.1.1 public wan is stuck, wireguard gateway does not receive any package

Its seems like im missing something with the wireguard configuration.

Every interface has a pass any rule for testing.

Please advise.

https://i.imgur.com/V26UTDK.png

[mimugmail]

You have to disable adding routes, assign interface, add gateway, do pbr for single client. Just search the forum, plenty of questions asked and asnwered

[Voodoo]

Thats exactly what i did, can be seen in the screenshots.

I will try to continue searching other threads..