OPNsense Forum » Archive » 20.7 Legacy Series » Route a VLAN to the Internet through WireGuard tunnel
Topic: Route a VLAN to the Internet through WireGuard tunnel (Read 6994 times)
azeemk (Newbie, Posts: 3, Karma: 0)
Route a VLAN to the Internet through WireGuard tunnel
« on: November 30, 2020, 02:48:46 pm »
Hi,
A relative newbie to professional routers here. So, if this has been solved before, please point me to the correct thread or website.
I have a VLAN that I want to route through a WireGuard tunnel for Internet access i.e. 0.0.0.0/0.
The general LAN network and this VLAN are currently using the standard WAN. Each of these have their own DHCP server on the router.
The WireGuard tunnel is already set up and working (handshakes are seen in the UI). The peer has allowed IPs of the tunnel and not 0.0.0.0/0.
A WireGuard interface for this tunnel has also been created with default values.
As far as I can guess, I would need to
A) create a new gateway on the wireguard interface
B) create an outbound NAT rule for the vlan network
C) create firewall rules.
Unfortunately I don’t know what these should look like and with what values.
Any pointers on solving this are appreciated.
Regards,
Azeem
cyrus104 (Newbie, Posts: 39, Karma: 1)
Re: Route a VLAN to the Internet through WireGuard tunnel
« Reply #1 on: December 01, 2020, 03:47:13 pm »
Sounds like you are pretty much there. I've been using this for split tunneling for a while and it's working pretty well.
Settings for the Gateway:
Interface is the WG named interface that is used in Interfaces
IP Address was manually set to the internal IP address of the WireGuard server that I'm connecting to. For me it's a .1, while the address that I'm using for my router is .2, set in the VPN/WireGuard settings.
Upstream Gateway: unchecked
Far Gateway: checked
I have been using the Hybrid setting for my NAT, so I manually created a new NAT rule:
Interface name is the same as the Gateway being my WG named interface
TCP/IP: IPv4
Protocol: any
Source: any
Destination: any
Translation/target: Interface address
Firewall rule:
I made a very simple change in the VLAN that I wanted to push over WG instead of directly to the WAN. In the final rule that put everything to WAN, I changed the Gateway to the WG Gateway that I created and named in step one.
I do find that I need to restart the WG server after these settings to make sure that everything comes up as expected. Finally I check the external IP address on the machines that are on that VLAN to ensure they are all going through the WG tunnel.
Side note: I did go to and use both WG guides in docs.opnsense.org but I found them both to have issues. I did send an email with some corrections that allowed it to work for me but I haven't heard anything.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
« Last Edit: December 01, 2020, 03:48:59 pm by cyrus104 »
azeemk (Newbie, Posts: 3, Karma: 0)
Re: Route a VLAN to the Internet through WireGuard tunnel
« Reply #2 on: December 02, 2020, 05:20:50 pm »
Thank you so much. I need to digest this and try this over the weekend. I will post my experience here.
azeemk (Newbie, Posts: 3, Karma: 0)
Re: Route a VLAN to the Internet through WireGuard tunnel
« Reply #3 on: December 07, 2020, 02:52:56 pm »
Hi,
I tried to do this over the weekend and I am sorry to say it did not work. The handshakes happen. If I ping the remote IP on the tunnel, no response. The dashboard shows the tunnel gateway as offline. The VLAN network is 192.168.26.0/24 (on VLAN 26). Not clear what is wrong. Let me detail the particulars. If you can suggest something that would be great.
[VPN Wireguard Local]
Enabled = ticked
Name = Chand
Instance = 1
Public Key = something
Private Key = something
Listen Port = 61920
DNS Server = 1.1.1.1, 192.168.0.8
Tunnel Address = 10.26.0.4/24
Peer = ChandRaspberry
Disable Routes = ticked
[VPN Wireguard Endpoint]
Enabled = ticked
Name = ChandRaspberry
Public Key = something
Shared Secret = empty
Allowed IPs = 0.0.0.0/0
Endpoint Address = something
Endpoint Port = 61920
Keepalive = 27
[Gateway GW_ChandVpn]
Disabled = not ticked
Name = GW_ChandVpn
Description = empty
Interface = ChandVpn
Address Family = IPv4
IP Address = 10.26.0.1
Upstream Gateway = not ticked
Far Gateway = ticked
Disable Gateway Monitoring = not ticked
Monitor IP = empty
Mark Gateway as down = not ticked
Priority = 255
Advanced = defaults
[Interface ChandVpn]
enabled = ticked
lock = ticked
Device = wg1
Block Private Networks = not ticked
Block Bogon Networks = not ticked
IPv4 configuration type = Static IPv4
IPv6 configuration type = None
Mac Address, MTU, MSS not set
Dynamic Gateway policy = not ticked
Static IPv4 configuration = 10.26.0.4
IPv4 Upstream Gateway = GW_ChandVpn - 10.26.0.1
[Firewall NAT Outbound]
Automatic Rules are there for WAN1, ChandVpn for LAN, VLAN network, Loopback network, 127.0.0.0/8
Manual Rule
-----------
Disabled = not ticked
Do Not NAT = not ticked
Interface = ChandVpn
TCP/IP Version = IPv4
Protocol = any
Source Invert = not ticked
Source Address = any
Source Port = any
Destination Invert = not ticked
Destination Address = any
Destination Port = any
Translation Target = unset
Log = not ticked
Translation / Port = unset
Static Port = not ticked
Pool Options = Default
Remaining options not set
No Firewall Rules defined for Interface ChandVpn
Thanks.
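Added example (not from this thread or from OPNsense): a small Python checker that parses a settings dump in the layout of reply #3 and compares it with the settings reply #1 reports as working (Far Gateway ticked, Upstream Gateway unticked, gateway IP = the peer's tunnel address, outbound NAT translating to "Interface address", a VLAN pass rule with the WG gateway set). The abridged dump is copied from reply #3; the "[Firewall Rules ...]" section the last check looks for is an assumed name, since that post does not list any VLAN rule.

```python
import ipaddress
# Abridged copy of the settings posted in reply #3 (only the keys the checks read).
DUMP = """[VPN Wireguard Local]
Tunnel Address = 10.26.0.4/24
[Gateway GW_ChandVpn]
Interface = ChandVpn
IP Address = 10.26.0.1
Upstream Gateway = not ticked
Far Gateway = ticked
[Interface ChandVpn]
Static IPv4 configuration = 10.26.0.4
[Firewall NAT Outbound]
Interface = ChandVpn
Translation Target = unset
"""
def parse_dump(text):
    """'[Section]' headers with 'Key = Value' lines -> {section: {key: value}}."""
    sections, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur, sections[line[1:-1]] = line[1:-1], {}
        elif "=" in line and cur is not None:  # notes/separators have no '='
            key, _, val = line.partition("=")
            sections[cur][key.strip()] = val.strip()
    return sections

def check_policy_route(sections):
    """Compare a dump with the settings reply #1 reports as working; return findings."""
    gw_section = next(k for k in sections if k.startswith("Gateway "))
    gw, gw_name = sections[gw_section], gw_section.split(" ", 1)[1]
    iface_name = gw.get("Interface", "")
    iface = sections.get(f"Interface {iface_name}", {})
    nat = sections.get("Firewall NAT Outbound", {})
    findings = []
    if gw.get("Far Gateway") != "ticked" or gw.get("Upstream Gateway") != "not ticked":
        findings.append("gateway: Far Gateway must be ticked, Upstream Gateway unticked")
    # The gateway IP is the *peer's* address inside our tunnel subnet, not our own.
    tunnel = ipaddress.ip_interface(sections["VPN Wireguard Local"]["Tunnel Address"])
    gw_ip = ipaddress.ip_address(gw["IP Address"])
    if gw_ip not in tunnel.network or gw_ip == tunnel.ip:
        findings.append("gateway: IP Address is not a peer address in the tunnel subnet")
    if iface.get("Static IPv4 configuration") != str(tunnel.ip):
        findings.append("interface: static IPv4 differs from the WireGuard tunnel address")
    # Reply #1's outbound NAT rule on the WG interface translates to 'Interface address'.
    if nat.get("Interface") != iface_name or nat.get("Translation Target", "").lower() != "interface address":
        findings.append("nat: Translation Target on the WG interface rule should be 'Interface address'")
    # Policy routing needs a pass rule on the VLAN whose Gateway is the WG gateway (assumed section name).
    if not any(r.get("Gateway") == gw_name for k, r in sections.items() if k.startswith("Firewall Rules")):
        findings.append(f"firewall: no VLAN rule with Gateway = {gw_name} in the dump")
    return findings
```

Run on the dump above it reports two gaps relative to reply #1: the NAT rule's translation target and the missing VLAN rule pointing at GW_ChandVpn.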