[SOLVED] Route traffic through Server and home LAN to the internet (Wireguard)

Started by Rs8ZOn2AL8, March 31, 2021, 03:44:10 PM

Hello OPNSense-Friends,

I want to create a VPN with Wireguard to secure my devices when I'm not at home. I have a server in a datacenter that I can connect to. But I don't want this to be the exit point, because it has an (easily trackable) static IP. Therefore I want to route the traffic through the server, over my home LAN and then to the internet (see scheme in attachment).

I already have the Wireguard service configured and running. I can connect my mobile phone (away from home) and my Raspberry Pi (home) to the server. I can also connect from the mobile phone to the Raspberry Pi. So the VPN is working and only the routing must now be configured.

When I set a NAT outbound rule (with the WAN address), then the mobile phone connects to the internet through the server.
But I haven't figured out how I can also route the traffic from the Wireguard net through the Raspberry Pi.

I tried many things, but mostly I thought these two options should be needed:
- Set a NAT outbound rule: NAT Address is the Raspberry Pi IP address
- Firewall rule: source Wireguard-NET, set a gateway with the Raspberry Pi IP address

I have tcpdump running on the Raspberry Pi to verify that currently the traffic is not routed to the Raspberry Pi.

Address Information:

  - Wireguard Subnet: 10.20.30.0/24
  - OPNSense:         10.20.30.1
  - Raspberry-PI:     10.20.30.5
  - Mobile Phone:     10.20.30.6


So basically I want to route this way:

10.20.30.6  ->  10.20.30.1  -> 10.20.30.5  -> Internet (0.0.0.0/0)


tl;dr I want a VPN network, where I can route the traffic to my home network to the internet (see diagram in attachment).

Thanks for any help!
Rs8ZOn2AL8

Edit: added IP address information.

How is the wireguard tunnel set up?
If you use the plugin to do the routing you should only need to set 0.0.0.0/0 as the "allowed ip" on the data center side of the config and the home config should have the datacenter subnet as "allowed ip".

One other way to do it in OPNsense is to assign the wgX to an interface and its own gateway; that way you could control it a bit better.
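The "allowed ip" advice above is WireGuard's cryptokey routing: on the OPNsense end, a packet that the firewall rule policy-routes into the wg interface is sent to whichever peer has the longest AllowedIPs prefix covering the destination, and a destination no peer covers is dropped. The lookup below is an added illustration (not the plugin's code); the peer table is constructed from the addresses in this thread and assumes the Raspberry Pi peer carries 0.0.0.0/0 so it can serve as the exit node.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    """One [Peer] section of the OPNsense-side WireGuard config."""
    name: str
    allowed_ips: list  # ipaddress.ip_network objects


def parse_allowed_ips(text):
    """Parse a comma-separated AllowedIPs value into network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in text.split(",")]


def select_peer(peers, dst):
    """Cryptokey routing: return the peer whose AllowedIPs entry is the longest
    prefix matching dst, or None when no peer covers it (WireGuard drops it)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for peer in peers:
        for net in peer.allowed_ips:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (peer, net)
    return None if best is None else best[0].name


def exit_peers(peers):
    """Names of peers that would receive default-route (0.0.0.0/0) traffic.
    Exactly one is expected for a single exit node; zero means internet-bound
    traffic entering the tunnel has nowhere to go."""
    default = ipaddress.ip_network("0.0.0.0/0")
    return [p.name for p in peers if default in p.allowed_ips]


# Constructed peer table for the OPNsense end, using the thread's addresses.
# Assumption: the Raspberry Pi peer also carries 0.0.0.0/0 (exit node role).
OPNSENSE_PEERS = [
    Peer("mobile-phone", parse_allowed_ips("10.20.30.6/32")),
    Peer("raspberry-pi", parse_allowed_ips("10.20.30.5/32, 0.0.0.0/0")),
]

if __name__ == "__main__":
    # 198.51.100.7 is a documentation address standing in for an internet host.
    for dst in ("10.20.30.6", "10.20.30.5", "198.51.100.7"):
        print(dst, "->", select_peer(OPNSENSE_PEERS, dst))
    print("exit peers:", exit_peers(OPNSENSE_PEERS))
```

Only packets the firewall rule's gateway steers into the wg interface reach this lookup; the host's own traffic keeps following the system routing table, which is why the server does not become an exit-node client itself.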


Thank you very much for your reply.

Quote: If you use the plugin to do the routing you should only need to set 0.0.0.0/0 as the "allowed ip" on the data center side of the config and the home config should have the datacenter subnet as "allowed ip".

The problem is that I only want the devices which are connected to the VPN to use the exit point.
The server (host) itself shouldn't use the Raspberry Pi (VPN) as exit node (see blue arrow in scheme).

Quote: One other way to do it in opnsense is to assign the wgX to a interface and it's own gateway, that way you could controll it a bit better.

I think I did/want that, but it doesn't work. I attached 3 images, which show the Wireguard, Interface and Gateway configuration.
Is there anything I should do differently?

On an unrelated note, you shouldn't use fc... for your ULAs, rather fd... :)

@Greelan Thanks for the ULA tip. Got my IPv6 working because of this.

And the main topic: I was able to figure it out.
I found this official tutorial: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#introduction

I'm not sure what exactly was wrong, but now it works. Many thanks! :)

Glad you found the tutorial useful (I wrote it :) )

Two points to note that may not affect your setup that I wrote about here: https://forum.opnsense.org/index.php?topic=22401.0

I've submitted an update for the howto on GitHub for the DNS issue, but that hasn't been applied to the website yet.

Thanks for the additional information! :)

I haven't set any DNS server yet. I also didn't need the NAT outbound rule; the firewall rule with a gateway configured is enough.
But my goal is also a bit different than the tutorial.