[SOLVED] Wireguard selective routing

Started by Nikotine, September 12, 2021, 05:00:12 PM

Hi folks,

I am reopening this topic hoping that some of you may be able to help me. I spent the last week trying to figure this out and there is something off here.

I am on OPNsense 24.7.7-amd64 and as VPN provider I am using Surfshark.
I'll post here a short description of my setup:
I am trying to route a few hosts from the LAN network named VPN_VLAN10 (172.16.20.1/29) via Surfshark WireGuard.

Step 1:
I created the wireguard setup:
wg2 is the device under Instances. As in the following attachment, it looks connected, however it never receives any traffic.

Step 2:
I assigned a virtual interface to WG2 and I named Surfshark_VPN.

Step 3:
I created a new Gateway which unfortunately doesn't connect.

Step 4:
I add the NAT outbound rule
Surfshark_VPN   any   *   *   *   Interface address   *   NO   

Step 5:
I add the firewall rule on the LAN interface where I want to use this connection as gateway
IPv4 *   torrent_host_ip_lan    *   *   *   SURFSHARK_Wireguard   *

Now, from the host specified at step 5 I cannot ping anywhere, not even 172.16.20.1, which is the gateway for the VPN_VLAN10 LAN network.
There is something I am completely missing, but I simply can't see it. On one hand the WireGuard gateway is not connecting; on the other, when I activate the routing via the SURFSHARK_Wireguard gateway rule on the LAN interface, I can't reach the LAN gateway anymore.

Any suggestion at this point is highly appreciated.

Thank you
DEC750 Deciso

Quote from: nikkon on October 27, 2024, 01:02:00 AM
Step 1:
I created the wireguard setup:
wg2 is the device under Instances. As in the following attachment, it looks connected, however it never receives any traffic.
I can't see your attachment.

Just realized they haven't gone through as the size is too big. Let me redo it.
DEC750 Deciso


Your rules etc. don't look too good... But that is not important if you have no handshake to begin with. Set up keep alive in the WireGuard config of 25 seconds and see if you get one. If not, your WireGuard config is your (first) problem. Show more of that.

I've switched from WireGuard to OpenVPN. I'll fix the WireGuard config later. However, the same config file works on desktop - something to check out for me.
Next, I've changed the interface from wg2 to openvpn1.
What have you noticed in the rules? I can't figure out the mistakes ☹️
Thank you
DEC750 Deciso

Let's stick with WireGuard. It is not a good idea to change stuff randomly, you won't learn anything. Just trial and error is no strategy for configuring a firewall imho.

You're right as well.
Wireguard is back.

wg2 seems connected but 0 traffic

https://ibb.co/2FPm6xM
DEC750 Deciso

Quote from: nikkon on October 27, 2024, 02:59:47 PM
wg2 seems connected but 0 traffic
It is not connected because there is no handshake. Let's have a look at your WG-config on OPNsense.

This is how it looks now:

root@yoda:/usr/local/etc/wireguard # cat wg2.conf
####################################################
# Interface settings, not used by `wg`             #
# Only used for reference and detection of changes #
# in the configuration                             #
####################################################
# Address =  10.14.0.2/16
# DNS =
# MTU =
# disableroutes = 1
# gateway =

[Interface]
PrivateKey = kMfvy7/6Ec4d73ERKJ90MqUkMug9Kh********
ListenPort = 51820

[Peer]
# friendly_name = WireGuard_tbs
PublicKey = L79E4IoaVZBXOyoMM82TvUIbiKlloR*******
Endpoint = ge-tbs.prod.surfshark.com:51820
AllowedIPs = 0.0.0.0/0
DEC750 Deciso

October 27, 2024, 03:57:30 PM #40 Last Edit: October 27, 2024, 04:00:36 PM by Bob.Dig
Quote from: nikkon on October 27, 2024, 03:50:23 PM
this is how it looks like now:
Ok, now have you uploaded your EDIT: public key to surfshark or got your private key from them? This is mandatory. Also have you enabled keep alive...

October 27, 2024, 04:00:03 PM #41 Last Edit: October 27, 2024, 04:03:47 PM by nikkon
The private key needs to be generated on the Surfshark portal - so I did.
As in this: https://zone13.io/opnsense-surfshark-selective-traffic-routing-using-wireguard-2/
they don't specify the need for a keep alive value but I'll add 20s.
---
3 min later: I get traffic only for send. Nothing received still.

interface: wg2
  public key: OcSv/oo0elDtDPmGQ+5zVr0jUWUSUBfS7*********
  private key: (hidden)
  listening port: 51820

peer: L79E4IoaVZBXOyoMM82TvUIbiKlloRb*********
  endpoint: 83.97.115.18:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 3.32 KiB sent
  persistent keepalive: every 20 seconds
DEC750 Deciso

Quote from: nikkon on October 27, 2024, 04:00:03 PM
they don't specify the need for a keep alive value but I'll add 20s.
See my edit above, also check for a handshake on the WireGuard Status screen.

October 27, 2024, 04:28:42 PM #43 Last Edit: October 27, 2024, 04:41:04 PM by nikkon
You were right! The connection was broken. Now it works.
interface: wg2
  public key: IiTLluo4hmsCYRq9Ln25Dj7sXn0zq9Ik********
  private key: (hidden)
  listening port: 51820

peer: L79E4IoaVZBXOyoMM82TvUIbiKlloRbUn********
  endpoint: 83.97.115.18:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 34 seconds ago
  transfer: 184 B received, 680 B sent
  persistent keepalive: every 20 seconds

Step 1 done.
Now let's see the rules.

1. I have no rules for the virtual interface mapping wg2.
2. The LAN interface where I plan to use this as gateway has the following rule:
https://ibb.co/4JdGFHT
3. NAT outbound
https://ibb.co/Px5sskg

One interesting situation is this: when I add SURFSHARK_Wireguard as gateway for a specific host in the VLAN10 LAN, if I ping the VLAN10 gateway from the host itself, I can't get to it.

DEC750 Deciso
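The diagnostic Bob.Dig walked nikkon through above (a peer showing "0 B received" and no "latest handshake" line is not up, whatever the instance page says) can be scripted. This is an added example, not code from the thread or from OPNsense; it parses `wg show` output and flags the two symptoms, using constructed sample text modelled on the outputs quoted above with the keys replaced by placeholders.

```python
# Constructed sample modelled on the `wg show wg2` output quoted in the thread
# before the fix; keys are redacted placeholders, not real values.
BEFORE = """interface: wg2
  public key: <redacted-interface-pubkey>
  private key: (hidden)
  listening port: 51820

peer: <redacted-peer-pubkey>
  endpoint: 83.97.115.18:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 3.32 KiB sent
  persistent keepalive: every 20 seconds
"""

# Same peer after the handshake succeeded (values as quoted in the thread).
AFTER = BEFORE.replace(
    "  transfer: 0 B received, 3.32 KiB sent",
    "  latest handshake: 1 minute, 34 seconds ago\n  transfer: 184 B received, 680 B sent",
)


def parse_wg_show(text):
    """Parse `wg show <iface>` text into {'interface': {...}, 'peers': [{...}, ...]}."""
    result = {"interface": {}, "peers": []}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("interface:"):          # unindented section header
            current = result["interface"]
            current["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("peer:"):             # one block per peer
            current = {"public key": line.split(":", 1)[1].strip()}
            result["peers"].append(current)
        elif current is not None and ":" in line:  # indented "key: value" lines
            key, value = line.strip().split(":", 1)  # split once: endpoint keeps its port
            current[key.strip()] = value.strip()
    return result


def diagnose_peer(peer):
    """Return findings for one peer; an empty list means the tunnel is up."""
    findings = []
    if "latest handshake" not in peer:
        findings.append("no handshake: check that the key pair registered with the "
                        "provider matches, plus endpoint and keepalive")
    if peer.get("transfer", "").startswith("0 B received"):
        findings.append("0 B received: traffic leaves but the peer never answers")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose_peer(parse_wg_show(text)["peers"][0]) or "tunnel up")
```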

October 27, 2024, 04:49:42 PM #44 Last Edit: October 27, 2024, 05:30:16 PM by nikkon
I got the rule fixed. Thanks Bob.Dig,
you helped me fix this.

My VLAN10 rule was wrong.
DEC750 Deciso