
Permitting a host to use two different WireGuard tunnels


Koloa:
Hi,

I have several WG interfaces defined on my OPNsense box.  One (wg1) is for Mullvad VPN, with 0.0.0.0/0 as the AllowedIPs.

On another WG interface (wg2), I have a series of IP addresses or networks (100+) defined as the Allowed IPs.

I would like a specific host on my LAN to be able to use either, depending upon what the destination is.

In other words:  If the destination network IP address is one of the AllowedIPs on wg2, send the traffic to that WG gateway.  If it is NOT one of those IPs, then, use the Mullvad VPN on wg1.

I can get either situation to work separately, but, not both simultaneously.

So, if I put the host in the Alias for the wg2 network, and only in that Alias, traffic will go out wg2 for those AllowedIPs, and out my WAN for anything else.  If I put it in the wg1 permitted alias, it goes out Mullvad just fine, but, can't reach any of the hosts in the AllowedIPs for wg2.

I've followed the guide at: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

And that's helped considerably, but, I'm missing something in creating the Firewall rules (probably) that would permit this.  I may also be mucking up the destination network definition of RFC1918 addresses as per that guide.

I have included ONLY my LAN IP network in that definition, as some of the IP addresses that are behind wg2 are in other RFC1918 space, so it seemed unwise to include those.  I also wasn't sure if I should include local WireGuard IP addresses or networks in this excluded RFC1918 alias definition.

My reading of the point of Step 8 was to "permit inbound traffic to the LAN interface from the hosts in the defined alias and NOT intended for the local RFC1918 used networks to go out through the defined WireGuard gateway".

I'm probably just getting a bit blind to the Interface and Floating rules, NAT outbound rules, and Aliases, to make this all work, but, would appreciate any insight into the best way to accomplish my goal.

Thank you!

Bob.Dig:
You create rules one by one, top to bottom, first match wins. Make screenshots of your rules and explain your problem by an example with it.

Koloa:
Thanks for the reminder, Bob.Dig - it was actually enough to help me solve this by thinking about the problem differently.

I was trying to solve it using only the tips in the Guide for selective routing on WireGuard/Mullvad, and, as you rightfully point out, simply looking at my problem as a "rules" problem helped.

So, the solution, for anyone who looks into this in the future, was for me to create an Alias for Networks which represented the networks in my wg2 AllowedIPs.  Sadly, this does mean that if I change the IPs I have to change them in two places, but, that's not a common scenario.

Once the Alias existed, I made a new Firewall -> Rules -> LAN rule which permitted with a Quick Pass on In traffic from the "permitted" Alias to reach the new NetworkAlias which represents the AllowedIPs from the wg2.

As this rule is high enough in the list, it's matched first, and traffic goes out wg2 as needed.

For anything else, the rules processing proceeds to the wg1 interface for Mullvad, and everything works as I wanted.

Next up - load balancing across two simultaneous WireGuard links to Mullvad!
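The first post's symptom (hosts behind wg2 unreachable once the Mullvad catch-all is in place) and the fix above (a more specific wg2 rule placed above the catch-all) both come down to top-to-bottom, first-match-wins rule evaluation. The following is an added example, not code from the thread or from OPNsense: a small Python model of three LAN pass rules with policy-routing gateways. The alias names, gateway names and every IP address in it are constructed for the example and are not the poster's real values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed aliases (hypothetical addresses). The names mirror the three
# aliases the post describes: the permitted LAN hosts, local RFC1918 space,
# and the networks configured as AllowedIPs on wg2.
ALIASES = {
    "Permitted_Hosts": ["192.168.1.50/32"],
    "Local_RFC1918": ["192.168.1.0/24"],
    "WG2_AllowedIPs": ["10.20.0.0/16", "203.0.113.0/24", "198.51.100.7/32"],
    "Any": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    """One 'quick' pass rule on the LAN interface (quick is OPNsense's
    default for interface rules, so the first matching rule decides)."""
    name: str
    src_alias: str
    dst_alias: str
    gateway: str              # "default" = system routing table (WAN)
    invert_dst: bool = False  # models the 'destination / invert' checkbox


def in_alias(ip: str, alias: str) -> bool:
    """True if ip falls inside any network of the named alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


def matches(rule: Rule, src: str, dst: str) -> bool:
    """Source must be in the source alias; destination match may be inverted."""
    if not in_alias(src, rule.src_alias):
        return False
    dst_hit = in_alias(dst, rule.dst_alias)
    return (not dst_hit) if rule.invert_dst else dst_hit


def pick_gateway(src: str, dst: str, rules: List[Rule]) -> Tuple[Optional[str], Optional[str]]:
    """Evaluate rules top to bottom and return (rule name, gateway) of the
    first match. (None, None) means nothing matched, i.e. the packet falls
    through to whatever rules follow (here: none, so the implicit deny)."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule.name, rule.gateway
    return None, None


# Working order as described in the post: local networks first, then the
# wg2 AllowedIPs rule, and only then the Mullvad catch-all.
WORKING_RULES = [
    Rule("local RFC1918 via default route", "Permitted_Hosts", "Local_RFC1918", "default"),
    Rule("wg2 AllowedIPs via wg2 gateway", "Permitted_Hosts", "WG2_AllowedIPs", "WG2_GW"),
    Rule("everything else via Mullvad wg1", "Permitted_Hosts", "Any", "WG1_GW"),
]

# Same rules with the catch-all placed above the wg2 rule: the 0.0.0.0/0
# destination shadows the wg2 networks, which is the "can't reach any of the
# hosts behind wg2" symptom from the first post.
SHADOWED_RULES = [WORKING_RULES[0], WORKING_RULES[2], WORKING_RULES[1]]

if __name__ == "__main__":
    for dst in ("192.168.1.20", "10.20.5.9", "192.0.2.10"):
        print(dst, "->", pick_gateway("192.168.1.50", dst, WORKING_RULES))
    print("shadowed order, 10.20.5.9 ->",
          pick_gateway("192.168.1.50", "10.20.5.9", SHADOWED_RULES))
```

Running it shows the local host reaching 192.168.1.20 over the default route, 10.20.5.9 leaving via the wg2 gateway, and 192.0.2.10 leaving via wg1; with the catch-all moved up, 10.20.5.9 is sent to wg1 instead, which is exactly why the rule order matters more than the WireGuard AllowedIPs lists themselves.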

Koloa:

> Quote from: Koloa on September 24, 2022, 06:58:09 am
> Next up - load balancing across two simultaneous WireGuard links to Mullvad!

Mission accomplished.

I may write up a Tutorial on this, if there is interest.

I have now configured my OPNsense device to have two different VPN links running, with full load balancing between them. 

In my case I'm using Mullvad, but, I'll likely throw in another VPN provider I use.

It was relatively simple to sort out, once I wrapped my head around both the Multi-WAN and Multi-VPN concepts (NAT, routing rules, gateways).

kraftnix:
Hey,

I am trying to wrap my head around Multi-WAN + Wireguard and I can't seem to get it quite right.

Would you mind elaborating on how you got it working?
