Topic: Route all WAN traffic over Wireguard connection (Read 1180 times)
RunnersNum45
Route all WAN traffic over Wireguard connection
on: March 13, 2024, 08:58:13 pm
I would like to route all the internet traffic from my OPNsense router over a Wireguard VPN to a VPS. I would like to do this to provide a static IP for my home network, avoid worrying about a double NAT, and to have a secure connection to the internet.
I am confused about how to configure OPNsense such that all the traffic from the LAN is routed over the VPN. I have done some setup but I am not sure if it is correct. I would appreciate any help in understanding how to configure this.
With the setup documented below I can ping the router at `10.0.0.2` from other devices on the VPN. The router has internet access and can ping the VPS at `10.0.0.1`. However devices on the LAN cannot access the internet. I suspect that this issue is with the firewall rules on the OPNsense router.
## VPS Configuration
I have a VPS running Ubuntu 20.04.4 configured as a Wireguard Peer. It has a static IP and I would like all internet facing traffic to be routed through it. It has UFW enabled and the following rules are in place.
```bash
~# ufw status
Status: active
To Action From
-- ------ ----
51820/udp ALLOW Anywhere
22/tcp ALLOW Anywhere
51820/udp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
```
This is the `wg-quick` configuration file for the VPS (keys obscured)
`wg0.conf`
```conf
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s7 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s7 -j MASQUERADE
ListenPort = 51820
PrivateKey = PrivateKeyA
# Laptop
[Peer]
PublicKey = PublicKeyC
PresharedKey = PSKC
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 25
# OPNsense
[Peer]
PublicKey = PublicKeyB
PresharedKey = PSKB
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
```
## OPNsense Configuration
I have an OPNsense 24.1 router running on a Protectli FW2B. On the LAN side I have all of my personal network on the `192.168.1.0/24` subnet. On the WAN side it is connected to an ISP provided router/modem. I am assuming that the VPN allows me to ignore the double NAT problem, please let me know if this is not the case.
### Wireguard Configuration
I have added the VPS as a Wireguard Peer and have the following configuration.
- **Name**: VPS_peer
- **Enabled**: Checked
- **Name**: VPS
- **Public Key**: PublicKeyA
- **Preshared Key**: PSKB
- **Allowed IPs**: `0.0.0.0/0`
- **Endpoint Address**: IP A
- **Endpoint Port**: 51820
- **Instances**: VPS_instance
- **Keepalive Interval**: 25
I have also added a Wireguard Interface with the following configuration.
- **Name**: VPS_interface
- **Enabled**: Checked
- **Instance**: 1
- **Public Key**: PublicKeyB
- **Private Key**: PrivateKeyB
- **Listen Port**: 51820
- **Tunnel Address**: `10.0.0.2/24`
- **Depend on (CARP)**: None
- **Peers**: VPS_peer
- **Disable Routes**: Unchecked
And I have Wireguard enabled.
### Interface Configuration
I have added a new interface called `WAN_wireguard` with the following configuration.
- **Enabled**: Checked
- **Lock**: Unchecked
- **Identifier**: opt1
- **Device**: wg1
- **Block private networks**: Unchecked
- **Block bogon networks**: Unchecked
- **IPv4 Configuration Type**: None
- **IPv6 Configuration Type**: None
- **Mac Address**: Empty
- **Promiscuous Mode**: Unchecked
- **MTU**: Empty
- **MSS**: Empty
- **Dynamic Gateway Policy**: Unchecked
### Firewall Configuration
I created a WAN rule following [this step of the site-site guide](https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html#step-5-allow-traffic-between-site-a-lan-net-and-site-b-lan-net)
- **Action**: Pass
- **Disabled**: Unchecked
- **Quick**: Checked
- **Interface**: WAN
- **Direction**: In
- **TCP/IP Version**: IPv4
- **Protocol**: UDP
- **Source**: Single host or Network `IP A`
- **Destination**: WAN Address
- **Destination Port Range**: From `51820` to `51820`
- **Gateway**: Default
Last Edit: March 13, 2024, 09:00:04 pm by RunnersNum45
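The following is an added example, not part of the post above or of OPNsense or WireGuard. It is a small POSIX shell checker for the VPS-side `wg-quick` configuration that looks at two things which decide whether traffic from the LAN behind the OPNsense peer can actually leave the tunnel. First, every key must be one that `wg(8)`/`wg-quick(8)` recognises: `wg-quick` hands the file to `wg setconf`, which rejects an unknown key such as `PesharedKey` with "Line unrecognized" and the interface never comes up. Second, WireGuard's cryptokey routing only accepts inbound packets whose source address falls inside that peer's `AllowedIPs`; with `AllowedIPs = 10.0.0.2/32` on the VPS, packets sourced from `192.168.1.0/24` are dropped unless they are either listed there or NATed to the tunnel address on the OPNsense side. The sample configuration embedded below is constructed for this example from the post (keys are placeholders), and `fixed_conf` is the same text with the two problems corrected so the two cases can be compared.

```sh
#!/bin/sh
# Added example: sanity-check a wg-quick config on the VPS for (1) misspelled
# keys and (2) whether the OPNsense peer's AllowedIPs covers the LAN subnet.
# Config text is read from stdin by the parsing functions.

# Constructed sample, modelled on the forum post; key material is a placeholder.
sample_conf() {
    cat <<'EOF'
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = PrivateKeyA
# OPNsense
[Peer]
PublicKey = PublicKeyB
PesharedKey = PSKB
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
EOF
}

# Same sample with the key name fixed and the LAN added to AllowedIPs.
fixed_conf() {
    sample_conf | sed 's/^PesharedKey/PresharedKey/; s#^AllowedIPs = 10.0.0.2/32$#AllowedIPs = 10.0.0.2/32, 192.168.1.0/24#'
}

# Print every key that is not in the wg(8)/wg-quick(8) key set, one per line.
unknown_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*\[/ { next }
        {
            key = $0; sub(/[ \t]*=.*$/, "", key); gsub(/[ \t]/, "", key)
            if (key !~ /^(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig|PrivateKey|ListenPort|FwMark|PublicKey|PresharedKey|AllowedIPs|Endpoint|PersistentKeepalive)$/)
                print key
        }'
}

# Print the comma-joined AllowedIPs of the [Peer] whose PublicKey equals $1.
peer_allowed_ips() {
    awk -v want="$1" '
        function flush() { if (pub == want && allowed != "") print allowed }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { flush(); pub = ""; allowed = ""; next }
        {
            key = $0; sub(/[ \t]*=.*$/, "", key); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/[ \t]/, "", val)
            if (key == "PublicKey") pub = val
            else if (key == "AllowedIPs") allowed = (allowed == "" ? val : allowed "," val)
        }
        END { flush() }'
}

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Return 0 when network $1 (a.b.c.d/len) contains the whole of network $2.
cidr_covers() {
    n1=${1%/*}; l1=${1#*/}
    n2=${2%/*}; l2=${2#*/}
    [ "$l1" -le "$l2" ] || return 1
    [ "$l1" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - l1)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$n1") & mask )) -eq $(( $(ip_to_int "$n2") & mask )) ]
}

# Return 0 when some AllowedIPs entry of peer $1 covers LAN subnet $2.
lan_covered() {
    found=$(peer_allowed_ips "$1" | tr ',' '\n' | while read -r net; do
        case $net in */*) ;; *) net="$net/32" ;; esac
        if cidr_covers "$net" "$2"; then echo "$net"; break; fi
    done)
    [ -n "$found" ]
}

report() {
    printf 'Unknown keys: %s\n' "$(sample_conf | unknown_keys | tr '\n' ' ')"
    if sample_conf | lan_covered PublicKeyB 192.168.1.0/24; then
        printf 'LAN covered by AllowedIPs: yes\n'
    else
        printf 'LAN covered by AllowedIPs: no (add 192.168.1.0/24 or NAT LAN traffic to the tunnel address)\n'
    fi
}
report
```

Run it against a real file with `unknown_keys < /etc/wireguard/wg0.conf` and `lan_covered <OPNsense-public-key> 192.168.1.0/24 < /etc/wireguard/wg0.conf`. A "no" from the second check means one of two fixes is needed: add the LAN prefix to that peer's `AllowedIPs` on the VPS (and, since the post uses `SaveConfig = true`, mirror it with `wg set wg0 peer ... allowed-ips ...` so it is not overwritten on shutdown), or configure outbound NAT on the WireGuard interface in OPNsense so LAN traffic enters the tunnel sourced from `10.0.0.2`.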