How to do a 'NON-KILL' switch on WireGuard VPN?

Started by gspannu, February 26, 2025, 03:08:14 PM

February 26, 2025, 03:08:14 PM Last Edit: February 26, 2025, 03:25:11 PM by gspannu
My query is about building a 'NON-KILL' switch.

There are plenty of guides suggesting how to build a 'Kill-Switch' - but what I am after is a 'Non-Kill' switch.

Essentially, if the WG VPN tunnel goes down (for whatever reason), I want OPNsense hosts to start using the default 'WAN' tunnel for traffic.

I know that it is a slightly weird situation, but with family/wife/kids it is important that internet traffic continues without interruption.

My setup:
- I have a 3rd party VPN (let's say an externally hosted VPS, or NordVPN or Surfshark).
- I wish to have some specific OPNsense clients go through the WG VPN tunnel.

Actions followed:
- I used the OPNsense documentation for selective routing: the 'WireGuard Selective Routing to External VPN Endpoint' guide for IPv4.
- I followed it to a tee (barring the kill switch listed in Step 11).
- Set up all firewall rules, everything as per the documentation.

Everything works as expected 👍, as in the specific hosts now connect through the VPN tunnel and their traffic is routed through the WG tunnel as expected. All good so far.

Q: However, if this WG tunnel were to drop (or gateway monitoring shows 100% loss), I would like the same hosts to start using the default 'WAN' gateway. Currently, these hosts cannot access the internet at all.


Can anyone help with how to do this?
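The decision the post is asking for ("tunnel down, fall back to WAN") needs a health signal first, because a WireGuard interface has no link state of its own: the tunnel simply stops passing traffic. OPNsense infers that state with dpinger gateway monitoring (the "100% loss" mentioned above); the script below, added here as an illustration and not taken from the post or from OPNsense, infers it from the last-handshake age that `wg show <if> latest-handshakes` reports and maps the result to the gateway policy routing should use. The interface name wg0, the gateway names WG_VPN and WAN, the 180-second threshold and the sample `wg show` output are all assumptions/constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the forum post or from OPNsense. It shows the
# health check a "non-kill switch" has to be built on: WireGuard has no link
# state, so "the tunnel is down" must be inferred. OPNsense infers it with
# dpinger gateway monitoring (the "100% loss" the post mentions); this script
# infers it from the last-handshake age that `wg show <if> latest-handshakes`
# reports, and maps the result to a gateway name for policy routing.
# Assumptions: interface wg0, gateways named WG_VPN and WAN, 180 s threshold.

# Constructed sample of `wg show wg0 latest-handshakes` output
# (one line per peer: <public key> TAB <epoch of last handshake, 0 = never>).
SAMPLE_HANDSHAKES="$(printf 'yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=\t1740582400\nxTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=\t0')"

# Fixed "now" for reproducibility (constructed epoch; real runs use $(date +%s)).
NOW=1740582494

# Print the handshake age in seconds, or "never" when WireGuard reports 0.
handshake_age() {
  # $1 = last-handshake epoch, $2 = current epoch
  if [ "$1" -eq 0 ]; then
    echo never
  else
    echo $(( $2 - $1 ))
  fi
}

# True (exit 0) when the peer should be treated as down. WireGuard rekeys
# roughly every two minutes while traffic flows, so a handshake older than
# the threshold (or no handshake at all) means the tunnel is not usable.
tunnel_stale() {
  # $1 = last-handshake epoch, $2 = current epoch, $3 = threshold in seconds
  age=$(handshake_age "$1" "$2")
  if [ "$age" = never ]; then
    return 0
  fi
  [ "$age" -gt "$3" ]
}

# Gateway the hosts should be policy-routed through: the VPN gateway while the
# tunnel is healthy, the default WAN gateway once it is stale.
select_gateway() {
  # $1 = last-handshake epoch, $2 = current epoch, $3 = threshold in seconds
  if tunnel_stale "$1" "$2" "$3"; then
    echo WAN
  else
    echo WG_VPN
  fi
}

# Stand-alone run: one verdict per peer line in the sample.
printf '%s\n' "$SAMPLE_HANDSHAKES" | while IFS="$(printf '\t')" read -r peer ts; do
  printf '%s  age=%s  route-via=%s\n' "$peer" \
    "$(handshake_age "$ts" "$NOW")" "$(select_gateway "$ts" "$NOW" 180)"
done
```

The first sample peer handshook 94 seconds before the fixed "now", so it is routed via WG_VPN; the second has never handshaked (WireGuard reports 0), which the check treats as down rather than as age 0, so it falls back to WAN. On a live system the same functions would be fed `wg show wg0 latest-handshakes` and `date +%s`; the point is that whichever signal is used, the fallback rule needs an explicit "down" definition, including the never-connected case.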