bind wireguard to a dedicated interface

Started by daudo, May 13, 2025, 09:17:36 PM

My network configuration is somewhat unusual, as my WAN side is actually a private network, while my LAN side is a publicly routable /24 network.

In simplified terms, the data flow looks as follows:

Internet -> public IP@dedicated hardware router -> private network for CARP@OPNsense -> public /24 network

To allow various infrastructure devices to access the Internet, the dedicated hardware router has been configured to perform simple NAT functions for the CARP network only.

When I initiate a WireGuard connection from OPNsense, the connection is established via the CARP address of OPNsense and then routed to the dedicated router, which takes over the NAT functions. Although this works technically, it is not a practical option because the hardware router cannot handle the amount of data in terms of both bandwidth and connections that will pass over WireGuard.

Instead, I would like WireGuard to initiate the connection via the OPNsense LAN address. This way, no NAT takes place at the router because the packets are only routed.

Does anyone have any idea how this can be achieved?



It can't.

I asked about this a year ago and while it seems the ability to bind WireGuard to an interface is present in the kernel in FreeBSD 14, the functionality doesn't exist in OPNsense for it.

In my use case, I switched to IPsec and while it has its own difficulty in configuration in OPNsense, has been quite reliable for the desired purpose.

Thanks, I was afraid so. IPsec is no option for me, unfortunately.

What I did instead was to implement a very dirty outbound NAT rule that would force the required IP address for connections to my remote WG peer ... In the end it's just one connection to do NAT, so I have some hope that this won't be too bad on system load. This isn't in production yet, so hopefully this works out until this can be done properly in OPNsense.
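For readers wanting to see what the workaround in the last post amounts to at the pf level, here is an added example of such a rule in FreeBSD pf syntax. It is not daudo's actual rule and not configuration generated by OPNsense; the interface name, all addresses (RFC 5737 documentation ranges) and the port are assumptions chosen for illustration.

```pf
# Added example, not the poster's configuration. Interface name, addresses
# and port are assumptions:
#   vtnet0        interface towards the dedicated hardware router (the
#                 "WAN" side that carries the private CARP network)
#   192.0.2.10    OPNsense CARP address on that private network
#   198.51.100.1  OPNsense address on the public /24 (the LAN side)
#   203.0.113.50  remote WireGuard peer
#   51820         the peer's WireGuard listen port

# Rewrite the source of the single WireGuard flow only. Traffic from the
# CARP address to any other destination is left alone, so the hardware
# router keeps NATting the remaining management traffic exactly as before.
# static-port keeps the UDP source port unchanged, so the peer sees the
# same endpoint port after translation as WireGuard itself uses.
nat on vtnet0 inet proto udp from 192.0.2.10 to 203.0.113.50 port 51820 \
    -> 198.51.100.1 static-port
```

In the OPNsense GUI the same thing is a manual rule under Firewall: NAT: Outbound with the source, destination and destination port restricted the same way; a rule without those restrictions would translate everything leaving that interface, not just the one tunnel. After applying it, `pfctl -s nat` should list the rule and `pfctl -s state` should show the UDP state for the peer with the translated source address. The translated address must of course be reachable from the peer's side, and the hardware router has to route (not NAT) the public /24 for the return packets to come back.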