WireGuard: Avoid DNS entries on restart + Selective Routing to VPN

Started by jaj1105, July 04, 2025, 07:30:52 PM

Hi everyone,

I'm running WireGuard on Debian as a central server to connect two OPNsense sites and mobile clients.

Below is my current wg0.conf on the Debian server (I've replaced private details with placeholders):

[Interface]
Address = X.X.X.X/24
SaveConfig = true
PostUp = iptables -A INPUT -p udp --dport PPPP -j ACCEPT; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -s X.X.X.X/24 -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport PPPP -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -s X.X.X.X/24 -o eth0 -j MASQUERADE
ListenPort = PPPP
PrivateKey =

First Question: Prevent DNS lines from being saved automatically

Every time I bring the interface down with wg-quick down wg0, it rewrites the wg0.conf file and appends DNS entries. Over time, this has added multiple redundant DNS = ... lines.

How can I configure this to stop WireGuard (wg-quick) from modifying my wg0.conf at all, and avoid these repeated DNS entries on every restart?

I do want to keep my PostUp/PostDown iptables rules, but I don't want DNS lines to be added automatically.



Second question: Policy-based routing for outbound traffic via Mullvad (wg1)


I also want to set up a second WireGuard interface on this Debian server (let's say wg1) that connects to Mullvad or another VPN provider.

My goal is:

✅ Have all outbound Internet traffic from connected clients (OPNsense sites + mobile devices) go through wg1 (Mullvad).
✅ Except for SMTP (port 25) which should always go out via the normal WAN (eth0) directly (because Mullvad blocks port 25).

I want to implement this policy routing on Debian itself (not on the OPNsense clients).

Could anyone advise on how to:

Set up the necessary ip rule / ip route entries?

Mark or match traffic from wg0, except for port 25?

Ensure port 25 is routed via eth0 while all other traffic uses wg1?

I'm looking for practical guidance, best practices or examples of iptables/ip rule setups for this scenario.

Thanks in advance for any help or suggestions!

Best regards
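The two pieces asked for above, as an added example that is not part of the original post and not code from any project: a one-shot edit that stops wg-quick rewriting wg0.conf (SaveConfig = true is what makes `wg-quick down` dump the running state, DNS included, back over the file), and a generator for the ip rule / ip route / iptables commands that push all forwarded traffic from wg0 out wg1 except TCP/25, which keeps following the main table out the WAN. Everything concrete in it is an assumption standing in for the poster's placeholders: the hub subnet 10.8.0.0/24, the interface names wg0/wg1/eth0, the packet mark 0x1 and routing table 100, and the constructed wg0.conf used as sample input.

```sh
#!/bin/sh
# Added example for the two questions above; not from the post or from any project.
# Assumed (hypothetical) values: hub tunnel wg0 on 10.8.0.0/24, provider tunnel wg1,
# WAN eth0, packet mark 0x1, routing table 100. Override via the environment if needed.
WG0_NET="${WG0_NET:-10.8.0.0/24}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"

# Constructed stand-in for the poster's wg0.conf after a few down/up cycles.
sample_conf() {
    cat <<'EOF'
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
DNS = 9.9.9.9
DNS = 9.9.9.9
ListenPort = 51820
PrivateKey = REPLACE_ME
EOF
}

# Question 1: with SaveConfig = true, `wg-quick down` writes the live interface
# state (including DNS it reads back through resolvconf) over wg0.conf, so the
# DNS lines accumulate. SaveConfig = false stops every rewrite; PostUp/PostDown
# still run. A server-side [Interface] needs no DNS line at all (it only
# reconfigures the server's own resolver), so the accumulated ones are dropped.
# Reads the config on stdin and prints the fixed version.
fix_saveconfig() {
    sed -e 's/^SaveConfig[[:space:]]*=[[:space:]]*true/SaveConfig = false/' \
        -e '/^DNS[[:space:]]*=/d'
}

# Question 2: print the commands that send all forwarded traffic from $1 out $2,
# except TCP/25, which stays on the main table (default route via $3).
# wg1 must be brought up with `Table = off` in its [Interface], otherwise
# wg-quick installs its own catch-all route for the 0.0.0.0/0 AllowedIPs and
# drags the server's own traffic (port 25 included) into the provider tunnel.
policy_rules() {
    lan=$1 vpn=$2 wan=$3
    cat <<EOF
# loose reverse-path filter: marked flows enter via $lan but their replies use $vpn
sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.conf.$lan.rp_filter=2
# mark everything entering from $lan except SMTP; RETURN in a built-in chain ends
# the traversal, so port 25 stays unmarked and is routed by the main table via $wan
iptables -t mangle -A PREROUTING -i $lan -p tcp --dport 25 -j RETURN
iptables -t mangle -A PREROUTING -i $lan -j MARK --set-mark $MARK
# marked packets consult table $TABLE, whose only route is the default via $vpn
ip rule add fwmark $MARK lookup $TABLE priority 1000
ip route replace default dev $vpn table $TABLE
# NAT client addresses behind the provider tunnel; forwarding in/out of $lan is
# already accepted by the wg0 PostUp rules, and port 25 already masquerades out $wan
iptables -t nat -A POSTROUTING -s $WG0_NET -o $vpn -j MASQUERADE
EOF
}

# `sh thisfile.sh apply` (as root, with wg0 and wg1 up) installs the rules;
# `sh thisfile.sh` only prints them for review.
case "${1:-}" in
    apply) policy_rules wg0 wg1 eth0 | sh -e ;;
    *)     policy_rules wg0 wg1 eth0 ;;
esac
```

Only IPv4 is covered; if the tunnels carry IPv6, the same mark/rule/route trio has to be repeated with ip6tables and `ip -6`. After applying, `ip rule`, `ip route show table 100` and `iptables -t mangle -L PREROUTING -v -n` should show the rule, the single default route via wg1 and packet counters climbing on the MARK rule, and a client's public IP should change to the provider's while a `telnet mailhost 25` from the same client still leaves via eth0.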

OPNsense does not run on Debian and I doubt you will find much help here. Better contact the Debian or WireGuard Community.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)