Thanks for the nice drawing. I will try again and see if it will work.

@The-Party-of-Hell-No Hi, Thanks for your reply. Yes I've set the tunnel up with all NAT rules in place, following guides, to the point of routing all traffic via the tunnel. Just wasn't sure of the next steps and if a firewall rule would work. I'll give that a go and see if it works as I'd like.

@Bob-Dig said in WireGuard and ProtonVPN: Personally I wouldn't change my DNS-Servers to Proton but change the DNS-Server for some hosts only to always use external DNS, which will then go through the VPN for those hosts. Could you please, show example of firewall rule to pass DNS request via VPN fore some hosts?

i have to setup mss to 1280.

@The-Party-of-Hell-No Conversation I had with technician at Surf Shark about two WireGuard tunnels simultaneously: another question can I use the same tunnel and have multiple gateways(Peers) going to different surfshark servers through the same tunnel? Saul Buchanan 's avatar Not at the same time, but you can use the same tunnel with different peers, yes. Okay, can I create individual tunnels for each peer (Surfshark server) I wish to use as a gateways. I have done this using the openvpn protocol Saul Buchanan 's avatar Essentially yes. Isn't the problem generating keys for each tunnel? Saul Buchanan 's avatar Not really, as you can use the same private keys with multiple tunnels. I would just like to emphasize that multiple connections at a time from the same device will most likely encounter issues. [image: 1729791597775-untitled.jpg] The challenge I ran into was thinking the endpoint port (51820) had to match the tunnel port.. It cannot be changed - obviously it is set by SurfShark, but it means both tunnels share the same endpoint port. It seems to work: [image: 1729792262521-untitled2.jpg]

@Frosch1482 For starters change the interface to a /24. You have it as a /32.

@TeeNetGate1 Adding in more testing, from pfsense I can ping the endpoint IPv4 & v6. But still not handshake. I took a server I know works, from the 3100, but it does not work. I have added in an interface IP, which i can ping and this does not work. Do I have a lemon of a pfsense box?

@db858 Android: interface -> addresses is the client IP address for example 10.20.30.10/32 peer -> "allowed IP" is for the destinations to route over the WireGuard tunnel pfSense: Allowed IPs is the client IP address 10.20.30.10/32

@erdeed I asked the same question here: https://forum.netgate.com/topic/189938/bind-wireguard-tunnel-listener-to-a-specific-wan-ip?_=1726753285158 I'll watch your post too in case someone replies.