Netgate Discussion Forum
    Specify outgoing interface for wireguard tunnel

      ddbnj

      I have a multi-WAN setup with a backup LTE modem. Currently I am using OpenVPN for the backup site-to-site tunnel since I can specify the outgoing tunnel interface.

      Can WireGuard be configured to initiate a tunnel over a specific interface as well?

      Thanks,

      Devan

        cmcdonald Netgate Developer @ddbnj

        @ddbnj One possible solution:

        • Create a static route (/32 for IPv4 endpoints or /128 for IPv6). This is a "host" route, because it is scoped to a single address (/32 or /128). So basically you're telling pfSense, "hey if you need to reach endpoint 178.43.2.4, only use WANGW".

          ddbnj @cmcdonald

          @cmcdonald That is a cool idea; I will try this weekend.

            ddbnj @cmcdonald

            @cmcdonald

            Well, I couldn't wait.

            My setup threw a few wrenches into the concept. The endpoint for the tunnel is dynamic and is updated via DNS.

            When making a static route, it would not accept a FQDN.

            The workaround involved a few steps.

            At the target end, create a new FQDN specific to the WireGuard connection over LTE. Set up DDNS on pfSense to keep it up to date.

            On the LTE modem side, create the usual WireGuard tunnel and peer using the new LTE-specific domain name.

            On the LTE modem side, create a firewall alias (to be used in the static route) pointing to the new LTE FQDN.

            Finally, on the LTE modem side, create a static route to the alias using the LTE gateway.

            This way, my FIOS WireGuard tunnel uses the normal WAN since its FQDN endpoint is different from the LTE WireGuard tunnel FQDN.

            (Edit: I don't think this works)

              ddbnj @ddbnj

              @ddbnj

              Yeah, I don't think it's working.

              The routing alias translates the DNS result and routes all traffic (as it should) out the WAN gateway. As long as the IP endpoints are the same, I can't make a route specific for the outgoing requests just for LTE.

                ddbnj @cmcdonald

                @cmcdonald

                Since my outgoing WG peer on FIOS has the same destination IP as my outgoing WireGuard peer on LTE, the route solution above doesn't work. I'm not getting any states on the LTE interface. I was fooled, I think, by ICMP redirects, which made it seem all gateways were up.

                  ensnare @cmcdonald
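As an added illustration, not code from the thread or from pfSense, here is a small Python model of longest-prefix-match route lookup. It shows why cmcdonald's /32 host route pins one endpoint to one gateway, and why, as ddbnj found, destination routing alone cannot send two peers that share the same endpoint IP out different gateways. The gateway names, prefixes and peer names are constructed assumptions.

```python
"""Longest-prefix-match route lookup (constructed model, not pfSense code).

Shows why a /32 host route steers a WireGuard endpoint out one chosen gateway,
and why two peers that share an endpoint IP always follow the same route."""
from ipaddress import ip_address, ip_network

# Constructed routing table: (destination prefix, gateway name).
# Gateway names and prefixes are assumptions for this example only.
ROUTES = [
    (ip_network("0.0.0.0/0"), "WANGW"),       # default route: primary (FIOS) WAN
    (ip_network("178.43.2.4/32"), "LTEGW"),   # host route pinning this endpoint to LTE
    (ip_network("192.168.1.0/24"), "LAN"),    # directly connected LAN
]


def lookup(dst, routes=ROUTES):
    """Return the gateway for dst: the matching route with the longest prefix wins."""
    addr = ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def peer_gateways(peers, routes=ROUTES):
    """Map each WireGuard peer (name, endpoint IP) to the gateway its handshake
    packets would leave through. The lookup sees only the destination address,
    never which tunnel the packet belongs to."""
    return {name: lookup(endpoint, routes) for name, endpoint in peers}


def routes_can_split(peers, routes=ROUTES):
    """True only if destination routing alone can put the peers on different
    gateways; False whenever two peers share the same endpoint IP."""
    return len(set(peer_gateways(peers, routes).values())) == len(peers)


if __name__ == "__main__":
    same = [("wg_fios", "178.43.2.4"), ("wg_lte", "178.43.2.4")]
    different = [("wg_fios", "178.43.2.5"), ("wg_lte", "178.43.2.4")]
    print(peer_gateways(same), routes_can_split(same))            # both LTEGW, False
    print(peer_gateways(different), routes_can_split(different))  # WANGW/LTEGW, True
```

A distinct endpoint address per WAN (as ddbnj attempted with a separate FQDN) is what gives the route lookup something to distinguish; with identical endpoint IPs the host route sends both tunnels the same way.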

                  @cmcdonald WireGuard ignores my static routes, even after a reboot. It seems to always use the default route. Might be a bug? Btw, thanks for your work with WireGuard.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.