Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Forcing WG to use an specific WAN interface to build the tunnel

    Scheduled Pinned Locked Moved
    WireGuard
    1
    2
    732
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mikee
      last edited by mikee

      Hi all. I need your help.

      I have a device with two WAN connections. I need to build two WG tunnels, one over each interface, to a common remote destination. For this I have the standard configuration with dedicated interface and gateway for each of the tunnels.

      The general default gateway of the device is 'WAN' and the first WG tunnel uses it to build the connection with the remote. So far, so good. I need a way to tell the second WG tunnel to use the other interface 'WAN2' to build theirs.

      I have tried to force it by setting WAN2 as the gateway in the firewall rule (of course first configuring WG to not use the generic group in the Settings section of the plugin in VPN->WireGuard->Settings:interface group membership->none and setting a different gateway in the correspondent FW rules).

      So far this does not work and both tunnels are using the same interface 'WAN' to build their connections. You can see, in the remote end, that both tunnels are comming from the same public IP address.

      Is there any mechanism to achieve that?

      Thanks for your help.

      1 Reply Last reply Reply Quote 0
      • M
        mikee
        last edited by

        Well. I reply myself.

        As @cmcdonald (developer of the wireguard package so someone to listen to) says in a reply to another post (https://forum.netgate.com/topic/164360/wireguard-site-to-site-issues/13):

        The only way to force WireGuard out a particular interface currently is to create a static host route (i.e. a /32 or /128 route pointing at the remote WireGuard peer endpoint IP) out a particular gateway.

        I stick my hope on the word 'currently': Even this being the actual state of the product it would be great if there were some way to manually bind a WG VPN to a given interface. There are cases where setting up a route to achieve that automatic binding is not possible (like my case where the remote endpoint is the same for both tunnels). This is already allowed both in openVPN and IPSec VPNs so it should also be a good thing that WG also had the option.

        So I beg the developers, if they are monitoring this forum, to add this GREAT enhancement to an other way outstanding product.

        Thanks for your time and effort.

        1 Reply Last reply Reply Quote 0
        • T thiasaef referenced this topic on
        • First post
          Last post