Wireguard is not routing any traffic
-
@gabacho4 said in Wireguard is not routing any traffic:
no that rule is for your network through the interface to the world
I'm still confused. I thought that rules are evaluated when they enter the interface. Traffic from LAN should not enter the Wireguard interface, but traffic from outside. Right?
-
@thisisme said in Wireguard is not routing any traffic:
Right?
Right, don't put any rule on that interface.
-
@bob-dig I found the problem I had to set the MSS on the wireguard interface, but I remain with another problem:
I can't route DNS through wireguard
If I select the the old OpenVPN interface the DNS resolver is working, but with the new Wireguard interface I can't resolve anything. Any idea? DNS is 9.9.9.9 -
@thisisme I am trying right now and for me it is also not working. It is new for them too, maybe they have problems on their side.
Will report here if this changes for me. -
Just to point it out: I don't had to add firewall rules to the Wireguard tab. This advice is WRONG and DANGEROUS
-
@thisisme Ping and DNS seem to be working for me. I didn't tested DNS within pfSense but just in a Windows VM. But I can't surf anything.
-
@bob-dig have you set the MSS on the Wireguard interface?
-
@thisisme No, I don't think it is a must anyways.
-
@bob-dig for me it don't work without it
-
@thisisme So which size should it be?
-
@bob-dig 1412 seems to work. Maybe you have to play a bit
-
Solved my DNS problem. Looks like wireguard is not adding any routes. I had to add a manual one for the DNS-Address and the gateway
-
Got it working too, thanks for the MTU hint!!
I went with 1420. Without it, it wasn't working.I didn't need any routes but my setup is different. Also no manual outbound NAT needed, see below.
For IP I went with /32 and changed the IP for the second tunnel myself.
-
Something to note when using Surfshark VPN on pfSense with WireGuard instead of OpenVPN.
You decide which IP will be used > no more overlapping IPs with different tunnels.
No good GUI support for changing the public IP of one tunnel, you have to restart the whole WireGuard service for all the tunnels to change IPs and it takes much longer for a new connection (but it is possible).
In my testing, speed was the same with my hardware.
-
@thisisme I noticed that the performance is lower with WG on ss, more loss etc. What is your experience so far?
-
@bob-dig I don't see any performance loss. Maybe even a little gain, but hard to say, because the last 15mbit to my full bandwidth are a bit unstable with Surfshark with both approaches.
-
@thisisme Probem for me it is packet loss, not the speed. I kinda remember that even in their own app, WG is working worse then OVPN, so I will switch back...
YGWYPF -
@bob-dig since 2 hours I have a lot of loss too. Since then it was always below 10%. I think the Surfshark servers are unstable or overloaded
-
@thisisme Back on OVPN, so much better. It was a short endeavor. I think their WG implementation is just bad, for years now.
-
@bob-dig packet loss with WG close to zero again for me
