Netgate Discussion Forum

Force VLAN to WireGuard tunnel

WireGuard
  • Gerry26500, Jun 19, 2022, 2:11 AM

    Hi there,
    I started to use WireGuard (vs OpenVPN) and I am facing an issue.
    I am trying to force one specific VLAN to use the WG tunnel.
    So first, I configured WG and have my tunnel up [screenshot].

    I also created an interface for my VLAN 60 (called VPN, 10.10.60.0/24) [screenshot].

    I also have my WG interface created with the IP provided by the VPN provider [screenshot].

    And last, I have the outbound rule that forces 10.10.60.0/24 to the WG interface [screenshot].

    Somehow, that doesn't work. I do have connectivity, but not through the tunnel.

    I checked the forum and some people are saying I should just change the gateway under VLAN 60 [screenshot], but if I do that, I lose all connectivity on VLAN 60.

    What am I missing here?!
    Thanks in advance!

    • Jarhead @Gerry26500, Jun 19, 2022, 11:15 AM (edited 12:05 PM)

      @gerry26500 First thing I notice is that you redacted the tunnel assignment, but then you show the WG interface. So there should be no reason to redact the assignment.
      It should be the WG interface. Is it?

      Second, you have an upstream gateway assigned to that interface. Are you sure you want that?

      Third, you shouldn't need the outbound NAT at all.

      Create a gateway pointing to the other end of the tunnel, then use that gateway for the 10.1.60.0 network.

      • Gerry26500 @Jarhead, Jun 19, 2022, 2:02 PM (edited 2:09 PM)

        @jarhead Hey, thanks for the reply.
        Yes, the local address of the tunnel is 10.2.0.2 (I meant to mask the other IP).
        Regarding the upstream gateway, to be honest I am not sure. My VPN provider doesn't have a tutorial for WG, so I grabbed the info from a random post on the internet.
        I will remove the outbound NAT, thanks.
        ...Oh, so what you mean is, the upstream gateway I created for the interface should be on the VLAN 60 interface? Or do you mean something else?
        I can't see any other field where I can choose a gateway for a subnet / VLAN.
        Let me give it a try.
        Thanks!

        Edit:
        If it helps, here is the tutorial I followed:
        https://www.ivpn.net/setup/router/pfsense-wireguard/

        (but this applies to the entire router and I would like to have only one subnet going through that tunnel)

        • Jarhead @Gerry26500, Jun 19, 2022, 4:52 PM

          @gerry26500 said in Force VLAN to WireGuard tunnel:

          ...Oh, so what you mean is, the upstream gateway I created for the interface should be on the VLAN 60 interface? Or do you mean something else?

          No, what I meant was that the tunnel assignment should be the interface itself [screenshot].

          You assigned the IP to the interface for a reason; set the interface as the tunnel assignment.

          Upstream gateway: not sure what you're doing with the VPN connection, but setting an upstream gateway makes the interface a WAN, essentially. Read the text below that option. Is that what you want?
          To force the traffic through the VPN, create a new gateway, then on the allow-all firewall rule for VLAN 60, click Advanced, then set the new gateway as its gateway.
          You should also not have "automatic" set for the default gateway when you create the new gateway; set it to your actual gateway instead.

          Keep in mind, I haven't tried this with WireGuard, but it's how you would force traffic with OpenVPN.

          Although if it doesn't work, try adding the outbound NAT again. You might need that, but I would think that would be handled on the VPN provider's end. WireGuard does seem to need help routing, though.

          • Gerry26500 @Jarhead, Jun 19, 2022, 5:30 PM

            @jarhead
            Oh man, you're awesome!!!
            I did have a mix-up in the interface assignment. Somehow I was sure that it was assigned to the tunnel, but for some reason it was assigned to an igc interface :|
            That said, it works now! And I really appreciate your help.
            So just for testing purposes, I tried with and without the outbound rule... and without it, it doesn't work.

            Cheers!

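The exchange above boils down to two distinct failure modes that look identical from a client ("I have connectivity, but not through the tunnel" versus "without the outbound NAT it doesn't work"). The fastest way to tell them apart on the firewall is the pf state table (`pfctl -ss` from the pfSense shell), because each state records the interface it left on and, in parentheses, the pre-NAT source. The script below is an added example, not code from this thread or from pfSense: it parses state lines in that column layout and flags VLAN 60 flows that either leave via the WAN (policy routing not applied) or leave via the tunnel with their 10.10.60.x source untranslated (no outbound NAT on the WG interface, so the provider's side never answers). The VLAN subnet and tunnel address 10.2.0.2 are taken from the posts; the interface names `tun_wg0`, `igc0`, `igc1.60` and all the sample state lines are constructed for the example.

```python
import ipaddress
import re

# Values from the thread: VLAN 60 is 10.10.60.0/24 and the tunnel's local
# address is 10.2.0.2. The interface names and the sample state lines are
# constructed for this example; they mimic the `pfctl -ss` column layout
# (interface, protocol, NATed source (original source) -> destination, state)
# and are not output captured from the poster's firewall.
VLAN_NET = ipaddress.ip_network("10.10.60.0/24")
TUNNEL_IF = "tun_wg0"
TUNNEL_ADDR = ipaddress.ip_address("10.2.0.2")
WAN_IFS = {"igc0"}

# Outbound states only (the "->" form); IPv4 only to keep the regex readable.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
    r"(?:\s+\((?P<orig>\d+\.\d+\.\d+\.\d+)(?::\d+)?\))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

SAMPLE_STATES = [
    # WAN outbound NAT caught it: the packet never entered the tunnel
    "igc0 tcp 203.0.113.7:50211 (10.10.60.15:50211) -> 1.1.1.1:443       ESTABLISHED:ESTABLISHED",
    # correct: tunnel interface, source rewritten to the tunnel address
    "tun_wg0 tcp 10.2.0.2:50212 (10.10.60.15:50212) -> 1.1.1.1:443       ESTABLISHED:ESTABLISHED",
    # policy route works but no outbound NAT on tun_wg0: query sent, no reply
    "tun_wg0 udp 10.10.60.22:41000 -> 9.9.9.9:53       MULTIPLE:SINGLE",
    # another VLAN using the WAN, as intended
    "igc0 tcp 203.0.113.7:50300 (10.10.50.9:50300) -> 8.8.8.8:443       ESTABLISHED:ESTABLISHED",
    # inter-VLAN traffic, not subject to the tunnel policy
    "igc1.60 tcp 10.10.60.15:50400 -> 10.10.50.9:445       ESTABLISHED:ESTABLISHED",
]


def classify_state(line: str):
    """Verdict for one outbound pf state, or None if the line does not parse.

    LEAK   - VLAN 60 host left via the WAN: the policy-routing rule is not
             matching (connectivity, but not through the tunnel).
    NO_NAT - VLAN 60 host left via the tunnel with its 10.10.60.x source
             intact; the provider only knows the tunnel address, so replies
             never come back (why the outbound NAT on the WG interface is needed).
    OK     - left via the tunnel with the source translated to the tunnel address.
    LOCAL  - private destination (inter-VLAN or the firewall itself), ignored.
    OTHER  - source is not in the policy-routed VLAN, ignored.
    """
    m = STATE_RE.match(line)
    if not m:
        return None
    ifname = m.group("ifname")
    nat_src = ipaddress.ip_address(m.group("src"))
    orig_src = ipaddress.ip_address(m.group("orig")) if m.group("orig") else nat_src
    dst = ipaddress.ip_address(m.group("dst"))
    if orig_src not in VLAN_NET:
        return "OTHER"
    if dst.is_private:
        return "LOCAL"
    if ifname in WAN_IFS:
        return "LEAK"
    if ifname == TUNNEL_IF:
        return "OK" if nat_src == TUNNEL_ADDR else "NO_NAT"
    return "UNKNOWN"


def audit(lines):
    """Count verdicts over a batch of state lines (unparseable lines are skipped)."""
    counts = {}
    for line in lines:
        verdict = classify_state(line)
        if verdict is not None:
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def tunnel_pinned(lines) -> bool:
    """True only if every VLAN 60 flow to the internet left via the tunnel, NATed."""
    counts = audit(lines)
    return not any(counts.get(k) for k in ("LEAK", "NO_NAT", "UNKNOWN"))


if __name__ == "__main__":
    for line in SAMPLE_STATES:
        print(f"{str(classify_state(line)):7} {line}")
    print(audit(SAMPLE_STATES), "pinned:", tunnel_pinned(SAMPLE_STATES))
```

On a live box you would feed it `pfctl -ss` output piped in, while a VLAN 60 client generates traffic; a single LEAK or NO_NAT verdict tells you which of the two fixes from the thread (interface assignment plus gateway on the rule, or outbound NAT on the WG interface) is still missing.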
            • sgw @Gerry26500, Apr 21, 2023, 5:00 AM

              I am currently trying the same here, and I am scared to set "AllowedIPs" to 0.0.0.0, because I fear that this breaks the whole routing on the pfSense...

              Could someone advise here?

              The pfSense currently runs the WG tunnel with "AllowedIPs = 10.8.0.0/24", so only the tunnel network is routed through.

              The goal is to be able to force one or more VLANs to use that tunnel as default gateway while other (V)LANs should simply use the plain default gateway defined in "Routing".

              Maybe I am too scared ;-) but I am far from that box and don't want to lock myself out etc. Thanks.

              • Bob.Dig @sgw, Apr 21, 2023, 9:11 AM

                @sgw Just do it. Routing is done via pfSense, not WireGuard.

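Bob.Dig's answer rests on a distinction worth making explicit: a peer's AllowedIPs is WireGuard's cryptokey routing table, the list of destinations that peer is allowed to carry (longest prefix wins when several peers overlap), and it is consulted after the kernel has already chosen the tunnel as the egress. On pfSense the egress decision is made by the routing table and the gateway set on the VLAN's firewall rule, which is why widening AllowedIPs to 0.0.0.0/0 does not by itself pull other VLANs into the tunnel, and why leaving it at 10.8.0.0/24 makes the tunnel drop internet-bound packets that a policy rule has sent to it. The model below is an added example, not pfSense or WireGuard code: it reproduces both decisions side by side. The 10.8.0.0/24 tunnel network is sgw's and 10.10.60.0/24 is the VLAN from earlier in the thread; the VLAN 50 subnet, the peer names and the interface names are constructed.

```python
import ipaddress

# Added example, not pfSense or WireGuard code. 10.8.0.0/24 and 10.10.60.0/24
# come from the thread; the VLAN 50 subnet, peer names and interface names are
# constructed. POLICY_ROUTED stands for "VLAN interfaces whose allow rule has
# the WG gateway set under Advanced", the mechanism described earlier in the thread.
POLICY_ROUTED = {ipaddress.ip_network("10.10.60.0/24")}
TUNNEL_IF, WAN_IF = "tun_wg0", "igc0"


def parse_allowed_ips(allowed: str):
    """Split a peer's AllowedIPs string ("a/b, c/d") into networks."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in allowed.split(",") if p.strip()]


def select_peer(peers: dict, dst: str):
    """WireGuard's cryptokey routing: the peer whose AllowedIPs contains dst by
    longest prefix, or None when no peer claims it (the tunnel drops the packet)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, allowed in peers.items():
        for net in parse_allowed_ips(allowed):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


def forward(src: str, dst: str, peers: dict):
    """pfSense decides the egress interface from the *source* VLAN (policy
    routing); only then does the tunnel check AllowedIPs for the *destination*.
    Returns (egress interface, peer name | "default" | "DROP")."""
    s = ipaddress.ip_address(src)
    if not any(s in net for net in POLICY_ROUTED):
        return (WAN_IF, "default")            # untouched by the policy rule
    peer = select_peer(peers, dst)
    return (TUNNEL_IF, peer if peer else "DROP")


def demo():
    narrow = {"provider": "10.8.0.0/24"}      # sgw's current setting
    full = {"provider": "0.0.0.0/0"}          # what a full-tunnel exit needs
    split = {"branch": "10.8.0.0/24, 192.168.0.0/16", "provider": "0.0.0.0/0"}
    return {
        "narrow_vlan60": forward("10.10.60.15", "1.1.1.1", narrow),
        "full_vlan60": forward("10.10.60.15", "1.1.1.1", full),
        "full_vlan50": forward("10.10.50.9", "1.1.1.1", full),
        "split_branch": select_peer(split, "192.168.5.5"),  # more specific wins
        "split_exit": select_peer(split, "1.1.1.1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

The `narrow_vlan60` case is the trap sgw was worried about in reverse: the policy rule already steers VLAN 60 into the tunnel, but with AllowedIPs limited to 10.8.0.0/24 WireGuard has no peer for 1.1.1.1 and discards the packet. The `full_vlan50` case shows that 0.0.0.0/0 on the peer leaves a VLAN without the policy rule on the WAN, since nothing on the pfSense side routed it into the tunnel.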
                • sgw @Bob.Dig, Apr 21, 2023, 2:04 PM

                  @bob-dig I will try as soon as I have my next call with the customer. Thanks...

                  • sgw @sgw, Apr 24, 2023, 5:42 AM

                    Seems to work ;-) thanks again @Bob-Dig

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.