Incoming Wireguard mapping to outgoing OpenVPN
-
Hi.
I have WireGuard configured on pfsense so I can connect to my internal network from the outside world. Works fine.
I also have OpenVPN client configured in pfsense so that my internal connections connect to a VPN. Works fine from internal connections.
What I'm trying to do now is have all incoming IP's dialed into to WireGuard to also go through this OpenVPN client when going outbound from my internal network.
My DHCP server assigns 10.10.1.1 to all internal connected devices and the incoming WireGuard connections are assigned to 10.10.2.1.
I tried to make a NAT mapping but it didn't work.
Thanks!
-
You need to either set the firewall default route to the OpenVPN gateway or set a policy routing rule on the incoming traffic over WG via the OpenVPN gateway. The latter is less disruptive to anything else.
Steve
-
Stop thinking about VPNs and start thinking about IP links. Routing is routing and it doesn't matter how you get there. You just have to ensure you have the routes to get from point A to point B and back.
-
@stephenw10 Thanks for the suggestions. Was honestly confused about how to do this then I found a useful page to learn more. I got the second option doing what I wanted! I went to the default WG pass rule and then edited it and found "extra options" then was able to set the default gateway to OpenVPN.
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html
Thanks again!
-
@JKnott Right, I get what you are saying, I'm learning a ton about firewall routing. I was able to solve my problem with help from @stephenw10 and the following link.
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html
-
@stephenw10 Spoke too soon. I am getting the proper routing from incoming to outgoing traffic but now I am unable to access the local IPs of my LAN network. Hmmm. Been playing around and testing rules all morning. Any advice would be helpful. I know it's right in front of me, just can't see it.
To be clear, I dial into my pfsense wireguard server in the 10.10.2.1 subnet. My local LAN is 10.10.1.1
With the recent changes I'm able to dial into my wireguard server and obtain a 10.10.2.x IP address, the traffic now exits through the OpenVPN gateway and gives me the correct outgoing IP address. Prior to making this change I was able to access devices on the LAN network 10.10.1.1 but now they are not accessible.
-
You need a pass rule, without a gateway set, on the wireguard interface above the policy routing rule for local destinations. Otherwise all traffic gets caught by the policy routing rule and forced via the OpenVPN gateway.
-
You're awesome @stephenw10.
I was able to add a rule above my other rule to pass all to my LAN subnet first, and now it seems it's all working as expected.
The learning curve for pfsense is steep (or just understanding firewalls, NATs, gateways, rules, etc. in general).
Appreciate you holding my hand and helping me out!
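An added pf-style illustration of the rule ordering the thread settles on (local LAN pass rule above the policy-routing rule on the WireGuard interface); this is not configuration from the thread or rules generated by pfSense, and the interface names, OpenVPN gateway address and /24 masks are assumptions.

```pf
# Added illustration, not from the thread. Assumed values:
#   WireGuard tunnel subnet 10.10.2.0/24 on interface tun_wg0
#   LAN 10.10.1.0/24
#   OpenVPN client interface ovpnc1 with gateway 10.8.0.1
wg_if   = "tun_wg0"
ovpn_if = "ovpnc1"
ovpn_gw = "10.8.0.1"
wg_net  = "10.10.2.0/24"
lan_net = "10.10.1.0/24"

# Broken ordering (the state reported mid-thread): with "quick" the first
# matching rule wins, so LAN-bound packets are route-to'd into the OpenVPN
# tunnel and never reach 10.10.1.0/24. Shown commented out for contrast.
#   pass in quick on $wg_if route-to ($ovpn_if $ovpn_gw) inet from $wg_net to any keep state
#   pass in quick on $wg_if inet from $wg_net to $lan_net keep state   # never reached

# Working ordering: pass local destinations first with no gateway set,
# then policy-route everything else from the WG clients via OpenVPN.
pass in quick on $wg_if inet from $wg_net to $lan_net keep state
pass in quick on $wg_if route-to ($ovpn_if $ovpn_gw) inet from $wg_net to any keep state
```

In the pfSense GUI the same effect is the order of the two rules on the WireGuard interface tab: the LAN-destination pass rule with the gateway left at default, above the "any" rule whose advanced gateway option is the OpenVPN client.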