Netgate Discussion Forum

[Guide] Setup a wireguard tunnel to VPN provider (multiple VPN tunnel setup)

  • P Offline
    philjoyal
    last edited by Feb 9, 2025, 8:10 PM

    First off, great tutorial!

    Now for the issue I have. When the default gateway is set to wireguard tunnel interface, I can't access my LAN. I can't seem to figure out the firewall rules (assuming it blocks the connection). Not much on the logs either.

    Do you have any idea of what is going on?

    P 1 Reply Last reply Feb 9, 2025, 8:13 PM Reply Quote 0
    • P Offline
      philjoyal @philjoyal
      last edited by Feb 9, 2025, 8:13 PM

      @philjoyal this is the tutorial I have followed for my LAN access.
      https://www.wundertech.net/how-to-set-up-wireguard-on-pfsense/

      L 1 Reply Last reply Feb 10, 2025, 12:51 PM Reply Quote 0
      • L Offline
        LaUs3r @philjoyal
        last edited by LaUs3r Feb 10, 2025, 12:51 PM Feb 10, 2025, 12:51 PM

        Hi @philjoyal,

        First of all, your scenario is different from the one described here in this tutorial!

        This tutorial: pfSense acts as Wireguard CLIENT that connects to the Wireguard SERVER of the VPN provider

        Your scenario: pfSense acts as Wireguard SERVER to which you can connect with Wireguard clients (for example, on your smartphone).

        In order for your Wireguard clients to be able to access the LAN, you need to define firewall rules to allow traffic from the incoming Wireguard peers (10.200.0.5/24) to your LAN.
        In the tutorial you used, the Wireguard interface is called "WG_VPN". You will find in Firewall > Rules the same name. Here you need to allow "WG_VPN subnets" (source) to your LAN (destination).

        P 1 Reply Last reply Feb 10, 2025, 2:00 PM Reply Quote 0
        • P Offline
          philjoyal @LaUs3r
          last edited by Feb 10, 2025, 2:00 PM

          @LaUs3r thank you for your reply. In fact, my pfsense should be a client and a server: client for the VPN provider and server for my client to access my LAN. My pfsense has 2 wireguard tunnels (on different ports and different vinterface): client and server. My clients can connect to my LAN (if WAN is set as default gateway-->routing) and pfsense can connect as a client to my VPN provider (default gateway set to vpn_provider), but not at the same time. My clients can't connect to the LAN tunnel if pfsense is connected as a client for vpn_provider.

          L 1 Reply Last reply Feb 10, 2025, 4:38 PM Reply Quote 0
          • L Offline
            LaUs3r @philjoyal
            last edited by Feb 10, 2025, 4:38 PM

            @philjoyal, do you allow NAT Outbound traffic for your Wireguard Client addresses via the Wireguard Gateway?

            In Firewall > NAT > outbound you should have something like:

            Interface................Source..................NAT Address
            WG_VPN............10.200.0.5/24...............WG_VPN

            Can you maybe post a picture of your NAT Outbound rules?

            P 3 Replies Last reply Feb 10, 2025, 11:54 PM Reply Quote 0
            • P Offline
              philjoyal @LaUs3r
              last edited by Feb 10, 2025, 11:54 PM

              @LaUs3r here are some screenshots:

              Screenshot from 2025-02-10 17-13-051.png

              Screenshot from 2025-02-10 17-13-551.png

              Screenshot from 2025-02-10 17-14-511.png

              L 1 Reply Last reply Feb 11, 2025, 4:13 PM Reply Quote 0
                • L Offline
                  LaUs3r @philjoyal
                  last edited by Feb 11, 2025, 4:13 PM

                  You probably need to add a static route for your WireGuard Remote Clients VPN subnet (10.200.0.5) to use the WireGuard ISP VPN (WG_VPN)

                  P 1 Reply Last reply Feb 11, 2025, 9:43 PM Reply Quote 0
                  • P Offline
                    philjoyal @LaUs3r
                    last edited by philjoyal Feb 11, 2025, 9:36 PM Feb 11, 2025, 9:35 PM

                    @LaUs3r
                    Screenshot from 2025-02-10 17-27-531.png

                    Screenshot from 2025-02-10 17-28-041.png

                    1 Reply Last reply Reply Quote 0
                    • P Offline
                      philjoyal @LaUs3r
                      last edited by Feb 11, 2025, 9:43 PM

                      @LaUs3r Doesn't seem to work either

                      L 1 Reply Last reply Feb 12, 2025, 6:29 AM Reply Quote 0
                      • L Offline
                        LaUs3r @philjoyal
                        last edited by Feb 12, 2025, 6:29 AM

                        @philjoyal but that's not showing a static route. You need to add one in the routing tab.
                        Check out this guide: https://jarrodstech.net/fix-pfsense-remote-wireguard-vpn-clients-access-to-wireguard-site-to-site-vpn/

                        P 1 Reply Last reply Feb 12, 2025, 1:53 PM Reply Quote 0
                        • P Offline
                          philjoyal @LaUs3r
                          last edited by Feb 12, 2025, 1:53 PM

                          @LaUs3r the static route is shown in the 3rd screenshot

                          1 Reply Last reply Reply Quote 0
                          • G Offline
                            Gammon
                            last edited by Apr 10, 2025, 6:21 AM

                            I found this guide years ago. This was back before there were any pfsense VPN guides on the internet. The site has since gone down, but is still on the WayBackMachine. There is a brief explanation of the Wireguard MTU and MSS and how they relate to each other.

                            DevinMadeThat - Guide: Adding Proton VPN with WireGuard to pfSense

                            Excerpt:

                            • MTU: 1420
                              Maximum Transmission Unit: Because of WireGuard's overhead, you want to set it for 1420
                            • MSS: 1420
                              Maximum Segment Size: You want this clamped to 1380, but it's calculated minus 40 (for 40 bytes of v4 header) from whatever you type here. So you want to enter 1420 (1420-40=1380)
                            1 Reply Last reply Reply Quote 0
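
The arithmetic behind the values in the excerpt above, as an added example that is not part of the original post or of the quoted guide. It goes beyond the excerpt by also covering a 1492-byte (PPPoE-style) underlay and inner IPv6; the function names are hypothetical, and the "field value minus 40" behaviour of the pfSense MSS box is taken from the excerpt as stated.

```python
# Added example: WireGuard tunnel MTU and TCP MSS clamp arithmetic.
# Header sizes are the standard protocol sizes (no IP options or TCP options).
# PFSENSE_MSS_FIELD_OFFSET reflects the excerpt's statement, not a verified spec.

IP_HDR = {4: 20, 6: 40}        # IPv4 / IPv6 header, bytes
UDP_HDR = 8
WG_DATA_HDR = 4 + 4 + 8        # message type + receiver index + counter
WG_AUTH_TAG = 16               # Poly1305 authentication tag
TCP_HDR = 20
IPV6_MIN_MTU = 1280            # minimum link MTU required for IPv6
PFSENSE_MSS_FIELD_OFFSET = 40  # assumption from the excerpt: field value - 40 = MSS


def wg_overhead(outer_ip_version):
    """Bytes WireGuard adds around each inner packet on the wire."""
    return IP_HDR[outer_ip_version] + UDP_HDR + WG_DATA_HDR + WG_AUTH_TAG


def tunnel_mtu(underlay_mtu, outer_ip_version=6):
    """Largest inner packet that fits in one underlay packet.
    Sizing for an IPv6 outer header gives a value safe for both families."""
    return underlay_mtu - wg_overhead(outer_ip_version)


def tcp_mss(mtu, inner_ip_version=4):
    """Largest TCP payload that fits in one inner packet of the given MTU."""
    return mtu - IP_HDR[inner_ip_version] - TCP_HDR


def plan(underlay_mtu, outer_ip_version=6):
    """Values for the WireGuard interface, given the WAN-side MTU."""
    mtu = tunnel_mtu(underlay_mtu, outer_ip_version)
    if tcp_mss(mtu, 6) <= 0:
        raise ValueError("underlay MTU too small to carry TCP through the tunnel")
    mss_v4 = tcp_mss(mtu, 4)
    return {
        "mtu": mtu,
        "mss_v4": mss_v4,
        "mss_v6": tcp_mss(mtu, 6),
        "pfsense_mss_field": mss_v4 + PFSENSE_MSS_FIELD_OFFSET,
        "inner_ipv6_ok": mtu >= IPV6_MIN_MTU,
    }


if __name__ == "__main__":
    for underlay in (1500, 1492):  # Ethernet, PPPoE-style (constructed inputs)
        print(underlay, plan(underlay))
```
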