[Guide] Setup a wireguard tunnel to VPN provider (multiple VPN tunnel setup)

philjoyal

firts off, Great tutorial!

Now for the issue I have. When the default gateway is set to wireguard tunnel interface, I can't access my LAN. I cam't seem to figure out the firewall rules (assuming it blocks the connection). Not much on the logs either.

Do you have any idea of whats is going on?

philjoyal

@philjoyal this is the tutorial I have follow for my lan access.
https://www.wundertech.net/how-to-set-up-wireguard-on-pfsense/

LaUs3r

Hi @philjoyal,

fist of all, your scenario is a different one as described here in this tutorial!

this tutorial: pfSense acts as Wireguard CLIENT that connects to the Wireguard SERVER of the VPN provider

your scenarion: pfSense acts as Wireguard SERVER to which you can connect with Wireguard clients (for example, on your smartphone).

In order for your Wireguard clients to be able to access the LAN, you need to define firewall rules to allow traffic from the incoming Wireguard peers (10.200.0.5/24) to your LAN.
In the tutorial you used, the Wireguard interface is called "WG_VPN". You will find in Firewall > Rules the same name. Here you need to allow "WG_VPN subnets" (source) to your LAN (destination).

philjoyal

@LaUs3r thank you for your reply. In fact my pfsense should be a client and a server. Client for vpn provider and server for my client to access my lan. My pfsense have 2 wireguard tunnels (on different port and different vinterface): client and server. My clients can connect to my lan (if wan is set as default gateway-->routing) and pfsense can connect as client for my vpn provider (default gateway set to vpn_provider) but not at the same time. my clients cant connect to lan tunnel if pfsense is connected as a client for vpn_provider.

LaUs3r

@philjoyal, do you allow NAT Outbound traffic for your Wireguard Client addresses via the Wireguard Gateway?

In Firewall > NAT > outbound you should have something like:

Interface................Source..................NAT Address
WG_VPN............10.200.0.5/24...............WG_VPN

Can you maybe post a picture of your NAT Outbound rules?

philjoyal

@LaUs3r here are some screenshos:

Screenshot from 2025-02-10 17-13-051.png

Screenshot from 2025-02-10 17-13-551.png

Screenshot from 2025-02-10 17-14-511.png

philjoyal

This post is deleted!

LaUs3r

You probably need to add a static route for your WireGuard Remote Clients VPN subnet (10.200.0.5) to use the WireGuard ISP VPN (WG_VPN)

philjoyal

@LaUs3r
Screenshot from 2025-02-10 17-27-531.png

Screenshot from 2025-02-10 17-28-041.png

philjoyal

@LaUs3r Doesn't seems to work either

LaUs3r

@philjoyal but that's not showing a static route. You need to add one in the routing tab.
Check out this guide: https://jarrodstech.net/fix-pfsense-remote-wireguard-vpn-clients-access-to-wireguard-site-to-site-vpn/

philjoyal

@LaUs3r the static route is shown in the 3rd screenshot

Gammon

I found this guide years ago. This was back before there were any pfsense VPN guides on the internet. The site has since gone down, but is still on the WayBackMachine. There is a brief explanation of the Wireguard MTU and MSS and how they relate to each other.

DevinMadeThat - Guide: Adding Proton VPN with WireGuard to pfSense

Excerpt:

MTU: 1420
Maximum Transmission Unit: Because of WireGuard's overhead, you want to set it for 1420
MSS: 1420
Maximum Segment Size: You want this clamped to 1380, but it's calculated minus 40 (for 40 bytes of v4 header) from whatever you type here. So you want to enter 1420 (1420-40=1380)