• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

[Guide] Setup a wireguard tunnel to VPN provider (multiple VPN tunnel setup)

WireGuard
3
14
2.5k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • L
    LaUs3r @philjoyal
    last edited by LaUs3r Feb 10, 2025, 12:51 PM Feb 10, 2025, 12:51 PM

    Hi @philjoyal,

    fist of all, your scenario is a different one as described here in this tutorial!

    this tutorial: pfSense acts as Wireguard CLIENT that connects to the Wireguard SERVER of the VPN provider

    your scenarion: pfSense acts as Wireguard SERVER to which you can connect with Wireguard clients (for example, on your smartphone).

    In order for your Wireguard clients to be able to access the LAN, you need to define firewall rules to allow traffic from the incoming Wireguard peers (10.200.0.5/24) to your LAN.
    In the tutorial you used, the Wireguard interface is called "WG_VPN". You will find in Firewall > Rules the same name. Here you need to allow "WG_VPN subnets" (source) to your LAN (destination).

    P 1 Reply Last reply Feb 10, 2025, 2:00 PM Reply Quote 0
    • P
      philjoyal @LaUs3r
      last edited by Feb 10, 2025, 2:00 PM

      @LaUs3r thank you for your reply. In fact my pfsense should be a client and a server. Client for vpn provider and server for my client to access my lan. My pfsense have 2 wireguard tunnels (on different port and different vinterface): client and server. My clients can connect to my lan (if wan is set as default gateway-->routing) and pfsense can connect as client for my vpn provider (default gateway set to vpn_provider) but not at the same time. my clients cant connect to lan tunnel if pfsense is connected as a client for vpn_provider.

      L 1 Reply Last reply Feb 10, 2025, 4:38 PM Reply Quote 0
      • L
        LaUs3r @philjoyal
        last edited by Feb 10, 2025, 4:38 PM

        @philjoyal, do you allow NAT Outbound traffic for your Wireguard Client addresses via the Wireguard Gateway?

        In Firewall > NAT > outbound you should have something like:

        Interface................Source..................NAT Address
        WG_VPN............10.200.0.5/24...............WG_VPN

        Can you maybe post a picture of your NAT Outbound rules?

        P 3 Replies Last reply Feb 10, 2025, 11:54 PM Reply Quote 0
        • P
          philjoyal @LaUs3r
          last edited by Feb 10, 2025, 11:54 PM

          @LaUs3r here are some screenshos:

          🔒 Log in to view

          🔒 Log in to view

          🔒 Log in to view

          L 1 Reply Last reply Feb 11, 2025, 4:13 PM Reply Quote 0
          • P
            philjoyal @LaUs3r
            last edited by Feb 10, 2025, 11:56 PM

            This post is deleted!
            1 Reply Last reply Reply Quote 0
            • L
              LaUs3r @philjoyal
              last edited by Feb 11, 2025, 4:13 PM

              You probably need to add a static route for your WireGuard Remote Clients VPN subnet (10.200.0.5) to use the WireGuard ISP VPN (WG_VPN)

              P 1 Reply Last reply Feb 11, 2025, 9:43 PM Reply Quote 0
              • P
                philjoyal @LaUs3r
                last edited by philjoyal Feb 11, 2025, 9:36 PM Feb 11, 2025, 9:35 PM

                @LaUs3r
                🔒 Log in to view

                🔒 Log in to view

                1 Reply Last reply Reply Quote 0
                • P
                  philjoyal @LaUs3r
                  last edited by Feb 11, 2025, 9:43 PM

                  @LaUs3r Doesn't seems to work either

                  L 1 Reply Last reply Feb 12, 2025, 6:29 AM Reply Quote 0
                  • L
                    LaUs3r @philjoyal
                    last edited by Feb 12, 2025, 6:29 AM

                    @philjoyal but that's not showing a static route. You need to add one in the routing tab.
                    Check out this guide: https://jarrodstech.net/fix-pfsense-remote-wireguard-vpn-clients-access-to-wireguard-site-to-site-vpn/

                    P 1 Reply Last reply Feb 12, 2025, 1:53 PM Reply Quote 0
                    • P
                      philjoyal @LaUs3r
                      last edited by Feb 12, 2025, 1:53 PM

                      @LaUs3r the static route is shown in the 3rd screenshot

                      1 Reply Last reply Reply Quote 0
                      • P philjoyal referenced this topic on Feb 12, 2025, 9:42 PM
                      • G
                        Gammon
                        last edited by Apr 10, 2025, 6:21 AM

                        I found this guide years ago. This was back before there were any pfsense VPN guides on the internet. The site has since gone down, but is still on the WayBackMachine. There is a brief explanation of the Wireguard MTU and MSS and how they relate to each other.

                        DevinMadeThat - Guide: Adding Proton VPN with WireGuard to pfSense

                        Excerpt:

                        • MTU: 1420
                          Maximum Transmission Unit: Because of WireGuard's overhead, you want to set it for 1420
                        • MSS: 1420
                          Maximum Segment Size: You want this clamped to 1380, but it's calculated minus 40 (for 40 bytes of v4 header) from whatever you type here. So you want to enter 1420 (1420-40=1380)
                        1 Reply Last reply Reply Quote 0
                        13 out of 14
                        • First post
                          13/14
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.