Netgate Discussion Forum

Is there any way pfSense can connect as a client to a VPN provider and act as a server for remote LAN access on different tunnels simultaneously?

    philjoyal
    last edited by Feb 12, 2025, 9:42 PM

    I have followed this tutorial for pfsense as a client : https://forum.netgate.com/topic/196006/guide-setup-a-wireguard-tunnel-to-vpn-provider-multiple-vpn-tunnel-setup

    and this one for the pfsense server for remote LAN access : https://www.wundertech.net/how-to-set-up-wireguard-on-pfsense/

    For some reason I can't connect to the remote LAN when my pfsense is connected to the VPN provider.

      LaUs3r @philjoyal
      last edited by LaUs3r Feb 13, 2025, 7:09 AM Feb 13, 2025, 7:05 AM

      Hi @philjoyal, yesterday I set up a Wireguard Server on my pfSense and successfully connected a Wireguard client (Android) to it. The client is able to reach the LAN and Internet via the pfSense.
      The pfSense itself connects via Wireguard to a VPN provider.

      My assumptions for your issues are:

      1. Missing firewall rules for the Wireguard SERVER interface on your pfSense
      2. NAT outbound rules

      The static route I mentioned in the other thread is NOT relevant.

      Now, regarding the settings. When I refer now to the Wireguard tunnel, it's always the tunnel with the Wireguard Server on your pfSense and your clients. My Wireguard client network is 10.100.0.1/24.

      1. Firewall rules:
        When you create the Wireguard tunnel, you'll get a new network port. You will need to assign this new network port to a new interface (Interface > Interface Assignments) in order to be able to define firewall rules afterwards.

      In my case, the newly created network port is tun_wg2.


      I renamed the interface from OPT9 to WireguardServer and specified the IPv4 settings I used for the clients of the Wireguard tunnel:


      ! I disabled the DHCP server for this interface !

      Now, the firewall rules need to be defined for that interface in order to allow traffic from the Wireguard clients.
      When you go to Firewall > Rules, you will see that there is now a tab for the interface. In my case: WIREGUARDSERVER


      For the sake of simplicity, I'll allow all traffic for now.

      2. Outbound NAT
        Here you need to ensure that the Wireguard clients (10.100.0.0/24) are allowed for outbound traffic via the Wireguard VPN tunnel to your VPN provider.


      This should do the trick with your config.
      My clients can now connect to my pfSense via Wireguard and reach my LAN and the internet. When I check the public IP of my Wireguard clients, the public IP of the VPN provider is shown. So everything works fine.

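One way to check the two conditions from the post above against an exported configuration: an enabled pass rule on the interface assigned to the WireGuard server tunnel, and an outbound NAT rule for the client subnet on the VPN-provider interface. This is an added example, not part of the original posts; the XML element names are assumed from the pfSense config.xml layout, and the sample config, `opt8` and `tun_wg0` are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense config.xml export. Element names are
# assumed from that format; opt8 is the tunnel to the VPN provider (hypothetical).
SAMPLE = """<pfsense>
 <interfaces>
  <opt8><if>tun_wg0</if><descr>VPNProvider</descr></opt8>
  <opt9><if>tun_wg2</if><descr>WireguardServer</descr>
        <ipaddr>10.100.0.1</ipaddr><subnet>24</subnet></opt9>
 </interfaces>
 <filter>
  <rule><type>pass</type><interface>opt9</interface><source><any/></source></rule>
 </filter>
 <nat><outbound><mode>hybrid</mode>
  <rule><interface>opt8</interface><source><network>10.100.0.0/24</network></source></rule>
 </outbound></nat>
</pfsense>"""

def covers(rule, net):
    """True if an outbound NAT rule's source network contains the client subnet."""
    try:
        src = ipaddress.ip_network(rule.findtext("source/network", ""), strict=False)
        return net.subnet_of(src)
    except (ValueError, TypeError):  # alias, "any", empty or other IP version
        return False

def audit(xml_text, wg_port, egress):
    """Return findings for the WireGuard server tunnel attached to wg_port."""
    root = ET.fromstring(xml_text)
    iface = next((i for i in root.find("interfaces") if i.findtext("if") == wg_port), None)
    if iface is None:
        return [f"{wg_port} is not assigned to an interface"]
    # Interface address 10.100.0.1/24 gives the client network 10.100.0.0/24.
    net = ipaddress.ip_interface(
        f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}").network
    live = lambda r: r.find("disabled") is None  # skip rules marked disabled
    findings = []
    if not any(live(r) and r.findtext("type") == "pass" and r.findtext("interface") == iface.tag
               for r in root.findall("filter/rule")):
        findings.append(f"no enabled pass rule on {iface.findtext('descr')}")
    if root.findtext("nat/outbound/mode") not in ("hybrid", "advanced"):
        findings.append("outbound NAT mode ignores manual rules")
    if not any(live(r) and r.findtext("interface") == egress and covers(r, net)
               for r in root.findall("nat/outbound/rule")):
        findings.append(f"no outbound NAT rule for {net} on {egress}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "tun_wg2", "opt8") or "ok")
```

An empty list means both conditions hold; a rule that passes this check can still be far broader than needed, such as the allow-all rule used in the post.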
        philjoyal @LaUs3r
        last edited by philjoyal Feb 14, 2025, 1:04 AM Feb 14, 2025, 1:03 AM

        @LaUs3r For some weird reason everything works fine now. Rechecked and tried all your inputs and it didn't work. So I've set back to my original settings, it still didn't work, but then after a few minutes everything was working fine. Did a reboot to check and everything is fine now. I'll have to investigate this more. Thank you for all your time and help!!!

        cheers

          LaUs3r @philjoyal
          last edited by Feb 14, 2025, 7:09 AM

          @philjoyal , good to read. let's hope it stays that way 😄

            philjoyal @LaUs3r
            last edited by Feb 14, 2025, 1:43 PM

            @LaUs3r Well, I've been playing a bit and found out my current configuration is half working as it should. First, I have to leave the WAN as the default gateway (opposite of what you configured in your guide), and the second problem is that my client doesn't have internet access (bad) when connected to the LAN but has full access to machines on the LAN (good). I'll keep looking into that.

              LaUs3r @philjoyal
              last edited by Feb 14, 2025, 1:54 PM

              After I set up my pfSense Wireguard server, my Wireguard clients had no access to LAN and Internet either.
              But: I could see the blocking of the traffic in the logs which is completely normal as no firewall rule was defined for the Wireguard interface, i.e. all my 10.100.0.1/24 was blocked.

              That's why it's so important that you assign the interface and define the rule.

              If you want, re-post all of your settings (tunnel, interface assignments, outbound nat, firewall rules, etc.).
              Probably it would be best not to redact much of the information (IPs yes, but names should be ok)

                philjoyal @LaUs3r
                last edited by Feb 14, 2025, 2:14 PM

                @LaUs3r When I check the logs (Status > System Logs > Firewall) I see nothing relevant. I edit names and all personal info (giving names can lead to a security breach, in my opinion).
