Netgate Discussion Forum
    Clients behind WireGuard-connected travel router can't use personal VPNs

      jps229
      last edited by jps229

      Hi all,

      I'm running a pfSense 2.7.2 box with dual WAN and a WireGuard server. I use a GL.iNet AX1800 travel router (OpenWRT) to establish a WireGuard tunnel back to my home when traveling (hotel use case).

      The tunnel connects fine, clients behind the travel router get Internet — but only if they are not using their own VPN tunnel (e.g. each mobile phone can use the vpn-server on its own too). If they keep their VPN active (as we want), the connection breaks.


      Goal

      • Devices should always have personal VPNs enabled, even in hotel Wi-Fi.
      • When behind the travel router's Wi-Fi, everything should "just work" — no toggling VPNs, no manual settings.
      • At home this works seamlessly (ISP/Wi-Fi/personal VPN = all fine), but not behind the travel router.

      Setup Summary

      Home pfSense setup:

      • WAN1 (ISP-A)
      • WAN2 (ISP-B)
      • Manual Outbound NAT
      • WireGuard Server (e.g. wg_server_home with subnet 172.18.0.0/24)
      • Clients behind travel router get IPs like 172.18.0.2–6

      Travel router (OpenWRT):

      • WireGuard client to home
      • IP: 172.18.0.6
      • LAN: 192.168.8.0/24
      • Masquerading enabled on VPN zone

      What works

      • Travel router successfully connects to pfSense VPN.
      • Clients behind the router get internet if personal VPNs are OFF.

      What fails

      • Devices with VPN enabled fail to connect (no DNS, no traffic).
      • VPN handshake succeeds, but traffic is dropped.
      • Once personal VPN is off, internet resumes normally (but not secured if not in the hotel room with travel-router)

      Current NAT Rules (simplified)

      Interface           Source           NAT Address            Purpose
      WAN_B               172.18.0.6/32    WAN_B addr             Travel router should exit via WAN_B
      WAN_A               172.18.0.6/32    WAN_A addr             Fallback (not ideal)
      WAN_A               172.18.0.0/24    WAN_A addr             General rule for WG subnet
      

      Policy Routing Rules

      Interface: wg_server_home
      Source: 172.18.0.6/32
      Gateway: GW_WAN_B_Priority

      Source: 172.18.0.2/32 (test phone)
      Gateway: GW_WAN_A_Priority
      Also tried a floating rule (match) for 172.18.0.2–.5 routed via different VPN gateways → same result.

      Observations

      • WireGuard tunnel works.
      • Outbound NAT works.
      • DNS issues resolved by manually allowing router access to internal DNS.

      BUT: When a client device behind the router tries to set up its own VPN, it fails unless the travel router’s WireGuard tunnel is turned off.

      I suspect this is due to asymmetric routing or stateful firewall/NAT logic?

      Question

      How can I allow clients behind a WireGuard travel router to use their own VPNs, while the travel router itself is tunneled back to pfSense?

      Bonus: Is it possible to selectively route the travel router's tunnel over one WAN, while allowing clients' personal VPNs to exit via a different WAN?

      Any ideas welcome!
      Let me know if there's a smarter approach or a trick we’re missing — thanks in advance!

      I know switching wg-tunnels would be simple. But this has no women acceptance factor with wife/daughter....
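The rule tables from the post, walked through as an added Python example (not the poster's configuration or pfSense code): it follows one packet from a client behind the travel router through the OpenWRT masquerade and then the pfSense policy-routing and first-match outbound NAT rules listed above. It assumes that masquerading on the VPN zone rewrites 192.168.8.x sources to the router's tunnel address 172.18.0.6 and that sources matching no policy rule fall back to WAN_A; under those assumptions pfSense only ever sees 172.18.0.6 for traffic from behind the router, so the per-client 172.18.0.2/32 rule can only match when that phone is connected to the WireGuard server directly.

```python
import ipaddress

# Outbound NAT rules as listed in the post (interface, source, NAT address),
# evaluated first-match from the top for the interface the packet leaves on.
NAT_RULES = [
    ("WAN_B", "172.18.0.6/32", "WAN_B addr"),
    ("WAN_A", "172.18.0.6/32", "WAN_A addr"),
    ("WAN_A", "172.18.0.0/24", "WAN_A addr"),
]
# Policy-routing rules on wg_server_home (source, gateway), also first-match.
POLICY_RULES = [
    ("172.18.0.6/32", "GW_WAN_B_Priority"),
    ("172.18.0.2/32", "GW_WAN_A_Priority"),
]
# Which WAN each gateway sits on; no match falls back to WAN_A (assumption).
GATEWAY_IFACE = {"GW_WAN_B_Priority": "WAN_B", "GW_WAN_A_Priority": "WAN_A",
                 "default": "WAN_A"}

TRAVEL_LAN = ipaddress.ip_network("192.168.8.0/24")   # travel router LAN
TRAVEL_WG_ADDR = "172.18.0.6"                         # travel router tunnel IP


def travel_router_masquerade(src: str) -> str:
    """Model OpenWRT masquerading on the VPN zone: anything from the router's
    LAN leaves the tunnel with the router's own WireGuard address (assumption)."""
    return TRAVEL_WG_ADDR if ipaddress.ip_address(src) in TRAVEL_LAN else src


def policy_gateway(src: str) -> str:
    """First policy-routing rule whose source matches, else 'default'."""
    ip = ipaddress.ip_address(src)
    for net, gw in POLICY_RULES:
        if ip in ipaddress.ip_network(net):
            return gw
    return "default"


def outbound_nat(iface: str, src: str):
    """First outbound NAT rule on the egress interface that matches the source."""
    ip = ipaddress.ip_address(src)
    for rule_iface, net, nat_addr in NAT_RULES:
        if rule_iface == iface and ip in ipaddress.ip_network(net):
            return nat_addr
    return None  # no rule hit: the packet would leave untranslated


def trace(client_src: str) -> dict:
    """Follow one packet: client -> travel router masquerade -> pfSense."""
    seen = travel_router_masquerade(client_src)
    gw = policy_gateway(seen)
    iface = GATEWAY_IFACE[gw]
    return {"seen_by_pfsense": seen, "gateway": gw, "egress": iface,
            "nat": outbound_nat(iface, seen)}
```

Running `trace("192.168.8.100")` (a constructed phone address behind the travel router) yields source 172.18.0.6, gateway GW_WAN_B_Priority and the WAN_B NAT rule, while `trace("172.18.0.2")` (the same phone connected directly) hits the GW_WAN_A_Priority rule instead.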

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.