Netgate Discussion Forum

    WireGuard Site-to-Site VPN: Route for 192.168.2.0/24 Missing in Routing Table

    tomasenskede (last edited by tomasenskede):

      Dear Netgate Support,

      I am writing to report a persistent issue with my WireGuard site-to-site VPN configuration on pfSense. Despite the WireGuard tunnel being successfully established with a Teltonika RUT950 (client), traffic from my pfSense LAN (192.168.1.0/24) to the RUT950's LAN (192.168.2.0/24) is not being routed correctly through the VPN. A tracert to 192.168.2.1 consistently shows the traffic routing out to the internet, rather than across the VPN tunnel.

      Upon inspecting the pfSense routing table (Diagnostics -> Routes), I've confirmed that there is no route for 192.168.2.0/24 that points to the WireGuard interface (tun_wg0 or wg0).

      This behavior is unexpected because:

      • The WireGuard peer configuration for the RUT950 (named "Orion" on my pfSense) explicitly lists 192.168.2.0/24 under "Allowed IPs". According to WireGuard's design and pfSense documentation, this setting should automatically create the necessary route in the kernel's routing table.
      • The WireGuard handshake between pfSense and the RUT950 is active and stable, with data consistently being transmitted and received, indicating the underlying tunnel is functional.

      My current configuration includes:

      • pfSense WireGuard Interface: Configured with 10.0.0.1/24.
      • pfSense Peer "Orion" (RUT950):
        • Public Key matches RUT950's.
        • "Allowed IPs" set to 192.168.2.0/24.
        • "Dynamic Endpoint" enabled.
      • pfSense Firewall Rules (WG0): Two "Pass" rules are in place, allowing "Any" protocol traffic between 192.168.1.0/24 and 192.168.2.0/24 in both directions.

      I have performed the following troubleshooting steps on pfSense without resolving the missing route issue:

      • Restarted the WireGuard service via Status -> Services.
      • Toggled the "Enable Peer" option for the "Orion" peer (VPN -> WireGuard -> Peers), saving and applying changes after each toggle.
      • Removed a previously added, incorrect manual gateway under System -> Routing -> Gateways that was pointing to 10.0.0.1/24.

      On the RUT950 side:

      • WireGuard Interface IP: 10.0.0.2/24.
      • WireGuard Peer (pfSense): "Allowed IPs" set to 192.168.1.0/24 with "Route allowed IPs" enabled.
      • Firewall: The "Forward" policy for the WireGuard zone (named "wireguard") has been explicitly set to Accept.
      • The RUT950 has been rebooted after all configuration changes.

      Given that the handshake is established and "Allowed IPs" are configured, the absence of the route in pfSense's routing table is the primary roadblock.

      Could you please investigate why this route is not being added automatically and provide guidance on resolving this?

      Thank you,

      chpalmer @tomasenskede (last edited by chpalmer):

        @tomasenskede

        System / Routing / Gateways? You did add a gateway and static route, correct?

        I am not affiliated with support but do have this working myself, just not on an RUT950.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        Jarhead @tomasenskede:

          @tomasenskede WireGuard doesn't add routes automatically. And adding the "Allowed IPs" is not the same as adding routes.
          As stated, you need to add routes manually with WireGuard.

          tomasenskede @Jarhead:

            @Jarhead said in WireGuard Site-to-Site VPN: Route for 192.168.2.0/24 Missing in Routing Table:

            @tomasenskede WireGuard doesn't add routes automatically. And adding the "Allowed IPs" is not the same as adding routes.
            As stated, you need to add routes manually with WireGuard.

            THANKS! When I added a gateway and static route it started to work fine, thanks @Jarhead

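The distinction Jarhead draws (a peer's "Allowed IPs" is WireGuard's own cryptokey routing table, which decides which peer a packet may go to once it is already on the tunnel interface; the kernel routing table decides whether a packet ever reaches that interface at all) can be checked mechanically. The following Python script is an added example written for this thread; it is not code from the thread, from pfSense or from Netgate. It assumes FreeBSD-style `netstat -rn -f inet` output and the `wg show <iface> allowed-ips` line format (public key, a tab, space-separated prefixes); both tables below are constructed, and the peer key is a placeholder. For every allowed prefix it performs the same longest-prefix match the kernel would and reports which interface actually wins. The "before" table reproduces the original post's symptom (192.168.2.0/24 falls through to the default route on the WAN interface), and the "after" table adds the gateway plus static route that resolved the thread.

```python
"""Check that each WireGuard peer 'Allowed IPs' prefix has a kernel route on the
WireGuard interface. Added example; formats and sample data are assumed/constructed."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: FreeBSD-style `netstat -rn -f inet` on pfSense, before the fix.
# 192.168.2.0/24 appears nowhere, so the default route (em0 = WAN) wins for it.
SAMPLE_ROUTES_BEFORE = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.0.0/24        link#5             U       tun_wg0
10.0.0.1           link#5             UHS         lo0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U           em1
192.168.1.1        link#1             UHS         lo0
"""

# Constructed sample: same table after adding a gateway (10.0.0.2 on tun_wg0) under
# System -> Routing -> Gateways and a static route for 192.168.2.0/24 through it.
SAMPLE_ROUTES_AFTER = SAMPLE_ROUTES_BEFORE + \
    "192.168.2.0/24     10.0.0.2           UGS     tun_wg0\n"

# Constructed sample: `wg show tun_wg0 allowed-ips` (assumed format: one peer per line,
# public key, a tab, then space-separated prefixes). The key is a placeholder.
SAMPLE_ALLOWED_IPS = "PLACEHOLDER_ORION_PUBKEY=\t192.168.2.0/24 10.0.0.2/32\n"

Network = ipaddress._BaseNetwork
Route = Tuple[Network, str]          # (destination network, outgoing interface)
Finding = Tuple[str, str, Optional[str], Optional[str]]  # (prefix, status, route, netif)


def parse_routes(text: str) -> List[Route]:
    """Parse the IPv4 section of `netstat -rn` into (network, interface) pairs."""
    routes: List[Route] = []
    in_table = False
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["Destination"]:   # column header starts the table
            in_table = True
            continue
        if not in_table or len(parts) < 4:
            continue
        dest, netif = parts[0], parts[3]   # Destination, Gateway, Flags, Netif
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            routes.append((ipaddress.ip_network(dest, strict=False), netif))
        except ValueError:
            continue  # malformed row; a bare host address is treated as /32 above
    return routes


def parse_allowed_ips(text: str) -> List[Tuple[str, List[Network]]]:
    """Parse `wg show <iface> allowed-ips` into (pubkey, [prefixes]) pairs."""
    peers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pubkey, _, prefixes = line.partition("\t")
        nets = [ipaddress.ip_network(p, strict=False) for p in prefixes.split()]
        peers.append((pubkey, nets))
    return peers


def best_route(routes: List[Route], prefix: Network) -> Optional[Route]:
    """Longest-prefix match: the route the kernel would pick for traffic to `prefix`."""
    candidates = [r for r in routes
                  if r[0].version == prefix.version and r[0].supernet_of(prefix)]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def check_allowed_ip_routes(routes: List[Route],
                            peers: List[Tuple[str, List[Network]]],
                            wg_if: str) -> List[Finding]:
    """One finding per allowed prefix: OK if the winning route leaves via wg_if,
    WRONG_INTERFACE if some other route (e.g. default via WAN) wins, MISSING if none."""
    findings: List[Finding] = []
    for _pubkey, nets in peers:
        for net in nets:
            match = best_route(routes, net)
            if match is None:
                findings.append((str(net), "MISSING", None, None))
            elif match[1] != wg_if:
                findings.append((str(net), "WRONG_INTERFACE", str(match[0]), match[1]))
            else:
                findings.append((str(net), "OK", str(match[0]), match[1]))
    return findings


if __name__ == "__main__":
    peers = parse_allowed_ips(SAMPLE_ALLOWED_IPS)
    for label, table in (("before", SAMPLE_ROUTES_BEFORE), ("after", SAMPLE_ROUTES_AFTER)):
        print(f"== {label} ==")
        for prefix, status, dest, netif in check_allowed_ip_routes(parse_routes(table), peers, "tun_wg0"):
            print(f"{prefix:18} {status:16} via {dest} on {netif}")
```

On a live pfSense box the two inputs would come from `netstat -rn -f inet` and `wg show tun_wg0 allowed-ips` in a shell (Diagnostics -> Command Prompt). A WRONG_INTERFACE finding on the default route is exactly the tracert-to-the-internet symptom from the first post, and it is cleared by the static route, not by anything in the peer's Allowed IPs.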
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.