Netgate Discussion Forum
    • S

      How do I route outgoing email over WireGuard Tunnel?

      Routing and Multi WAN wireguard tunnels routiing help gateway
      0 Votes
      29 Posts
      4k Views
      Bob.Dig

      @Gertjan said in How do I route outgoing email over WireGuard Tunnel?:

      Of course I have DANE available and set up:

      I just noticed I had to recreate the TLSA records, something with Let's Encrypt must have changed. I hope I am good now for some time...

    • F

      Make a Túnnel trought IPSSEC and OpenVPN using PFSense

      General pfSense Questions pfsense open vpn ipsec tunnels
      0 Votes
      4 Posts
      695 Views
      stephenw10

      @felipefonsecabh said in Make a Túnnel trought IPSSEC and OpenVPN using PFSense:

      Router of External Access can ping DVC1

      What source IP does it use for that?
      To pass the IPSec tunnel it must be in the 192.168.15.0/24 subnet.
      In which case it can only be the External Access router blocking traffic clients on its LAN. Or potentially redirecting traffic past the IPSec tunnel?
      What is that device?

      Steve

    • J

      Tunneled public IP space on pfsense -- I *think* this is the right idea?

      General pfSense Questions public ip tunnels
      0 Votes
      2 Posts
      349 Views
      jimp

      That's right, though you do have to watch that the rules on your tunnel interface have reply-to in the ruleset. For GIF/GRE, they should have it by default, but double check that to be certain. You need that because otherwise the reply packets would take your default route outbound no matter what you have set on the rules.

      Also make sure you don't have any outbound NAT active on the tunnel interface.

      One last note, I strongly suggest you put devices using those public addresses on their own segment like a DMZ interface. It's a bad practice to mix public and private subnet traffic on an interface for a variety of reasons. So unless LAN is dedicated to using only the public addresses, you should make another interface.