WireGuard overriding static routes
-
Greetings,
This is in regards to this Redmine issue: https://redmine.pfsense.org/issues/11326.
I have multiple sites, each behind a router. All of the routers are connected in a fiber loop, using OSPF to handle all of the site-site routing. On one of these sites, I have an internet connection. At that location, I have a pfSense system that connects my fiber loop to the internet.
The pfSense setup is pretty simple, just WAN and LAN interfaces with very few rules, as I let my site routers handle all the site-site traffic. pfSense is only concerned with traffic going to and coming from the Internet.
I ran into a problem when I was setting up the network, and I determined that while my site routers could find pfSense (via default gateways), pfSense did not know how to send packets back to these routers. After some reading, I learned that pfSense is only aware of the networks that it is directly connected to. Makes sense. So, the way I tell pfSense how to send packets to these site routers is via static routes. If a packet comes from router A, B, or C (site routers), send the return packet to the router that is connecting pfSense to the fiber loop, and then that router will know what to do. It's my understanding that this is the purpose of static routes, and I'm not sure how I could set up my network any other way.
Now, in testing 2.5, I want to use WireGuard to make internal network resources available remotely. So in my WireGuard config, I set Allowed IPs to my local networks (the same networks as the pfSense static routes), as these networks are where my devices reside.
When I do this, I lose connectivity to the firewall. WireGuard is hijacking my static routes, breaking connectivity from pfSense to my internal network. My static routes are now being redirected to the wg0 interface, instead of going out of my custom gateway as they normally would.
This is happening with no peers connected to the tunnel. If this is normal WireGuard behavior, then is it even possible to use it on a network setup that requires static routes?
On a separate pfSense network that does not require static routes, I am able to set WireGuard Allowed IPs to internal networks with no issue, though these networks are directly connected to pfSense.
-
@aerowinder said in WireGuard overriding static routes:
Now, in testing 2.5, I want to use WireGuard to make internal network resources available remotely. So in my WireGuard config, I set Allowed IPs to my local networks (the same networks as the pfSense static routes), as these networks are where my devices reside.
You have the purpose of that field backwards.
The networks in Allowed IPs are the networks on the peer side that the firewall can reach through that peer. It is not local networks.
WireGuard doesn't have a way to tell peers what they should send to this end -- that's up to the peers themselves.
So you'd set Allowed IPs in the remote peer/client configuration to use your local networks, not on the firewall.
For each peer on the firewall, the Allowed IPs field should only contain the tunnel address of that specific peer/client.
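As an added illustration of the reply above (example code, not pfSense's or WireGuard's own; every address is a constructed sample value): a small Python model of WireGuard's cryptokey routing that flags when a firewall-side Allowed IPs entry would claim a route the firewall already has, and shows where each network belongs instead.

```python
# Added example (not pfSense code): model WireGuard cryptokey routing to
# show why Allowed IPs on the firewall must not contain local networks.
# All addresses below are constructed sample values.
from ipaddress import ip_network

# Routes the firewall already has: the directly connected LAN plus the
# static routes toward the site routers behind the fiber loop (constructed).
EXISTING_ROUTES = {
    "192.168.1.0/24": "connected (LAN)",
    "10.1.0.0/24": "static via loop gateway",
    "10.2.0.0/24": "static via loop gateway",
    "10.3.0.0/24": "static via loop gateway",
}

def wg_routes(peers):
    """Every Allowed IPs prefix configured on this side becomes a route to
    the wg interface, whether or not the peer is connected."""
    return {ip_network(p): name for name, prefixes in peers.items() for p in prefixes}

def conflicts(peers, existing=EXISTING_ROUTES):
    """Return (allowed_ip, existing_route, peer) triples where a WireGuard
    route would overlap a route the firewall still needs."""
    found = []
    for net, name in wg_routes(peers).items():
        for route in existing:
            if net.overlaps(ip_network(route)):
                found.append((str(net), route, name))
    return found

def peer_allowed_ips_ok(prefixes):
    """On the firewall, a peer's Allowed IPs should hold only that peer's
    tunnel address, i.e. host prefixes (/32 or /128)."""
    return all(ip_network(p).prefixlen == ip_network(p).max_prefixlen for p in prefixes)

def split_config(peer_tunnel_ip, internal_networks):
    """Where each network belongs: the firewall lists only the peer's tunnel
    address; the remote client lists the networks it reaches via the tunnel."""
    return {
        "firewall_peer_allowed_ips": [f"{peer_tunnel_ip}/32"],
        "client_allowed_ips": sorted(internal_networks, key=ip_network),
    }

if __name__ == "__main__":
    wrong = {"laptop": ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]}  # local nets on firewall
    right = {"laptop": ["10.200.0.2/32"]}  # only the peer's tunnel address
    for c in conflicts(wrong):
        print("conflict:", c)
    print("firewall peer ok:", peer_allowed_ips_ok(right["laptop"]))
    print(split_config("10.200.0.2", ["10.1.0.0/24", "10.2.0.0/24", "192.168.1.0/24"]))
```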
-
Wow, I'm a dumb-dumb. Thanks, I really appreciate the help!
-
WireGuard is a learning experience for all of us!
We're still refining the GUI labels and documentation to hopefully make all this more clear.