Netgate Discussion Forum
    Instruction: WireGuard to VPN provider (vpnunlimited) only for a specific subnet

    bthoven (last edited by bthoven):

      My requirement:
      Any device that connects wirelessly to a specific SSID on my access point will get internet access through my VPN provider (vpnunlimited) automatically.
      The SSID is associated with a VLAN and has a separate subnet defined in my pfSense (v.2.5.2).

      I'll skip the part where I set up the VLAN and a separate subnet on my main AP and pfSense. Just ensure your device can access the internet, without VPN, after this preliminary step.

      Summary setup steps:

      1. Obtain the WireGuard setup configuration from your VPN provider's website.
      2. Start the setup on pfSense:
        2.1 Create a new WireGuard VPN tunnel, interface, and gateway.
        2.2 Create a new peer.
        2.3 Specify the VPN DNS server in the DNS servers section of the DHCP service for your desired subnet. This will ensure no DNS leak.

      Detailed steps:

      Obtain the WireGuard setup configuration from your VPN provider's website.

      On pfSense, create a new WireGuard tunnel and peer.

      Add a new interface for the tunnel.

      Set up the interface and also add a new gateway.

      The new gateway is added.

      Up to this step, you should see the handshake between your pfSense and your WireGuard VPN provider.

      If you add the bandwidth and gateway dashboard, you should see the connection activities.

      Once your WireGuard tunnel is online with a good handshake status, you can move on to define which network in your pfSense you want to access through this VPN tunnel. In my case, I want the whole subnet named BBC_WG_VLAN11 to access the VPN automatically. So I have to change its gateway to the new WireGuard gateway I created in the earlier step above, by going to the firewall rule:

      Inside the rule, ensure you choose your source to be the whole subnet (my own requirement) and, under the Advanced Options, choose the VPN gateway.

      Note: if you want only a specific IP on your main LAN to always go through the VPN, you may create another firewall rule on your main LAN interface, specifying a single host and putting in the IP. Don't forget to specify the VPN gateway for that rule too.
      Under the Advanced Options, choose a VPN gateway.

      That's all the setup. Now you can use your device's Wi-Fi to connect to the SSID and run a speed test; you should see two strange server names.

      You may also go to dnsleak.com to check whether you have a DNS leak or not. It won't leak if you set it up right.

      Please let me know whether you find this instruction useful, or whether I should improve any of the settings above.

      Thank you.
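Added example (not part of bthoven's post or any Netgate/pfSense code): step 1 of the walkthrough hands you a WireGuard client `.conf` from the provider, and steps 2.1 to 2.3 spread its fields across four pfSense screens (tunnel, peer, interface, DHCP DNS). The script below parses a config in that format and lists which value goes where, plus two caveats a practitioner checks before writing the firewall rule: whether the peer's AllowedIPs actually covers all destinations (WireGuard silently drops policy-routed packets whose destination is outside the peer's AllowedIPs), and whether the config supplies a DNS server to hand out on the VLAN. The sample config, its addresses, the endpoint hostname and the all-zero keys are constructed placeholders, not vpnunlimited's real values.

```python
"""Map a VPN provider's WireGuard client .conf onto the pfSense objects from
this walkthrough: tunnel (private key), peer (public key, endpoint, AllowedIPs,
keepalive), interface address, and the DNS server to hand out via DHCP on the
VLAN subnet. Added example, not bthoven's or Netgate's code."""
import base64
import ipaddress
from typing import Dict, List, Optional

# Dummy 32-byte key (all zeros, base64) so the sample parses; real keys differ.
DUMMY_KEY = base64.b64encode(bytes(32)).decode()

# Constructed sample in the format VPN providers hand out. Hostname and
# addresses are placeholders, not the provider's real values.
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {DUMMY_KEY}
Address = 10.66.0.2/32
DNS = 10.66.0.1

[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn-gateway.example.invalid:51820
PersistentKeepalive = 25
"""

Section = Dict[str, List[str]]


def parse_wg_conf(text: str) -> Dict[str, List[Section]]:
    """Parse an INI-style WireGuard config into {"Interface": [..], "Peer": [..]}.
    Hand-rolled because WireGuard allows repeated keys and several [Peer]
    sections, which configparser rejects. Comma lists are split into items."""
    sections: Dict[str, List[Section]] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1].strip(), []).append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key, []).extend(
            item.strip() for item in value.split(",") if item.strip())
    return sections


def valid_key(b64: str) -> bool:
    """WireGuard Curve25519 keys are exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def pfsense_plan(conf_text: str) -> dict:
    """Return the values to enter on each pfSense screen plus caveats."""
    conf = parse_wg_conf(conf_text)
    iface = conf["Interface"][0]
    peers = conf.get("Peer", [])
    if len(peers) != 1:
        raise ValueError("expected exactly one [Peer] section")
    peer = peers[0]
    if not (valid_key(iface["PrivateKey"][0]) and valid_key(peer["PublicKey"][0])):
        raise ValueError("malformed key")
    host, _, port = peer["Endpoint"][0].rpartition(":")
    allowed = [ipaddress.ip_network(a, strict=False) for a in peer.get("AllowedIPs", [])]
    # A 0.0.0.0/0 entry means the peer accepts any IPv4 destination.
    full_tunnel = any(n.version == 4 and n.prefixlen == 0 for n in allowed)
    dns = iface.get("DNS", [])
    warnings = []
    if not full_tunnel:
        warnings.append("AllowedIPs lacks 0.0.0.0/0: packets policy-routed to this "
                        "gateway with other destinations are dropped by cryptokey routing")
    if not dns:
        warnings.append("no DNS line: the VLAN's DHCP DNS server must be a resolver "
                        "reached through the tunnel, or lookups leak out the WAN")
    return {
        "tunnel": {"private_key": iface["PrivateKey"][0]},
        "peer": {
            "public_key": peer["PublicKey"][0],
            "preshared_key": peer.get("PresharedKey", [None])[0],
            "endpoint_host": host.strip("[]"),  # strip IPv6 literal brackets
            "endpoint_port": int(port),
            "allowed_ips": [str(n) for n in allowed],
            "keepalive": int(peer.get("PersistentKeepalive", ["0"])[0]),
        },
        "interface_addresses": iface.get("Address", []),
        "dhcp_dns_servers": dns,
        "warnings": warnings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(pfsense_plan(SAMPLE_CONF), indent=2))
```

Run it against the provider's real file instead of `SAMPLE_CONF` to get the per-screen values; the `dhcp_dns_servers` entry is what goes into the DHCP DNS field of the VLAN subnet in step 2.3, and a non-empty `warnings` list means the firewall rule alone will not give the subnet working VPN access.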

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.