Netgate Discussion Forum

    Can't route LAN to NORDLYNX Wireguard Client

    Firewalling
    2 Posts 1 Posters 1.2k Views
      crankshaft
      last edited by crankshaft

      Spent the last couple of days on this, and set it up based mostly on info from a Reddit post, but that was based on the previous version of pfSense.

      Initially I set up a Debian 10 VM and installed the NordVPN Linux app, configured it for WireGuard, connected, and extracted the keys, IP address, host IP and allowed IPs from the WireGuard client to use in the pfSense Tunnel / Peer.

      In pfSense, I have successfully set up the Tunnel and Peer. The Peer Connection under VPN > WireGuard > Status shows a green successful handshake, so it seems that it is connected.

      The notes on Reddit appear to say that the NordLynx routing GATEWAY should be set to x.x.x.1 and the INTERFACE IPv4 address should be set to x.x.x.2, which is what I have done.

      On the main dashboard page, both the GATEWAY and the INTERFACE are shown as green and Online, although the RTT for the Gateway shows 0.0ms, and I would expect that to be around 150ms, which is what the OpenVPN client gateway shows for a server close to the WireGuard server.

      In the Debian virtual machine console that is connected to NordLynx, I can successfully ping both the x.x.x.1 and the x.x.x.2 IPs, but in the pfSense console I can only ping the x.x.x.2 IP address and NOT the x.x.x.1 gateway.

      Also, in the Debian VM, ifconfig shows me that BOTH the IP and the GATEWAY are set to the same IP, x.x.x.2, which contradicts what seems to be stated on Reddit (I have redacted the actual IP):

      DEBIAN VM

      nordlynx: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
              inet X.X.X.2  netmask 255.255.255.255  destination X.X.X.2
              unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
              RX packets 19729977  bytes 23392288464 (21.7 GiB)
              RX errors 0  dropped 0  overruns 0  frame 0
              TX packets 5933036  bytes 2047582536 (1.9 GiB)
              TX errors 0  dropped 164207 overruns 0  carrier 0  collisions 0
      

      PFSENSE

      tun_wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1500
      	description: NORDLYNX
      	options=80000<LINKSTATE>
      	inet x.x.x.2 netmask 0xffff0000
      	groups: wg WireGuard
      	nd6 options=101<PERFORMNUD,NO_DAD>
      

      But I just can't figure out how to route packets from specific client IPs on my LAN, via the INTERFACE and GATEWAY to the nordlynx wireguard server.

      I thought all that was needed was a LAN firewall rule to route packets from a LAN client to the GATEWAY, but that does not work. Here's what I have:

      Firewall Rule

      Action: Pass
      Interface: LAN
      Address Family: IPV4
      Protocol: Any
      Source: Single Host > 192.168.0.85 (my laptop ip)
      Destination: Any
      Advanced > Gateway: The INTERFACE/GATEWAY setup above.
      

      But the packets are not routed from my laptop via the INTERFACE/GATEWAY, and a traceroute to a known WAN IP address just stops at the pfSense router.

      Any help / suggestions would be much appreciated.

        crankshaft @crankshaft
        last edited by

        I managed to solve this.

        I needed to add a NAT rule and fix the allowed IPs in the Peer definition, which used a /32 netmask and should have used a /0 netmask.

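An added example, not code from the post, from pfSense or from WireGuard: a Python simulation of WireGuard's cryptokey routing, which is what makes both halves of the fix above necessary (AllowedIPs 0.0.0.0/0 on the peer, plus an outbound NAT rule on the tunnel interface). WireGuard does not consult the kernel routing table to pick a peer; an outbound packet goes to the peer whose AllowedIPs contains the destination (longest prefix wins) and is dropped if no peer matches, and an inbound packet is accepted only if its source lies inside the sending peer's AllowedIPs. The tunnel addresses 10.5.0.1 and 10.5.0.2, the endpoint 203.0.113.10 and the key strings are constructed placeholders, and the server-side peer table (only the client's own tunnel address) is an assumption about how a commercial VPN server is configured.

```python
"""Simulation of WireGuard cryptokey routing (added example, not code from
the post, pfSense or WireGuard). Addresses, endpoint and keys are constructed
placeholders; the server-side peer table is an assumption."""
from ipaddress import ip_address, ip_network

# Constructed placeholder for the client (pfSense) side, with the /32 that
# was in the original Peer definition.
WRONG_CONFIG = """
[Interface]
Address = 10.5.0.2/32
PrivateKey = <redacted>

[Peer]
PublicKey = <nordlynx-server-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.5.0.1/32
"""

# The corrected Peer: 0.0.0.0/0 so every IPv4 destination maps to this peer.
FIXED_CONFIG = WRONG_CONFIG.replace("AllowedIPs = 10.5.0.1/32",
                                    "AllowedIPs = 0.0.0.0/0")

# Assumption: the server's peer entry for this client lists only the
# client's tunnel address, as a commercial VPN server would configure it.
CLIENT_KEY = "<client-key>"
SERVER_SIDE_PEERS = [(CLIENT_KEY, [ip_network("10.5.0.2/32")])]


def parse_peers(text):
    """Return [(public_key, [ip_network, ...]), ...] from the [Peer]
    sections of a wg-quick style config; [Interface] is ignored."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = {"key": None, "allowed": []} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))  # base64 keys end in '='
        if key.lower() == "publickey":
            current["key"] = value
        elif key.lower() == "allowedips":
            current["allowed"] += [ip_network(p.strip(), strict=False)
                                   for p in value.split(",")]
    return [(p["key"], p["allowed"]) for p in peers]


def select_peer(peers, dst):
    """Outbound cryptokey routing: the peer whose AllowedIPs contains dst
    with the longest prefix, or None, which WireGuard treats as drop.
    The kernel routing table plays no part in this choice."""
    dst, best, best_len = ip_address(dst), None, -1
    for key, nets in peers:
        for net in nets:
            if dst in net and net.prefixlen > best_len:
                best, best_len = key, net.prefixlen
    return best


def accepts_inbound(peers, key, src):
    """Inbound check: after decryption a packet from peer `key` is delivered
    only if its source address is inside that peer's AllowedIPs."""
    src = ip_address(src)
    return any(k == key and any(src in n for n in nets) for k, nets in peers)


def simulate(client_cfg, src, dst, nat_to=None):
    """Follow one LAN packet from the pfSense box to the VPN server.
    nat_to: the source address after outbound NAT on the tunnel interface."""
    if select_peer(parse_peers(client_cfg), dst) is None:
        return "NO_PEER"             # dropped locally; traceroute dies at the firewall
    if not accepts_inbound(SERVER_SIDE_PEERS, CLIENT_KEY, nat_to or src):
        return "REJECTED_BY_SERVER"  # encrypted and sent, silently discarded remotely
    return "OK"


if __name__ == "__main__":
    for cfg, name in ((WRONG_CONFIG, "/32 peer"), (FIXED_CONFIG, "/0 peer")):
        print(name, "no NAT:", simulate(cfg, "192.168.0.85", "1.1.1.1"))
        print(name, "NAT to 10.5.0.2:", simulate(cfg, "192.168.0.85", "1.1.1.1", "10.5.0.2"))
    print("/0 peer, IPv6 destination:", simulate(FIXED_CONFIG, "192.168.0.85", "2606:4700::1111"))
```

With the /32, `select_peer` finds no peer for a WAN destination and the packet is dropped before it reaches the wire, which is the traceroute that stops at the firewall. With 0.0.0.0/0 the packet is sent, but a source of 192.168.0.85 is outside the server's AllowedIPs for this client, so the far end discards it; translating the source to the tunnel interface address (10.5.0.2) is what the outbound NAT rule does, in pfSense under Firewall > NAT > Outbound with a rule on the NORDLYNX interface for the LAN subnet. The last line of the demo shows the IPv6 caveat: with only 0.0.0.0/0, an IPv6 destination matches no peer, so either add ::/0 if the provider carries IPv6 or restrict the LAN policy-routing rule to IPv4 so that traffic is not left to another path.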
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.