Can't route LAN to NORDLYNX Wireguard Client
-
Spent the last couple of days on this, and set it up based mostly on info from a Reddit post, but that was based on the previous version of pfSense.
Initially I set up a Debian 10 VM and installed the NordVPN Linux app, configured it for WireGuard, connected, and extracted the keys, IP address, host IP and allowed IPs from the WireGuard client to use in the pfSense Tunnel / Peer.
In pfSense, I have successfully set up the Tunnel and Peer. The Peer Connection under VPN > WireGuard > Status shows a green successful handshake, so it seems that it is connected.
The notes on Reddit appear to say that the Nordlynx routing GATEWAY should be set to x.x.x.1 and the INTERFACE IPV4 address should be set to x.x.x.2, which is what I have done.
On the main dashboard page, both the GATEWAY and the INTERFACE are shown as green and Online, although the RTT for the Gateway shows 0.0ms, and I would expect that to be around 150ms, which is what the OpenVPN client gateway shows for a server close to the WireGuard server.
In the Debian virtual machine console that is connected to NordLynx, I can successfully ping both the x.x.x.1 and the x.x.x.2 IPs, but in the pfSense console I can only ping the x.x.x.2 IP address and NOT the x.x.x.1 gateway.
Also, in the Debian VM, ifconfig shows me that BOTH the IP and the GATEWAY are set to the same IP x.x.x.2, which contradicts what seems to be stated on Reddit (I have redacted the actual IP):
DEBIAN VM
nordlynx: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet X.X.X.2  netmask 255.255.255.255  destination X.X.X.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 19729977  bytes 23392288464 (21.7 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5933036  bytes 2047582536 (1.9 GiB)
        TX errors 0  dropped 164207  overruns 0  carrier 0  collisions 0
PFSENSE
tun_wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1500
        description: NORDLYNX
        options=80000<LINKSTATE>
        inet x.x.x.2 netmask 0xffff0000
        groups: wg WireGuard
        nd6 options=101<PERFORMNUD,NO_DAD>
But I just can't figure out how to route packets from specific client IPs on my LAN, via the INTERFACE and GATEWAY, to the NordLynx WireGuard server.
I thought all that was needed was a LAN firewall rule to route packets from a LAN client to the GATEWAY, but that does not work; here's what I have:
Firewall Rule
Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: Any
Source: Single Host > 192.168.0.85 (my laptop IP)
Destination: Any
Advanced > Gateway: the INTERFACE/GATEWAY set up above
But the packets are not routed from my laptop via the INTERFACE/GATEWAY, and a traceroute to a known WAN IP address just stops at the pfSense router.
Any help / suggestions would be much appreciated.
-
I managed to solve this.
I needed to add a NAT rule and fix the allowed IPs in the Peer definition, which used a /32 netmask and should have used a /0 netmask.
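The two fixes in the reply above map onto two checks WireGuard makes with a peer's AllowedIPs: on the way out it only sends a packet to a peer whose AllowedIPs contain the destination (longest prefix wins, so a single /32 covers nothing else), and on the way in it drops a decrypted packet whose inner source is outside the sender's AllowedIPs (which is why the LAN source 192.168.0.85 has to be NATed to the tunnel address). The following Python is an added illustration that models those two checks and the NAT step; it is not code from the thread, pfSense or NordVPN, and every address in it (10.5.0.1, 10.5.0.2, 192.168.50.0/24, the "site-b" peer, and the assumption that the broken /32 was the server's tunnel address) is a constructed placeholder. It also goes one step past the thread by showing the longest-prefix choice between two peers.

```python
import ipaddress

# Constructed placeholders, not the poster's real NordLynx addresses.
CLIENT_TUNNEL_IP = "10.5.0.2"   # the x.x.x.2 "INTERFACE" address in the thread
SERVER_TUNNEL_IP = "10.5.0.1"   # the x.x.x.1 "GATEWAY" address in the thread


def parse_allowed(cidrs):
    """Turn AllowedIPs strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Client-side peer tables for the NordLynx server. The /32 version stands in for
# the broken Peer definition (assumed here to be the server's tunnel address);
# the /0 version is the fix from the reply.
PEERS_SLASH32 = {"nordlynx": parse_allowed([SERVER_TUNNEL_IP + "/32"])}
PEERS_SLASH0 = {"nordlynx": parse_allowed(["0.0.0.0/0"])}

# Beyond the thread: a second peer with a more specific prefix, to show that
# longest prefix wins even when another peer claims 0.0.0.0/0.
PEERS_SPLIT = {
    "nordlynx": parse_allowed(["0.0.0.0/0"]),
    "site-b": parse_allowed(["192.168.50.0/24"]),
}

# Server-side view of this client: the server only keeps packets whose inner
# source address is the client's own tunnel IP.
SERVER_ALLOWED_FOR_CLIENT = parse_allowed([CLIENT_TUNNEL_IP + "/32"])


def select_peer(peers, dst_ip):
    """Outbound cryptokey routing: pick the peer whose AllowedIPs entry is the
    longest prefix containing dst_ip; None means WireGuard has nowhere to send it."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in nets:
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def peer_accepts_source(allowed, src_ip):
    """Inbound check: a decrypted packet is kept only if its source is in the
    sending peer's AllowedIPs; otherwise it is silently dropped."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in allowed)


def forward_lan_packet(peers, src_ip, dst_ip, outbound_nat):
    """Trace one LAN packet that the firewall rule policy-routed into the tunnel.

    outbound_nat=True models a pfSense outbound NAT rule on the WireGuard
    interface that rewrites the source to the tunnel address before encryption.
    Returns a status string describing where the packet ends up.
    """
    peer = select_peer(peers, dst_ip)
    if peer is None:
        return "dropped locally: no peer AllowedIPs covers %s" % dst_ip
    inner_src = CLIENT_TUNNEL_IP if outbound_nat else src_ip
    if not peer_accepts_source(SERVER_ALLOWED_FOR_CLIENT, inner_src):
        return "dropped by server: source %s not in its AllowedIPs" % inner_src
    return "forwarded via %s with source %s" % (peer, inner_src)


if __name__ == "__main__":
    laptop, wan_host = "192.168.0.85", "1.1.1.1"   # constructed sample packet
    print("/32, NAT on :", forward_lan_packet(PEERS_SLASH32, laptop, wan_host, True))
    print("/0,  NAT off:", forward_lan_packet(PEERS_SLASH0, laptop, wan_host, False))
    print("/0,  NAT on :", forward_lan_packet(PEERS_SLASH0, laptop, wan_host, True))
    print("split table :", select_peer(PEERS_SPLIT, "192.168.50.7"))
```

Running it shows the three states from the thread in order: with the /32 peer the packet never leaves the firewall (no peer matches, which is also why a traceroute stops at pfSense), with /0 but no NAT it is encrypted and sent but the far side discards it because the inner source is a LAN address, and with /0 plus outbound NAT it is forwarded. The split table shows 192.168.50.7 going to "site-b" rather than the catch-all peer.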