Netgate Discussion Forum
    WireGuard tunnel only allows one way data transfer to internet

    General pfSense Questions
    6 Posts 3 Posters 1.4k Views
    • G
      gelcom
      last edited by gelcom

      Hi all, sorry for the noob question but any help is appreciated.

      I have a remote Oracle VM machine running WireGuard with the following wg0.conf.

      What I want to accomplish is to have all my local internet requests going out via this remote Oracle VM machine.

      [Interface]
      PrivateKey = XXXX
      Address = 10.168.13.2/24
      ListenPort = 51820

      # enable forwarding, masquerade tunnel and LAN sources out of ens3, and
      # open the tunnel interface in both forwarding directions
      PreUp = sysctl -w net.ipv4.ip_forward=1
      PreUp = iptables -t nat -I POSTROUTING 1 -s 10.168.13.1/24 -o ens3 -j MASQUERADE
      PreUp = iptables -t nat -I POSTROUTING 1 -s 192.168.0.0/16 -o ens3 -j MASQUERADE
      PreUp = iptables -I INPUT 1 -i wg0 -j ACCEPT
      PreUp = iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
      PreUp = iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
      # remove the same rules again when the tunnel goes down
      PostDown = iptables -t nat -D POSTROUTING -s 10.168.13.1/24 -o ens3 -j MASQUERADE
      PostDown = iptables -t nat -D POSTROUTING -s 192.168.0.0/16 -o ens3 -j MASQUERADE
      PostDown = iptables -D INPUT -i wg0 -j ACCEPT
      PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
      PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT

      [Peer]
      PublicKey = XXXX
      Endpoint = pfsense.external.ip:51820
      # an AllowedIPs line is required here: wg neither routes to nor accepts
      # traffic from a peer without one

      On my local side I have a pfSense machine with WireGuard set up as follows:

      [Interface]
      PrivateKey = XXXXXX
      ListenPort = 51820

      [Peer]
      PublicKey = XXXX
      AllowedIPs = 10.168.13.2/32,0.0.0.0/0
      PersistentKeepalive = 15

      The tunnel is established.

      This WireGuard tunnel is assigned to a 10.16.13.1/24 interface.
      This interface was assigned to a gateway with IP address 10.168.13.2.

      I also have an outbound NAT mapping rule (Hybrid Outbound NAT rule generation) with this VPN interface with any source/destination with NAT address this interface address.

      On pfSense I created another interface, 192.168.16.1/24, and I have a default rule to allow all IPv4 with any source to any destination via the gateway I created from the WireGuard VPN. I need all data from this interface to go through the VPN.

      When I connect a VM to this interface (192.168.16.100) I get a connection to the internet from the remote WireGuard.
      I can download files OK but can't upload.
      If I run a speed test it gets OK on the download test but the upload test shows 0/0.
      Something is blocking my upload.

      Maybe an iptables or routing issue?

      Am I missing something?

      Kind regards

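Most of what this post depends on lives in a handful of wg-quick hook lines and one [Peer] block, and the mistakes that are easy to miss by eye are mechanical: wg-quick only recognises the exact key spellings (`PreUp`, `PostDown`, ...; anything else is handed to `wg setconf`, which rejects the file), an iptables rule inserted on the way up should have a matching delete on the way down, and a [Peer] without AllowedIPs exchanges no traffic at all. The lint below is an added example written for this thread, not code from the post or from the WireGuard or pfSense projects; the sample config, the endpoint name and the 10.168.13.1/32 value are constructed.

```python
"""Lint a wg-quick style configuration for mis-cased keys, unmatched
iptables up/down rules and peers that have no AllowedIPs."""
import re

# Key names wg-quick and wg accept, spelled exactly as they must appear.
INTERFACE_KEYS = {"PrivateKey", "ListenPort", "FwMark", "Address", "DNS", "MTU",
                  "Table", "PreUp", "PostUp", "PreDown", "PostDown", "SaveConfig"}
PEER_KEYS = {"PublicKey", "PresharedKey", "AllowedIPs", "Endpoint",
             "PersistentKeepalive"}

def parse_conf(text):
    """Split an INI-style wg config into [(section, [(key, value), ...]), ...],
    keeping order and duplicate keys (PreUp may legitimately repeat)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), []))
            continue
        if "=" not in line or not sections:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[-1][1].append((key, value))
    return sections

def iptables_rule(cmd, action):
    """Reduce 'iptables [-t TABLE] -I CHAIN [POS] args' or '-D CHAIN args' to a
    comparable (table, chain, args) tuple; None if cmd is not such a rule."""
    toks = cmd.split()
    if not toks or toks[0] != "iptables":
        return None
    table = "filter"
    if len(toks) > 2 and toks[1] == "-t":
        table, toks = toks[2], [toks[0]] + toks[3:]
    if len(toks) < 3 or toks[1] != action:
        return None
    args = toks[3:]
    if action == "-I" and args and args[0].isdigit():
        args = args[1:]  # the insert position is not part of the rule itself
    return (table, toks[2], tuple(args))

def fmt(rule):
    table, chain, args = rule
    return f"-t {table} {chain} {' '.join(args)}"

def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, inserted, deleted = [], [], []
    for name, items in parse_conf(text):
        allowed = {"Interface": INTERFACE_KEYS, "Peer": PEER_KEYS}.get(name, set())
        if not allowed:
            findings.append(f"unknown section [{name}]")
        for key, value in items:
            if key not in allowed:
                hint = next((k for k in allowed if k.lower() == key.lower()), None)
                findings.append(f"[{name}] unrecognised key {key!r}"
                                + (f" (did you mean {hint!r}?)" if hint else ""))
            if key in ("PreUp", "PostUp") and (rule := iptables_rule(value, "-I")):
                inserted.append(rule)
            elif key in ("PreDown", "PostDown") and (rule := iptables_rule(value, "-D")):
                deleted.append(rule)
        if name == "Peer" and not any(k == "AllowedIPs" for k, _ in items):
            findings.append("[Peer] has no AllowedIPs; wg neither routes to nor "
                            "accepts traffic from a peer without one")
    for rule in inserted:
        if rule not in deleted:
            findings.append("rule inserted on up but not deleted on down: " + fmt(rule))
    for rule in deleted:
        if rule not in inserted:
            findings.append("rule deleted on down but never inserted on up: " + fmt(rule))
    return findings

# Constructed sample modelled on an exit-node config: one mis-cased hook key
# and a [Peer] block without AllowedIPs.
SAMPLE_CONF = """\
[Interface]
PrivateKey = XXXX
Address = 10.168.13.2/24
ListenPort = 51820
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t nat -I POSTROUTING 1 -s 10.168.13.0/24 -o ens3 -j MASQUERADE
PreUp = iptables -I FORWARD 1 -i ens3 -o wg0 -j ACCEPT
PreUP = iptables -I FORWARD 1 -i wg0 -o ens3 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.168.13.0/24 -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT

[Peer]
PublicKey = XXXX
Endpoint = pfsense.example.net:51820
"""

# The same config with the key spelled correctly and the far end's tunnel
# address allowed (10.168.13.1/32 is a constructed value).
FIXED_CONF = SAMPLE_CONF.replace("PreUP", "PreUp") + "AllowedIPs = 10.168.13.1/32\n"

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("-", finding)
    print("fixed config findings:", lint(FIXED_CONF))
```

Note that a mis-cased `PreUP` line is not counted as an insert, so its `PostDown` partner is reported as a delete with no matching insert; both findings point at the same line, which is the intended effect.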
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        Hmm, well obviously it's not blocking it completely since you are able to establish outbound connections. It's not a routing issue. Some sort of outbound rate limiting in Oracle Cloud maybe?

        Steve

        • G
          gelcom @stephenw10
          last edited by

          @stephenw10 said in WireGuard tunnel only allows one way data transfer to internet:

          Hmm, well obviously it's not blocking it completely since you are able to establish outbound connections. It's not a routing issue. Some sort of outbound rate limiting in Oracle Cloud maybe?

          Thanks for the reply.

          I think not. If I set up an OpenVPN server on this same machine, the connection goes both ways perfectly.

          • G
            gelcom
            last edited by

            Also, if I run a speed test on this remote machine I get upload and download OK! But if I do it remotely via the WireGuard VPN tunnel I get only download, and upload fails.

            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Try running an iperf test instead. That should give you actual numbers for the upload rather than just a fail. You can also try initiating the connection both ways to check for a firewall rule issue.

              Steve

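The bidirectional measurement suggested above, as an added example that is not part of the thread and not code from pfSense or iperf: it runs iperf3 once in each direction through the tunnel, reads the throughput from iperf3's JSON report, and turns the pair of numbers into the observation a troubleshooter needs. It assumes iperf3 on both ends and an `iperf3 -s` server reachable at the remote tunnel address (a placeholder below); the direction mapping follows iperf3's report layout, `end.sum_sent` for the normal client-sends run and `end.sum_received` for the `-R` server-sends run. The sample reports are constructed.

```python
"""Measure a tunnel in both directions with iperf3 and classify the result."""
import json
import subprocess

def run_iperf3(server, reverse, seconds=5):
    """Run one iperf3 TCP test and return its parsed JSON report.
    -J selects JSON output, -R makes the server send (download direction)."""
    cmd = ["iperf3", "-c", server, "-J", "-t", str(seconds)]
    if reverse:
        cmd.append("-R")
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)

def throughput_mbps(report, reverse):
    """Pick the client-side summary that matches the data direction."""
    summary = report["end"]["sum_received" if reverse else "sum_sent"]
    return summary["bits_per_second"] / 1e6

def classify(upload_mbps, download_mbps, floor_mbps=0.5, skew=0.1):
    """Describe the pair of measurements; floor_mbps is the 'nothing got
    through' threshold, skew the ratio below which a working direction
    counts as throttled rather than merely slower."""
    if upload_mbps < floor_mbps and download_mbps < floor_mbps:
        return "both directions fail: tunnel is not passing traffic"
    if upload_mbps < floor_mbps:
        return "upload fails, download works: check the rules in the tunnel-to-WAN direction"
    if download_mbps < floor_mbps:
        return "download fails, upload works: check the rules in the WAN-to-tunnel direction"
    low, high = sorted((upload_mbps, download_mbps))
    if low < skew * high:
        return "both work but heavily asymmetric: look for rate limiting"
    return "symmetric: tunnel forwards both ways"

def measure(server):
    """Upload, download and verdict for one remote iperf3 server."""
    up = throughput_mbps(run_iperf3(server, reverse=False), reverse=False)
    down = throughput_mbps(run_iperf3(server, reverse=True), reverse=True)
    return up, down, classify(up, down)

# Constructed report fragments standing in for live iperf3 output: the
# upload run moved nothing, the download run ran at full speed.
SAMPLE_UP = {"end": {"sum_sent": {"bits_per_second": 0.0}}}
SAMPLE_DOWN = {"end": {"sum_received": {"bits_per_second": 92.4e6}}}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python3 tunnel_check.py 10.168.13.2  (placeholder remote address)
        print(measure(sys.argv[1]))
    else:
        up = throughput_mbps(SAMPLE_UP, reverse=False)
        down = throughput_mbps(SAMPLE_DOWN, reverse=True)
        print(f"up {up:.1f} Mbit/s, down {down:.1f} Mbit/s -> {classify(up, down)}")
```

Running the same script from the remote VM against an iperf3 server on the LAN client (so the connection is initiated from the other side, as suggested) gives the second half of the firewall-rule check: if one direction only works depending on who opens the connection, the problem is in the stateful rules rather than the link.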
              • areckethennuA
                areckethennu @gelcom
                last edited by

                @gelcom I was just researching Wireguard and had just finished Tom Lawrence's tutorial on it. He's got 3 firewall rules (Firewall > Rules > Wireguard, Firewall > Rules > WAN and Firewall > NAT > Outbound) and you only mention 2 (that I can see). In case it helps, here's where he starts talking about the rules:

                https://youtu.be/8jQ5UE_7xds?t=365

                I'm just a home user with pfSense 23.09-RELEASE (amd64) on a Protectli VP2410.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.