Netgate Discussion Forum

Forcing WG to use a specific WAN interface to build the tunnel

Category: WireGuard
    mikee
    last edited by mikee Mar 12, 2022, 7:26 PM Mar 12, 2022, 7:24 PM

    Hi all. I need your help.

    I have a device with two WAN connections. I need to build two WG tunnels, one over each interface, to a common remote destination. For this I have the standard configuration with dedicated interface and gateway for each of the tunnels.

    The general default gateway of the device is 'WAN' and the first WG tunnel uses it to build the connection with the remote. So far, so good. I need a way to tell the second WG tunnel to use the other interface 'WAN2' to build theirs.

    I have tried to force it by setting WAN2 as the gateway in the firewall rule (of course first configuring WG to not use the generic group in the Settings section of the plugin in VPN->WireGuard->Settings: interface group membership -> none, and setting a different gateway in the corresponding FW rules).

    So far this does not work and both tunnels are using the same interface 'WAN' to build their connections. You can see, at the remote end, that both tunnels are coming from the same public IP address.

    Is there any mechanism to achieve that?

    Thanks for your help.

      mikee
      last edited by Mar 12, 2022, 11:47 PM

      Well, I'll reply to myself.

      As @cmcdonald (developer of the WireGuard package, so someone to listen to) says in a reply to another post (https://forum.netgate.com/topic/164360/wireguard-site-to-site-issues/13):

      The only way to force WireGuard out a particular interface currently is to create a static host route (i.e. a /32 or /128 route pointing at the remote WireGuard peer endpoint IP) out a particular gateway.

      I pin my hope on the word 'currently': even though this is the current state of the product, it would be great if there were some way to manually bind a WG VPN to a given interface. There are cases where setting up a route to achieve that automatic binding is not possible (like my case, where the remote endpoint is the same for both tunnels). This is already allowed in both OpenVPN and IPsec VPNs, so it would be a good thing if WG also had the option.

      So I beg the developers, if they are monitoring this forum, to add this GREAT enhancement to an otherwise outstanding product.

      Thanks for your time and effort.

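The workaround quoted above works because the kernel picks the egress interface for a WireGuard peer purely by a destination-based, longest-prefix-match routing lookup on the peer endpoint address: a /32 or /128 host route beats the default route. The same property explains why it cannot help when both tunnels point at the same endpoint. The following simulation is an added example written for this page, not pfSense or the WireGuard package's own code; the addresses (RFC 5737 documentation ranges), interface names and function names are all assumptions constructed for illustration.

```python
"""Simulate destination-based routing lookups for WireGuard peer endpoints.

Added example (not pfSense/WireGuard code). Models how the FreeBSD FIB picks
the egress interface for a peer endpoint: longest prefix wins, nothing else.
"""
import ipaddress

# Constructed topology (assumed addresses, RFC 5737 documentation ranges):
#   WAN  : 198.51.100.2/24, gateway 198.51.100.1  (system default route)
#   WAN2 : 203.0.113.2/24,  gateway 203.0.113.1
# Each entry: (destination prefix, gateway or None if directly connected, interface)
BASE_ROUTES = [
    ("0.0.0.0/0", "198.51.100.1", "WAN"),
    ("198.51.100.0/24", None, "WAN"),
    ("203.0.113.0/24", None, "WAN2"),
]


def host_route(endpoint, gateway, iface):
    """Build the static host route the thread describes: /32 for IPv4, /128 for IPv6."""
    addr = ipaddress.ip_address(endpoint)
    return (f"{addr}/{addr.max_prefixlen}", gateway, iface)


def lookup(routes, dst):
    """Return the interface chosen by longest-prefix match for destination dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        # 'in' is False for a version mismatch, so v4 and v6 routes can share a table
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[2] if best else None


def egress_interfaces(routes, tunnels):
    """Map each tunnel name to the WAN interface its peer endpoint resolves to.

    tunnels: {tunnel name: peer endpoint IP}. Because pfSense offers no interface
    binding for WireGuard, the egress interface is entirely the result of this lookup;
    a firewall-rule gateway on the tunnel interface does not enter into it.
    """
    return {name: lookup(routes, endpoint) for name, endpoint in tunnels.items()}


if __name__ == "__main__":
    # Case 1: distinct endpoints. A host route for the second endpoint steers tun1 out WAN2.
    distinct = {"tun0": "192.0.2.10", "tun1": "192.0.2.20"}
    print("no host route:  ", egress_interfaces(BASE_ROUTES, distinct))
    steered = BASE_ROUTES + [host_route("192.0.2.20", "203.0.113.1", "WAN2")]
    print("with host route:", egress_interfaces(steered, distinct))

    # Case 2: the same endpoint for both tunnels (the poster's situation). Any host
    # route moves both tunnels together; destination-based routing cannot split them.
    same = {"tun0": "192.0.2.10", "tun1": "192.0.2.10"}
    both = BASE_ROUTES + [host_route("192.0.2.10", "203.0.113.1", "WAN2")]
    print("same endpoint:  ", egress_interfaces(both, same))
```

Running it shows tun1 moving from WAN to WAN2 once the /32 route exists, while in the same-endpoint case both tunnels always land on the same interface, which is exactly the gap the second post describes.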
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.