Wireguard is not routing any traffic
-
If it makes you feel better you could specify your lan subnet as the originator. The config guides are meant to cover the basics. You then can tighten things up to your heart’s content with the understanding that mucking around without understanding what you’re doing can result in bad things.
-
@thisisme said in Wireguard is not routing any traffic:
I have set up a Wireguard connection to Surfshark in pfsense
How?
-
That's my setup
and this is the config provided by surfshark
[Interface]
Address = 10.14.0.2/16
PrivateKey = <insert_your_private_key_here>
DNS = 162.252.172.57, 149.154.159.92

[Peer]
PublicKey = fJD***********
AllowedIPs = 0.0.0.0/0
Endpoint = de-fra.prod.surfshark.com:51820
I also added a Firewall-Rule to my LAN interface targeting the Gateway NORDVPN1_VPNV4 which is assigned to the interface NORDVPN1 (don't mind the name, I moved from nordvpn last week)
-
I wonder if it's correct to use '10.14.0.2' as the ip address of my interface, but the pfsense documentation says I should put an IP there and it's the only one I have. (DHCP is not working)
I can ping servers on the internet from my own clients, but higher traffic is not passing.
-
@thisisme I will be looking into this for myself shortly.
-
@gabacho4 said in Wireguard is not routing any traffic:
no that rule is for your network through the interface to the world
I'm still confused. I thought that rules are evaluated when they enter the interface. Traffic from LAN should not enter the Wireguard interface, but traffic from outside. Right?
-
@thisisme said in Wireguard is not routing any traffic:
Right?
Right, don't put any rule on that interface.
-
@bob-dig I found the problem: I had to set the MSS on the WireGuard interface, but I remain with another problem:
I can't route DNS through wireguard
If I select the old OpenVPN interface the DNS resolver is working, but with the new WireGuard interface I can't resolve anything. Any idea? DNS is 9.9.9.9
-
@thisisme I am trying right now and for me it is also not working. It is new for them too, maybe they have problems on their side.
Will report here if this changes for me.
-
Just to point it out: I didn't have to add firewall rules to the WireGuard tab. This advice is WRONG and DANGEROUS
-
@thisisme Ping and DNS seem to be working for me. I didn't test DNS within pfSense but just in a Windows VM. But I can't surf anything.
-
@bob-dig have you set the MSS on the Wireguard interface?
-
@thisisme No, I don't think it is a must anyways.
-
@bob-dig for me it doesn't work without it
-
@thisisme So which size should it be?
-
@bob-dig 1412 seems to work. Maybe you have to play a bit.
-
Solved my DNS problem. Looks like WireGuard is not adding any routes. I had to add a manual one for the DNS address and the gateway.
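The symptom in this post (DNS works over OpenVPN but not over the new WireGuard interface until a manual route is added) can be checked against the routing table with a longest-prefix lookup. The following is an added example, not code from the thread or from pfSense; the netstat table, the interface name tun_wg0 and the tunnel gateway 10.14.0.1 are constructed for illustration.

```python
import ipaddress

# Constructed sample of a FreeBSD/pfSense "netstat -rn" IPv4 table: the default
# route goes out WAN, the WireGuard tunnel only knows its own /16, so a DNS
# server such as 9.9.9.9 silently falls back to the WAN gateway.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.14.0.0/16       link#7             U          tun_wg0
10.14.0.2          link#7             UHS         lo0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U           em1
"""

def parse_routes(text):
    """Return a list of (network, gateway, netif) from netstat -rn output."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, netif = parts[0], parts[1], parts[3]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)   # bare host -> /32
        routes.append((net, gw, netif))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins, as in the kernel."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best

def dns_leaks_past_tunnel(routes, dns, tunnel_if):
    """True when queries to `dns` would leave via some interface other than the tunnel."""
    match = lookup(routes, dns)
    return match is None or match[2] != tunnel_if

def add_host_route(routes, dst, gw, netif):
    """Model the manual host route for the DNS address that the post describes."""
    return routes + [(ipaddress.ip_network(dst + "/32"), gw, netif)]
```

Running `dns_leaks_past_tunnel(parse_routes(SAMPLE_ROUTES), "9.9.9.9", "tun_wg0")` reports the leak; after `add_host_route(..., "9.9.9.9", "10.14.0.1", "tun_wg0")` the lookup lands on the tunnel interface.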
-
Got it working too, thanks for the MTU hint!!
I went with 1420. Without it, it wasn't working. I didn't need any routes but my setup is different. Also no manual outbound NAT needed, see below.
For IP I went with /32 and changed the IP for the second tunnel myself.
-
Something to note when using Surfshark VPN on pfSense with WireGuard instead of OpenVPN.
You decide which IP will be used > no more overlapping IPs with different tunnels.
No good GUI support for changing the public IP of one tunnel, you have to restart the whole WireGuard service for all the tunnels to change IPs and it takes much longer for a new connection (but it is possible).
In my testing, speed was the same with my hardware.
-
@thisisme I noticed that the performance is lower with WG on ss, more loss etc. What is your experience so far?