impossible to route all traffic from mobile WG-Clients to Internet
-
Hello, I have a strange problem with WireGuard. It is impossible to route all traffic from Android and Linux mobile devices via WireGuard to the internet.
I have a working WireGuard connection. On the mobile device clients (Android, Linux) AllowedIPs is set to 0.0.0.0/0 to route all traffic, including internet traffic, across the tunnel.
Also I have a firewall rule (Firewall/Rules/WireGuard) set to allow both any IPv4 and IPv6 for any source, any port to any destination and any port.
The strange result is I can't even ping 8.8.8.8 from a device connected via WireGuard to pfSense. But I am able to ping IPv6 addresses and open Google (if I add an IPv6 DNS server to the nameserver field in the client config) via IPv6 from the same devices at the same time. So I can only access the IPv6 internet via the WireGuard tunnel.
What the hell is wrong with IPv4 on the tunnel?
But all internal devices, no matter whether in LAN, WLAN or DMZ, are reachable from outside via the WireGuard tunnel via IPv4.
So just the forwarding of IPv4 traffic from the tunnel to the internet is not working.
Let me write something about my WireGuard config.
Before I set up the WireGuard config for mobile devices I was setting up a WireGuard config for a Fritzbox. The WireGuard config for the Fritzbox is working fine and it's using WGTun0.
The WireGuard config for mobile devices uses WGTun1.
Both use separate networks. The rules are defined in Firewall/Rules/WireGuard, not in Firewall/Rules/WGTUN0.
So any suggestion what went wrong?
Oh, and with OpenVPN I do not have any of these problems. With OpenVPN I am able to route all traffic from mobile devices (Android, Linux) via VPN to the internet. I need to do so because sometimes I do internet banking or such from WLANs like in a cafe, hotel or so, and then I will do that via an encrypted VPN under my own control. -
Okay, I got it fixed up myself.
It was the "Advanced Outbound NAT Entry" (Firewall / NAT / Outbound).
Rules defined there do not work unless "Outbound NAT Mode" is set at least to "Hybrid Outbound NAT rule generation". I had not marked that and therefore the defined rules below were ignored.
And without an appropriate outbound NAT rule it is impossible to route all internet traffic from clients via the WireGuard tunnel.
OpenVPN does not need such a rule or (most likely) generates the needed rules automatically (similar to IPsec). The standard "Outbound NAT Mode" is set to the entry "Automatic outbound NAT rule generation. (IPsec passthrough included)". So I suspect the outbound NAT rules will be generated automatically for both IPsec and OpenVPN, but not for WireGuard.
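A quick way to confirm the symptom described above from the pfSense shell is to check whether the loaded pf NAT rules actually contain an outbound NAT entry for the WireGuard tunnel network on the WAN interface. This is an added example, not from the original post or from pfSense; the interface name, tunnel subnet and the `pfctl -sn` output are constructed samples (the real check is the `pfctl -sn` call noted in the comment).

```sh
#!/bin/sh
# Check whether the WireGuard tunnel subnet has an outbound NAT rule on WAN.
WG_NET="10.0.1.0/24"   # assumed WGTun1 tunnel network (placeholder)
WAN_IF="em0"           # assumed WAN interface name (placeholder)

# Constructed sample of `pfctl -sn` with Hybrid mode and the manual WG rule present.
SAMPLE_NAT_HYBRID='nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.10 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 10.0.1.0/24 to any -> 203.0.113.10 port 1024:65535'

# Constructed sample of `pfctl -sn` in Automatic mode: LAN is translated, the tunnel is not.
SAMPLE_NAT_AUTO='nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.10 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535'

# wg_nat_covered NAT_OUTPUT WAN_IF WG_NET
# Returns 0 if some "nat on WAN_IF ... from WG_NET ..." rule exists, 1 otherwise.
wg_nat_covered() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v net="$3" '
        $1 == "nat" && $2 == "on" && $3 == ifc {
            for (i = 4; i < NF; i++)
                if ($i == "from" && $(i + 1) == net) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# On a live box: wg_nat_covered "$(pfctl -sn)" "$WAN_IF" "$WG_NET"
if wg_nat_covered "$SAMPLE_NAT_HYBRID" "$WAN_IF" "$WG_NET"; then
    echo "hybrid sample: $WG_NET is NATed on $WAN_IF, IPv4 can reach the internet"
fi
if ! wg_nat_covered "$SAMPLE_NAT_AUTO" "$WAN_IF" "$WG_NET"; then
    echo "automatic sample: no outbound NAT for $WG_NET, IPv4 replies never come back"
fi
```

Without a matching rule the tunnel clients' packets leave WAN with their 10.x source address, which is exactly the "IPv4 dead, IPv6 works" picture above, since IPv6 needs no NAT.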