Netgate Discussion Forum

    Wireguard - Traffic not being sent through VPN tunnel

    • S
      stealthmode
      last edited by stealthmode

      Hi,

      I have a pretty simple setup: I've deployed WG on pfSense and want to use it as a VPN router for 1 specific IP address only - 192.168.1.201. Here's the configuration that I've made:

      • Created the WireGuard tunnel
      • Added a peer and set the allowed IP to the required one.

      1.png

      • Tunnel status itself is UP.

      2.png

      • This is the tunnel interface configuration

      3.png

      • Here are the firewall rules which show that I'm redirecting traffic to the tunnel interface

      4.png

      • Here are the NAT rules which translate from the specific LAN IP to the interface
        5.png

      I've ensured that the laptop in question has the IP 192.168.1.201. Despite that, I'm not sure what I've missed which is causing this failure. Any traffic from this IP is going through the WAN, and not via the VPN.

      • Bob.DigB
        Bob.Dig LAYER 8 @stealthmode
        last edited by

        @stealthmode said in Wireguard - Traffic not being sent through VPN tunnel:

        Added a peer and set the allowed IP to the required one.

        Allowed IP has to be 0.0.0.0/0. Good luck!

        • S
          stealthmode @Bob.Dig
          last edited by

          @Bob-Dig That worked precisely. Thank you very much!

          • D
            dandare100 @Bob.Dig
            last edited by

            @Bob-Dig This worked for me too, thank you.

            Are there any security/routing risks with allowing 0.0.0.0/0?

            The documentation says that the client subnets that are to be routed through WireGuard should be configured here, but when I configure the VLAN range that I would like routed through the tunnel on my side, nothing is routed.

            i.e. only 0.0.0.0/0 works

            • Bob.DigB
              Bob.Dig LAYER 8 @dandare100
              last edited by

              @dandare100 said in Wireguard - Traffic not being sent through VPN tunnel:

              The documentation says that the client subnets that are to be routed through WireGuard should be configured here,

              Every possible Source-Address coming in on that interface has to be on the allowed list. And also every possible Destination Address going out to that interface has to be in it. Luckily both are the same usually. 😉

              Make a network diagram if you are still unsure.

              • D
                dandare100 @Bob.Dig
                last edited by

                @Bob-Dig Thank you, I appreciate your reply and my learnings.

                Below is a quick diagram of my scenario.

                I am trying to understand the point that you made by saying they are normally the same.
                I have added the VLAN 70 range in the allowed rules. Do I need to add the peer IP too?

                e634f6ee-c4fe-4305-8e62-7dec3014fd99-image.png

                • Bob.DigB
                  Bob.Dig LAYER 8 @dandare100
                  last edited by Bob.Dig

                  @dandare100 This looks like a Privacy-VPN for surfing the web etc. If this is correct, you only need 0.0.0.0/0 because destination outgoing is any and source incoming is also any.

                  • D
                    dandare100 @Bob.Dig
                    last edited by

                    @Bob-Dig You are correct. Thank you for the reply. I have peace of mind with the config now. Again, I appreciate the time.

                    1 Reply Last reply Reply Quote 0
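
Added example, not part of the thread and not pfSense or WireGuard code: a simplified Python model of the AllowedIPs check discussed above, where the destination selects the peer on send and the source is checked on receive. It shows why the /32 and VLAN-range settings fail for internet-bound traffic while 0.0.0.0/0 works; the destination 203.0.113.10, the 10.0.70.0/24 range and the peer name `vpn-provider` are constructed values.

```python
import ipaddress

class Peer:
    """One WireGuard peer and its AllowedIPs list (simplified model)."""
    def __init__(self, name, allowed_ips):
        self.name = name
        self.allowed = [ipaddress.ip_network(n) for n in allowed_ips]

    def match_len(self, addr):
        """Longest AllowedIPs prefix containing addr, or -1 if none does."""
        ip = ipaddress.ip_address(addr)
        return max((n.prefixlen for n in self.allowed if ip in n), default=-1)

def outbound_peer(peers, dst):
    """Sending: the packet's DESTINATION selects the peer (longest prefix)."""
    best = max(peers, key=lambda p: p.match_len(dst), default=None)
    return best if best is not None and best.match_len(dst) >= 0 else None

def inbound_accepted(peer, src):
    """Receiving: a decrypted packet is kept only if its SOURCE is allowed."""
    return peer.match_len(src) >= 0

def round_trip(allowed_ips, dst):
    """Send to dst through a single-peer tunnel and accept the reply from dst."""
    peer = outbound_peer([Peer("vpn-provider", allowed_ips)], dst)
    if peer is None:
        return "outbound dropped: destination not in AllowedIPs"
    if not inbound_accepted(peer, dst):
        return "reply dropped: source not in AllowedIPs"
    return "ok"

# Constructed sample values: 203.0.113.10 is a documentation address standing
# in for a web server; 10.0.70.0/24 stands in for the VLAN 70 range.
WEB_SERVER = "203.0.113.10"
CASES = {
    "LAN host only": ["192.168.1.201/32"],
    "VLAN range only": ["10.0.70.0/24"],
    "any": ["0.0.0.0/0"],
}

if __name__ == "__main__":
    for label, allowed in CASES.items():
        print(f"{label:16} {allowed} -> {round_trip(allowed, WEB_SERVER)}")
    # With 0.0.0.0/0 the AllowedIPs check no longer restricts inbound sources,
    # so filtering is left to the firewall rules on the tunnel interface.
    any_peer = Peer("vpn-provider", ["0.0.0.0/0"])
    print(inbound_accepted(any_peer, "192.168.1.1"))
```

The LAN address of the laptop never appears in the check on the way out: only the destination is matched, which is why listing 192.168.1.201 alone cannot carry traffic to the internet.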
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.