Wireguard - Traffic not being sent through VPN tunnel
-
Hi,
I have a pretty simple setup: I've deployed WG on pfSense and want to use it as a VPN router for one specific IP address only, 192.168.1.201. Here's the configuration that I've made:
- Created the wireguard tunnel
- Added a peer and set the allowed ip to the required one.
- Tunnel status itself is UP.
- This is the tunnel interface configuration
- Here are the firewall rules which show that I'm redirecting traffic to the tunnel interface
- Here are the NAT rules which translate from the specific LAN IP to the interface
I've ensured that the laptop in question has the IP 192.168.1.201. Despite that, I'm not sure what I've missed which is causing this failure. Any traffic from this IP is going through the WAN, and not via the VPN.
-
@stealthmode said in Wireguard - Traffic not being sent through VPN tunnel:
Added a peer and set the allowed ip to the required one.
Allowed IP has to be 0.0.0.0/0. Good luck!
-
@Bob-Dig That worked precisely. Thank you very much!
-
@Bob-Dig This worked for me too, thank you.
Are there any security/routing risks with allowing 0.0.0.0/0?
The documentation says that the client subnets that are to be routed through Wireguard should be configured here, but when I configure the VLAN range that I would like routed through the tunnel on my side, nothing is routed.
i.e. only 0.0.0.0/0 works.
-
@dandare100 said in Wireguard - Traffic not being sent through VPN tunnel:
The documentation says that the client subnets that are to be routed through Wireguard should be configured here,
Every possible source address coming in on that interface has to be on the allowed list, and also every possible destination address going out to that interface has to be in it. Luckily both are usually the same.
Make a network diagram if you are still unsure.
-
@Bob-Dig Thank you, I appreciate your reply and my learnings.
Below is a quick diagram of my scenario.
I am trying to understand the point that you made by saying they are normally the same.
I have added the VLAN 70 range in the allowed rules. Do I need to add the peer IP too?
-
@dandare100 This looks like a Privacy-VPN for surfing the web etc. If this is correct, you only need 0.0.0.0/0 because destination outgoing is any and source incoming is also any.
-
@Bob-Dig You are correct. Thank you for the reply. I have peace of mind with the config now. Again, I appreciate the time
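An added example, not from any post in this thread or from pfSense's own code: a small Python model of WireGuard's cryptokey routing rule, which is what Bob-Dig's answer describes. AllowedIPs is consulted twice: outbound, the destination must fall inside some peer's AllowedIPs (longest prefix wins) or WireGuard has no peer to send to; inbound, a decrypted packet is accepted only if its source address is inside the sending peer's AllowedIPs. The peer names, the 203.0.113.10 destination and the 10.70.0.0/24 VLAN range are constructed for the example.

```python
# Model of WireGuard cryptokey routing (added example, not pfSense/WireGuard code).
from ipaddress import ip_address, ip_network


class CryptokeyRouter:
    def __init__(self):
        self.peers = {}  # peer name -> list of allowed networks

    def add_peer(self, name, allowed_ips):
        self.peers[name] = [ip_network(n, strict=False) for n in allowed_ips]

    def outbound_peer(self, dst):
        """Peer owning the longest AllowedIPs prefix that covers dst, or None."""
        dst = ip_address(dst)
        best = None
        for name, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None

    def inbound_allowed(self, peer, src):
        """A packet decrypted from `peer` is kept only if src is in its AllowedIPs."""
        return any(ip_address(src) in net for net in self.peers.get(peer, []))


def check(allowed_ips, dst="203.0.113.10"):
    """One-peer tunnel (a privacy VPN provider); dst is a constructed public host.
    Returns (peer chosen for outbound traffic, whether the reply from dst is accepted)."""
    r = CryptokeyRouter()
    r.add_peer("vpn-provider", allowed_ips)
    return r.outbound_peer(dst), r.inbound_allowed("vpn-provider", dst)


def split_tunnel_peer(dst):
    """Two peers: only the office subnet goes to 'office', everything else to the
    default-route peer. Shows the longest-prefix rule, not a case from the thread."""
    r = CryptokeyRouter()
    r.add_peer("vpn-provider", ["0.0.0.0/0"])
    r.add_peer("office", ["10.8.0.0/24"])
    return r.outbound_peer(dst)


if __name__ == "__main__":
    print(check(["192.168.1.201/32"]))  # OP's config: (None, False), nothing is sent
    print(check(["10.70.0.0/24"]))      # VLAN range only: (None, False), same problem
    print(check(["0.0.0.0/0"]))         # working config: ('vpn-provider', True)
    print(split_tunnel_peer("10.8.0.5"), split_tunnel_peer("203.0.113.10"))
```

The first two cases reproduce the symptom from the thread: with a LAN host or VLAN range as AllowedIPs, an Internet destination matches no peer and an Internet reply would be discarded as a source not in AllowedIPs, so 0.0.0.0/0 is required for a full-tunnel privacy VPN.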