Netgate Discussion Forum

    I have a WireGuard Server with a WireGuard Client I can only route Client traffic out the WAN interface.

      elegantd

      I have the WireGuard (WG) Server working fine and have a WireGuard Client connected with both LAN and WAN access. I would like to know how to have WG Clients connected to my WG server have their traffic exit out a NORD/Surfshark VPN interface. ALL VPN interfaces are up and working.
      [screenshot]

      As of now I can only have my WG Client traffic exit out the wireguard_home_server interface.
      When I try to choose the NORD/Surfshark interface, I can connect and have access to the LAN but will not have any connectivity to addresses outside the LAN.

      My firewall rule for WG clients looks like this

      [screenshot]
      If I toggle the WAN_DHCP rule off, as explained earlier, no traffic outside the LAN.

      My firewall rule for WG server looks like this.

      [screenshot]

      I am thinking maybe a NAT outbound rule needs to be created. I have tried, but no luck.

      My Outbound NAT rules
      [screenshot]

        Bob.Dig @elegantd

        @elegantd There is so much wrong on your side, it is really hard to decide where to start... And what does it even mean: "My firewall rule for WG clients" and "My firewall rule for WG server". Usually, if the firewall is connecting towards a Privacy-VPN, this is called a VPN-Client on the firewall. If your phone is connecting to your firewall from the outside, on the firewall it is called a VPN-Server. In a router/firewall everything is named from the point of view of the router/firewall itself.

        If you use WireGuard for the connections to the Privacy-VPN, you usually don't need to configure Outbound NAT, so keep it at automatic (or hybrid, if you also use OpenVPN for that) and remove your faulty rules there.

        Destination is almost never your WAN-address, it is any (IP-address) if it is the internet.

        Also read this:
        https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

        You have to learn a lot if you want this to work. Using the software from the Privacy-VPN-Provider is much easier.

          elegantd

          Thanks Bob, I was making it far more complicated than I needed. I have it fixed now. I have the WireGuard Clients connecting to my pfSense server and the ones I want are going out the NordVPN tunnels.

            elegantd @Bob.Dig

            @Bob-Dig Thanks Bob, I have it fixed now.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.