opnSense routing and wireguard

I have successfully routed all my traffic (lan) through wireguard to linode. Now I want to blacklist a few devices from wireguard and only allow them to connect via WAN (isp wan). Mainly my streaming devices .

@PhaseLockedLoop I noticed you run opnsense. Any ideas?

I also need this to be able to communicate with my other lan devices.

1 Like

I will second this question since I will need to do the same in a couple days.

1 Like

This Blog Post should be helpful:

This does not quite do what i need it to. I need some devices to connect while others to not connect.

static IPs? on those devices you need to eliminate?

I am not following?

Are the devices you wish to block from entering the tunnel statically assigned

If so you can make firewall rules that prevent them from using the static route through the tunnel.

I don’t remember how but I know its very accomplishable with the documentation on it

I have yet to find the correct method of doing this. Head ache inducing…

My limited knowledge on the subject is that, once you connect to a VPN and have a tunnel interface created, you can just do routing through it like any other interface.

OPNSense has a feature to create group of hosts or IPs that you can use in any rule. So, as PLL said, you can either do a static IP on your devices, or map their MAC address in your DHCP server and have them always get the same IP address assigned to them. Take a note of all the IP addresses and create a group called “str8-hosts” or whatever.

Now, you should be able to mess with the routes. I’m not sure which menus you need to follow, but you can have all devices go through the tunnel interface by default and a rule above it saying “str8-hosts go through interface ethX or WAN interface.”

Alternatively, you can just create a special VLAN and subnet for these clients that you don’t want to go through the VPN and instead of having a default route for everything through the tunnel, you only add a special route of the subnets that you want to go through the tunnel, which is what I’d recommend anyway.

This way, you don’t have to deal with groups and you have the subnets that you know are going through the VPN, like say, LAN, WiFi, Services and Guest subnets, while you have the Streaming devices subnet go straight through the WAN.

1 Like

Im using pfSense with ProtonVPN over OpenVPN. Is the Wireguard+OPNsense a superior choice over mine? I have a pretty much pedestrian/normie use case and my setup is functional so far… Its just that I really fundamentally dont know how these work…

1 Like

im running my own vpn to a vps. it is also better yes. openvpn proton gets like 200mbps max where i am at. wireguard going to my own hosted vpn gets like 600mbps.

1 Like

Well my internet speed is well under that at around 50 Mbps and it feels fast enough for me… :rofl:


I completely got it working! @PhaseLockedLoop

There is a firewall setting called floating or whatever. it sits at an elevated place. Does what I need.


This works by adding devices you want to connect to a Firewall Alias, then routing those through the VPN.
He explains it in the blog post.
Or are you trying to do something else?


I had that already. I wanted basically some devices to route normally and others through wireguard.

I think you basically did an inverted version of the rule from the blog post, which is the same as I am using on my router. (picture from the blog)

You specified which devices should not be routed, instead of saying which ones should.
Depends on how you set up routing in the first place, I guess?

so here is what i did.

I do have the entire network going to wireguard minus a select few devices. i.e. nvidia shield, chromecast. I wanted 2 out of 10 devices to not go through wireguard. I want everything else to go through it. i have a network specified going through it. and i have the other devices in a floating rule.

1 Like

I tried it the way the blog said. But it didn’t allow devices to connect outside of the vpn. without having a rule for blacklisting from vpn traffic.

1 Like

I belive that might be if you had the priority of the Wireguard Firewall Rule below the Catch-All Rule.
At least I had issues with that at first.

But I am also routing whole Vlans through a VPN, so that might change the situation a bit.


I would have used LAN or WG rule but this works. It spans all interfaces. Nuclear option but hey you got it working. that’s what matters rn

Eventually figure out how to narrow your rules in floating to LAN and WG. That is better.

1 Like