I have successfully routed all my traffic (LAN) through WireGuard to Linode. Now I want to blacklist a few devices from WireGuard and only allow them to connect via WAN (ISP WAN). Mainly my streaming devices.
My limited knowledge on the subject is that, once you connect to a VPN and have a tunnel interface created, you can just do routing through it like any other interface.
OPNsense has a feature to create a group of hosts or IPs that you can use in any rule. So, as PLL said, you can either do a static IP on your devices, or map their MAC address in your DHCP server and have them always get the same IP address assigned to them. Take note of all the IP addresses and create a group called “str8-hosts” or whatever.
Now, you should be able to mess with the routes. I’m not sure which menus you need to follow, but you can have all devices go through the tunnel interface by default and a rule above it saying “str8-hosts go through interface ethX or WAN interface.”
Alternatively, you can just create a special VLAN and subnet for these clients that you don’t want to go through the VPN and instead of having a default route for everything through the tunnel, you only add a special route of the subnets that you want to go through the tunnel, which is what I’d recommend anyway.
This way, you don’t have to deal with groups and you have the subnets that you know are going through the VPN, like say, LAN, WiFi, Services and Guest subnets, while you have the Streaming devices subnet go straight through the WAN.
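The two approaches above (alias-based policy routing with the bypass rule placed first, and keeping local subnets out of the tunnel) as an added illustrative pf ruleset; this is not OPNsense's generated config or anything from the thread, and the interface names, gateway addresses and host IPs are assumptions. OPNsense builds equivalent rules from Firewall > Aliases and a LAN rule with the gateway set.

```pf
# Assumed names: igb0 = WAN, igb1 = LAN (192.168.45.0/24), wg0 = WireGuard
# tunnel, 203.0.113.1 = ISP gateway, 10.8.0.1 = WireGuard peer-side gateway.
wan_if  = "igb0"
lan_if  = "igb1"
vpn_if  = "wg0"
wan_gw  = "203.0.113.1"
vpn_gw  = "10.8.0.1"
lan_net = "192.168.45.0/24"

# The "str8-hosts" alias: streaming devices pinned via DHCP static mappings
# (constructed sample addresses).
table <str8_hosts> { 192.168.45.50, 192.168.45.51 }

# Masquerade on whichever egress a flow is policy-routed to.
nat on $wan_if from $lan_net to any -> ($wan_if)
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# 1. Keep traffic to other local subnets off both gateways; without this,
#    route-to would push inter-VLAN traffic out the WAN or tunnel.
pass in quick on $lan_if from $lan_net \
    to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } keep state

# 2. Bypass rule comes BEFORE the tunnel rule and is "quick": pf is
#    first-match with quick, so the streaming hosts hit the ISP gateway.
pass in quick on $lan_if from <str8_hosts> to any \
    route-to ($wan_if $wan_gw) keep state

# 3. Everything else on LAN is policy-routed into the WireGuard tunnel.
pass in quick on $lan_if from $lan_net to any \
    route-to ($vpn_if $vpn_gw) keep state
```

If the bypass rule sits below the tunnel rule (or is not quick), the streaming hosts match the tunnel rule first and never reach the WAN, which is the symptom described later in the thread.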
I'm using pfSense with ProtonVPN over OpenVPN. Is WireGuard+OPNsense a superior choice over mine? I have a pretty much pedestrian/normie use case and my setup is functional so far… It's just that I really fundamentally don't know how these work…
I'm running my own VPN to a VPS. It is also better, yes. OpenVPN to Proton gets like 200 Mbps max where I am. WireGuard going to my own hosted VPN gets like 600 Mbps.
This works by adding devices you want to connect to a Firewall Alias, then routing those through the VPN.
He explains it in the blog post.
Or are you trying to do something else?
I do have the entire network going to WireGuard minus a select few devices, i.e. Nvidia Shield, Chromecast. I wanted 2 out of 10 devices to not go through WireGuard. I want everything else to go through it. I have a network specified 192.168.45.1/24 going through it, and I have the other devices in a floating rule.
I tried it the way the blog said. But it didn't allow devices to connect outside of the VPN without having a rule blacklisting them from VPN traffic.