Use wireguard peer as a gateway in pfSense (or iptables)

Hey network geniuses, I have a tough one for you.

I want to be able to watch national TV from country B while being located in country A.

Site A: My location

  • Public IPV4
  • Gigabit fiber connection
  • pfSense
  • All the computers (and routers) any sane person could ever need

Site B: Distant family

  • Located at non-technical family
  • Behind CGNAT
  • Has outbound wireguard connection to Site A, which is reliable
  • Grandstream 7062 router, which does not support Tailscale

The issue

I cannot tell pfSense to route traffic through the connection made by an inbound wireguard peer.
Considering Tailscale built a product doing exactly this, I would assume that pfSense can do it too, albeit with more masochism.

Things I have tried with no success:

  • Creating a gateway in pfSense with the Site B peer IP and forced it on the test client
  • Fiddling with NAT rules in an attempt to force it through the specific wg peer
  • Setting a static route through the wg peer IP
  • Terminating the wg from B->A in a linux box and throwing iptables commands after it

Are there any networking geniuses here that can point out the obvious holes in my logic?


You will need to create an interface for the wireguard client and within that set the upstream gateway to the peer address, this should also automatically create a gateway so make sure you remove the one you already made first.

Then you will need to make some outbound NAT rules if it doesn’t generate them automatically. If there are no automatic rules for the wireguard interface, then set it to manual or hybrid and copy the existing automatic rules, but for the wireguard interface rather than the WAN interface.

I do not think I’ve made the weirdness of my case clear.

Site A has a wireguard server.
Site B is the client connecting into Site A.

I want to add a gateway at Site A that routes through the incoming wireguard tunnel and out through Site B.

Have you tried switching the site with the Wireguard Server, meaning site B hosts the Wireguard Server, and site A becomes the client?

Most Television Service Providers now block VPN traffic to their services. This means the providers can detect when a connection is trying to bypass their geo-restrictions and block it.

Site B is behind a carrier grade NAT meaning I have no way of hitting the actual router WG interface from the WAN side.

While true that VPN is blocked by many providers, Site B is in an apartment and on a residential IP, making it much less likely that geo-restrictions will apply.


I didn’t see the part of the post where you said Site B used CGNAT. You are correct; what I suggested in my last post wouldn’t work. Have you tried hosting an instance of pfSense inside country B and creating a site-to-site Wireguard connection between the hosted pfSense instance and your home pfSense router?

The hardware I have deployed remotely should have enough bells and whistles and iptables access for this to be possible. Procuring Yet Another ™ pfSense box would probably alleviate the remote configuration somewhat, but the router in place is well into the small enterprise segment so it has all the capabilities I think I need.

To answer your actual question: I have a site-to-site VPN over wireguard with Site B initiating the connection to Site A. It already bridges two subnets, that works fine. I can ping stuff attached to the router on the other end and they can respond.

The issue is at Site A, where I simply cannot fathom how to tell pfSense that one of the incoming peers is a gateway. In pfSense I can only create an interface for a wireguard tunnel and not for a peer.

Edit: clarification

It doesn’t really matter which end is the client or the server; the configuration for the interfaces and gateways would be the same.

I have the same configuration.

The site-to-site pfSense guide assumes a public endpoint address in both ends.

When I try, somewhere along the way, the routes go haywire and the packets end in internet limbo.

Well, this is my configuration. 10.1.6.1 is the address of the wireguard server, which is on a VPS with a public IP address, and 10.1.6.3 is the wireguard address of the peer, which is behind CG-NAT.

The interface configuration on the wireguard server:

The interface configuration on the wireguard client:

The gateways on the client machine: the VPS interface is the wireguard gateway, which should be generated automatically once the interface is configured.

The outbound NAT rules on the client machine: these were automatically generated for the VPS interface. If they are not, you can just copy an existing rule but change the interface and address to match the wireguard interface; the source address will be the network(s) which will use the wireguard tunnel for their internet access.

Thanks for the elaborate explanation! I can bridge the two networks, see the gateway on the other end but can’t seem to get it to create routes over that gateway.

I have an OpenVPN client too, and in the routes tab I can see 0.0.0.0/1; for my wireguard interface there are only the routes for the allowed IPs I have specified for the connecting peer.

Update: I added 0.0.0.0/0 to the peer and it is routing without issue.
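The setup the thread converges on, written out as an added example on plain Linux with wg-quick rather than pfSense (this is not from the thread; addresses, key placeholders and the eth0 interface name are hypothetical). It goes one step beyond the thread: adding 0.0.0.0/0 to the Site B peer is what lets the tunnel carry arbitrary destinations, but on Linux that would also become Site A's own default route unless Table = off is set, so only the TV client is steered through the tunnel with a policy-routing rule.

```shell
# Added example, not from the thread: the Linux/wg-quick equivalent of the
# pfSense setup. Hypothetical addresses: tunnel 10.1.6.0/24 (site A 10.1.6.1,
# site B 10.1.6.3), site A LAN 192.168.10.0/24, the TV client 192.168.10.50.
CLIENT=192.168.10.50
TABLE=100
# Site A: the site B peer gets AllowedIPs 0.0.0.0/0 (the fix the thread ends on)
# so cryptokey routing accepts any destination for that peer. Table = off stops
# wg-quick from installing that /0 as site A's own default route.
site_a_conf() {
  cat <<EOF
[Interface]
Address = 10.1.6.1/24
ListenPort = 51820
PrivateKey = <SITE_A_PRIVATE_KEY>
Table = off

[Peer]
PublicKey = <SITE_B_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0
EOF
}
# Site B (behind CGNAT, it initiates): the keepalive holds the NAT mapping open
# and tunnel traffic is masqueraded out of its WAN (eth0 assumed).
site_b_conf() {
  cat <<EOF
[Interface]
Address = 10.1.6.3/24
PrivateKey = <SITE_B_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <SITE_A_PUBLIC_KEY>
Endpoint = <SITE_A_PUBLIC_IP>:51820
AllowedIPs = 10.1.6.0/24, 192.168.10.0/24
PersistentKeepalive = 25
EOF
}
# Site A policy routing (as root, after wg-quick up wg0): only the TV client is
# sent through the tunnel, and loose rp_filter on wg0 keeps its replies, which
# arrive on wg0 from internet sources, from being dropped.
site_a_policy_route_cmds() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.wg0.rp_filter=2
ip route add default dev wg0 table $TABLE
ip rule add from $CLIENT lookup $TABLE priority 1000
EOF
}
```

Each function only prints its config or command list; write the two configs to /etc/wireguard/wg0.conf on the respective box and run the policy-routing commands on Site A once the tunnel is up.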