I have a solution working fine via OpenVPN. I can't make it work via WireGuard VPN.
I have a self-made router/firewall on FreeBSD 12.1 and PF. I need some hosts in my local network to go to the internet strictly via VPN. The other hosts go to the internet via my WAN connection.
I have a working solution, which I've been using for several years, that works fine via OpenVPN. But the same solution does not work via WireGuard VPN.
My PF config for OpenVPN (clipped):
Code:
ext_if="igb0"
int_if_servers="igb1"
lan_net = "192.168.0.0/16"
vpn_if="tun0"
vpn_gw="10.8.0.5"
vpn_resolver="10.8.0.1"
table <vpn_users> { $qnap $voyo }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $vpn_if from !($vpn_if) -> ($vpn_if:0)
# Redirect <vpn_users>' DNS queries to VPN resolver
rdr pass on $int_if_servers inet proto { tcp udp } from <vpn_users> to $int_if_servers port domain -> $vpn_resolver
# Route <vpn_users>' WAN packets to VPN
pass in quick on $int_if_servers route-to ($vpn_if $vpn_gw) inet from <vpn_users> to ! $lan_net
When I try to use it with WireGuard I only replace
Code:
vpn_if="wg0"
vpn_gw="10.40.40.1"
vpn_resolver="10.40.40.1"
My WireGuard config:
Code:
[Interface]
PrivateKey = .....
Address = 10.40.40.2/24
[Peer]
PublicKey = .....
AllowedIPs = 10.40.40.1/32
#AllowedIPs = 10.40.40.0/24, 216.239.0.0/16 # the second subnet is for testing 'ipinfo.io'
Endpoint = 123.123.123.123:123
My remote WireGuard server answers DNS queries fine.
From the router itself:
Code:
➜ ~ # nslookup ipinfo.io
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: ipinfo.io
Address: 216.239.32.21
Name: ipinfo.io
Address: 216.239.34.21
Name: ipinfo.io
Address: 216.239.38.21
Name: ipinfo.io
Address: 216.239.36.21
➜ ~ # nslookup ipinfo.io 10.40.40.1
Server: 10.40.40.1
Address: 10.40.40.1#53
Non-authoritative answer:
Name: ipinfo.io
Address: 216.239.32.21
Name: ipinfo.io
Address: 216.239.36.21
Name: ipinfo.io
Address: 216.239.34.21
Name: ipinfo.io
Address: 216.239.38.21
From the host in my local network:
Code:
[admin@QNAP ~]# nslookup ipinfo.io
Server: 192.168.1.1
Address 1: 192.168.1.1
Name: ipinfo.io
Address 1: 216.239.32.21 any-in-2015.1e100.net
Address 2: 216.239.36.21 any-in-2415.1e100.net
Address 3: 216.239.34.21 any-in-2215.1e100.net
Address 4: 216.239.38.21 any-in-2615.1e100.net
But WireGuard does not transmit other packets (contrary to OpenVPN).
But if I uncomment the second (commented) line in my wg0.conf
Code:
AllowedIPs = 10.40.40.0/24, 216.239.0.0/16 # the second subnet is for testing 'ipinfo.io'
then it works for 'ipinfo.io'. But it transmits all the packets to 'ipinfo.io' via wg0, not only those from my vpn_users.
From the router itself:
Code:
➜ ~ # curl ipinfo.io/ip
123.123.123.123
From the host in my local network:
Code:
[admin@QNAP ~]# curl ipinfo.io/ip
123.123.123.123
Am I doing anything wrong? Or is there a way to get the same functionality with WireGuard that I get with OpenVPN?
Edit:
There is one thing, a small difference between the OpenVPN and WireGuard interfaces:
OpenVPN
Code:
➜ ~ # ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::ca60:ff:fee7:9690%tun0 prefixlen 64 scopeid 0x9
inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
groups: tun
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 27003
➜ ~ # netstat -nrW4
Routing tables
Internet:
Destination Gateway Flags Use Mtu Netif Expire
default xxx.xxx.xxx.217 UGS 77464605 1500 igb0
10.8.0.1/32 10.8.0.5 UGS 1 1500 tun0
10.8.0.5 link#9 UH 0 1500 tun0
10.8.0.6 link#9 UHS 0 16384 lo0
xxx.xxx.xxx.216/30 link#1 U 0 1500 igb0
xxx.xxx.xxx.218 link#1 UHS 13 16384 lo0
yyy.yyy.yyy.187/32 xxx.xxx.xxx.217 UGS 113 1500 igb0
127.0.0.1 link#5 UH 697558789 16384 lo0
192.168.1.0/24 link#2 U 356783723 1500 igb1
192.168.1.1 link#2 UHS 0 16384 lo0
192.168.2.0/24 link#6 U 125869541 1500 vlan2
192.168.2.1 link#6 UHS 0 16384 lo0
192.168.3.0/24 link#4 U 82604312 1500 igb3
192.168.3.1 link#4 UHS 0 16384 lo0
192.168.10.0/24 192.168.1.10 UGS 24564819 1500 igb1
192.168.20.0/24 link#7 U 0 1500 vlan20
192.168.20.1 link#7 UHS 0 16384 lo0
WireGuard
Code:
➜ ~ # ifconfig wg0
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
options=80000<LINKSTATE>
inet 10.40.40.2 --> 10.40.40.2 netmask 0xffffff00
groups: tun
nd6 options=101<PERFORMNUD,NO_DAD>
Opened by PID 49419
➜ ~ # netstat -nrW4
Routing tables
Internet:
Destination Gateway Flags Use Mtu Netif Expire
default xxx.xxx.xxx.217 UGS 77463727 1500 igb0
10.40.40.1/32 wg0 US 12 1420 wg0
10.40.40.2 link#9 UH 0 1420 wg0
xxx.xxx.xxx.216/30 link#1 U 0 1500 igb0
xxx.xxx.xxx.218 link#1 UHS 13 16384 lo0
127.0.0.1 link#5 UH 697558566 16384 lo0
192.168.1.0/24 link#2 U 356783113 1500 igb1
192.168.1.1 link#2 UHS 0 16384 lo0
192.168.2.0/24 link#6 U 125868686 1500 vlan2
192.168.2.1 link#6 UHS 0 16384 lo0
192.168.3.0/24 link#4 U 82604218 1500 igb3
192.168.3.1 link#4 UHS 0 16384 lo0
192.168.10.0/24 192.168.1.10 UGS 24564816 1500 igb1
192.168.20.0/24 link#7 U 0 1500 vlan20
192.168.20.1 link#7 UHS 0 16384 lo0
So, for OpenVPN there is
Code:
inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
For WireGuard there is
Code:
inet 10.40.40.2 --> 10.40.40.2 netmask 0xffffff00
Could this be the cause of the WireGuard routing issues?
Edit2:
Another try with /32 netmask
Code:
[Interface]
PrivateKey = .....
Address = 10.40.40.2/32
Code:
➜ ~ # ifconfig wg0
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
options=80000<LINKSTATE>
inet 10.40.40.2 --> 10.40.40.2 netmask 0xffffffff
groups: tun
nd6 options=101<PERFORMNUD,NO_DAD>
Opened by PID 56588
The routing table is the same. And everything else is the same too. DNS resolution from the remote server works fine. But 'route-to' does not work either.
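As an added illustration, not part of the post: a small Python model of the three decisions a LAN packet passes through in this setup (PF's route-to rule, the kernel routing table that wg-quick fills from AllowedIPs unless Table = off, and WireGuard's cryptokey-routing check on wg0), run over the post's own addresses. The <vpn_users> member and the non-VPN host are constructed addresses, and the AllowedIPs = 0.0.0.0/0 with Table = off case is an assumption added for comparison, not something the post tried.

```python
from ipaddress import ip_address, ip_network

# Values from the post's PF config. The <vpn_users> member is a constructed
# stand-in for the $qnap macro, which the post does not show.
LAN_NET = ip_network("192.168.0.0/16")
VPN_USERS = {ip_address("192.168.1.50")}

# The AllowedIPs variants discussed in the post, plus one assumed for comparison.
ALLOWED_V1 = ["10.40.40.1/32"]                    # original wg0.conf
ALLOWED_V2 = ["10.40.40.0/24", "216.239.0.0/16"]  # the uncommented line
ALLOWED_ANY = ["0.0.0.0/0"]                       # assumed, with Table = off


def egress_for(src, dst, allowed_ips, table_off=False):
    """Return the interface a LAN-originated packet leaves on, or None if wg0
    drops it. 'lan' stands for whichever internal interface owns the subnet."""
    src, dst = ip_address(src), ip_address(dst)
    in_allowed = any(dst in ip_network(n) for n in allowed_ips)

    # 1. PF: 'pass in quick ... route-to ($vpn_if $vpn_gw) from <vpn_users>
    #    to ! $lan_net' forces only <vpn_users>' non-LAN traffic onto wg0.
    if src in VPN_USERS and dst not in LAN_NET:
        egress = "wg0"
    # 2. Everyone else follows the kernel routing table. wg-quick installs a
    #    route for each AllowedIPs prefix (the '10.40.40.1/32 wg0 US' entry in
    #    the post) unless Table = off, so those destinations reach wg0 for
    #    every host, which is the symptom seen with 216.239.0.0/16.
    elif not table_off and in_allowed:
        egress = "wg0"
    elif dst in LAN_NET:
        egress = "lan"
    else:
        egress = "igb0"

    # 3. WireGuard cryptokey routing: a packet leaving wg0 is encrypted to the
    #    peer only if some AllowedIPs prefix covers its destination; otherwise
    #    it is dropped, however PF routed it. This is why route-to alone was
    #    enough for tun0 (OpenVPN has no such filter) but not for wg0.
    if egress == "wg0" and not in_allowed:
        return None
    return egress


if __name__ == "__main__":
    qnap, other, ipinfo = "192.168.1.50", "192.168.1.77", "216.239.32.21"
    print(egress_for(qnap, "10.40.40.1", ALLOWED_V1))    # wg0: DNS over the tunnel works
    print(egress_for(qnap, ipinfo, ALLOWED_V1))          # None: dropped by wg0
    print(egress_for(other, ipinfo, ALLOWED_V2))         # wg0: every host, not just <vpn_users>
    print(egress_for(other, ipinfo, ALLOWED_ANY, True))  # igb0: PF alone decides
```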