mjtechguy / wireguard-site-to-site

Wireguard site-to-site (network-to-network) VPN Configuration examples

Help me setup Gateway #4

Open kevdogg opened 2 years ago

kevdogg commented 2 years ago

Hi - relatively new to WG but I was able to setup a road warrior configuration, however now I'm interested in a site-to-site VPN connection.

Basically I want to do a site-to-site VPN between my Home Network/pfSense router and a Digital Ocean Droplet.

- pfSense: WireGuard set up via the GUI.
- Digital Ocean Droplet: single instance of Ubuntu.

Peer #1, Home pfSense router: created an interface and assigned a WG tunnel IP address of 10.8.110.1.
LAN behind the pfSense router uses 10.0.1.0/24 addresses. WAN IP address of the router is pingable: 69.xxx.xxx.xxx

Peer #2, Digital Ocean Droplet running Ubuntu: WireGuard installed on Ubuntu, wg0 interface created and assigned a WG tunnel IP address of 10.8.110.2. WAN IP address of the Ubuntu server is pingable: 142.xxx.xxx.xxx

Here is my Digital Ocean wg.conf:

[Interface]
# Droplet side of the tunnel (wg0); the keys are redacted placeholders.
PrivateKey = <Private Key>
ListenPort = 51821
Address = 10.8.110.2/24
# Non-IP entries in DNS are treated by wg-quick as search domains.
DNS = 10.8.110.1, 10.0.1.1, 9.9.9.9, domain.com
SaveConfig = true

# %i is replaced by the interface name (wg0) by wg-quick.
# Forward traffic in and out of the tunnel and masquerade it behind eth0.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# pfSense side. AllowedIPs is the crypto-key routing table: packets to any
# destination not listed here are dropped by WireGuard, so the remote tunnel
# address 10.8.110.1/32 must be listed alongside the remote LAN(s).
PublicKey = <Public Key>
PresharedKey = <PSK>
AllowedIPs = 10.8.110.1/32, 10.0.1.0/24, 10.6.210.0/24
Endpoint = openvpn.domain.com:51821
PersistentKeepalive = 360

I'm stumbling trying to set up the gateways and routes. I believe I need to set up gateways and routes on both pfSense and Ubuntu/Digital Ocean. I'm looking for the entire 10.0.1.0/24 network to be able to access Digital Ocean, and I also think I need gateways and routes for the actual WireGuard tunnel addresses. Thanks. I think I'm stumped on this last part.
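The routing question above is mostly about WireGuard's crypto-key routing: a peer's AllowedIPs must cover the remote tunnel address and every remote LAN, or those packets are silently dropped. This added example (not from the issue or the repository) parses a wg-quick style config and reports destinations a peer cannot reach; the sample config is constructed from the numbers in the question, and `10.8.110.1` / `10.0.1.0/24` are the remote tunnel IP and LAN from the post.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the question: note that 10.8.110.1 (the pfSense tunnel
# address) is missing from AllowedIPs, which is the routing gap the post hits.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <Private Key>
ListenPort = 51821
Address = 10.8.110.2/24

[Peer]
PublicKey = <Public Key>
AllowedIPs = 10.0.1.0/24, 10.6.210.0/24
Endpoint = openvpn.domain.com:51821
PersistentKeepAlive = 360
"""


def parse_wg_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Parse an INI-style wg-quick config into (interface, [peers]).
    Keys are lower-cased because wg(8) matches them case-insensitively."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            peers.append({})
            current = peers[-1]
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return interface, peers


def check_peer_routes(conf: str, remote_tunnel_ip: str, remote_lans: List[str]) -> List[str]:
    """List destinations that no AllowedIPs prefix of a peer covers, and flag
    a 0.0.0.0/0 entry, which would send all of this host's traffic into the tunnel."""
    _, peers = parse_wg_conf(conf)
    wanted = [ipaddress.ip_network(remote_tunnel_ip + "/32")]
    wanted += [ipaddress.ip_network(lan) for lan in remote_lans]
    problems: List[str] = []
    for idx, peer in enumerate(peers):
        allowed = [ipaddress.ip_network(a.strip()) for a in peer.get("allowedips", "").split(",") if a.strip()]
        for dest in wanted:
            if not any(a.version == dest.version and dest.subnet_of(a) for a in allowed):
                problems.append(f"peer {idx}: {dest} not covered by AllowedIPs")
        if any(a.prefixlen == 0 for a in allowed):
            problems.append(f"peer {idx}: 0.0.0.0/0 present, all traffic will be routed into the tunnel")
    return problems
```

Running `check_peer_routes(SAMPLE_CONF, "10.8.110.1", ["10.0.1.0/24"])` reports the missing tunnel address; adding `10.8.110.1/32` to AllowedIPs clears it.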

flett044 commented 2 years ago

I did this, but I used one of the free Oracle VPS tiers. Basically, I used iptables to forward down the WireGuard tunnel. On the pfSense side, you need to configure the WireGuard tunnel to have its own interface. Then you need to set up a gateway for the WireGuard tunnel with a static route pointing to the /24 subnet of whatever your WireGuard network is. I also enabled the static route filtering option in System > Advanced > Firewall & NAT. Make sure on your pfSense side that 0.0.0.0/0 is in the allowed IPs for the WireGuard peer on pfSense.

Images:
- https://i.imgur.com/FARnzqs.png
- https://i.imgur.com/EW2Q474.png
- https://i.imgur.com/CumQcsn.png
- https://i.imgur.com/GjhoLxE.png
- https://i.imgur.com/q9Nex7H.png
- https://i.imgur.com/DbrtkVZ.png
- https://i.imgur.com/tPwVQrJ.png

kevdogg commented 2 years ago

Hey, I think I figured this out. I didn't use DNAT rules, rather MASQUERADE rules. I've tried to read up on the differences: mostly MASQUERADE if you're not certain whether the IP addresses might change, whereas DNAT/SNAT if IP addresses are static. In terms of working with the specifics within pfSense, it was all kind of tricky, at least for me. Yes, I assigned WireGuard a tunnel with its own interface and assigned the tunnel a specific IP address. I created a gateway for the WG interface and selected the gateway IP address to be dynamic. I then created a static route for the WG network and assigned the WireGuard network the gateway of the WG interface. I'm not sure of all the ins and outs; however, it's also possible to create these gateways by assigning a static IP rather than using the dynamic configuration option. I'm assuming the dynamic option is more equivalent to the MASQUERADE option, whereas assigning a static IP would be more equivalent to the SNAT/DNAT option.