# PF's 'route-to' does not work via WireGuard VPN



## quicktrick (Nov 15, 2020)

I have a solution working fine via OpenVPN.  I can't make it working via WireGuard VPN.

I have a self-made router/firewall on FreeBSD 12.1 and PF. I need some hosts in my local network to go to the internet strictly via VPN. The other hosts go to the internet via my WAN connection.

I have a working solution, which I've been using for several years, that works fine via OpenVPN.  But the same solution does not work via WireGuard VPN.

My PF config for OpenVPN (clipped):


```
ext_if="igb0"
int_if_servers="igb1"
lan_net = "192.168.0.0/16"
vpn_if="tun0"
vpn_gw="10.8.0.5"
vpn_resolver="10.8.0.1"
table <vpn_users> { $qnap $voyo }

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $vpn_if from !($vpn_if) -> ($vpn_if:0)
# Redirect <vpn_users>' DNS queries to VPN resolver
rdr pass on $int_if_servers inet proto { tcp udp } from <vpn_users> to $int_if_servers port domain -> $vpn_resolver
# Route <vpn_users>' WAN packets to VPN
pass in quick on $int_if_servers route-to ($vpn_if $vpn_gw) inet from <vpn_users> to ! $lan_net
```
When I try to use it with WireGuard I only replace

```
vpn_if="wg0"
vpn_gw="10.40.40.1"
vpn_resolver="10.40.40.1"
```

My WireGuard config:

```
[Interface]
PrivateKey = .....
Address = 10.40.40.2/24

[Peer]
PublicKey = .....
AllowedIPs = 10.40.40.1/32
#AllowedIPs = 10.40.40.0/24, 216.239.0.0/16  # the second subnet is for testing 'ipinfo.io'
Endpoint = 123.123.123.123:123
```
My remote WireGuard server answers DNS queries fine.
From the router itself:

```
➜ ~ # nslookup ipinfo.io
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   ipinfo.io
Address: 216.239.32.21
Name:   ipinfo.io
Address: 216.239.34.21
Name:   ipinfo.io
Address: 216.239.38.21
Name:   ipinfo.io
Address: 216.239.36.21

➜ ~ # nslookup ipinfo.io 10.40.40.1
Server:         10.40.40.1
Address:        10.40.40.1#53

Non-authoritative answer:
Name:   ipinfo.io
Address: 216.239.32.21
Name:   ipinfo.io
Address: 216.239.36.21
Name:   ipinfo.io
Address: 216.239.34.21
Name:   ipinfo.io
Address: 216.239.38.21
```
From the host in my local network:

```
[admin@QNAP ~]# nslookup ipinfo.io
Server:    192.168.1.1
Address 1: 192.168.1.1

Name:      ipinfo.io
Address 1: 216.239.32.21 any-in-2015.1e100.net
Address 2: 216.239.36.21 any-in-2415.1e100.net
Address 3: 216.239.34.21 any-in-2215.1e100.net
Address 4: 216.239.38.21 any-in-2615.1e100.net
```
But WireGuard does not transmit other packages (in the contrary to OpenVPN).

But if I uncomment the second (commented) line in my wg0.conf

```
AllowedIPs = 10.40.40.0/24, 216.239.0.0/16  # the second subnet is for testing 'ipinfo.io'
```

then it works for 'ipinfo.io'.  But it transmits all the packages to 'ipinfo.io' via wg0, not only those from my vpn_users.

From the router itself:

```
➜ ~ # curl ipinfo.io/ip
123.123.123.123
```
From the host in my local network:

```
[admin@QNAP ~]# curl ipinfo.io/ip
123.123.123.123
```
Am I doing anything wrong?  Or is there a way to get the same functionality with WireGuard that I get with OpenVPN?

*Edit:*
There is one thing, a little difference in the interfaces of OpenVPN and WireGuard

OpenVPN

```
➜ ~ # ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::ca60:ff:fee7:9690%tun0 prefixlen 64 scopeid 0x9
        inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
        groups: tun
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 27003

➜ ~ # netstat -nrW4
Routing tables

Internet:
Destination        Gateway            Flags       Use    Mtu      Netif Expire
default            xxx.xxx.xxx.217     UGS    77464605   1500       igb0
10.8.0.1/32        10.8.0.5           UGS           1   1500       tun0
10.8.0.5           link#9             UH            0   1500       tun0
10.8.0.6           link#9             UHS           0  16384        lo0
xxx.xxx.xxx.216/30  link#1             U             0   1500       igb0
xxx.xxx.xxx.218     link#1             UHS          13  16384        lo0
yyy.yyy.yyy.187/32  xxx.xxx.xxx.217     UGS         113   1500       igb0
127.0.0.1          link#5             UH     697558789  16384        lo0
192.168.1.0/24     link#2             U      356783723   1500       igb1
192.168.1.1        link#2             UHS           0  16384        lo0
192.168.2.0/24     link#6             U      125869541   1500      vlan2
192.168.2.1        link#6             UHS           0  16384        lo0
192.168.3.0/24     link#4             U      82604312   1500       igb3
192.168.3.1        link#4             UHS           0  16384        lo0
192.168.10.0/24    192.168.1.10       UGS    24564819   1500       igb1
192.168.20.0/24    link#7             U             0   1500     vlan20
192.168.20.1       link#7             UHS           0  16384        lo0
```
WireGuard

```
➜ ~ # ifconfig wg0
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.40.40.2 --> 10.40.40.2 netmask 0xffffff00
        groups: tun
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 49419

➜ ~ # netstat -nrW4
Routing tables

Internet:
Destination        Gateway            Flags       Use    Mtu      Netif Expire
default            xxx.xxx.xxx.217     UGS    77463727   1500       igb0
10.40.40.1/32      wg0                US           12   1420        wg0
10.40.40.2         link#9             UH            0   1420        wg0
xxx.xxx.xxx.216/30  link#1             U             0   1500       igb0
xxx.xxx.xxx.218     link#1             UHS          13  16384        lo0
127.0.0.1          link#5             UH     697558566  16384        lo0
192.168.1.0/24     link#2             U      356783113   1500       igb1
192.168.1.1        link#2             UHS           0  16384        lo0
192.168.2.0/24     link#6             U      125868686   1500      vlan2
192.168.2.1        link#6             UHS           0  16384        lo0
192.168.3.0/24     link#4             U      82604218   1500       igb3
192.168.3.1        link#4             UHS           0  16384        lo0
192.168.10.0/24    192.168.1.10       UGS    24564816   1500       igb1
192.168.20.0/24    link#7             U             0   1500     vlan20
192.168.20.1       link#7             UHS           0  16384        lo0
```
So, for OpenVPN there is

```
inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
```
For WireGuard there is

```
inet 10.40.40.2 --> 10.40.40.2 netmask 0xffffff00
```
Could this be the cause of the WireGuard routing issues?

*Edit2*:
Another try with /32 netmask

```
[Interface]
PrivateKey = .....
Address = 10.40.40.2/32
```


```
➜ ~ # ifconfig wg0
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.40.40.2 --> 10.40.40.2 netmask 0xffffffff
        groups: tun
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 56588
```
The routing table is the same. And everything other is the same too. DNS resolution from the remote server works fine. But 'root-to' does not work either.


----------

