Site to site WireGuard LAN only VPN

I have a WireGuard (server) on a fixed IP that can accept connections from my 4G CGNATed remote site with a GL Slate.

Slate (GL-A1300, v4.5.22) [Dynamic Endpoint, CGNAT, 4G, 192.168.10.1] << >> [fixed IP, FTTP, 192.168.4.1] pfSense

Some things work, some don't; fix one thing and it breaks another. I have tried numerous settings and tested the LAN at both ends and the WAN, using ping, traceroute and curl.

What I would like:
All internet traffic direct, not via the VPN.
LAN traffic to go via the VPN, i.e. a site to site.

I think the most suited to this is the VPN Dashboard...
VPN Policy Based on the Target Domain/IP... use VPN for 192.168.4.0/24
or
Customize Routing Rules... Target Address 192.168.4.0/24

The VPN AllowedIPs are the tunnel and my remote LAN:
AllowedIPs = 10.202.0.0/24, 192.168.4.0/24 (I have tried adding and removing other items here)
Remote Access LAN - ON, IP Masquerading - OFF, Block Non-VPN Traffic - OFF, Allow Access WAN - OFF
Client Virtual IP (IPv4) 10.202.0.2/24
I have added a static route at the fixed IP end to 192.168.10.0/24.

Do I have to use LuCI to add firewall rules or routes, or does the GL interface configure that?
Does anyone have any suggestions to make it work for a LAN only site to site WireGuard VPN?

Things that fail include internet access from the Slate router, e.g. it can't download packages, though it can access the other LAN.
Unable to ping a GL router client NAT IP, e.g. 192.168.10.164, from the other LAN.
Traceroute to 192.168.10.164 ends at the tunnel 10.202.0.2.
Can ping, traceroute, curl the router (192.168.10.1) from the other LAN.
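One check worth doing before adding LuCI firewall rules, as an added example that is not from the post or from GL.iNet: WireGuard's cryptokey routing applies at both ends, so a host on the Slate LAN is only reachable over the tunnel if the pfSense peer entry for the Slate lists 192.168.10.0/24 in its AllowedIPs as well; a static route on pfSense does not by itself add that subnet to the peer. The script models both directions of a ping with the Slate AllowedIPs from the post; the two pfSense peer entries and the 192.168.4.50 host are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    allowed_ips: list  # this end's AllowedIPs for the *other* peer (its cryptokey routing entry)


def parse_allowed(text):
    """Parse a WireGuard AllowedIPs value such as '10.202.0.0/24, 192.168.4.0/24'."""
    return [ipaddress.ip_network(x.strip(), strict=False) for x in text.split(",") if x.strip()]


def covered(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def egress_path(dst, sender):
    """'tunnel' if the sender's AllowedIPs claim dst, otherwise 'wan' (the default route)."""
    return "tunnel" if covered(dst, sender.allowed_ips) else "wan"


def check_flow(src, dst, sender, receiver):
    """Problems for packets src->dst that sender encrypts and receiver decrypts."""
    problems = []
    if not covered(dst, sender.allowed_ips):
        problems.append(f"{sender.name}: {dst} is not in AllowedIPs, so it leaves via WAN, not the tunnel")
    if not covered(src, receiver.allowed_ips):
        problems.append(f"{receiver.name}: source {src} is not in AllowedIPs for this peer, so WireGuard drops it")
    return problems


def check_round_trip(a, b, peer_a, peer_b):
    """Both directions of a ping between host a (behind peer_a) and host b (behind peer_b)."""
    return check_flow(a, b, peer_a, peer_b) + check_flow(b, a, peer_b, peer_a)


# Slate side, exactly as in the post: tunnel subnet plus the pfSense LAN.
SLATE = Peer("Slate", parse_allowed("10.202.0.0/24, 192.168.4.0/24"))
# pfSense side: constructed peer entries, one listing only the client's tunnel
# address and one that also claims the Slate LAN.
PFSENSE_TUNNEL_ONLY = Peer("pfSense", parse_allowed("10.202.0.2/32"))
PFSENSE_WITH_LAN = Peer("pfSense", parse_allowed("10.202.0.2/32, 192.168.10.0/24"))

if __name__ == "__main__":
    host_a = "192.168.4.50"    # constructed host on the pfSense LAN
    host_b = "192.168.10.164"  # the client the post could not ping
    for pf in (PFSENSE_TUNNEL_ONLY, PFSENSE_WITH_LAN):
        print([str(n) for n in pf.allowed_ips], check_round_trip(host_a, host_b, pf, SLATE) or "ok")
    print("8.8.8.8 from the Slate LAN goes via:", egress_path("8.8.8.8", SLATE))
```

Compare the output with `wg show` on each router: the AllowedIPs printed there per peer are what the model has to match.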

Hmm 🤔, let's see if I understand:

So you have a Slate which is behind a CGNAT, and at home a pfSense router which functions as a server.

Then you want to not route the (presumably) VPN clients over the cascaded VPN but route them over WAN at the VPN's location, and at home, where I assume the pfSense is located, you want the local LAN over the VPN?

I don't think that is achievable on the Slate. It would be if some clients bypass your VPN client on the Slate over WAN by the use of policies, and for the rest it follows the VPN, but these policies are never aware of the external WAN on your pfSense. Is it important that it needs to follow WAN on the pfSense tunnel?

Then you want to set routes with the gateway on pfSense based on source: if the source was LAN as interface, route over VPN; if the source was wgserver, route over WAN. When creating these static routes make sure to make them as basic as possible; don't select things like on-link, only the gateway and source and maybe the table 🙂

This also means that you likely want to disable the default route on pfSense, but you have to verify by using ip r in the SSH/CLI.

Since you have configured the subnets in the AllowedIPs of the VPN profile, I think you only want to access 10.202.0.0/24 and 192.168.4.0/24 via the VPN, and the others go to the WAN.
Please try switching the VPN mode to "Auto Detect".