I have successfully set up WireGuard remote access with policy routing to NordVPN via OpenVPN for non-local traffic. I decided to try to do the same thing from WireGuard to WireGuard but seem to be hitting a brick wall. The policy-based routing doesn’t seem to send the traffic down the WG_NORD gateway like it did when the gateway was OpenVPN. Has anyone successfully provided a WireGuard tunnel as a gateway in this manner?
You need to create a NAT rule that will translate your WireGuard tunnel traffic to NordVPN WireGuard traffic. Without NAT rules, policy routing won't work. Also make sure that you have your WireGuard clients configured to accept traffic from 0.0.0.0/0.
I did have everything working with OpenVPN. The same setup doesn’t seem to work WireGuard to WireGuard unless there is some detail I’m missing.
On your remote access WireGuard settings set allowed IPs to 0.0.0.0/0
Yes I added more screenshots to my original.
I saw that. You are not reading what I said. Set your allowed IPs on the Remote Access tunnel to 0.0.0.0/0. According to your screenshot, you have them set to 10.10.0.2/32 and 10.10.0.3/32.
When I do that I lose remote access so I kept 10.10.0.x/32 and also added 0.0.0.0/0. Remote access works but my internet traffic ends up going out WAN instead of NORD. It’s like the gateway policy is being ignored.
That's because your firewall rule order is wrong. You need to flip that. You also need to specify a gateway in your firewall rule for LOCAL_NETS.
I followed Tom's guide to set that up. LOCAL_NETS are my LANs. If it’s not destined for the LAN then route through NORD. This works for OpenVPN. I also turned on packet logging on the rule that sets the gateway and I see log entries there.
I figured it out. With WireGuard the gateway has to be created inside the interface. This step is automatic in OpenVPN.
2. Configure the IPv4 Address (The Trigger)
The gateway is only generated when you define how the interface gets its IP.
- Go to Interfaces > [Your_WG_Interface].
- Set IPv4 Configuration Type to Static IPv4.
- Enter the IP address provided by your VPN provider (e.g., 10.2.0.2/32).
- The Critical Step: At the bottom of this page, there is a section for IPv4 Upstream Gateway. You must click Add a new gateway right there and enter the remote endpoint’s internal IP (e.g., 10.2.0.1).
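The thread turns on two WireGuard details that are easy to get wrong in a GUI: the upstream (NordVPN-side) peer must carry 0.0.0.0/0 in its AllowedIPs for the tunnel to be usable as a gateway, and WireGuard's cryptokey routing allows each prefix to belong to exactly one peer, so putting 0.0.0.0/0 on two peers of the same interface leaves only the most recently added peer with that route. The following checker is an added example, not code from the original posts or from pfSense. It parses a wg-quick style configuration and reports both conditions, and it also tests whether a gateway address (such as the 10.2.0.1 above) falls inside some peer's AllowedIPs, since packets to an uncovered destination are dropped by WireGuard rather than forwarded. The two sample configurations, the key placeholders and the endpoint hostname are constructed for illustration.

```python
"""Audit WireGuard AllowedIPs for use of a tunnel as a policy-routing gateway.

Added example; not from the original thread or from pfSense. Sample
configurations below are constructed and the keys are placeholders.
"""
import ipaddress
from typing import Dict, List

# Constructed: a remote-access tunnel with two road-warrior peers that each
# got 0.0.0.0/0 added next to their /32, as described in the thread.
SAMPLE_CONF = """\
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>

[Peer]
# laptop
PublicKey = <peer1-public-key-placeholder>
AllowedIPs = 10.10.0.2/32, 0.0.0.0/0

[Peer]
# phone
PublicKey = <peer2-public-key-placeholder>
AllowedIPs = 10.10.0.3/32, 0.0.0.0/0
"""

# Constructed: an upstream tunnel to a VPN provider with a single peer that
# carries the default route (placeholder endpoint and keys).
NORD_SAMPLE_CONF = """\
[Interface]
Address = 10.2.0.2/32
PrivateKey = <client-private-key-placeholder>

[Peer]
PublicKey = <provider-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_wg_conf(text: str) -> Dict[str, object]:
    """Parse the INI-like wg-quick format into {'interface': {...}, 'peers': [...]}.

    Comments and blank lines are ignored, keys are lower-cased, and AllowedIPs
    is collected as a list of ip_network objects (repeated keys accumulate).
    """
    interface: Dict[str, object] = {}
    peers: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {section!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "allowedips":
            nets = [ipaddress.ip_network(v.strip(), strict=False)
                    for v in value.split(",") if v.strip()]
            current.setdefault("allowedips", []).extend(nets)
        else:
            current[key] = value
    return {"interface": interface, "peers": peers}


def peers_with_default_route(conf: Dict[str, object]) -> List[int]:
    """Indices of peers whose AllowedIPs include a default route (0.0.0.0/0 or ::/0)."""
    return [i for i, p in enumerate(conf["peers"])
            if any(n.prefixlen == 0 for n in p.get("allowedips", []))]


def duplicate_prefixes(conf: Dict[str, object]) -> Dict[str, List[int]]:
    """Prefixes claimed by more than one peer; WireGuard keeps only the last peer."""
    seen: Dict[str, List[int]] = {}
    for i, p in enumerate(conf["peers"]):
        for n in p.get("allowedips", []):
            seen.setdefault(str(n), []).append(i)
    return {prefix: idxs for prefix, idxs in seen.items() if len(idxs) > 1}


def gateway_covered(conf: Dict[str, object], gateway: str) -> bool:
    """True if some peer's AllowedIPs cover the gateway address, i.e. WireGuard
    has a peer to send traffic for that address to."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in n for p in conf["peers"] for n in p.get("allowedips", []))


def audit(text: str) -> List[str]:
    """Return human-readable findings for one interface configuration."""
    conf = parse_wg_conf(text)
    findings: List[str] = []
    if not peers_with_default_route(conf):
        findings.append("no peer carries 0.0.0.0/0; the tunnel cannot act as a default gateway")
    for prefix, idxs in duplicate_prefixes(conf).items():
        findings.append(f"prefix {prefix} is claimed by peers {idxs}; only the last one keeps it")
    return findings


if __name__ == "__main__":
    for name, text in (("remote-access", SAMPLE_CONF), ("upstream", NORD_SAMPLE_CONF)):
        print(name, audit(text) or ["ok"])
```

Run against a wg-quick file, or against the peer list exported from the pfSense WireGuard package, the checker reports the remote-access sample's shared 0.0.0.0/0 and passes the upstream sample; `gateway_covered` is the quick sanity test to run after creating the interface gateway described in the steps above.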