Wireguard Full Tunnel - Client Behind Double NAT

I am looking for some help. I was able to setup a Wireguard Remote tunnel between two pfSense routers. I did not need tunnel to tunnel, really just needed to be able to route all traffic through the Server IP.

The client pfSense (Remote) is behind the ISPs ONT/Router (Double NAT situation). It appears that everything is setup appropriately as the handshake between the the Server (Home) and Client (Remote) get the handshake without issue, however the IP address displayed is still that of the Remote site. The Allowed IPs on the client Peer is set to

A few things of note:

  • HOME: Outbound NAT rules were added to accomodate the Allowed IPs on the HOME (ex.
  • HOME: Rules were established for both WireGuard to allow traffic and WAN to allow the listening Port to HOME
  • When looking at the WireGuard status on HOME the connected peer has a Public IP and Port that is different from the definied listening port. Both Listening ports are the same on the Remote and Client (although I don’t think that matters.)
  • The public ip is shown for REMOTE within the WireGuard status on HOME

I am not sure why the handshake would be working fine and internet working, however the ip address is still that of the REMOTE vs the HOME.

I hope this all made sense .

Christian McDonald who is a developer for pfsense has a video on the topic going over how to set it up.