Remove the iptables masquerade rule from the PostUp and PostDown lines of the WireGuard configuration file:
iptables -t nat -A POSTROUTING -o {{ lan_interface }} -j MASQUERADE
Be sure to stop WireGuard first (so that the existing PostDown hook removes the iptables rules), then change the configuration file and start WireGuard again.
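The edit above, as an added example that is not part of the original page: a small POSIX shell script that rewrites a wg-quick style server configuration so that its PostUp/PostDown hooks no longer add or delete the MASQUERADE rule, while keeping any other hook commands (such as FORWARD accept rules) in place. The sample configuration is constructed for the demonstration; "eth0" stands in for {{ lan_interface }}, the keys are placeholders, and hook commands are assumed to be separated by ";" as wg-quick allows.

```shell
#!/bin/sh
# Added example (not from the original page): strip the MASQUERADE rule from
# the PostUp/PostDown hooks of a WireGuard server configuration.
# Assumptions: wg-quick style config, hook commands separated by ';',
# "eth0" standing in for {{ lan_interface }}.

# Write a constructed sample config to $1 (placeholder keys, not real ones).
make_sample_config() {
  cat > "$1" <<'EOF'
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = REPLACE_WITH_SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = REPLACE_WITH_PEER_PUBLIC_KEY
AllowedIPs = 10.100.0.2/32
EOF
}

# Print how many PostUp/PostDown lines in $1 still carry a MASQUERADE rule.
count_masquerade() {
  grep -c -E '^(PostUp|PostDown)[[:space:]]*=.*MASQUERADE' "$1" || true
}

# Copy $1 to $2 with the MASQUERADE command removed from every hook line:
#  1. drop a MASQUERADE command that follows another command ("; cmd")
#  2. drop a MASQUERADE command that is first but followed by others ("cmd; ")
#  3. drop a MASQUERADE command that is the only command on the line
#  4. delete hook lines left with no command at all
strip_masquerade() {
  sed -E \
    -e '/^(PostUp|PostDown)/ s/;[[:space:]]*[^;]*MASQUERADE[^;]*//g' \
    -e '/^(PostUp|PostDown)/ s/=[[:space:]]*[^;]*MASQUERADE[^;]*;[[:space:]]*/= /' \
    -e '/^(PostUp|PostDown)/ s/=[[:space:]]*[^;]*MASQUERADE[^;]*$/=/' \
    -e '/^(PostUp|PostDown)[[:space:]]*=[[:space:]]*$/d' \
    "$1" > "$2"
}

# Stand-alone demo: build the sample, strip it, and show the result.
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_sample_config "$dir/wg0.conf"
  strip_masquerade "$dir/wg0.conf" "$dir/wg0.conf.new"
  echo "MASQUERADE rules before: $(count_masquerade "$dir/wg0.conf")"
  echo "MASQUERADE rules after:  $(count_masquerade "$dir/wg0.conf.new")"
  cat "$dir/wg0.conf.new"
  rm -rf "$dir"
fi
```

Run it with "sh strip_masquerade.sh demo" to see the rewritten sample. On a real server, bring the tunnel down (wg-quick down wg0) before replacing the file so the old PostDown hook removes the live rule, then confirm with "iptables -t nat -S POSTROUTING" that no MASQUERADE entry for the LAN interface remains; from that point the LAN sees the real WireGuard client addresses, which is why the router needs the static route added in the following steps.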
Add a gateway for the WireGuard server:
- Navigate to System -> Routing: Gateways; Click Add
- Change "Interface" to {{ lan_interface }}
- Enter "WireGuard" into the "Name" field
- Enter the WireGuard server IP into the "Gateway" field
- Click "Save"
Add a static route for the WireGuard network directing traffic to the WireGuard gateway:
- Navigate to System -> Routing: Static Routes; Click Add
- Enter the WireGuard network into the "Destination network" field
- Change "Gateway" to the WireGuard gateway (from the previous steps)
- Click "Save"
Add a NAT rule for traffic bound for the Internet:
- Navigate to Firewall -> Rules: LAN
- Copy the rule "Default allow LAN to any rule"
- Change "Source" to "Network" and enter the WireGuard network
- Click "Save"
Add a static route for the WireGuard network directing traffic to the WireGuard server:
set protocols static route '{{ wireguard_network_ipv4 }}' next-hop '{{ wireguard_server_ipv4 }}'
Add a NAT rule for traffic bound for the Internet:
set nat source rule 20 description 'Masquerade all outbound traffic from WireGuard'
set nat source rule 20 outbound-interface '{{ wan_interface }}'
set nat source rule 20 source address '{{ wireguard_network_ipv4 }}'
Be sure to commit the changes, and save them after testing.
By default dnsmasq (the DNS server used by Pi-Hole) only accepts requests from the local network, meaning that requests from the WireGuard network will be ignored (see the dnsmasq man page).
Configure Pi-Hole to accept traffic from the primary interface. Create "/etc/dnsmasq.d/interface.conf" on the Pi-Hole server:
interface={{ interface }}
Restart Pi-Hole with systemctl restart pihole-FTL, or docker restart pihole for a containerised install.
Create "/etc/dnsmasq.d/local.conf" on the Pi-Hole server:
listen-address=127.0.0.1
listen-address={{ local_network }}
Restart Pi-Hole with systemctl restart pihole-FTL, or docker restart pihole for a containerised install.