I have spent some time looking into this and concluded that:
- It is unsafe to meddle with Roadwarrior-type profiles in a Net-2-Net configuration, as this can open your network to unsolicited internet traffic.
- Selectively tunneling a local subnet over VPN is a use case in itself, and is not supported by the current IPFire WireGuard design.
To summarise the goal, we are looking for a way to have:
- Traffic from the Blue Zone (192.168.2.0/24) exit to the internet via the VPN tunnel.
- Traffic from the Green Zone (192.168.1.0/24) and the firewall itself use the primary WAN connection.
- Local services on the firewall (DNS, DHCP) must remain accessible to all internal clients.
Therefore a solution should:
- Read the VPN provider's WireGuard config file
- Set up the wg interface and get the tunnel activated
- Set up the routing and routing policies, in my case blue0→wg→VPN server→inet
- Set up the NAT & Forward policies, while preserving the security of IPFire
I have put a more detailed explanation of why net-2-net won't work, along with the script that can get your subnet tunneled over VPN to:
- your Wireguard Server
- your VPN service provider
The solution aims to remain within the bounds of IPFire's current design/architecture, and can therefore be adjusted so we can take advantage of IPFire's Firewall WebUI to create rules for toggling VPN tunnelling on/off for a subnet of our choice.
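The four steps listed above, as an added example that is not the post author's script: it parses a constructed WireGuard config, then prints (rather than executes) the `wg`/`ip`/`iptables` commands that route only the Blue Zone through the tunnel while GREEN and the firewall itself keep the main routing table. The interface name wg0, routing table 100, the key file path, the 192.168.0.0/16 "local networks" range and the plain FORWARD/POSTROUTING chains are assumptions; IPFire's own chain layout may differ.

```shell
#!/bin/sh
# Added example, not the forum author's script. Assumptions/placeholders:
# config in the usual [Interface]/[Peer] INI form, tunnel device wg0,
# Blue Zone device blue0, routing table 100 unused, plain iptables chains
# (IPFire's own chain layout may differ). Commands are only printed as a
# dry-run plan so they can be reviewed before being applied.

# Constructed sample of a VPN provider's WireGuard config.
WG_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32
[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820'

# wg_field KEY: value of KEY in WG_CONF (first match).
wg_field() {
  printf '%s\n' "$WG_CONF" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# plan_tunnel WGDEV KEYFILE: bring up the interface from the parsed config
# (KEYFILE is assumed to hold the PrivateKey value, mode 0600).
plan_tunnel() {
  echo "ip link add $1 type wireguard"
  echo "wg set $1 private-key $2 peer $(wg_field PublicKey) endpoint $(wg_field Endpoint) allowed-ips $(wg_field AllowedIPs)"
  echo "ip address add $(wg_field Address) dev $1"
  echo "ip link set $1 up"
}

# plan_routing SUBNET DEV WGDEV TABLE LOCALNETS: policy routing plus NAT/forward
# so only SUBNET leaves via WGDEV; GREEN and the firewall keep the main table.
plan_routing() {
  subnet=$1 dev=$2 wgdev=$3 table=$4 localnets=$5
  # LAN-to-LAN and firewall-local destinations are matched first (priority 999),
  # so DNS/DHCP on the firewall and the GREEN zone stay reachable from SUBNET.
  echo "ip rule add from $subnet to $localnets lookup main priority 999"
  echo "ip route add default dev $wgdev table $table"
  echo "ip rule add from $subnet lookup $table priority 1000"
  echo "iptables -t nat -A POSTROUTING -s $subnet -o $wgdev -j MASQUERADE"
  # Only SUBNET may be forwarded into the tunnel; only replies come back out of it.
  echo "iptables -A FORWARD -i $dev -o $wgdev -s $subnet -j ACCEPT"
  echo "iptables -A FORWARD -i $wgdev -o $dev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Dry-run for the setup described in the post: blue0 -> wg0 -> VPN server -> inet.
plan_tunnel wg0 /etc/wireguard/provider.key
plan_routing 192.168.2.0/24 blue0 wg0 100 192.168.0.0/16
```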