VyOS 1.5 How to policy route LAN out privacy VPN?

I have been banging my head on the wall for days now trying to figure out how to route some of my LAN hosts out a privacy VPN using WireGuard. I have read a lot of the docs over and over and I have to be missing something. Here is my config. If anyone sees any issues, please let me know. I feel like I am at a loss.

show protocols static table 
 table 100 {
     route 0.0.0.0/0 {
         interface wg1 {
         }
     }
 }

show policy route PrivateVPN 
 interface eth1
 rule 100 {
     set {
         table 100
     }
     source {
         address 192.168.99.110
     }
 }

show nat source rule 100 
 description "LAN out WG1"
 outbound-interface {
     name wg1
 }
 source {
     address 192.168.99.110
     group {
     }
 }
 translation {
     address masquerade
 }

I noticed this when I tried to see if it was applying the policy at all.

ip route get 1.1.1.1 from 192.168.99.110 iif eth1
1.1.1.1 from 192.168.99.110 via 100.64.64.1 dev eth0 
    cache iif eth1 

If you do a tcpdump on the wg1 interface, do you see packets egressing it? If so, are they non-NAT'd?

This forum post appears to discuss pretty much your problem.

Had a facepalm moment. It was actually a configuration error with the WireGuard tunnel itself. Even though it was saying it had a handshake, I had the private key wrong, so the privacy VPN was rejecting traffic. The config I posted was working properly.

You were also right in that I didn't need a NAT rule at all because it is going directly out the WG interface. Thanks for the help.

Did you set the destination in the policy route? Also check that WireGuard allows 0.0.0.0/0, and moreover check the firewall policy please.

I had my own PBR facepalm moment, don’t worry!
Glad you got it sorted.
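
The capture check suggested in the thread, as an added example that is not part of the original posts: it reads saved `tcpdump -n -i wg1` text and reports whether the LAN host's packets leave wg1 un-NAT'd, leave NAT'd, or never reach it, and whether anything comes back. The function names, the sample capture lines and the tunnel address 10.2.0.2 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify text output of `tcpdump -n -i wg1` to separate
# "policy route never sends traffic to wg1" from "traffic leaves, nothing returns".
# Usage: classify_wg_egress LAN_HOST WG_ADDR < capture.txt
classify_wg_egress() {
    awk -v lan="$1" -v wg="$2" '
    # Reduce "a.b.c.d.port:" or "a.b.c.d:" to the bare IPv4 address.
    function host(tok,   n, p) {
        sub(/:$/, "", tok)
        n = split(tok, p, ".")
        if (n >= 5) return p[1] "." p[2] "." p[3] "." p[4]
        return tok
    }
    $2 == "IP" && $4 == ">" {
        src = host($3); dst = host($5)
        if (src == lan) raw++                 # left wg1 with the LAN source (no NAT)
        else if (src == wg) natted++          # left wg1 masqueraded to the tunnel address
        else if (dst == lan || dst == wg) replies++
    }
    END {
        printf "raw=%d natted=%d replies=%d verdict=", raw, natted, replies
        if (raw + natted == 0) print "no-egress"          # policy route is not matching
        else if (replies == 0) print "egress-no-replies"  # look at the tunnel or far end
        else print "ok"
    }'
}

# Constructed sample: the host from the thread sending through wg1, no answers.
sample_capture() {
    cat <<'EOF'
12:00:01.100000 IP 192.168.99.110.51514 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0
12:00:02.100000 IP 192.168.99.110.51514 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 IP 192.168.99.110 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
EOF
}

sample_capture | classify_wg_egress 192.168.99.110 10.2.0.2
```

A verdict of `egress-no-replies` means the policy route is delivering packets to wg1, so the next place to look is the tunnel itself rather than the routing policy.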