
ANSWERED pfsense + wireguard port forwarding confusion


Posted ... (edited)

Going crazy with this.

To start off, the qbittorrent port forward works with my ISP IP, so the issue doesn't lie within the end machine.

Glossary (redacted values):
qbittorrent machine: (listening on 12345, I can ncat to the port from another machine on the network, ufw is open, also configured incoming connection port in the GUI and restarted the container)
wireguard interface virtual ip:
assigned AirVPN port: 12345

I created a new Wireguard tunnel and interface, assigned it the wireguard virtual IP and added a new gateway.
I have a Wireguard handshake, and doing a `curl ifconfig.me` on the qbit machine returns the vpn exit IP, as it should.

The problem lies with the port forward, I can't seem to get a connection from the web tester.

Comparing my issues to this long thread, https://forum.netgate.com/topic/86926/port-forward-over-vpn-interface/28
I think I might have the same issue, packets originating from the qbittorrent machine lan are going out the AIRVPN_WAN, so why wouldn't packets being sent TO the qbittorrent machine lan be routed back out the AIRVPN_WAN?

Here are the bottom rules in the subnet with the qbittorrent host:
Basically I want only the qbittorrent host to go through AirVPN, and everything else should use regular internet.

Here are the AIRVPN wireguard interface rules with the corresponding aliases (quebec is the qbittorrent machine, and the port is 23456)

What the hell am I missing?

Edited ... by SurchargeNavigate

16 hours ago, SurchargeNavigate said:

Basically I want only the qbittorrent host to go through AirVPN, and everything else should use regular internet.
What the hell am I missing?

You have not said what OS you are using.

But one of these articles may be helpful:



Although the first says "OpenVPN", it applies to Wireguard too. Or to any other VPN software or VPN provider.

For either Windows or Linux, you need to bind qBittorrent to the VPN network interface address. Did you do that?

EDIT: I apologize. You did say pfSense/BSD.

I have done this for BSD too. But I wrote only a cursory article about it, long after the fact:


In general, my approach is:

1) Let the VPN software add its routing table entries, but then add more routing table entries pointing to the original default gateway, so that the VPN is bypassed by default.

2) Make arrangements for "source address routing". On BSD the "PF" firewall or the "ipfw" firewall can do this.

3) Bind qBittorrent (or other torrent client) to the VPN interface (or address).


Is qBittorrent running on pfSense? Can you do that? Or is qBittorrent running on some other machine? If you only want the VPN for qBittorrent, then I suggest you run it on the machine where qBittorrent is. Then the articles I linked will apply.

Posted ... (edited)

Qbittorrent is running on a VM behind pfsense. I am configuring a Wireguard connection from my pfsense router to AirVPN. The OS is irrelevant in this equation.

What's weird is everything seems to be working. Qbittorrent shows as connected, but the forwarded port remains closed.

Never mind, after restarting qbittorrent, it's back to firewalled...

To summarize:

1. VPN is working from inside the network:

2. In the subnet in which the qbittorrent VM resides, I made a firewall rule that routes traffic only from the qbittorrent VM to the AirVPN gateway (AirVPN_hosts is an alias for hosts that I want routed over VPN):

3. Port forward to qbittorrent, I just use the same port on qbittorrent as I was assigned on AirVPN.

4. Which creates the following rule automatically (on the AirVPN interface tied to wireguard):

5. I also added an outbound NAT mapping for all hosts that are in the same subnet as the qbittorrent VM, although only the qbittorrent VM will be routed over VPN (Shown in 2.) - Although it seems this mapping does nothing, everything seems to work the same without it.

Here's a (redacted) packet capture of the AIRVPN wireguard interface with the port filter I'm trying to forward (12345):
wireguard virtual interface IP:
VPN exit IP:

16:11:02.739452 IP > UDP, length 104
16:11:03.578393 IP > tcp 0
16:11:04.579201 IP > tcp 0
16:11:05.581204 IP > tcp 0
16:11:06.595203 IP > tcp 0
16:11:06.595560 IP > tcp 0
16:11:07.583776 IP > UDP, length 20
16:11:07.584421 IP > tcp 0
16:11:08.611245 IP > tcp 0
16:11:08.611321 IP > tcp 0
16:11:10.627204 IP > tcp 0
16:11:10.851284 IP > tcp 0
16:11:11.589916 IP > UDP, length 20
16:11:12.590962 IP > tcp 0
16:11:12.643203 IP > tcp 0

Doing the same capture on WAN shows that the wireguard virtual IP is trying to go out WAN instead of the VPN exit IP, WTF, WHY?
10:40:26.882403 IP > tcp 0
10:40:34.952699 IP > tcp 0
10:40:44.174485 IP > tcp 0
10:40:45.178277 IP > tcp 0
10:40:46.184785 IP > tcp 0
10:40:47.194791 IP > tcp 0
10:40:47.216824 IP > tcp 0
10:40:48.232710 IP > tcp 0

Here's the capture on the interface within which the qbittorrent VM resides:
qbittorrent VM:
VPN exit IP:
?: (maybe another exit IP?)

16:16:08.934998 IP > UDP, length 20
16:16:11.938915 IP > UDP, length 20
16:16:11.939241 IP > UDP, length 20
16:16:14.941980 IP > UDP, length 20
16:16:17.944860 IP > tcp 0
16:16:18.946734 IP > tcp 0
16:16:20.962945 IP > tcp 0

Yet I seem to be overlooking something...

Edited ... by SurchargeNavigate

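The captures above are redacted, so the comparison the poster made by hand (SYNs arriving on the tunnel, replies showing up on WAN with the tunnel's private address as source) is hard to follow from the page alone. The following POSIX shell/awk script is an added example, not the poster's data and not anything from pfSense; it runs the same comparison over constructed tcpdump-style lines. The tunnel IP 10.9.0.2, forwarded port 12345, peer 198.51.100.7 and the other addresses are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. It replays the check the
# poster did by hand: compare captures from the tunnel interface and from WAN
# and decide whether replies to forwarded-port connections leave the wrong
# interface. All values below are constructed placeholders.
WG_IP="10.9.0.2"      # assumed WireGuard tunnel virtual IP on pfSense
FWD_PORT="12345"      # assumed AirVPN-assigned forwarded port
PEER="198.51.100.7"   # constructed remote peer (the "web tester")

# Constructed capture on the AirVPN WireGuard interface (tcpdump -n style):
# SYNs arrive for the forwarded port, but no SYN-ACK ever leaves this way.
AIRVPN_CAP="16:11:03.578393 IP $PEER.51000 > $WG_IP.$FWD_PORT: Flags [S], seq 1, win 64240, length 0
16:11:04.579201 IP $PEER.51000 > $WG_IP.$FWD_PORT: Flags [S], seq 1, win 64240, length 0
16:11:06.595203 IP $PEER.51000 > $WG_IP.$FWD_PORT: Flags [S], seq 1, win 64240, length 0
16:11:07.583776 IP 203.0.113.9.41821 > $WG_IP.51820: UDP, length 20"

# Constructed capture on WAN: the SYN-ACKs show up here, sourced from the
# tunnel's private address, which is the symptom described in the thread.
WAN_CAP="10:40:26.882403 IP $WG_IP.$FWD_PORT > $PEER.51000: Flags [S.], seq 9, ack 2, win 65535, length 0
10:40:34.952699 IP $WG_IP.$FWD_PORT > $PEER.51000: Flags [S.], seq 9, ack 2, win 65535, length 0
10:40:44.174485 IP 192.0.2.10.443 > 203.0.113.9.50001: Flags [P.], seq 1:100, ack 1, win 1000, length 99"

# Count packets in a capture matching a direction, an address.port and a TCP flag.
#   $1 capture text   $2 "src" or "dst"   $3 address.port   $4 tcpdump flag token, e.g. "[S]"
count_pkts() {
    printf '%s\n' "$1" | awk -v dir="$2" -v addr="$3" -v flag="$4" '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)      # tcpdump prints "dst.port:"
            host = (dir == "src") ? src : dst
            if (host == addr && $6 == "Flags" && $7 == (flag ",")) n++
        }
        END { print n + 0 }'
}

# Verdict: SYNs reach the tunnel, no SYN-ACK returns over it, yet SYN-ACKs from
# the tunnel address appear on WAN. That is a state created by a rule without
# reply-to, so the reply followed the default route instead of the tunnel.
diagnose() {
    syn_in=$(count_pkts "$AIRVPN_CAP" dst "$WG_IP.$FWD_PORT" "[S]")
    synack_tun=$(count_pkts "$AIRVPN_CAP" src "$WG_IP.$FWD_PORT" "[S.]")
    synack_wan=$(count_pkts "$WAN_CAP" src "$WG_IP.$FWD_PORT" "[S.]")
    if [ "$syn_in" -gt 0 ] && [ "$synack_tun" -eq 0 ] && [ "$synack_wan" -gt 0 ]; then
        echo "asymmetric: $syn_in SYN(s) in via tunnel, $synack_wan reply(ies) leaked out WAN"
    elif [ "$syn_in" -gt 0 ] && [ "$synack_tun" -gt 0 ]; then
        echo "ok: replies return over the tunnel"
    else
        echo "inconclusive: no forwarded-port traffic seen"
    fi
}

diagnose
```

To use it on a real box, paste the output of pfSense's packet capture (or `tcpdump -ni tun_wg0` and `tcpdump -ni <wan>` on the shell) into the two variables; a SYN-ACK carrying the tunnel's private source address on WAN is the signature that the state was not created by a rule carrying `reply-to` for the tunnel gateway.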

Holy f**k.

The problem was an any/any rule in the WireGuard unassigned tunnel firewall rule list. Even though the AirVPN WG interface was assigned, group rules are evaluated first...

Hope this helps someone else as well.

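Why that rule broke the forward: pfSense evaluates floating rules, then interface-group rules (the WireGuard tab is the group containing every tun_wg interface), then the assigned interface's own tab. Only rules on an interface with a gateway get `reply-to` added; group rules do not, because a group has no single gateway. So the any/any pass on the group matched the inbound SYN first, created a state without `reply-to`, and the SYN-ACK followed the default route out WAN, which is exactly the WAN capture above. As an added example (not part of the thread and not pfSense code), here is a shell/awk check over `pfctl -sr` style output that flags pass rules on the group or tunnel interface that come before the first `reply-to` rule on that interface. The interface name tun_wg0, the group name WireGuard, the gateway 10.9.0.1 and the host 192.168.20.10 are assumed values, and the rule text is constructed in the format `pfctl -sr` prints, not copied from a real box.

```shell
#!/bin/sh
# Added example, not from the thread. Finds "pass in" rules on the WireGuard
# interface group (or on the tunnel itself) that lack reply-to and are
# evaluated before the tunnel's first reply-to rule. Such a rule creates the
# state for an inbound forward and the reply then takes the default route.
# Rule text below is constructed in pfctl -sr style with assumed names.

# Constructed ruleset reproducing the thread's mistake: an any/any rule on the
# "WireGuard" group precedes the port-forward pass rule on tun_wg0.
BROKEN_RULES='pass in quick on WireGuard inet all flags S/SA keep state label "USER_RULE: allow any on WireGuard group"
pass in quick on tun_wg0 reply-to (tun_wg0 10.9.0.1) inet proto tcp from any to 192.168.20.10 port = 12345 flags S/SA keep state label "USER_RULE: NAT qbittorrent"
pass in quick on vmx1 route-to (tun_wg0 10.9.0.1) inet from 192.168.20.10 to any flags S/SA keep state label "USER_RULE: quebec via AirVPN"'

# Same ruleset with the group rule removed: the forward rule is now the first
# match on tun_wg0 and carries reply-to, so replies go back through the tunnel.
FIXED_RULES='pass in quick on tun_wg0 reply-to (tun_wg0 10.9.0.1) inet proto tcp from any to 192.168.20.10 port = 12345 flags S/SA keep state label "USER_RULE: NAT qbittorrent"
pass in quick on vmx1 route-to (tun_wg0 10.9.0.1) inet from 192.168.20.10 to any flags S/SA keep state label "USER_RULE: quebec via AirVPN"'

# Print "<rule number in the pasted text>: <label>" for each shadowing rule.
#   $1 ruleset text   $2 interface group name   $3 tunnel interface name
find_shadowing_rules() {
    printf '%s\n' "$1" | awk -v grp="$2" -v ifn="$3" '
        /^pass in / {
            on = ""
            for (i = 1; i <= NF; i++) if ($i == "on") { on = $(i + 1); break }
            has_reply = ($0 ~ /reply-to \(/) ? 1 : 0
            # pfctl prints rules in evaluation order, so anything on the group or
            # the tunnel that precedes the first reply-to rule wins the state.
            if ((on == grp || on == ifn) && !has_reply && !seen_reply) {
                if (match($0, /label "[^"]*"/))
                    lbl = substr($0, RSTART + 7, RLENGTH - 8)
                else
                    lbl = "(no label)"
                print NR ": " lbl
            }
            if (on == ifn && has_reply) seen_reply = 1
        }'
}

# Convenience wrapper returning a one-line verdict for a ruleset.
check_ruleset() {
    found=$(find_shadowing_rules "$1" "$2" "$3")
    if [ -n "$found" ]; then
        echo "shadowed: $found"
    else
        echo "clean: first match on $3 carries reply-to"
    fi
}

check_ruleset "$BROKEN_RULES" WireGuard tun_wg0
check_ruleset "$FIXED_RULES" WireGuard tun_wg0
```

On a live firewall run `check_ruleset "$(pfctl -sr)" WireGuard tun_wg0` from the pfSense shell. The fix is the one the poster found: delete the any/any rule on the WireGuard group tab (or restrict it so it cannot match the forwarded port) and keep the pass rule for the forward on the assigned interface's tab, where pfSense adds `reply-to` for that interface's gateway.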