Reach Proxmox host from remote LAN (wireguard, OPNsense)

Antijurist

Jun 8, 2026
Hello,

I have a dedicated server where Proxmox is running in a VM (OPNsense). There I configured WireGuard (including site to site (to site)). All LAN devices from all LANs reach each other vice versa. So far, so good. I can also reach the Proxmox host at its LAN IP from the Proxmox LAN. Unfortunately, I can't reach the Proxmox host from the remote LAN devices at its LAN IP.

I assume this could have something to do with the settings regarding the standard gateway. I may be totally wrong, though.

I configured two bridges (one for WAN, one for LAN). I set the external gateway on the WAN bridge. Therefore, I can't set a gateway on the LAN bridge additionally.

I use an additional IP to reach OPNsense from outside (WAN).

How can I reach the Proxmox host from the remote LAN?
Should/may I remove entries from the WAN bridge settings and do I have to set the local gateway on the LAN bridge?

I hope I could describe the issue clearly enough.
 
One thing I'd check is whether the remote LAN subnet is actually included in the WireGuard tunnel configuration on both sides. I've seen cases where the tunnel itself is up, but traffic never reaches the destination because the network isn't listed in the AllowedIPs settings.

It may also be worth verifying firewall rules on OPNsense. Even with correct routes, traffic can get blocked if the WireGuard interface or LAN rules don't explicitly allow communication between the networks.

A quick ping and traceroute from both ends can usually help narrow down whether the issue is routing, firewall related, or something else. Is the tunnel fully established and are you able to reach any other devices across the VPN?
 
Thank you for your reply.

As I pointed out, everything works in general. Devices can reach each other. Communication between networks works fine. The only thing that doesn't work is reaching the Proxmox host itself on its LAN IP from the remote LAN. So this must be something to be done on the node.
 
I installed WireGuard on PVE too, so I have two tunnels to that location: one to PVE alone and one to the Router-VM. Good thing is, I can reach PVE even if the Router-VM has problems.


Otherwise you will have to set static routes in PVE, which I don't recommend. Also you have to connect one LAN from the Router-VM to a "LAN"-Bridge on PVE...
 
Or you could make a static route on your local-router towards your Router-VM, then it should go there. So I guess it would help if you show a Network Diagram for your local and your remote network and what you are using there.
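
The static-route suggestions in the replies come down to which route the PVE host selects for its replies to the remote LAN. The following is an added example, not part of the thread: it models longest-prefix-match route selection on a host whose default gateway sits on the WAN bridge. All addresses and the bridge names `vmbr0`/`vmbr1` are constructed assumptions.

```python
import ipaddress

# Constructed addressing (not from the thread): WAN bridge vmbr0, LAN bridge vmbr1,
# OPNsense LAN address 192.168.10.1, remote LAN 192.168.20.0/24.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "203.0.113.1", "vmbr0"),   # default gateway set on the WAN bridge
    ("203.0.113.0/24", None, "vmbr0"),       # connected WAN network
    ("192.168.10.0/24", None, "vmbr1"),      # connected LAN network
]
# Equivalent of: ip route add 192.168.20.0/24 via 192.168.10.1 dev vmbr1
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.20.0/24", "192.168.10.1", "vmbr1")]


def lookup(routes, dst):
    """Return the (network, gateway, device) chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def reply_path(routes, remote_host):
    """Describe where the host sends a reply addressed to remote_host."""
    hit = lookup(routes, remote_host)
    if hit is None:
        return {"dev": None, "via": None, "matched": None}  # no route at all
    net, via, dev = hit
    return {"dev": dev, "via": via, "matched": str(net)}


def missing_return_routes(routes, remote_subnets, lan_dev):
    """List remote subnets whose replies would not leave through lan_dev.

    Only the first host address of each subnet is probed.
    """
    missing = []
    for subnet in remote_subnets:
        probe = str(ipaddress.ip_network(subnet).network_address + 1)
        if reply_path(routes, probe)["dev"] != lan_dev:
            missing.append(subnet)
    return missing


if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(name, reply_path(table, "192.168.20.50"),
              missing_return_routes(table, ["192.168.20.0/24"], "vmbr1"))
```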