OPNsense Forum

English Forums => General Discussion => Topic started by: ooompa on February 16, 2021, 08:50:07 am

Title: Wireguard with Mullvad VPN
Post by: ooompa on February 16, 2021, 08:50:07 am
For the past few days I have struggled to complete the setup and finally got to the point where I am connected to server I am supposed to, but something isn't right.

1. Per Mullvad's website I am leaking DNS. Under "Leaking DNS servers", it shows both Mullvad's DNS and 1 or 2 of my local IP's DNS addresses.
2. There is constant packet loss (3-10%) displayed in the gateway table in the dashboard menu.
3. Some websites, including all of Google, don't load.

Thanks for the help.
Title: Re: Wireguard with Mullvad VPN
Post by: Greelan on February 16, 2021, 11:27:17 am
Not sure how you have configured your setup, but this may help: https://forum.opnsense.org/index.php?topic=21205.msg99309#msg99309
Title: Re: Wireguard with Mullvad VPN
Post by: ooompa on February 16, 2021, 05:13:07 pm
I tried to set it up using auto-populated public and private keys and it didn't work for some reason. Then I used Mullvad's public and private key pair and it worked. I mean as-is, with DNS not working right.

I will go through your guide and try to set it up like you. And report back.

Thanks!
Title: Re: Wireguard with Mullvad VPN
Post by: Greelan on February 16, 2021, 10:03:55 pm
I've never used Mullvad myself, but based on their Linux script ( https://mullvad.net/media/files/mullvad-wg.sh ) there is an API for uploading your public key and getting the endpoint info. Alternatively, they may also have a web interface for managing keys on your account.
Title: Re: Wireguard with Mullvad VPN
Post by: ooompa on February 19, 2021, 03:46:42 pm
I am still failing :(

Yes, I have used their pair of keys, not OPNsense's own generated keys (there was no connection whatsoever then).

Should I post the screenshots of my setup for discussion?
Title: Re: Wireguard with Mullvad VPN
Post by: lfirewall1243 on February 19, 2021, 06:34:42 pm
Quote from: ooompa on February 16, 2021, 05:13:07 pm
I tried to set it up using auto-populated public and private keys and it didn't work for some reason. Then I used Mullvad's public and private key pair and it worked. I mean as-is, with DNS not working right.

I will go through your guide and try to set it up like you. And report back.

Thanks!

I don't think your DNS leak is a key problem.
When the keys are okay, the connection is up.
If not, it's down.

I think you are routing stuff wrong (not over the vpn).

Please show your fw rules and gateway config.

And a network plan please :)
Title: Re: Wireguard with Mullvad VPN
Post by: ooompa on February 19, 2021, 09:35:57 pm
Yeah, I keep trying different guides to fix it and now the connection is down altogether. I bet the config is messed up somewhere. I am very new to this and it looks like about 8 screens have to be set just right to make it work.

I am getting my internet through a DSL modem, which is bridged to a thin client running OPNsense that handles the PPPoE login. Then it goes to a managed switch and to an AP.

Hopefully these are all you will need. I am not worried about my keys as I will change them once this is running.

(https://i.ibb.co/VYdXRFf/OPNaliases.png) (https://ibb.co/DfN3hB0)
(https://i.ibb.co/s3PBXQg/OPNendpoing-WG.png) (https://ibb.co/12nS4K0)
(https://i.ibb.co/zSjsYSj/OPNfw.png) (https://ibb.co/sFkjGFk)
(https://i.ibb.co/P9b3nD5/OPNfwrule.png) (https://ibb.co/X3dNgYz)
(https://i.ibb.co/VwP6xrB/OPNgateway.png) (https://ibb.co/Sf9ScWv)
(https://i.ibb.co/y82yBjy/OPNinterface.png) (https://ibb.co/FBpwqTw)
(https://i.ibb.co/BPJgKPQ/OPNoutbound.png) (https://ibb.co/KGg9zGf)
(https://i.ibb.co/hYFdmyk/OPNportforward.png) (https://ibb.co/5KhjR6d)
(https://i.ibb.co/tDwP6CH/OPNrules-WG.png) (https://ibb.co/qpLF81D)
(https://i.ibb.co/mXJzRLJ/OPNwglocal.png) (https://ibb.co/D84K1x4)

Title: Re: Wireguard with Mullvad VPN
Post by: lfirewall1243 on February 19, 2021, 09:39:36 pm
Does the Wireguard key exchange work (connection up)?
Title: Re: Wireguard with Mullvad VPN
Post by: ooompa on February 19, 2021, 09:54:02 pm
Not sure if that proves it, but there is a key under the handshakes tab.

wg0   01KgzQY+pT7Q+GPUa1ijj0YgdN5owMaK9ViRZO4dIWo=   1613767992

Gateway is offline and shows 100% packet loss.
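A peer showing up in the handshakes tab only proves that one handshake completed at the listed time; WireGuard re-handshakes roughly every two minutes while traffic flows, so a timestamp that stops advancing while the gateway shows 100% loss is consistent with a tunnel that came up but is not carrying traffic. The following is an added example, not code from the thread or from OPNsense: it parses the three-column `iface  pubkey  epoch` format shown above (the sample line is the one from this post, used as constructed input) and classifies each peer's handshake age against a constructed 180-second threshold.

```python
"""Classify WireGuard peer handshake age from handshakes-tab style output.

Added example. Assumes the three-column format shown in the post
(interface, peer public key, unix timestamp). STALE_AFTER is a constructed
threshold chosen to sit above WireGuard's ~120 s rekey interval; it is not a
WireGuard constant.
"""
from datetime import datetime, timezone

STALE_AFTER = 180  # seconds; constructed threshold

# Constructed sample: the single line from the post, in the tab's format.
SAMPLE_OUTPUT = """\
wg0   01KgzQY+pT7Q+GPUa1ijj0YgdN5owMaK9ViRZO4dIWo=   1613767992
"""


def parse_handshakes(text):
    """Return a list of (iface, pubkey, epoch) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # blank line, header, or something that is not a peer row
        iface, pubkey, epoch = parts
        rows.append((iface, pubkey, int(epoch)))
    return rows


def handshake_status(rows, now, stale_after=STALE_AFTER):
    """Map pubkey -> (iface, status, age_seconds).

    status is 'never' when the epoch is 0 (wg reports 0 for a peer that has
    never completed a handshake), 'stale' when the last handshake is older
    than stale_after, otherwise 'fresh'.
    """
    result = {}
    for iface, pubkey, epoch in rows:
        if epoch == 0:
            result[pubkey] = (iface, "never", None)
            continue
        age = max(now - epoch, 0)
        status = "stale" if age > stale_after else "fresh"
        result[pubkey] = (iface, status, age)
    return result


def report(text, now):
    """Human-readable summary, one line per peer, for the operator."""
    rows = parse_handshakes(text)
    if not rows:
        return "no peer rows parsed: no configured peers or unexpected output format"
    lines = []
    for pubkey, (iface, status, age) in handshake_status(rows, now).items():
        if age is None:
            lines.append(f"{iface} {pubkey[:8]}... never completed a handshake")
            continue
        when = datetime.fromtimestamp(now - age, tz=timezone.utc).isoformat()
        lines.append(f"{iface} {pubkey[:8]}... last handshake {when} ({age}s ago): {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Using a fixed 'now' so the run is reproducible; in practice use time.time().
    print(report(SAMPLE_OUTPUT, now=1613770000))
```

Run it against real output with `wg show wg0 latest-handshakes` piped in, substituting `int(time.time())` for the fixed `now`; a peer that stays `stale` while you generate traffic from a LAN host points at routing or NAT rather than at the key exchange, which is the distinction lfirewall1243 is drawing above.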
Title: Re: Wireguard with Mullvad VPN
Post by: Greelan on February 20, 2021, 12:37:27 am
Those firewall/NAT rules look a bit confused to me. Explain what networks you have locally and what you are trying to achieve with them over WG.

I also still think the setup is odd in terms of having the same keys locally and on the endpoint.
Title: Re: Wireguard with Mullvad VPN
Post by: ooompa on February 20, 2021, 04:34:51 am
For testing purposes and when I have to use WAN connection, I have some of my devices with separate rules to bypass the VPN.

Then everything else goes to VPN.

Not sure if it's set up right. Feel free to criticize :)
Title: Re: Wireguard with Mullvad VPN
Post by: Greelan on February 20, 2021, 05:17:03 am
That still doesn't tell me what local networks you have.
Title: Re: Wireguard with Mullvad VPN
Post by: ooompa on February 20, 2021, 07:14:24 am
Just 1 network, LAN. 192.168.10.x
Title: Re: Wireguard with Mullvad VPN
Post by: Greelan on February 20, 2021, 08:10:24 am
And you want to send all external traffic from that LAN network down the tunnel, or only from some hosts in that network?
Title: Re: Wireguard with Mullvad VPN
Post by: ooompa on February 20, 2021, 09:24:56 pm
All traffic, except for Roku. I also want to be able to quickly disable VPN on a particular device.
Title: Re: Wireguard with Mullvad VPN
Post by: Greelan on February 20, 2021, 10:34:39 pm
OK.

As a starting point you should scrap everything you have done :)

Then follow this tutorial: https://forum.opnsense.org/index.php?topic=21205.0

Two additions to that:

- This guide (https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html) tells you in section 1 how to upload your locally generated public key to Mullvad and get the Mullvad endpoint info. It is the same command as in the script I linked in an earlier post.

- To allow specific devices to not use the tunnel, I suggest you define another Alias for the IPs of those devices, and then in your LAN firewall rules you would include a rule for that Alias, but rather than using the WG gateway it would use the default. Then put this above the firewall rule created as per the tutorial (note that in your case, the Alias created for the relevant VPN hosts as per the tutorial would be the entire LAN net, with the new Alias and rule created as per this dot point becoming the exception to that).

For completeness, there is possibly a simpler means of implementing what you want, but I can't guarantee that it would work. This would involve setting things up as per the OPNsense docs guide above (the one for Mullvad) so that the default is that everything uses the tunnel. Then create firewall and outbound NAT rules for the devices that you want to use the normal WAN gateway. So sort of the reverse of the first setup I describe above. I can't guarantee that this will work, because it is not something I have tried and I am not sure that just the firewall and outbound NAT rules will override the new default routing of everything using the tunnel.
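The ordering point in the first setup above (bypass Alias rule placed above the LAN-wide WG rule) is easy to get backwards, and the result is silent: the Roku simply ends up in the tunnel. The following is an added example, not code from the thread or from OPNsense; it models OPNsense's top-down, first-match rule evaluation in plain Python so the effect of rule order on the gateway each host gets is visible. The alias names, the Roku address and the gateway names are constructed.

```python
"""First-match simulation of LAN policy-routing rule order.

Added example. It does not talk to OPNsense; it only reproduces the
first-match-wins evaluation order so that the effect of placing the bypass
rule above or below the catch-all WG rule can be checked on paper.
Alias names, addresses and gateway names are constructed.
"""
import ipaddress

# Constructed aliases. Per Greelan, the "VPN hosts" alias is the whole LAN and the
# bypass alias is the exception list of devices that keep using the WAN gateway.
ALIASES = {
    "LAN_net": ["192.168.10.0/24"],
    "VPN_bypass_hosts": ["192.168.10.50"],  # constructed Roku address
}

# Ordered LAN rules as (source alias, gateway). First matching rule wins.
RULES_CORRECT = [
    ("VPN_bypass_hosts", "WAN_GW"),  # exception rule on top
    ("LAN_net", "WG_GW"),            # tutorial's catch-all underneath
]
RULES_WRONG_ORDER = list(reversed(RULES_CORRECT))


def alias_matches(aliases, alias_name, src_ip):
    """True if src_ip falls inside any host or network entry of the alias."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in aliases.get(alias_name, []))


def resolve_gateway(rules, aliases, src_ip):
    """Gateway chosen for src_ip under first-match evaluation; None if no rule matches
    (which on a default-deny firewall means the traffic is blocked)."""
    for alias_name, gateway in rules:
        if alias_matches(aliases, alias_name, src_ip):
            return gateway
    return None


def gateway_table(rules, aliases, hosts):
    """Gateway per host, to eyeball the whole LAN at once."""
    return {host: resolve_gateway(rules, aliases, host) for host in hosts}


def set_bypass(aliases, src_ip, enabled):
    """Toggle a device in or out of the bypass alias without touching the rules.

    This is the 'quickly disable VPN on a particular device' requirement: editing
    one alias entry moves the host between gateways while rule order stays fixed.
    """
    entries = aliases.setdefault("VPN_bypass_hosts", [])
    if enabled and src_ip not in entries:
        entries.append(src_ip)
    elif not enabled and src_ip in entries:
        entries.remove(src_ip)
    return list(entries)


if __name__ == "__main__":
    hosts = ["192.168.10.20", "192.168.10.50"]
    print("correct order :", gateway_table(RULES_CORRECT, ALIASES, hosts))
    print("reversed order:", gateway_table(RULES_WRONG_ORDER, ALIASES, hosts))
```

The simulation only covers gateway selection; the real setup still needs the outbound NAT entries on the WireGuard interface and the gateway definition from the tutorial, and a host that matches neither alias (off-LAN source, for instance) falls through to the default deny.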