OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: Chrome on October 31, 2022, 09:46:33 pm

Title: OPNsense and Proton VPN (Wireguard)
Post by: Chrome on October 31, 2022, 09:46:33 pm

Just wondering if any members have been successful in getting connected to Proton's VPN service using Wireguard with their OPNsense boxes?

They have support currently for PFsense...but make no mention of OPNsense. Surely, OPNsense's userbase would be big enough for them to warrant support?

What are everyone's thoughts?


Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: Greelan on November 01, 2022, 12:04:51 am
WireGuard is WireGuard. If it works on pfSense it should work on OPNsense

This may help: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: Koloa on November 01, 2022, 01:02:35 am
I was able to get OPNsense and ProtonVPN working, but, it wasn't as easy as Mullvad, or any other WireGuard setup.

The primary differences that I encountered -- basing my setup off of the Mullvad example in the Docs for OPNsense, including https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html and https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html were:


It's the setting of the Gateway IP (on your OPNsense box) in a few places that is important to get right, as well as all the other steps outlined in the Mullvad example.   It's a lot of steps, and read carefully as there are a few gotchas.

In the end, I was able to get it working just fine, but it was more picky than other setups.
Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: Chrome on November 04, 2022, 05:10:23 pm
@Koloa Thanks for the direction.

I think I've got the connection with Proton going. I can see the handshake and the status in the WG section of the VPN category. About 5MB received and 10MB sent over the last day or so.

The part I don't think I've got straight is the IPs for the gateway, and the "gotchas" you mentioned in your post.

I do have PIA working with a small subnet of machines being routed via the WG gateway. So, I do have a working example to pull from.

Back to Proton, I've set the gateway IP to 10.2.0.1 in the Gateway -> Single. Was this incorrect? I've tried 10.2.0.2 and 10.2.0.250...none of them seem to work.

When I use 10.2.0.1 the gateway is UP.

Any ideas?
Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: Koloa on November 05, 2022, 02:07:05 am
What works for me (and your kilometerage may vary), is:

VPN -> WG -> Local -> Proton -> Tunnel Address = 10.2.0.2 (this was in the .conf from Proton)
VPN -> WG -> Local -> Proton -> Gateway Address = 10.2.0.1
VPN -> WG -> Local -> Proton -> Peers = Whatever endpoint you selected in the .conf generator at Proton - note that you can't fill this field out until you first go to VPN -> WG -> Endpoints and define one.
VPN -> WG -> Local -> Proton -> Disable Routes = ON

For the Endpoint for Proton, I'm permitting 0.0.0.0/0 as AllowedIPs.

Once you've done the above, you will have to make sure you've clicked "Apply" a few times, as well as stopped and restarted WireGuard. I've found the best way to do that is NOT from the Dashboard (has not worked for me reliably), but turning off WG via VPN -> WG -> General, untick, apply, tick, apply.

Before you can set the Single Gateway, you also have to make sure you have enabled the wg Interface for the new connection, and it's not enough just to assign it, you have to make sure it is enabled.

You do this in Interfaces -> Assignments, and from the dropdown select your new WireGuard connection, then click on the Plus symbol to the right, then Save.

Then go BACK to Interfaces and select the new Interface, make sure you've got a good description for it, enable it, and click on Save.  In my case, I make sure that the blocking of private/bogon addresses is disabled.

Then you can go over to System -> Gateways -> Single and define your GW_Proton (or whatever you want to call it).

In my case, it's set to:

Interface: Name of interface from the just defined list in the previous step
Address Family: IPv4
IP address: 10.2.0.1
Disable gateway monitoring:  OFF
Far Gateway: ON
Upstream Gateway: OFF
Monitor IP: 9.9.9.9 (bad choice, makes it seem highly latent where I live, but it works)

And then click on Save.

Now, with this configuration, the way I understand it, the "disable routes" option in the definition of the Local endpoint means that it won't install the 0.0.0.0/0 as a route in the routing table for effectively the default.  This means that you will HAVE to use policy based routing to use the Proton VPN tunnel.  You may not want it configured this way, but I did.

From there, you still need to configure outbound NAT rules for this interface, as well as any policy based rules which decide which of your LAN hosts you want to route traffic over the GW_Proton gateway.

Of course, you also have to make sure those routing rules are placed in the right spot in your list of rules...

Hope that helps get you a bit closer!
Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: ckishappy on November 05, 2022, 04:48:35 pm
@Chrome, I did the Proton VPN setup like @Koloa outlined and it works fine since Proton made the WG configurations available. The only problem that I have (since switching from Proton OpenVPN to WG) is that the OPNsense system updates and bogon IP updates time out. When I stop WG, the updates go through smoothly.
Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: Chrome on November 06, 2022, 12:10:03 am
@Koloa WOW! That's a great walk through... the best I've seen for Proton and their WG. My issue was more with the creating of the keys and doing that via the CLI. Once I did that properly, WG connected nicely. The routing part seems to be working just fine, now that I switched to the NL servers.
The CLI command: wg pubkey < private > pub

was "KEY" for me. :-)

I am having issues more with the server (US ones mainly)...the Netherlands ones seem to work better for me. Having said that, I am on the free account... using the free servers...so, fairly certain that might have something to do with it. Looking to switch over to the paid version.

Thanks so much for the write up... I hope many others can benefit from it.

My 2 issues were creating the keys correctly... and I didn't seem to have much luck getting a working connection to a FREE US server... it works MUCH better to a FREE NL server. Haven't tested a JP one yet.
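
What `wg pubkey` actually computes, as an added example that is not from this thread or from the wg tool: the public key is X25519(private, 9) per RFC 7748, so a key pair pasted into OPNsense and into Proton's config generator can be checked offline for a mismatch (no handshake at all) before hunting for routing problems. The ladder is the textbook one (a Python branch, not constant time), so it is for verifying keys, not a replacement for `wg genkey`.

```python
import base64

P = 2**255 - 19     # Curve25519 field prime
A24 = 121665        # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")   # u = 9, the X25519 generator


def decode_key(b64: str) -> bytes:
    """Base64 text as printed by `wg genkey` / `wg pubkey` -> 32 raw bytes."""
    raw = base64.b64decode(b64.strip())
    if len(raw) != 32:
        raise ValueError("a WireGuard key is exactly 32 bytes")
    return raw


def encode_key(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder).
    Textbook version: the swap is a Python branch, so it is not constant time."""
    kb = bytearray(k)
    kb[0] &= 248            # clamp the scalar exactly as wg / libsodium do
    kb[31] &= 127
    kb[31] |= 64
    s = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (s >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_pubkey(private_b64: str) -> str:
    """Same result as `wg pubkey < private`: public = X25519(private, 9)."""
    return encode_key(x25519(decode_key(private_b64), BASEPOINT))


def keypair_matches(private_b64: str, public_b64: str) -> bool:
    """True if the public key Proton holds belongs to this private key."""
    return decode_key(public_b64) == decode_key(wg_pubkey(private_b64))
```

Feed it the private key from the OPNsense Local entry and the public key shown in Proton's config; if `keypair_matches` is False, Proton will never complete a handshake no matter how the gateway is set.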

Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: Chrome on November 06, 2022, 12:11:00 am
@Chrome, I did the Proton VPN setup like @Koloa outlined and it works fine since Proton made the WG configurations available. The only problem that I have (since switching from Proton OpenVPN to WG) is that the OPNsense system updates and bogon IP updates time out. When I stop WG, the updates go through smoothly.

@ckishappy Thanks for the tip. I'll keep that in mind for the next update.
Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: Chrome on November 06, 2022, 03:36:15 am
Getting about a 50% - 80% packet loss on the NL server I picked. No packet loss to any other gateway. Leaning towards the free server being the issue.
Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: ckishappy on November 06, 2022, 09:14:51 pm
Hmm, yes, makes sense to try the other (not free) servers as there should be no packet loss. The servers NL#227 - NL#252 seem to be not that loaded in the NL.
Title: Re: OPNsense and Proton VPN (Wireguard)
Post by: Chrome on November 07, 2022, 03:04:10 pm
So, the free servers go up to #158 for NL.

I was able to find a stable server for about 12 hours...so, that gave me a good chance to test and correct. The "stable" server has now gone to 100% packet loss overnight. Was at 0% packet loss yesterday. Anyway...

DNS resolution was causing an issue yesterday for a bit... I tried a couple of firewall rules... but couldn't get that working. So, as long as I manually insert a DNS server (1.1.1.1 or 9.9.9.9 or 10.2.0.1) on the workstation, then resolution is fine. If I add a DNS server (including 10.2.0.1) to the static DHCP lease... then it also works.

If I leave it defaulted to the router's IP for DNS resolution... then it fails.

Couldn't spend any more time yesterday to figure it out... but I am sure I am just missing a small something in the firewall rules.