OPNsense Forum

English Forums => Virtual private networks => Topic started by: chbmb on November 24, 2019, 04:29:31 pm

Title: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on November 24, 2019, 04:29:31 pm
So I recently migrated to OPNsense from Pfsense, I'm very impressed and glad I made the switch.  I've been experimenting with WireGuard a fair bit and have written a couple of blog posts on my progress so far with an OPNsense WireGuard "server" and Android and Ubuntu desktop "clients", so my next step was to try and setup Mullvad as the "server" and OPNsense as the "client"

I've been referencing the guides below:

https://wiki.opnsense.org/manual/how-tos/wireguard-client-mullvad.html
https://wiki.opnsense.org/manual/how-tos/wireguard-client-azire.html
https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/

I can get the tunnel up, as evidenced here (wg1; wg0 is my "WireGuard server for connection to my LAN remotely", and I am using a custom port to receive the incoming connection).

(http://i.imgur.com/B08X9vg.png) (https://imgur.com/B08X9vg)

(http://i.imgur.com/5VOnnXp.png) (https://imgur.com/5VOnnXp)

(http://i.imgur.com/n2NtyXS.png) (https://imgur.com/n2NtyXS)

(http://i.imgur.com/DSbzWCL.png) (https://imgur.com/DSbzWCL)

(If I do not disable routes then I find all my internet access from LAN disappears.)

Undeterred I figured some manual routing would work and give me more granular control over things, so I created an interface.

(http://i.imgur.com/tVALevh.png) (https://imgur.com/tVALevh)

and added a firewall rule

(http://i.imgur.com/uGWB1H6.png) (https://imgur.com/uGWB1H6)

But traffic is still going out over WAN, rather than the Mullvad interface.  I tried to create a gateway, as shown here

(http://i.imgur.com/paBNfPC.png) (https://imgur.com/paBNfPC)

and can manually bring it up, by clicking on the grey arrow, although I'm not sure how having the gateway really changes anything given my existing NAT rule.

(http://i.imgur.com/rooazxp.png) (https://imgur.com/rooazxp)

I'm obviously missing something, but I'll be damned if I know what, and if anyone can give me some pointers I'd be very grateful indeed.

Sorry for the lengthy post/pictures, but figured it would be better to have too much information, rather than not enough.

Thanks

C
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on November 24, 2019, 05:20:12 pm
You need to put an IP address into gateway and also add this IP in gateway field in local instance. Then you can do routing via Firewall rules
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on November 24, 2019, 05:28:13 pm
Quote
You need to put an IP address into gateway and also add this IP in gateway field in local instance. Then you can do routing via Firewall rules

Forgot to mention that I'd tried that and got the error message:

Quote
"The gateway address "10.249.0.1" does not lie within one of the chosen interface's IPv4 subnets."

So the thing that confuses me, is which IPV4 subnet is applicable to the Mullvad interface?  Another IP in the same range as the tunnel address?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on November 24, 2019, 05:40:58 pm
Ah, OK, added the IPV4 tunnel address on my local Mullvad WireGuard instance as the Gateway IP.  That worked.

I'm still not getting my traffic routed over the interface though, so presumably I need to add another rule in somewhere?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on November 25, 2019, 05:55:37 am
Firewall rule in LAN tab and add there the mullvad gateway :)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on November 27, 2019, 04:43:32 pm
Sorry, I'm probably being stupid here, I've tried doing as you suggested.  Something happens: basically any traffic in my browser is redirected to my OPNsense install.   :o

I've put a gateway IP into the local instance
(Doesn't work if I leave out the /32 - tunnel doesn't come up or show in "List configuration")

Local Instance

(https://i.imgur.com/PiD0kis.png)

Endpoint

(https://i.imgur.com/nv7dwMG.png)

List Configuration

(https://i.imgur.com/QJvfqPY.png)

I've created the interface for Mullvad

(https://i.imgur.com/hglv8lL.png)

And then a gateway with the assigned IP of the tunnel address of the local instance

(https://i.imgur.com/SD75l0M.png)

(https://i.imgur.com/Nwf24ba.png)

So I think everything up to this point is good.  :D

I'm going to guess it's the following bits that have me confused, as I'm clearly missing something, and I'm sure those wiser than me will laugh at my mistake......

I've got an Outbound NAT rule

(https://i.imgur.com/vtlBKc0.png)

A Mullvad NAT Rule

(https://i.imgur.com/RhcTysj.png)

And finally a LAN Firewall Rule (deactivated at the moment, as enabling it results in everything redirecting to my OPNsense address).

(https://i.imgur.com/61L7LI9.png)

Really appreciate the advice.  Sorry for another lengthy post.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: actionhenkt on November 28, 2019, 10:59:23 pm
I have tried to get this working with Mullvad as well, got it working once for 10 minutes. I will try again this weekend; if I can get it stable I can share the configuration with you.

I noticed you use hybrid NAT on your WAN and your source on it is any; the auto NAT rules also contain your Mullvad interface on WAN, I'm not sure the manual NAT rule for the Mullvad interface will work here. Have you tried manual outbound NAT? I would also then remove the source "LAN net" from your LAN rule and make it source any and put the Mullvad gateway back into your LAN in rule to test if it works at all (if it does you can try an alias containing IPs as source next). You could also try to set a local tag on the LAN in rule and match the tag on the outbound NAT rule for the Mullvad interface (in a manual NAT configuration).
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on December 01, 2019, 01:13:27 am
Quote
I have tried to get this working with Mullvad as well, got it working once for 10 minutes. I will try again this weekend; if I can get it stable I can share the configuration with you.

I would be very grateful.   ;D

Quote
I noticed you use hybrid nat on your wan and your source on it is any, the auto nat rules also contain your mullvad interface on wan, im not sure the manual nat rule for the mullvad interface will work here.. have you tried manual outbound nat ?

I haven't tried manual outbound NAT, I thought with hybrid that rules were applied in order from top down.

Quote
I would also then remove the source "lan net" from your lan rule and make it source any and put the mullvad gateway back into your lan in rule to test if it works at all

Unfortunately, it still didn't work

Quote
(if it does you can try an alias containing ip's as source next). You could also try to set a local tag on the lan in rule and match the tag on the outbound nat rule for the mullvad interface (in a manual nat configuration).

It's my end intention to make it a bit more granular in terms of clients that use the Mullvad tunnel, just figured making it as simple as possible to start with.

Not that it's been as simple as I'd originally hoped.....

Thanks for the reply, if nothing else it's reassuring to know others have had difficulty too....
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: tusc on December 03, 2019, 10:20:59 pm
Count me as another user trying to get wireguard to work with policy based routing. I tried months ago with no luck. Hopefully someone figures it out.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on December 04, 2019, 01:41:03 am
Quote
Count me as another user trying to get wireguard to work with policy based routing. I tried months ago with no luck. Hopefully someone figures it out.

Well that's three of us that are struggling!  If nothing else you've made me feel better about not being able to get it working.

Perhaps I'm not quite as dumb as I thought!   ;D
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on December 04, 2019, 05:53:35 am
Can you ping me via IRC? I can have a look via Teamviewer
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on December 04, 2019, 08:48:02 am
Quote
Can you ping me via IRC? I can have a look via Teamviewer
Yeah, will do when I get back from work and we'll try and work out a time.  Thanks for that!


Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: spants on December 04, 2019, 08:01:16 pm
Count me in as another user trying to do the same!.
I have everything running on PIA OpenVPN (including routing for ports/devices) but wanting to switch to Mullvad Wireguard after the recent news.....

I have the wireguard server running on my opnsense - it's awesome!

(hi CHBMB - from another unraid guy!)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on December 04, 2019, 08:06:23 pm
I fixed it with him, he will write a guide
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on December 04, 2019, 08:45:50 pm
Quote
Count me in as another user trying to do the same!.
I have everything running on PIA OpenVPN (including routing for ports/devices) but wanting to switch to Mullvad Wireguard after the recent news.....

I have the wireguard server running on my opnsense - it's awesome!

(hi CHBMB - from another unraid guy!)

Hello mate, I recognise the name!

Quote
I fixed it with him, he will write a guide

You did, I'm still fiddling with a few things which I think are DNS related.  But yeah, definitely able to get stuff routed down the tunnel now.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on December 07, 2019, 01:49:36 pm
Ok.....

So this is unfortunate.....

I broke my first rule of documenting stuff and backing it up  before doing anything else.  Unfortunately, I suffered a power cut to the house not long after mimugmail was kind enough to teamviewer in and help with this.

My config got hosed and I'm trying to recreate it, but am completely unable to resolve any addresses.

I did save the messages between myself and mimugmail at the time, so all is not lost, so if anyone else wants to try this here are the brief instructions.

Quote
In sum, pick a random IP like 1.2.3.4, add it to endpoint in addition to 0.0.0.0, add it to gateway in local instance and hit disable routes, assign wg interface, add a gateway with ip 1.2.3.4 and far gateway, then create firewall rules with 1.2.3.4 as gateway.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: spants on December 15, 2019, 05:14:06 pm
I'm still having problems getting this running ...... anyone have a step-by-step ready for this I would be grateful!
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on December 15, 2019, 06:30:58 pm
Where have you got to with it?  Perhaps we can figure it out together?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: spants on December 15, 2019, 08:45:38 pm
Thanks for the offer.... I just got it working.

I made a stupid mistake: in the servers list, I used the multihop Port instead of the standard port!
Just now changing all my Rules to use Wireguard instead of PIA

Thanks again for the offer of help.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on December 15, 2019, 09:48:59 pm
Quote
Thanks for the offer.... I just got it working.

I made a stupid mistake: in the servers list, I used the multihop Port instead of the standard port!
Just now changing all my Rules to use Wireguard instead of PIA

Thanks again for the offer of help.

Well if you'd care to share, I still can't get it working!  ;D
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: spants on December 15, 2019, 11:16:59 pm
sent a pm - let me know if it makes sense and works first so that we can do a proper writeup!
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on December 16, 2019, 12:03:21 am
Will do.  I'm clearly missing something.   I'm getting very close to a nuke and pave.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: ownerer on December 16, 2019, 08:30:00 pm
Typical, I reply (https://forum.opnsense.org/index.php?topic=14031.msg69736#msg69736) to a thread I found via google, only to find this thread afterwards...

Another one here trying to get this to work!
Anxiously waiting to see that write-up guys! ;D
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on December 20, 2019, 05:00:22 pm
Can you post screenshots of local server instance and linked endpoint?

1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.

It's not that hard to get this running :)
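The six steps above are easy to get subtly wrong (a bare "0.0.0.0" instead of "0.0.0.0/0" in the endpoint's allowed IPs, a missing /32 for the placeholder gateway, or a peer that never handshakes because of a wrong port or key). The script below is an added example for this thread, not code from OPNsense, the WireGuard plugin or Mullvad. It parses the tab-separated output of `wg show <iface> dump`, which is WireGuard's own machine-readable format, and reports whether each peer matches the recipe. The dump embedded in it is constructed: the keys are placeholders, 1.2.3.4 is the thread's placeholder gateway, and 198.51.100.0/24 is a documentation range, not a Mullvad endpoint.

```python
"""Audit a WireGuard peer against the OPNsense policy-routing recipe.

Added example, not code from OPNsense, the WireGuard plugin or Mullvad.
Checks, per peer in `wg show <iface> dump` output:
  * AllowedIPs contain 0.0.0.0/0 (a bare "0.0.0.0" is stored as /32 and matches nothing)
  * the placeholder gateway (1.2.3.4 in the thread) is listed explicitly as a /32
  * an endpoint is set and the last handshake is recent
"""
import ipaddress
import sys
import time
from dataclasses import dataclass

HANDSHAKE_MAX_AGE = 180  # seconds; WireGuard re-handshakes roughly every 2 minutes

# Constructed sample (placeholder keys, documentation-range endpoints):
# one healthy peer and one showing the two classic mistakes.
SAMPLE_DUMP = (
    "PRIVATE_KEY_REDACTED\tLOCAL_PUBKEY_REDACTED\t51820\toff\n"
    "GOOD_PEER_PUBKEY\t(none)\t198.51.100.10:51820\t1.2.3.4/32,0.0.0.0/0\t1700000100\t123456\t654321\toff\n"
    "BAD_PEER_PUBKEY\t(none)\t198.51.100.11:51820\t1.2.3.4/32,0.0.0.0/32\t0\t0\t0\toff\n"
)
SAMPLE_NOW = 1700000160  # fixed "current time" so the sample run is deterministic


@dataclass
class Peer:
    public_key: str
    endpoint: str            # "(none)" when unset
    allowed_ips: list        # ipaddress.IPv4Network / IPv6Network objects
    latest_handshake: int    # unix time, 0 = never


def parse_wg_dump(text):
    """Parse `wg show <iface> dump`: line 1 is the interface, the rest are peers."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty dump")
    iface = lines[0].split("\t")
    if len(iface) != 4:
        raise ValueError("unexpected interface line: %r" % lines[0])
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        if len(f) != 8:
            raise ValueError("unexpected peer line: %r" % ln)
        allowed = [] if f[3] == "(none)" else [ipaddress.ip_network(a) for a in f[3].split(",")]
        peers.append(Peer(public_key=f[0], endpoint=f[2], allowed_ips=allowed,
                          latest_handshake=int(f[4])))
    return {"public_key": iface[1], "listen_port": iface[2]}, peers


def check_peer(peer, gateway_ip, now):
    """Return a list of problems; an empty list means the peer matches the recipe."""
    problems = []
    gw = ipaddress.ip_address(gateway_ip)
    default = ipaddress.ip_network("0.0.0.0/0" if gw.version == 4 else "::/0")
    gw_host = ipaddress.ip_network("%s/%d" % (gw, gw.max_prefixlen))
    if default not in peer.allowed_ips:
        problems.append("AllowedIPs lack %s (a bare 0.0.0.0 becomes /32 and matches nothing)" % default)
    if gw_host not in peer.allowed_ips:
        problems.append("gateway %s is not listed in AllowedIPs" % gw_host)
    if peer.endpoint == "(none)":
        problems.append("no endpoint configured")
    if peer.latest_handshake == 0:
        problems.append("no handshake yet: check key, server port and that the account is paid")
    elif now - peer.latest_handshake > HANDSHAKE_MAX_AGE:
        problems.append("last handshake %d s ago, tunnel is stale" % (now - peer.latest_handshake))
    return problems


def audit(text, gateway_ip, now):
    """Map each peer public key to its list of problems."""
    _, peers = parse_wg_dump(text)
    return {p.public_key: check_peer(p, gateway_ip, now) for p in peers}


if __name__ == "__main__":
    # On the firewall shell:  wg show wg1 dump | python3 wgaudit.py 1.2.3.4
    if len(sys.argv) > 1:
        report = audit(sys.stdin.read(), sys.argv[1], int(time.time()))
    else:
        report = audit(SAMPLE_DUMP, "1.2.3.4", SAMPLE_NOW)
    for key, problems in report.items():
        print(key, "OK" if not problems else "; ".join(problems))
```

Run it with no arguments to see the constructed sample, or pipe a real `wg show wg1 dump` into it with the gateway address as the only argument (the interface name wg1 and the file name wgaudit.py are assumptions). A clean report only tells you the WireGuard side is sane; the routing itself still has to be confirmed with a packet capture on the assigned interface.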
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: ownerer on December 20, 2019, 05:40:01 pm
Quote
It's not that hard to get this running :)

Well that's what I would expect, yes!  :P

But I have done all of this over 10 times already, to no avail. Traffic simply. will. not. pass.
I've tried creating the interface both without and with IP address (the local tunnel address), nothing.
(note btw that you have to restart the Wireguard service after creating the interface. If I don't and I try to create the gateway on the interface, I get an error saying no valid IPv4 config was found on the interface...)

And it's not like I haven't done this before.
I have policy based routing set up and working with PIA, monitored gateways, failover etc

So why this won't work is beyond me  :-\

So perhaps it's best to really take the Wireguard for Dummies approach here and start at the very beginning:
Is there any way to verify that the tunnel is actually up, regardless of routing?

Edit: requested screenshots
(https://i.ibb.co/3WSkMd4/2019-12-20-17-49-17-Wire-Guard-VPN-OPNsense-localdomain.png) (https://ibb.co/CvVWM8m)
(https://i.ibb.co/mvj6T8N/2019-12-20-17-49-43-Wire-Guard-VPN-OPNsense-localdomain.png) (https://ibb.co/0B7h2ts)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: zgQTSf2PHyHt on December 23, 2019, 06:33:14 am
I spent a few hours trying to get this to work with no success. I currently have manual policy routing with OpenVPN on a subset of VLANs, and I only managed to get that working by pushing routes in the custom options field. I followed all the available advice and forum posts and also mirrored my known good OVPN VLAN FW rules, NAT, gateway settings, etc. with no success.

What's the deal with this? 
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on December 23, 2019, 12:52:21 pm
@ownerer: if you want to start from scratch, disable OpenVPN stuff and do a packet capture on the WG interface to check if packets are traversing the tunnel. I need screenshots of FW rules and outbound NAT. The interface has to be with no ip configuration and if you touch it you need to restart wireguard
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: chbmb on December 24, 2019, 01:34:57 am
Quote
@ownerer: if you want to start from scratch, disable OpenVPN stuff and do a packet capture on the WG interface to check if packets are traversing the tunnel. I need screenshots of FW rules and outbound NAT. The interface has to be with no ip configuration and if you touch it you need to restart wireguard

Hi mimugmail, I think a few of us are finding this more difficult than expected.  I'm a bit tied up at the moment as very busy at work and second child arriving fairly soon, I was wondering, would it help if I donated a month or two of Mullvad to you?  If nothing else so you can illustrate the firewall rules required, Let me know and I'll quite happily do so.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: ownerer on December 30, 2019, 08:06:36 am
Sooooooo, this is embarrassing...

Mullvad used to offer 3 hour trial accounts, turns out they aren't anymore.
Yours truly here was testing with an unpaid account under the assumption that those trials were still being offered.  ::)

I only realized they weren't anymore when I stopped trying to get it to work on OPNsense and decided to test a single Windows client first instead.
Sigh.

You know what they say: assumptions are the mother of all f***ups.

So anyway, just wanted to share that piece of wisdom, and confirm that policy-based routing IS indeed working the way mimugmail has been trying to tell us. (sorry man!!)
I didn't have to do anything special.

I personally have it set up now with gateway monitoring in a gateway group as Tier 1, with PIA OpenVPN serving as a failover in Tier 2.

But to re-iterate the setup for those interested:


Hope this helps someone!  :)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on December 30, 2019, 10:02:18 am
Mostly the reason why it doesn't work is an additional OpenVPN where the settings "don't pull routes" or "don't add routes" is not correctly set
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: heri16 on January 20, 2020, 09:31:17 am
I am trying to get an IPv6 gateway up but the default gateway settings only accepts an ip address like 1.2.3.4, but not an ipv6 address at the same time.

Is this feature missing?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on January 20, 2020, 10:32:53 am
Which exact field do you mean?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mdbraber on January 20, 2020, 12:43:57 pm
Thanks for these steps. They didn't work for me from the start, but when I changed Allowed IPs to "1.2.3.4/32,0.0.0.0/0" it worked (note the /0 with 0.0.0.0!)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Ryssk on January 29, 2020, 07:22:51 pm
Quote
Can you post screenshots of local server instance and linked endpoint?

1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.

It's not that hard to get this running :)

Hi! I've tried to follow your instructions as you've mentioned. But somewhere along the way there seems to be a problem, and I think it's due to Firewall rules.

I just can't seem to be able to push my specific client through the Wireguard Interface by using the Gateway.

I've tried to reach you through IRC but I guess we're on different timezones and just going past each other at this point :)

Hopefully I can get in contact with you somehow, cause I know it's probably a simple and small step that I've missed along the way!
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Ryssk on January 29, 2020, 08:30:35 pm
Here's the wg0 interface config, gateway setup, LAN rule and Outbound NAT rule

It's probably in the LAN rule or Outbound NAT rule that I've missed a certain setting.

Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on January 29, 2020, 08:55:23 pm
Which network is LAN and what is the content of the Alias?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Ryssk on January 29, 2020, 09:08:32 pm
Quote
Which network is LAN and what is the content of the Alias?

If you mean the network interface, it's vtnet1; if not, it's 192.168.1.1.

Content of the alias is just a single host, and that's 192.168.1.144, which is my laptop that I use for the purpose of testing only at the moment (easiest way for me to verify, by using the Mullvad tool to check that it's using the VPN tunnel)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: ownerer on February 04, 2020, 11:52:31 am
I have a new issue with Wireguard/Mullvad policy-based routing.
I created a separate topic here (Policy-based Wireguard(/Mullvad): firewall rules ignored when gateway is down) (https://forum.opnsense.org/index.php?topic=15732.0) as to not hijack this one.
But I thought I'd mention it at least.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: firewall on February 17, 2020, 09:38:09 pm
Quote
Can you post screenshots of local server instance and linked endpoint?

1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.

It's not that hard to get this running :)

I'm trying to understand why it's necessary to use a public/routable IP, 1.2.3.4, for this setup, and moreover, why that's the only solution. It seems like a hacky (if not dangerous) approach.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on February 18, 2020, 05:34:17 am
Because OPNsense needs an IP as Gateway but WireGuard uses just a destination interface. You can also use a private unused IP
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: murmelbahn on March 05, 2020, 07:49:30 pm
Quote
Ok.....

So this is unfortunate.....

I broke my first rule of documenting stuff and backing it up  before doing anything else.  Unfortunately, I suffered a power cut to the house not long after mimugmail was kind enough to teamviewer in and help with this.

My config got hosed and I'm trying to recreate it, but am completely unable to resolve any addresses.

I did save the messages between myself and mimugmail at the time, so all is not lost, so if anyone else wants to try this here are the brief instructions.

Quote
In sum, pick a random IP like 1.2.3.4, add it to endpoint in addition to 0.0.0.0, add it to gateway in local instance and hit disable routes, assign wg interface, add a gateway with ip 1.2.3.4 and far gateway, then create firewall rules with 1.2.3.4 as gateway.


Wow thank you man! This was really helpful. Finally I'm able to create rules for devices to use Mullvad! Thanks!
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: keviiin on April 18, 2020, 07:00:05 pm
Hello guys, could anyone send  the final configuration file/screenshots of all modified settings please?

I still can't get it working...

Thanks in advance !

Kevin
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: rtester on April 20, 2020, 03:21:03 am
There's an official guide at https://wiki.opnsense.org/manual/how-tos/wireguard-client-mullvad.html (https://wiki.opnsense.org/manual/how-tos/wireguard-client-mullvad.html) that seems to work for me. Screenshots of my config attached. Ignore the fact that my default allow rule allows to everything but this firewall, the different naming or the fact it's on an entirely separate interface from LAN. This is specific to my configuration and is to prevent PCs on the VPN network from accessing any possible administration interface. Other than that, this seems to work without leaking for me. If anyone knows how to change my configuration to allow failover (multiple wireguard VPNs, etc) that would be nice. So far I have a static route for the first VPN, and I'm assuming to use two different routers I need to add a static route for the other router (not connected yet) to connect to another VPN over the second WAN.

Does anyone know if the same key for Wireguard works on multiple servers at the same time, or the effects of doing so? Unsure if traffic can cross from one WG peer to another in the same group, and would rather not risk it. If it doesn't, and the same key does work, I could probably get away with the same rule for two or more WG connections on the same router.

PS:
If you need the wireguard port for mullvad, try connecting to the exact same server you plan to connect your OPNSense to in the official client and see what port it uses on "IN"

When running this command from the tutorial:
Code: [Select]
curl -sSL https://api.mullvad.net/wg/ -d account=123 --data-urlencode pubkey=pubkey
Do it like this instead to escape the pubkey, as it might contain symbols that confuse the shell:
Code: [Select]
curl -sSL https://api.mullvad.net/wg/ -d account=123 --data-urlencode pubkey="pubkey"
Also, you'll probably need to enable SSH with pubkeys to access the shell (and make sure it only listens on LAN). Couldn't find it in the web interface.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: murmelbahn on May 23, 2020, 10:54:45 am
One more thing I have to ask. Everything is working now with my setup - thanks to this topic. But one little thing is to improve. How can I configure that a client which is using the VPN gateway does not get any connection to the internet if the gateway is down?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: cyrus104 on August 09, 2020, 08:35:06 am
I would also like check for anyone with full pictures of the configs minus their key info.

Like the majority of people here I've been running all my traffic or individual VLANs through an OpenVPN server and don't have an issue with it. I've tried to follow the guides listed in the manual and have several issues with things missing or labeled wrong.

The manual below doesn't say anything about the Interfaces section or the Gateways:Single section.
https://wiki.opnsense.org/manual/how-tos/wireguard-client-mullvad.html

For instance in the NAT Outbound rules you are told to use the Interface: Wireguard... what's the difference between this interface that exists that I can't see anywhere else and the actual Interfaces interface with a name that was given like "Mullvad_Wireguard" which also shows up in the list.

I also have the named "Mullvad_Wireguard" Interface in the Firewall:Rules and the "WireGuard", not sure what this means or where it comes from as I'm looking at having multiple Wireguard connections which will need different rules.

From the manual: "To do this, go to System > Gateways > Single and add a new gateway. Choose the relevant WireGuard interface and set the Gateway to dynamic." In Gateways:Single there is no option to set it as Dynamic.. maybe meaning in the actual interfaces section.

When I ping something like 1.1.1.1, my VLAN gateway responds with a positive ping result. I'm not sure but guessing that I have a NAT issue.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: cdine on August 23, 2020, 08:41:58 am
Quote
[...]

When I ping something like 1.1.1.1, my VLAN gateway responds with a positive ping result. I'm not sure but guessing that I have a NAT issue.

I'm at the same spot - everything on the Wireguard side is working, but I cannot get traffic to route to it via policy routing, and the opnsense gateway responds to pings/etc when I would expect those packets to traverse Wireguard, for example:

Code: [Select]
$ netstat -nr -f inet
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 ens192
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 ens192


$ ping 8.8.8.8 -c1
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.201 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.201/0.201/0.201/0.000 ms

Have others who ran in to this figured out what the issue is? I haven't seen this behavior using similar setups with OpenVPN and the like.
Title: Re: Wireguard & Mullvad - I'm lost.....
Quote
[...]

When I ping something like 1.1.1.1, my VLAN gateway responds with a positive ping result. I'm not sure but guessing that I have a NAT issue.

I'm at the same spot - everything on the Wireguard side is working, but I cannot get traffic to route to it via policy routing, and the opnsense gateway responds to pings/etc when I would expect those packets to traverse Wireguard, for example:

Code: [Select]
$ netstat -nr -f inet
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 ens192
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 ens192


$ ping 8.8.8.8 -c1
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.201 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.201/0.201/0.201/0.000 ms

Have others who ran in to this figured out what the issue is? I haven't seen this behavior using similar setups with OpenVPN and the like.

You're not alone --  I'm experiencing the same symptoms.  Have yet to find a solution.   

It appears to work fine if you untick 'Disable Routing' at which point all traffic flows through the VPN which isn't what we're trying to accomplish. 
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on September 01, 2020, 06:14:25 am
Screenshots?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: sleepnow75 on September 02, 2020, 03:42:25 pm
Got it all working with NordVPN. I still need to work through my DNS issues, but once I've nailed that then I'll include some shots.

Big thanks to mimugmail.

This did it for me:
1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.

Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on September 02, 2020, 03:59:41 pm
Quote
Got it all working with NordVPN. I still need to work through my DNS issues, but once I've nailed that then I'll include some shots.

Big thanks to mimugmail.

This did it for me:
1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.


There is now an easier way:

Assign Interface and tick "Dynamic Gateway", Add Gateway and in IP field type as usual "dynamic".
The Gateway field in Wireguard can be empty.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: sleepnow75 on September 03, 2020, 02:22:13 am
Quote
There is now an easier way:

Assign Interface and tick "Dynamic Gateway", Add Gateway and in IP field type as usual "dynamic".
The Gateway field in Wireguard can be empty.

Hmm, I started off with that very configuration without much luck. Rules were ignored until I added that gateway IP everywhere.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: franco on September 03, 2020, 11:56:04 am
I'm moving this thread to general discussion since we are closing this 19.7 archive.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mannp on September 20, 2020, 11:51:51 am

Quote
There is now an easier way:

Assign Interface and tick "Dynamic Gateway", Add Gateway and in IP field type as usual "dynamic".
The Gateway field in Wireguard can be empty.

I've been trying to follow all of the alternate ways people are getting this to work but having no luck.

Is the option you are talking about the same as 'Dynamic gateway policy' to tick?

I initially added the gateway in this way and it would never start; it shows up as 'defunct' with no address, even though the wg link is up, so giving it an IP of 1.2.3.4 actually seemed to be progress, the gateway went green and seemed to be okay... although I still couldn't manage to get the routing working  :-[

I have multiple vlans and am trying to get one of those vlans to access the VPN, so should I be updating the rules for that vlan to access the vpn gateway or elsewhere?

Appreciate any help from anyone  :)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on September 20, 2020, 12:14:10 pm
Screenshots of Rules, Gateways and Local instance
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mannp on September 20, 2020, 02:26:06 pm
Screenshots of Rules, Gateways and Local instance

Local instance
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mannp on September 20, 2020, 02:28:15 pm
NAT Outbound
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mannp on September 20, 2020, 02:29:22 pm
Gateway
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mannp on September 20, 2020, 02:34:02 pm
The vlan internet access rules are currently set to all access and work, but when I disable the all access and push through the azire gw it does not work.

I am trying to only let specific vlans access this gateway :)

Thanks in advance for any pointers as to what I am missing.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on September 20, 2020, 03:09:41 pm
Packet Capture on the Azire Interface?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mannp on September 20, 2020, 05:12:00 pm
Packet Capture on the Azire Interface?

Not something I have done or am able to do quickly.

Edit: So I found the option in OPNsense, not seen it before.... any specific options needed apart from selecting the azire interface? :)

So I captured for a couple of minutes and wireshark says 'no packet' when I open the cap file...
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on September 20, 2020, 07:56:30 pm
Please come to IRC tomorrow and Ping me there
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mannp on September 20, 2020, 08:37:27 pm
Please come to IRC tomorrow and Ping me there

Will do, thanks for your time  :)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mannp on September 22, 2020, 12:38:27 pm
Quote
There is now an easier way:

Assign Interface and tick "Dynamic Gateway", Add Gateway and in IP field type as usual "dynamic".
The Gateway field in Wireguard can be empty.

Hmm, I started off with that very configuration without much luck. Rules were ignored until I added that gateway IP everywhere.

Hi @sleepnow75 I have found the same, that just clicking this option and leaving the IP field 'dynamic' doesn't work.

I am expecting the dynamic field to be populated with an IP, like the WAN interface does, but it never happens for me, even though the VPN is up.

Setting the IP for the gateway and vpn config I found I have outbound traffic, but no inbound.

Do you have a pass rule in your firewall for this inbound traffic?

I have set an inbound rule for the vlan I want to go through the vpn, but it doesn't work.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Scanline on September 29, 2020, 02:19:54 pm
Hi, and another one who is lost. I tried so much yesterday that I dreamed about it last night  ;D

I have two VLANs (10 and 20). I want VLAN10 ("LAN") to route via my DSL WAN Interface ("WAN"), and VLAN20 ("LAN_VPN") via the Mullvad Interface ("WG_Mullvad").

I hope anyone could help. What I did was:

1.) Added mullvad wireguard stuff, disabled routes (seems to be working)

2.) Added interface, no IP, lock, Dynamic gateway policy

3.) Under "System: Gateways: Single" my mullvad gateway appeared ("WG_MULLVAD_GW"), but without IP in the list. Enabled "Far Gateway", IP "dynamic"

4.) "Firewall: NAT: Outbound" added NAT rules: interface "WG_MULLVAD", source "LAN_VPN net", NAT Address "WG_MULLVAD address"

5.) Added under "Firewall: Rules: LAN_VPN": any IPv4 Gateway WG_MULLVAD_GW

6.) This is what it looks like when I connect my windows 10 pc with untagged VLAN20. I can ping my router (192.168.20.1) and DNS works as well

restarted wg service, rebooted router multiple times, no luck. Any help is much appreciated!
Mullvad account is active and paid

Thank you so much for everyone who is helping out here.

Update 1:

For testing, I unticked "Disable Routes" in the Wireguard Local settings and disabled "Dynamic gateway policy" in the interface settings, which resulted in LAN being routed through Mullvad. I did not change the "Firewall: Rules: LAN", it should still go through WAN.

What this test showed me is that the wireguard connection is working, and the error must be in the gateway, nat or firewall settings.


Update 2:

When I try to go the "1.2.3.4" route described here: https://forum.opnsense.org/index.php?topic=15105.msg86559#msg86559 (https://forum.opnsense.org/index.php?topic=15105.msg86559#msg86559), I am getting "Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface." when I try to add the Gateway under "System: Gateways: Single".
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on September 30, 2020, 09:39:11 am
Tick Disable routes and in Gateway tick "Far Gateway", this should work.
If yes we can go on :)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Scanline on September 30, 2020, 09:42:44 am
Tick Disable routes and in Gateway tick "Far Gateway", this should work.
If yes we can go on :)

Thank you!

Far Gateway and Disabled routes were set up like this and it didn't work
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: FingerlessGloves on September 30, 2020, 09:49:56 am
I made a guide for this for someone on IRC while back.

May not be the best way but it does work. Just do your rules to match your required configuration.

https://imgur.com/gallery/JBf2RF6
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Scanline on September 30, 2020, 09:54:41 am
I made a guide for this for someone on IRC while back.

May not be the best way but it does work. Just do your rules to match your required configuration.

https://imgur.com/gallery/JBf2RF6

Thank you, I will try this and report back!

Edit: Success! Thank you so much for this.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on September 30, 2020, 01:18:54 pm
Great! Thx for sharing!
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: mimugmail on September 30, 2020, 01:20:28 pm
I put it on my link collection:
https://www.routerperformance.net/opnsense/opnsense-and-wireguard/
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: firewall on September 30, 2020, 06:33:08 pm
For those of you on Mullvad I encourage you to test speeds with Wireguard vs. OpenVPN. Their applications--likely including those delivered via their partnership with Mozilla (assumption)--use Wireguard by default. With WG, it's virtually guaranteed that you'll be sharing connectivity with a large number of users connecting to the same endpoint.

My OpenVPN speed is roughly 3x that of WG on Mullvad, despite the overhead, when connecting to endpoints in the same city + hosting provider (e.g. M247) + CIDR.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: FingerlessGloves on October 27, 2020, 11:26:28 pm
My OpenVPN speed is roughly 3x that of WG on Mullvad, despite the overhead, when connecting to endpoints in the same city + hosting provider (e.g. M247) + CIDR.

OPNsense's WireGuard is currently using the Go implementation so it's not kernel level yet, so the performance isn't what it can be.

Hopefully the FreeBSD kernel module will get finished and hit stable some day soon which then can be incorporated in to OPNsense, and we'll get much better WireGuard bandwidth and latency.

Kernel Module Source
https://git.zx2c4.com/wireguard-freebsd/
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Scanline on October 28, 2020, 08:13:42 am
FWIW, I changed to openvpn for other reasons.¹ I hope wireguard gets proper support one day.

¹ https://github.com/opnsense/core/issues/4389
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: DerTom on January 03, 2021, 08:51:04 am
Hi!

I used the details of this thread to get my wireguard-connection up. At least the first one...

I'm trying to get a second one up and running. What I experienced so far is that I had to change the 0.0.0.0/0 entry as allowed IP. Having this for both endpoints, only the first one will get an IP from the vpn-provider.

With changing this to something like
wg0: 10.10.0.0/24
wg1: 10.10.1.0/24
I do have wg-connections up, I do get my two IPs for every wg-connection but the defined gateways are marked as being 'offline'.

Why is it, that changing the allowed IPs per endpoint:
wg0: 0.0.0.0/0, 1.2.3.4 -> 10.10.0.0/24, 1.2.3.4
wg1: 0.0.0.0/0, 1.2.4.5 -> 10.10.1.0/24, 1.2.4.5
do result in offline gateways?

The wg0-gateway is still 1.2.3.4!?
The wg1-gateway is still 1.2.4.5!?

Every hint is deeply appreciated.

Kind regards,

Thomas
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Greelan on January 03, 2021, 10:14:21 am
Try CIDR notation, eg 1.2.3.4/32?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Greelan on January 03, 2021, 10:29:02 am
That said, it does seem a little odd that you can’t have multiple simultaneous connections with your vpn provider. And those Allowed IPs seem pretty restrictive. What are you overall trying to achieve? Maybe the issue is more with your firewall and outbound NAT rules
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: DerTom on January 03, 2021, 04:59:39 pm
Try CIDR notation, eg 1.2.3.4/32?

Hi Greelan!

Added the /32 and restarted the firewall... but no success, Gateways are still marked offline.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: DerTom on January 03, 2021, 08:51:58 pm
That said, it does seem a little odd that you can’t have multiple simultaneous connections with your vpn provider. And those Allowed IPs seem pretty restrictive. What are you overall trying to achieve? Maybe the issue is more with your firewall and outbound NAT rules

What I want to achieve is that there is only one vlan connecting to the internet by one of these vpn connections. Stuff that should have a US-IP should use the wg-connection with a US-server and so on. According to the firewall-rules for every vlan-interface (10.10.0.1/24 and 10.10.1.1/24) there are two rules:
#1 within your vlan everything is allowed
#2 everything that has a destination that is not the firewall has to use the specified gateway

It's for streaming stuff. Netflix should use the US-server and NFL-Gamepass shouldn't.
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Greelan on January 03, 2021, 08:55:26 pm
OK, then you should leave Allowed IPs as 0.0.0.0/0, and simply set up the firewall rules and outbound NAT for each VLAN to use the relevant gateway. There was a topic recently where someone did essentially the same thing - I will dig it out
Title: Wireguard & Mullvad - I'm lost.....
Post by: Greelan on January 03, 2021, 08:59:58 pm
This is it: Multiple Wireguard VPN Clients
https://r.tapatalk.com/shareLink/topic?share_fid=197904&share_tid=20494&url=https%3A%2F%2Fforum%2Eopnsense%2Eorg%2Findex%2Ephp%3Ftopic%3D20494&share_type=t&link_source=app

Again, the key is configuring the firewall rules and outbound NAT so that they are specific to the particular VLAN you want to use the relevant interface and gateway. It’s really an expansion of the idea of configuring a specific IP to use the VPN (which is discussed by me in a topic linked in the above topic) - instead of a single IP, you are wanting a single subnet
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Greelan on January 03, 2021, 09:41:03 pm
As an aside, I get the sense that what “Allowed IPs” means may be confusing you. Allowed IPs are not the IPs that are permitted on the local side to access the endpoint through the tunnel. Rather, they are the IPs that are able to be accessed through the tunnel via the endpoint, by whatever IPs on the local side are otherwise configured to use the tunnel by routes/firewall rules. Think of it as - “what IPs do I want to reach through the tunnel?”
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: DerTom on January 04, 2021, 05:03:40 pm
OK, then you should leave Allowed IPs as 0.0.0.0/0, and simply set up the firewall rules and outbound NAT for each VLAN to use the relevant gateway. There was a topic recently where someone did essentially the same thing - I will dig it out

By the time I set the allowed IPs to 0.0.0.0/0, only the first wg-connection gets an IP from the vpn-provider...
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: DerTom on January 04, 2021, 05:14:28 pm
As an aside, I get the sense that what “Allowed IPs” means may be confusing you. Allowed IPs are not the IPs that are permitted on the local side to access the endpoint through the tunnel. Rather, they are the IPs that are able to be accessed through the tunnel via the endpoint, by whatever IPs on the local side are otherwise configured to use the tunnel by routes/firewall rules. Think of it as - “what IPs do I want to reach through the tunnel?”

OK, I would like to allow the Gateway access through the tunnel (1.2.3.4) and what else? I don't know the IPs on the vpn-provider-side. I do just have the endpoint-IP. Do I have to create a NAT-rule?

This is it: Multiple Wireguard VPN Clients
https://r.tapatalk.com/shareLink/topic?share_fid=197904&share_tid=20494&url=https%3A%2F%2Fforum%2Eopnsense%2Eorg%2Findex%2Ephp%3Ftopic%3D20494&share_type=t&link_source=app

Again, the key is configuring the firewall rules and outbound NAT so that they are specific to the particular VLAN you want to use the relevant interface and gateway. It’s really an expansion of the idea of configuring a specific IP to use the VPN (which is discussed by me in a topic linked in the above topic) - instead of a single IP, you are wanting a single subnet

I followed the thread and https://imgur.com/gallery/JBf2RF6 (https://imgur.com/gallery/JBf2RF6)... nothing changed.
- both tunnels do exist / handshake is made
- both tunnels get their IP by the vpn-provider
- wireguard-go is 'green'
- dpinger Gateway wg0 is 'green'
- dpinger Gateway wg1 is 'green'
but I still do have 100% Loss shown for the gateways...!? Is it, that there is an IP for the dpinger that I have to allow? There is no NAT-rule shown!?
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: DerTom on January 04, 2021, 09:07:04 pm
I don't know what happened... I tried 0.0.0.0/0 as an allowed IP again and it seems to work... At least the Gateways are 'Online'.

Magic - and I don't like magic, I don't understand... 8)
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: SFC on February 27, 2021, 06:40:34 pm
Just as a heads up, you absolutely don't need to use 1.2.3.4 and I would strongly suggest you don't, given that's a "real" IP address.  You may run into issues in the future - plenty of people found out the hard way when Cloudflare started using 1.1.1.1 as a public DNS server.  I'd suggest picking something from the official private network address space that doesn't conflict with your existing LAN.

So if you're using 192.168.x.x at home, use 172.16.0.1/32

https://en.wikipedia.org/wiki/Private_network

You do *NOT* need to put this in the allowed IP addresses if you put in 0.0.0.0/0. 

0.0.0.0/0 means every IPv4 address possible.  Putting in a second IPv4 address is redundant.



Also one other note, if you're on a PPPoE WAN connection, you need to crank your MSS down to 1300. 

Firewall > Settings > Normalization
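Greelan's description of "Allowed IPs" above, SFC's point that 1.2.3.4 is redundant next to 0.0.0.0/0, and DerTom's offline gateways all come down to WireGuard's cryptokey routing, which each wg interface keeps separately (moving a VLAN between wg0 and wg1 is the job of the OPNsense gateway, firewall and outbound NAT rules, not of Allowed IPs). The following Python model is an added example, not code from this thread, OPNsense or WireGuard; it assumes 1.1.1.1 and 8.8.8.8 as constructed gateway-monitor targets and uses the thread's 1.2.3.4 placeholder only to show that it changes nothing beside 0.0.0.0/0.

```python
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# (peer name, that peer's AllowedIPs in CIDR notation): one wg interface's peer list
Peer = Tuple[str, Sequence[str]]


class CryptokeyRouter:
    """Model of one WireGuard interface's cryptokey routing table.

    Outbound: the destination IP is matched (longest prefix wins) against every
    peer's AllowedIPs and the matching peer gets the packet. A destination that
    matches no peer is dropped by the interface; it is never sent anywhere.
    (Inbound packets whose source is outside the sending peer's AllowedIPs are
    dropped as well; that direction is not modelled here.)
    """

    def __init__(self, peers: List[Peer]) -> None:
        self.table = []
        for name, cidrs in peers:
            for cidr in cidrs:
                self.table.append((ipaddress.ip_network(cidr, strict=False), name))
        # Longest prefix first, so a /32 entry wins over 0.0.0.0/0.
        self.table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

    def peer_for(self, dst: str) -> Optional[str]:
        """Peer that owns `dst`, or None when the packet would be dropped."""
        ip = ipaddress.ip_address(dst)
        for net, name in self.table:
            if ip.version == net.version and ip in net:
                return name
        return None


def route_all(peers: List[Peer], destinations: Sequence[str]) -> Dict[str, Optional[str]]:
    router = CryptokeyRouter(peers)
    return {dst: router.peer_for(dst) for dst in destinations}


# Constructed sample targets: 1.1.1.1 / 8.8.8.8 stand in for dpinger monitor IPs,
# 1.2.3.4 is the placeholder gateway address used in this thread (not a recommendation).
MONITOR_TARGETS = ["1.1.1.1", "1.2.3.4", "8.8.8.8"]


def restrictive_vs_default() -> Dict[str, Dict[str, Optional[str]]]:
    """Compare the narrow AllowedIPs from the thread with the usual 0.0.0.0/0."""
    return {
        # AllowedIPs 10.10.0.0/24 + 1.2.3.4: a monitor ping to 1.1.1.1 matches no peer and
        # is dropped, so the gateway reports 100% loss although the handshake succeeded.
        "narrow": route_all([("mullvad", ["10.10.0.0/24", "1.2.3.4/32"])], MONITOR_TARGETS),
        # 0.0.0.0/0 already covers 1.2.3.4, so listing it again yields the same table.
        "default": route_all([("mullvad", ["0.0.0.0/0"])], MONITOR_TARGETS),
        "default_plus_gw": route_all([("mullvad", ["0.0.0.0/0", "1.2.3.4/32"])], MONITOR_TARGETS),
    }
```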

Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Nekromantik on March 02, 2021, 09:53:42 pm
having issues with this too
I got it setup using the 1.2.3.4 method for the GW.
The GW is green with health check against 1.1.1.1.
I can see packets from LAN going to WG Interface but no return traffic.
My client loses all internet access.
My FW rule is as below:

Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: Nekromantik on March 02, 2021, 11:19:43 pm
solved it
had to remove the 1.2.3.4 from allowed networks and then put my client IP in NAT rule
Title: Re: Wireguard & Mullvad - I'm lost.....
Post by: The_Dave on December 15, 2021, 06:45:45 pm
I also have the problem that my wireguard gateways show as down and there are packets sent by the interface but not received. I configured everything as explained in this guide:
https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/

I really hope someone can give me a hint how to get this working. My WAN receives an IP from the ISP's router via DMZ, if that's relevant.