OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: M_TheRedHead on April 04, 2023, 12:20:51 am

Title: Policy based routing w/Mullvad Wireguard - Help needed
Post by: M_TheRedHead on April 04, 2023, 12:20:51 am

Question originally posted on https://www.reddit.com/r/opnsense/comments/128z2l5policy_based_routing_wmullvad_wireguard_help/ (https://www.reddit.com/r/opnsense/comments/128z2l5policy_based_routing_wmullvad_wireguard_help/)
I received some good responses, but wasn’t able to get the issue resolved.   I thought I would try here as well.  I also completely deleted the configuration after my first post and started over so the images/IP addresses, etc have changed.

Hello All,

My goal is to route all traffic from a vlan to Mullvad.

I am trying to implement policy based routing for a wireguard tunnel as described in https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html)   I have the configuration complete and it isn't working as expected.   I have been re-reading and everything looks right to me, but I am sure I am missing some simple change.

Images of all steps from the configuration guide are documented here https://imgur.com/a/5WnZpMB (https://imgur.com/a/5WnZpMB) 

Environment:
    • Opnsense 23.1.5
    • Intel N5105 embedded PC from Aliexpress w/ i226 nics
    • vlan4 is 192.168.105.0/24 which is the subnet I would like to route for only VPN traffic on eth1. 

I followed the instructions here: https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.htm to get the keys, my IP (10.66.158.124, etc. On the dashboard, I see handshakes happening, monitoring across the link is working, so I am assuming the tunnel is ok.

Issue:  From the VLAN, I am unable to ping or connect to anything on the internet via the VPN subnet.  Access to local networks works fine if I open rules for them.  This is my first attempt at policy based routing and something seems to be missing.

Any thoughts or suggestions on how to debug?   

Title: Re: Policy based routing w/Mullvad Wireguard - Help needed
Post by: nzkiwi68 on April 04, 2023, 09:38:07 pm

Some ideas....

ONE
Try using automatic routing.

Turn off disable routes and turn off the gateway in WG you have set, both in WG "Local Configuration" advanced settings - here you have disabled automatic routes and you have manually specified a gateway.

TWO
If you can't do that because it causes other issues, then turn back on disable routes but still don't put in WG "Local Configuration" advanced setting a gateway, but, as per your screenshots, make your own gateway and then routes.

THREE
I see in your screenshots lots of good configs, but, after making gateways etc with WG "Local Configuration" - "Disable Routes" selected - YOU have to make a route in
System > Routes > Configuration
Remote network y.y.y.y/y is reached via gateway x.x.x.x (that you manually made)

FOUR
Make sure you add the wireguard interface in interfaces, you don't need to set any settings at all in the interface other than it being there, but I found I needed the interface.

Title: Re: Policy based routing w/Mullvad Wireguard - Help needed
Post by: allebone on April 04, 2023, 10:23:59 pm

Main thing is create a new local config for wireguard - MUST have routes disabled.
Then an endpoint must be created, and must successfully connect. 0.0.0.0/0 must be pushed across that.
Then a new WG interface must be created (virtual interface must exist) and create a single gateway with higher priority (so default traffic wont use it).


With this you now need very little to complete -
Aliases - the pc's or whatever you want to use the tunnel,
At least 1 firewall rule - that must match traffic before any other rules and have the new WG gateway set.
(eg: source could be your pc's in the alias you want to use the tunnel and destination any).

You dont need outbound nat or any floating rules or static routes if you configure it in this simple way.

Pete

Title: Re: Policy based routing w/Mullvad Wireguard - Help needed
Post by: M_TheRedHead on April 05, 2023, 03:08:29 pm

Sorry, I didn't have time to respond to the responses yesterday - work was rather busy.

Well, the oddest thing happened and this bothers me more than the main issue.   The day I posted, routing was not working and I just went to bed after being frustrated with getting this working for the weekend.

Today, I decided to capture some packets from the client as well as the router and see if I could figure out which step was failing.   Oddly, it is routing perfectly today.   

I ended up cloning my VPN configs with another endpoint and that one works as well.    I added both to a gateway group and traffic flows out both.

I can't for the life of my figure out how things started working with no additional changes.

Title: Re: Policy based routing w/Mullvad Wireguard - Help needed
Post by: M_TheRedHead on April 05, 2023, 05:04:38 pm

I am also very curious how other people create their WG gateways.   

I was watching a PFsense load balancer video, and they created a gateway with the same IP address as the local endpoint of the wireguard connection.    If I try to set the gateway as the local IP address in the endpoint page, I get an error.

Any examples?

Title: Re: Policy based routing w/Mullvad Wireguard - Help needed
Post by: zan on April 06, 2023, 04:13:36 am

Is your VPN end tunnel known? If not try dynamic gateway policy.

Title: Re: Policy based routing w/Mullvad Wireguard - Help needed
Post by: M_TheRedHead on April 07, 2023, 07:59:37 pm

Hello All, After much help from many in this thread and on Reddit, I was able to get this working and in a much simplified way compared to the opnsense guide. Here are the changes:

•     Step 2: Do not specify the gateway
•     Step 4: Check the 'Dynamic gateway policy' box
•     Step 6: Skip all together
•     Step 9: Skip all together

Here are the updated images: https://imgur.com/a/gxsjjge