Messages - sdsfgd

#1
So turns out it might have been a bug in opnsense 25.1.5, since upgrading to 25.1.6 the issue seems to have stopped, at least the tunnels are not dropping anymore.
#2
Any advice on how I could debug the issue and figure out what is going on? WireGuard logs don't seem to say much.
Would love to get at least the non-vpn networks to work correctly
#3
Hi All,

Having some trouble with my WireGuard configuration and can't figure out why it is not working. I have followed the WireGuard ProtonVPN Road Warrior Setup and looked at many other guides but can't get it to work correctly.

The setup:
I have a few vlans, some that should go through the VPN, some that should not. They are organized in 2 firewall groups, IG_OUT_VPN, and IG_OUT_WAN. Up to here everything works correctly.

I then have 2 peer/instances in wireguard with ProtonVPN for IG_OUT_VPN. The expectation is that if one tunnel is down or slow, the 2nd should start working. IG_OUT_WAN is not affected and should continue to work no matter if tunnels are up or not and traffic does not go through the tunnels.


Reality is everything stops working the second one tunnel goes down, even IG_OUT_WAN, and for the life of me, I cannot figure out why.

Lately it seems no matter the VPN conf I choose, one of the tunnels goes down. I have tried various Proton servers, but every day now, no matter what I choose, one goes down. Once one is down, the internet connection stops for both IG_OUT_VPN and IG_OUT_WAN.

Below is my conf. I'm not sure where I went wrong. I have tried various changes but nothing seems to resolve the issue.

Instance 1

Name: CH582
Public key: <generated from private key>
Private key: <private key>
Listen port: 51820
MTU: 1412
Tunnel address: 10.2.0.2/28
Peers: CH582
Disable routes: checked
Gateway: 10.2.0.1

Instance 2

Name: CH321
Public key: <generated from private key>
Private key: <private key>
Listen port: 51821
MTU: 1412
Tunnel address: 10.3.0.2/28
Peers: CH321
Disable routes: checked
Gateway: 10.3.0.1

Peer 1

Name: CH582
Public key: <public key>
Allowed IPs: 0.0.0.0/0
Endpoint address: <ip from vpn provider>
Endpoint port: 51820
Instances: CH582
Keepalive interval: 25

Peer 2

Name: CH321
Public key: <public key>
Allowed IPs: 0.0.0.0/0
Endpoint address: <ip from vpn provider>
Endpoint port: 51820
Instances: CH321
Keepalive interval: 25

Gateway 1

Name: VPN0
Interface: VPN0
Address family: IPv4
IP Address: 10.2.0.1
Far Gateway: checked
Disable Host Route: unchecked
Monitor IP: <ip from vpn provider>
Priority: 255

Gateway 2

Name: VPN1
Interface: VPN1
Address family: IPv4
IP Address: 10.3.0.1
Far Gateway: checked
Disable Host Route: unchecked
Monitor IP: <ip from vpn provider>
Priority: 255

Gateway group

WAN_DHCP: never
VPN0: Tier 1
VPN1: Tier 2

Trigger Level: Packet Loss and High Latency


Firewall Groups

IG_OUT_VPN: 2 vlans that should use vpn
IG_OUT_WAN: 2 vlans that should not go through vpn

Firewall rules IG_OUT_VPN

Protocol: IPv4 *
Source: IG_OUT_VPN net
Destination: !RFC1918
Gateway: VPN_GROUP

Firewall rules IG_OUT_WAN

Protocol: IPv4 *
Source: IG_OUT_WAN net
Destination: !RFC1918
Gateway: WAN_DHCP
#4
Ah sorry, misunderstood. They are both set to 255.
I also tried putting the Quad9 IPs in the monitor IPs (9.9.9.9 and 149.112.112.112) but the gateways were still offline until I pressed apply again.
#5
Hi,

You mean in the gateway group? I have it set to never for wan, see attachment.

Regarding the gateway IP, I'm a bit confused, how do I determine the one for ProtonVPN? It says to use traceroute but I'm not clear on what to look for

#6
Thanks!

1) With PPoE, do you mean if I have devices connected to the vlans in this group that use ppoe, I should change the MTU, or if my opnsense device is ppoe? For example my pi-hole is powered by ppoe.

2) Yes I am using 51820 and 51821

3) For the moment I have enabled Query Forwarding to the System Nameservers (Quad9) in Unbound and it seems I no longer have leaks, but I don't think this is good. I may change it to simply use the ProtonVPN DNS without Unbound like you if I can't get it to work.

4) As a floating rule, it seemed to affect the vlans that are not on the VPN too, blocking them. Not sure it is correct, but since the killswitch is just for the vlans in that group, I put it there.

I have also added the top 2 rules since putting together the steps (see attachment). Given no vlans in the group can reach other vlans, I needed to give access to pi-hole and Unbound.
#7
Hi all,
I am trying to set up 2 WireGuard ProtonVPN tunnels, with Unbound as the DNS resolver. I have several vlans in interface groups. One group for outbound traffic with VPN and one without (the WAN group does not use Unbound). The VPNs are in a gateway group, one main tunnel, the other backup.

I put together the steps I took by copying and pasting from the various guides I followed, but it is incomplete: the DNS firewall rule is missing.

Issues

  • Gateways: Whenever I restart opnsense, the gateways are offline. I have to press edit on the second one, save without making any changes, and apply; then they show as online. No changes are made. Before this I get the errors in the attachments.
  • DNS: I have no idea what rule I need to avoid DNS leaks. I've tried several rules from various guides but none seemed to work.

For the WireGuard instances, it seems to work but I'm unclear on the following:

  • MTU: I'm using 1420 but I've also seen 1412 and other options. How do I know what I need?
  • Tunnel Address: I'm using /32 but have also seen /30 and /28. I'm not clear how this works and what I should use.

Note: I am also using a pi-hole. I have the DNS of the pi-hole set for the vlan DNS, and pi-hole has the opnsense unbound as DNS.

Thanks for any help!!

__________________________

Step 1 - Download ProtonVPN configurations

Config 1 example

[Interface]
.......
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
.....
PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = 11.11.11.11:51820


Config 2 example

[Interface]
.......
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
.....
PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = 22.22.22.22:51820


Step 2 - Generate public keys from private keys

ProtonVPN, unlike Mullvad or other WG implementations, only provides a private key. The private key appears briefly when generating the configuration in the web UI. The public key will be derived from the private key with the "wg pubkey" command.
Run the command for both configs using the PrivateKey from the [Interface] section (wg pubkey reads the private key from stdin; here it is redirected from a file named PrivateKey that holds only the key):
    wg pubkey < PrivateKey


Step 3 - Set up WireGuard Instances

  • Go to VPN ‣ WireGuard ‣ Instances
  • Click + to add a new Instance configuration
  • Turn on "advanced mode"
  • Configure the Instances from the downloaded ProtonVPN configurations as follows (if an option is not mentioned below, leave it as the default):
    Enabled: Checked
    Name: Call it whatever you want, like the exit country (eg CH60)
    Public Key: Insert the derived PublicKey from the previous step
    Private Key: Insert the PrivateKey field from the [Interface] section
    Listen Port: A unique port, 51820 or above
      51820 for the first instance
      51821 for the second
    MTU: Needs to be 80 bytes shorter than the normal MTU. Default 1420 (1500 - 80 = 1420?)
      1420
      Some suggest 1412?
    DNS Server: Leave blank
    Tunnel Address: Insert the Address field from the [Interface] section in CIDR format
      10.2.0.2/32 for the first instance
      10.3.0.2/32 for the second instance
      Some suggest /30 or /28?
    Peers: Leave blank for now
    Disable Routes: Checked
    Gateway: Tunnel address -1
      10.2.0.1 for the first instance
      10.3.0.1 for the second instance
  • Save the Instance configuration, and then click Apply

Step 4 - Set up WireGuard Peers

  • Go to VPN ‣ WireGuard ‣ Peers
  • Click + to add a new Peer
  • Configure the Peer from the downloaded ProtonVPN configuration as follows (if an option is not mentioned below, leave it as the default):
    Enabled: Checked
    Name: Call it whatever you want, like the exit country (eg CA60)
    Public Key: Insert the PublicKey field from the [Peer] section
    Allowed IPs: 0.0.0.0/0
    Endpoint address: Insert the IP address from the Endpoint field in the [Peer] section
    Endpoint port: Insert the port number from the Endpoint field in the [Peer] section
      51820 for both
    Instances: Select the instance configured in the previous step
    Keepalive interval: 25
  • Save the Peer configuration, and then click Apply

Step 5 - Turn on WireGuard

Turn on WireGuard under VPN ‣ WireGuard ‣ Instances ‣ Enable WireGuard ‣ Checked

Step 6 - Assign interfaces to WireGuard and enable them

  • Go to Interfaces ‣ Assignments
  • In the Device dropdown in "Assign a new interface", select the WireGuard device (e.g. wg1 and wg2)
  • Add a description (e.g. VPN0 for the first and VPN1 for the second)
  • Press Add to add it, then click Save
  • Then select your new interfaces under the Interfaces menu
  • Configure it as follows (if an option is not mentioned below, leave it as the default):
    Enable: Checked
    Lock: Checked
    Description: Same as under Assignments, if this box is not already populated
    IPv4 Configuration Type: None
    IPv6 Configuration Type: None
  • Save the interface configuration and then click Apply changes
  • Restart WireGuard

Step 7 - Create gateways

  • Go to System ‣ Gateways ‣ Configuration
  • Click Add
  • Configure the gateway as follows (if an option is not mentioned below, leave it as the default):
    Name: Name them the same as the interfaces
      VPN0
      VPN1
    Description: Add one if you wish to
    Interface: Select the newly created interfaces in the dropdown
    Address Family: Select IPv4 in the dropdown
    IP address: Insert the gateway IP that you configured under the WireGuard Instance configuration
      10.2.0.1 for the first instance
      10.3.0.1 for the second instance
    Far Gateway: Checked
    Disable Gateway Monitoring: Unchecked
    Disable Host Route: Checked
    Monitor IP: Insert the Endpoint IP from the config file
  • Save the gateway configuration and then click Apply changes

Step 8 - Gateway Group

  • Navigate to System ‣ Gateways ‣ Group and click Add
    Group Name: VPN_GROUP
    VPN0: Tier 1
    VPN1: Tier 2 (failover)
    Trigger Level: Packet Loss or High Latency
It's also possible to configure load balancing by putting multiple interfaces into the same tier.

Step 9 - Create Interface Groups
Requires vlans being already set up. We use interface groups to apply policies to multiple interfaces at once and reduce the number of required firewall rules significantly.

  • Navigate to Firewall ‣ Groups and add the following interface groups.

    IG_OUT_WAN
    Name: IG_OUT_WAN
    Description: Interfaces allowing outbound WAN traffic
    Members: Select vlans that will not go through the VPN

    IG_OUT_VPN
    Name: IG_OUT_VPN
    Description: Interfaces allowing outbound VPN traffic
    Members: Select vlans that will go through the VPN

Step 10 - Firewall Rules

1. RFC1918 Alias

  • First go to Firewall ‣ Aliases
  • Click + to add a new Alias
  • Configure the Alias as follows (if an option is not mentioned below, leave it as the default):
    Enabled: Checked
    Name: RFC1918
    Type: Select Network(s) in the dropdown
    Content: Option 1: 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
      Option 2: select all opt networks and lan network
    Description: All local networks
  • Save the Alias, and then click Apply

2. Traffic through WireGuard rule

  • Then go to Firewall ‣ Rules ‣ IG_OUT_VPN
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
    Action: Pass
    Quick: Checked
    Interface: IG_OUT_VPN
    Direction: in
    TCP/IP Version: IPv4
    Protocol: any
    Source / Invert: Unchecked
    Source: IG_OUT_VPN net
    Destination / Invert: Checked
    Destination: Select the RFC1918 Alias you created above in the dropdown
    Destination port range: any
    Description: wireguard
    Gateway: Select the gateway group you created above, VPN_GROUP
    Set local tag: NO_WAN_EGRESS (the NO_WAN_EGRESS local tag will be used for the killswitch to prevent traffic leaking out if a tunnel is down)
  • Save the rule, and then click Apply Changes
  • Then make sure that the new rule is above any other rule on the interface that would otherwise interfere with its operation. For example, you want your new rule to be above the "Default allow LAN to any" rule

3. *.local addresses rule
Requires the mDNS Repeater plugin. Install the plugin and activate it on the interfaces using the VPN.

  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
    Action: Pass
    Quick: Checked
    Interface: IG_OUT_VPN
    Direction: in
    TCP/IP Version: IPv4
    Protocol: UDP
    Source / Invert: Unchecked
    Source: IG_OUT_VPN net
    Destination / Invert: Unchecked
    Destination: 224.0.0.251/24
    Destination port range: for both from and to select (other) 5353
    Description: Allow multicast mDNS traffic
  • Save the rule, and then click Apply Changes

4. DNS rule
???

5. Killswitch rule

  • Go to Firewall ‣ Rules ‣ IG_OUT_VPN
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default). You need to click the Show/Hide button next to "Advanced Options" to reveal the last setting:
    Action: Block
    Quick: Checked
    Interface: IG_OUT_VPN
    Direction: out
    TCP/IP Version: IPv4
    Protocol: any
    Source / Invert: Unchecked
    Source: any
    Destination / Invert: Unchecked
    Destination: any
    Destination port range: any
    Description: Killswitch
    Match local tag: NO_WAN_EGRESS
  • Save the rule, and then click Apply Changes

Step 11 - Create outbound NAT rules

  • Go to Firewall ‣ NAT ‣ Outbound
  • Select "Hybrid outbound NAT rule generation" if it is not already selected, and click Save and then Apply changes
  • Click Add to add a new rule
  • Configure the rule as follows (if an option is not mentioned below, leave it as the default):
    Interface: Select the interface for your WireGuard VPN
      VPN0
      VPN1
    TCP/IP Version: IPv4
    Protocol: any
    Source invert: Unchecked
    Source address: IG_OUT_VPN net
    Source port: any
    Destination invert: Unchecked
    Destination address: any
    Destination port: any
    Translation / target: Interface address
  • Save the rule, and then click Apply changes


#8
For those interested, I finally resolved the issue I was having. I had to create a firewall rule to allow multicast mDNS traffic

Firewall > Rules > Your VLAN Interface:
- Action: Pass
- Protocol: UDP
- Source: the VLAN network
- Destination: 224.0.0.251/24
- Destination port range: Custom port, 5353 for both the start and end of the port range.

This seems to have resolved my issue.
#9
I never got it to work correctly, so I'm not sure what could be the change that broke it.
My vlan setup is slightly different from Schnerring's guidelines, but similarly I'm trying to use Unbound for the WireGuard vlan (vlan10), while for the non-WireGuard vlan (vlan20) I'm using Dnsmasq / Quad9.
They both "work", i.e. can access the internet. The issue is that on vlan10 I cannot access any local devices unless using the IP. I have several devices with .local addresses and when using that vlan it doesn't work.
#10
I am struggling to complete my firewall setup and am looking for support. Will pay.
I have created several vlans and need to complete the firewall rules. In addition I've set up WireGuard (ProtonVPN) but am having problems with the DNS: local devices cannot be reached on the vlan using the VPN unless using the IPs (e.g. .local addresses not resolving). On vlans not using WireGuard they work.
I've tried everything and am now just looking for someone who can go through the setup with me, get it to work and help with additional firewall rules.

My setup is mostly based on these:
- https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/
- https://schnerring.net/blog/router-on-a-stick-vlan-configuration-with-swos-on-the-mikrotik-crs328-24p-4s+rm-switch/
- https://gist.github.com/morningreis/eeda36e8bb07dcb750d77e9a744776e8