Messages - foss-johnny

#1
I've configured Mullvad via WireGuard and am using a PPPoE WAN connection.

I have it working, but find that when a client is connecting to various internet webpages, it takes more time to load, and some of the content or functionality does not work.

E.g. Speedtest.net doesn't find the optimal server, and is extremely slow to start the test.

I've installed wireshark on my client computer and can see a fair amount of TCP retransmission messages in the traffic.

I get the sense that this is related to MTU/MSS, but I've changed it to different settings and can't seem to get it working properly.

My WireGuard instance MTU is 1412, the WAN PPPoE MTU is default (1500) but I think OPNsense reduces it automatically to 1492, and I have a Normalization rule set to Max MSS 1352.

Would appreciate some help determining what's causing this.
#2
I've got a Squid forwarding proxy running on my LAN interface (gateway IP) on the default port 3128.

What firewall/NAT rule settings must be configured to route Squid's outbound traffic via a different WAN interface?

For example:

1. Can I create a firewall rule that filters traffic sent to the Squid destination service port 3128, and then NAT that to a different WAN interface's default gateway?

Or

2. Run the Squid proxy on a LAN sub-interface (unique IP), and then create a firewall rule that specifies that any traffic originating from the sub-interface address routes via a different WAN interface gateway?

Cheers!
#3
Quote from: dseven on February 25, 2025, 10:41:31 AM
There are different methods for DNS blocking - here's one (TL;DR) discussion about them: https://support.adamnet.works/t/comparing-dns-blocking-methods/1245

Presumably your DoT DNS provider chose the NXDOMAIN method. You'd have to ask them why...

Excellent post on the different methods! Thanks for sharing that.
#4
Quote from: OPNenthu on February 24, 2025, 10:07:51 PM
I ran into something like this before. If it's only certain domains not resolving then my first guess is you either have some strict DNS setting enabled like "QNAME Minimisation" that breaks some sites, or the particular DoT provider you are forwarding to is doing some filtering.

Thank you OPNenthu. It turned out to be the DoT DNS provider I was using. It was filtering ads, malware and viruses. After changing the DNS server to the option that does not filter anything, DNS is now resolving. Appreciate your help narrowing it down, and hope this post helps someone else in future.

If anyone else knows why this causes NXDOMAIN responses, it would be useful to understand it further.
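The NXDOMAIN question raised in posts #3 and #4 comes down to how a filtering resolver chooses to answer for a name it blocks. The following is an added example, not code from the thread, from OPNsense or from any resolver vendor: a small parser for raw DNS replies that reads the RCODE and answer section and names the blocking method it sees (NXDOMAIN, REFUSED, an empty NOERROR answer, or a sinkhole address such as 0.0.0.0). The replies it classifies are constructed inline with `build_reply`, so nothing is sent to a real resolver; the RCODE values and wire format are the standard ones from RFC 1035.

```python
"""Classify how a DNS reply blocks (or resolves) a name, from the raw wire format.

Added illustration only; the replies below are constructed in-line, so nothing
is sent to a real resolver. Response code (RCODE) values follow RFC 1035.
"""
import ipaddress
import struct

TYPE_A, TYPE_AAAA = 1, 28
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Addresses commonly returned by "sinkhole"-style blockers instead of an error.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length byte + label, zero-terminated)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers (0xC0xx).

    Returns (name, offset just past the name as it appears in-line).
    """
    labels, end = [], None
    for _ in range(128):                    # hard cap: pointer loops must not hang us
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    raise ValueError("malformed or looping name")


def build_reply(qname: str, rcode: int, answers=()) -> bytes:
    """Constructed reply: QR/RD/RA set, one A question, A/AAAA answers via a 0xC00C pointer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for ip in answers:
        addr = ipaddress.ip_address(ip)
        rtype = TYPE_AAAA if addr.version == 6 else TYPE_A
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(addr.packed)) + addr.packed
    return header + question + body


def parse_reply(msg: bytes):
    """Return (rcode, [answer addresses as strings]) from a raw reply."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4                         # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype in (TYPE_A, TYPE_AAAA):
            addrs.append(str(ipaddress.ip_address(rdata)))
    return flags & 0x000F, addrs


def classify(msg: bytes) -> str:
    """Name the blocking method visible in a reply; 'resolved' if it looks like a real answer."""
    rcode, addrs = parse_reply(msg)
    if rcode == 3:
        return "nxdomain"                   # the method the thread's DoT provider used
    if rcode == 5:
        return "refused"
    if rcode != 0:
        return "error:" + RCODE_NAMES.get(rcode, str(rcode))
    if not addrs:
        return "nodata"                     # NOERROR but no A/AAAA records at all
    if all(a in SINKHOLE_IPS for a in addrs):
        return "sinkhole"
    return "resolved"


if __name__ == "__main__":
    for label, reply in [("filtered", build_reply("x.com", 3)),
                         ("sinkholed", build_reply("ads.example", 0, ["0.0.0.0"])),
                         ("normal", build_reply("example.com", 0, ["192.0.2.10"]))]:
        print(label, "->", classify(reply))
```

The practical difference for a client is that an NXDOMAIN reply is cached as "this name does not exist" for the negative TTL and makes apps fail immediately, whereas a sinkhole answer lets the app connect to a dead address and time out; the yellow NXDOMAIN rows in Reporting > Unbound DNS are the first case.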
#5
After further fiddling, when I disable DNS over TLS and tick "Use system nameservers", then in System > Settings > General add 1.1.1.1 to the DNS servers list, DNS resolution is working.

Does anyone know why DNS over TLS resolution does not work for all domains?
#7
I'm using WireGuard to connect from an iPhone to OPNsense.

The tunnel is working and my DNS is resolving most domains. DNS is using Unbound, and the WireGuard client is set to the WireGuard tunnel IP.

I'm finding that some domains return "NXDOMAIN" and do not resolve to an IP when using nslookup/dig.

Example: x.com doesn't resolve, and neither do some iPhone apple.com services.

What could be causing this?
#8
I've noticed when checking the Reporting > Unbound DNS > Details tab that all the services/apps on the iPhone that are not resolving DNS have a "Return Code" of "NXDOMAIN" and are highlighted yellow in this log.

It's definitely twitter/x and some apple services that I can see so far.
#9
Hi,

I've set up WireGuard based on the road warrior configuration tutorial. I'm able to browse the internet when connected from an iPhone, and can see my public IP address is that of the OPNsense router WAN IP.

However, I've noticed that some iPhone apps don't work properly. As an example twitter is not loading new content.

I can nslookup x.com when WireGuard is off, but when it's on, nslookup doesn't resolve x.com.

Has anyone else had this issue and know how to resolve?
#10
The WireGuard instance does not need the Listen Port to be 51820.

If you leave it blank it will use a random source port number.

Also, the WireGuard instance does not need a public key, only the private key.
#11
If I disable WireGuard and then enable it, the handshake does not work.

After rebooting it does work...
#12
Quote from: DEC670airp414user on February 11, 2025, 12:17:24 PM
that MTU seems awful high.  i used 1340  for my fiber connection.

reboot?  i didn't reboot to be honest

It's what they're recommending in the link for the MTU.

"MTU 1420 (default) or 1412 if you use PPPoE; it's 80 bytes less than your WAN MTU"

Oh, but the Max MSS Normalization, you're right, is 1372 for PPPoE.
#13
Quote from: DEC670airp414user on February 11, 2025, 09:52:35 AM
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

make sure to enable WireGuard MSS Clamping IPv4 per instance

After setting the MTU and Max MSS setting, why is a reboot required?

I've noticed with a few things, saving is not good enough, after rebooting it starts working. This makes troubleshooting so much harder, as you never know if you're a reboot away from getting it working, and therefore you end up endlessly rebooting to check if it works.
#14
You're an absolute legend! Thank you.

For anyone else, as I was using PPPoE for authentication to my ISP on the WAN, I needed to set the normalization rule Max MSS as 1412, and in the WireGuard instance, click advanced and set the MTU as 1372.

For whatever reason it still wouldn't handshake until I assigned and enabled the wg0 interface, and then rebooted the firewall.

What a pain in the ass this has been! ffs
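The numbers traded in posts #12 and #14 (1492 for the WAN after PPPoE, 1412 for the WireGuard instance MTU, 1372 for the IPv4 MSS clamp) all come from fixed header sizes, and the same arithmetic also says what happens when a pair of values does not fit together. Below is an added worked example written for this page; it is not from the thread, from the OPNsense docs or from the WireGuard project. It derives the WAN MTU, the tunnel MTU and the MSS clamp for a PPPoE and a plain Ethernet uplink, and `fits` checks whether a full-size TCP segment with a given MSS passes the tunnel interface and the WAN without fragmentation. The 80-byte WireGuard overhead quoted in the docs is the IPv6-outer case (40 + 8 + 32); the IPv4-outer case is 60, so sizing for 80 is safe either way. Running the same formula with an IPv6 inner header gives 1352, the value mentioned in post #1.

```python
"""Size WireGuard MTU and TCP MSS clamping for a PPPoE (or plain Ethernet) WAN.

Added worked example, not from the thread, the OPNsense docs or WireGuard itself.
Header sizes are the fixed protocol values; the 80-byte WireGuard figure the docs
quote is the IPv6-outer case and is safe for an IPv4 outer as well.
"""
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8       # PPPoE header (6) + PPP protocol field (2)
IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20
UDP_HEADER = 8
WG_HEADER = 32           # type(4) + receiver index(4) + counter(8) + Poly1305 tag(16)


def ip_header(version: int) -> int:
    return IPV4_HEADER if version == 4 else IPV6_HEADER


def wireguard_overhead(outer_ip_version: int = 6) -> int:
    """Bytes added around each inner packet: outer IP + UDP + WireGuard data header."""
    return ip_header(outer_ip_version) + UDP_HEADER + WG_HEADER   # 60 (v4) or 80 (v6)


def wan_mtu(pppoe: bool, link_mtu: int = ETHERNET_MTU) -> int:
    """PPPoE takes 8 bytes out of the Ethernet payload, so 1500 becomes 1492."""
    return link_mtu - PPPOE_OVERHEAD if pppoe else link_mtu


def wireguard_mtu(wan: int, outer_ip_version: int = 6) -> int:
    """Largest inner packet that still fits the WAN MTU once encapsulated."""
    return wan - wireguard_overhead(outer_ip_version)


def mss_clamp(tunnel_mtu: int, inner_ip_version: int = 4) -> int:
    """Largest TCP payload whose segment fits the tunnel MTU (MTU - IP - TCP headers)."""
    return tunnel_mtu - ip_header(inner_ip_version) - TCP_HEADER


def fits(mss: int, tunnel_mtu: int, wan: int, inner_ip_version: int = 4,
         outer_ip_version: int = 4) -> bool:
    """Does a full-size segment with this MSS cross the tunnel and the WAN unfragmented?"""
    inner_packet = mss + TCP_HEADER + ip_header(inner_ip_version)
    if inner_packet > tunnel_mtu:
        return False                 # the tunnel interface itself would fragment or drop it
    return inner_packet + wireguard_overhead(outer_ip_version) <= wan


def plan(pppoe: bool) -> dict:
    """The numbers to enter: WAN MTU, WireGuard instance MTU, MSS for the clamp rule."""
    wan = wan_mtu(pppoe)
    tunnel = wireguard_mtu(wan)
    return {"wan_mtu": wan, "wireguard_mtu": tunnel,
            "mss_ipv4": mss_clamp(tunnel, 4), "mss_ipv6": mss_clamp(tunnel, 6)}


if __name__ == "__main__":
    for pppoe in (False, True):
        print("PPPoE" if pppoe else "Ethernet", plan(pppoe))
    print("MSS 1372 / MTU 1412 on a 1492 WAN fits:", fits(1372, 1412, 1492))
    print("MSS 1412 / MTU 1372 on a 1492 WAN fits:", fits(1412, 1372, 1492))
```

When the clamp and the tunnel MTU are mismatched the symptom is exactly what post #1 describes: the tunnel interface has to fragment (or, with DF set, drop) full-size segments, the sender sees retransmissions in Wireshark, and large responses stall while small ones work.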
#15
Hello,

Running a clean install of OPNsense 25.1. Followed this YouTube tutorial (https://www.youtube.com/watch?v=fFszlJpTBoc) to the letter, but after enabling WireGuard I'm not seeing any "Received" bytes, only sent bytes (VPN > Status).

At 6 min 25 sec in the YouTube video, he says that after enabling WireGuard, you should see the Handshake and Received bytes. However, I don't see a Handshake timestamp, and received is 0 bytes.

How can I troubleshoot the handshake?

I'm running a Lenovo P330 with an Intel quad-port PCIe Ethernet card. My LAN is using the on-board NIC, and the WAN is using the quad card. The internet connection is working fine out of the box.

I've double checked all the public/private keys for the peer and instance, and the other details from the config file that Mullvad generated, but it's just not establishing the WireGuard tunnel completely.

How can I troubleshoot this? I've spent about 24 hours trying to get it working.