Use Wireguard VPN to Mullvad only for one client

Started by murmelbahn, November 05, 2019, 04:13:37 PM

Hey all,

I have a little question. I've configured my OPNsense to use the Mullvad VPN service. I was using the following guide:
https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html

Now all my clients are using the VPN connection to Mullvad, but I want only one client to use this connection. When the VPN is down, the client shouldn't be allowed to use the internet at all. The last sentence in the manual says the following:

Quote:
> When assigning interfaces we can also add gateways to them. This would offer you the chance to balance traffic via different VPN providers or do more complex routing scenarios.

I think something like this is needed for me? Like IP 1.2.3.4 only use Gateway Mullvad VPN without failover and all the others using the default WAN gateway?

Maybe someone can give me a hint to handle this situation?

November 05, 2019, 08:06:19 PM #1 Last Edit: November 05, 2019, 08:08:23 PM by actionhenkt
You could use the tag options on your firewall rules to route traffic

1. Create a WireGuard interface (don't assign an IP).
2. Create a gateway for WireGuard.
3. Create an IP alias with the client IPs you want to have WireGuard for.
4. Create an outbound NAT rule on the WireGuard interface and tag the rule with a "match local tag" option; you can also put a source with the alias you created in this rule.
5. Create a rule on the LAN interface and tag the rule with the "set local tag" option, add the alias as source, set the gateway to the one you created, and put this rule at the top.
6. Create a reject (direction out) rule on the floating tab and match this rule with the tag you set on the LAN rule using the "match local tag" option; put this rule below your "block any in" rule on the floating tab.

This should get your WireGuard running the way you want.
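To make the mechanics of the six steps explicit, here is the same policy-routing setup written as pf rules (the packet filter OPNsense generates its rules for). This is an added illustration written for this thread, not something posted by actionhenkt or generated by OPNsense; the interface names wg1 and lan0 and the peer gateway address 192.0.2.1 are assumptions/placeholders, and the client address is the one from the thread.

```pf
# Added illustration of the tag-based policy routing described in the six steps.
# Assumed names: wg1 = WireGuard tunnel interface, lan0 = LAN interface.
wg_if  = "wg1"
lan_if = "lan0"
wg_gw  = "192.0.2.1"          # placeholder for the Mullvad-side tunnel gateway

# Step 3: alias holding the client(s) that may only reach the Internet through the tunnel
table <mullvad_clients> { 192.168.178.239 }

# Step 4: outbound NAT on the WireGuard interface, applied only to flows carrying the tag
nat on $wg_if inet from <mullvad_clients> to any tagged VPN -> ($wg_if)

# Step 5: LAN rule at the top: tag the flow and force it to the WireGuard gateway.
# The tag is sticky, so it is still present when the reply packets' state is
# evaluated on the outbound side (which is what step 4 and step 6 rely on).
pass in quick on $lan_if route-to ($wg_if $wg_gw) inet \
    from <mullvad_clients> to any tag VPN keep state

# Step 6: kill switch. When the gateway is marked down, route-to is no longer applied
# and the tagged traffic would fall back to the default route; anything tagged that
# tries to leave on a non-tunnel interface is rejected instead of reaching the WAN.
block return out quick on ! $wg_if tagged VPN
```

Untagged traffic from other clients never matches any of these rules and keeps using the default WAN gateway, which is the split the original poster asked for.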

November 07, 2019, 03:49:21 PM #2 Last Edit: November 07, 2019, 03:55:34 PM by murmelbahn
Hi,
thanks for your answer. Sadly I can't get it working. These are the steps I did:

1. Interfaces -> Assignments -> New Interface -> wg1 -> Add (wg0 is my dial in Wireguard VPN)
2. Edited the new interface: Renamed it to WireGuardMullvadIF, enabled it. Nothing more.
3. System -> Gateways -> Single -> Add
4. Set "Mullvad" as name, choose "WireGuardMullvadIF" as interface. Enabled it.
5. Firewall -> Aliases -> New -> Add. Name: Mullvad, Type=Host(s) Content: 192.168.178.239.
6. Firewall -> NAT -> Outbound -> Add (Mode = Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)).
7. Interface: WireGuardMullvadIF, Source Address: "Mullvad", Match Local Tag: VPN. Nothing more.
8. Firewall -> Rules -> LAN -> Add. Action: Pass, Interface: LAN, Direction: In, Source: VPN, Gateway: Mullvad, Set local Tag: VPN. Nothing more. After this I put the rule on top, but there are still generated rules above it.
9. Firewall -> Rules -> Floating -> Add.
10. Action: Reject, Direction: out, Match local tag: VPN.
11. Here there are only generated rules; the one I created is the last one.

After all this, all my clients are still using the VPN connection. The good thing is that the client which should have no internet access when the VPN is offline is indeed offline, but it is also offline even when the VPN is enabled. Can you give me a hint what to change?