Can't route traffic via Mullvad's WireGuard servers

Started by Legally a Shrimp, May 17, 2024, 01:57:37 PM

May 17, 2024, 01:57:37 PM Last Edit: May 19, 2024, 10:00:29 PM by Legally a Shrimp
Hi,

a few weeks ago I found myself forced to move into a shared apartment. Somewhat understandably, my new roommate won't allow me to replace his router, an AVM Fritz!Box 7490, with my own (previously pfSense based) router. Because I've gotten so accustomed to all its features (mainly PBR over various VPN GWs and IPBL/DNSBL), I connected my router to his. He allowed me to set my router to be an "exposed host" for both its addresses (IPv4 and IPv6) and delegated prefixes. As far as I understand, this means the Fritz!Box firewall is practically disabled for my router. Also, the Fritz!Box now delegates a /63 IPv6 subnet to my router, which I split into two /64s for the LAN and WiFi interfaces.

Curiously, with the move the VPN connections to Mullvad stopped working: no matter what I did, I could no longer use them as gateways for browsing the web, i.e. attempts to open websites would simply time out. Because I had wanted to give opnSense a try for a long time, I took this as an opportunity to finally make the switch from pfSense.

I already was at the point where all my devices have gotten IPv4 and IPv6 addresses assigned (via DHCP/managed RA), could talk to each other (confirmed via ping and ssh) and connect to the internet, except to blacklisted hosts. From the outside I could connect to the (non-Mullvad) WireGuard VPN I've set up on opnSense to get to my home server (confirmed via 5G connection). From the inside I could connect to the (non-Mullvad) WireGuard VPN I've set up on my mail server (some cheapo OVH Kimsufi box in France) for nightly backups.

Unfortunately the issue I had with pfSense persists with opnSense no matter what I do: I still can't get traffic from within my LAN to be routed via Mullvad servers to the outside world. All attempts to connect to web servers still just time out.
At all times I've followed this guide with no significant deviations. Once I realized I still have the same problem, I removed all firewall and NAT rules except those from the guide. Still, the issue persists. So I removed all firewall and NAT rules that I've set up, also the WG interfaces, gateways, instances and peers, and started all over again, again and again. Making sure I don't miss anything, such as ticking the "allow-options" checkbox of step 9. Nothing. I even generated new keys, thus also new interfaces on Mullvad's end, via their API, with the "hijack_dns" option set to false (this used to work just fine before the move). Still nothing. So I reinstalled opnSense, updated it, only set up WAN and LAN interfaces (both DHCP) and DNS, followed the guide again.

Thanks

In short:
- connections to servers time out when enabling rules with Mullvad VPNs set as gateway
- issue is reproducible on every device in LAN
+ ping works (and changes when routing via MV GW)
+ traceroute works (and changes when routing via MV GW)
+ dig/nslookup works
+ no suspicious logs (besides ones similar to these, see screenshots)
+ Mullvad client works (but is impractical, because can't be used on some devices)
+ connecting to tunneled devices on non-MV WG VPNs works fine
* this is the guide I followed (docs.opnsense.org)
* these are screenshots of the settings (imgur.com)
* this is a video illustrating the issue (youtube.com)

I am unable to view the screenshots on Imgur.
WireGuard works just fine with Mullvad and other providers on opnsense... if configured properly. The issue you are seeing could be DNS or MTU settings.

Have you tried installing the Mullvad client on a certain PC to see if it simply passes any Mullvad traffic?
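An added diagnostic for the MTU suspicion raised above (example code, not from this thread or from OPNsense/Mullvad): it computes the inner MTU a WireGuard tunnel leaves after encapsulation and binary-searches the path MTU with DF-marked pings from a LAN client. It assumes a Linux iputils `ping` (OPNsense's FreeBSD `ping` uses `-D` for DF instead of `-M do`) and uses a placeholder target address.

```shell
#!/bin/sh
# Added example, not from the thread. A tunnel whose inner MTU exceeds the
# real path MTU typically lets ping and DNS work while TCP sessions stall.

# Usable inner MTU left by WireGuard encapsulation: outer IP header,
# UDP header (8) and the WireGuard transport header plus Poly1305 tag (32).
wg_inner_mtu() {
    case "$2" in
        4) echo $(( $1 - 20 - 8 - 32 )) ;;
        6) echo $(( $1 - 40 - 8 - 32 )) ;;
        *) echo "unknown address family: $2" >&2; return 1 ;;
    esac
}

# ICMP echo payload size <-> IPv4 packet size (20-byte IP + 8-byte ICMP header).
icmp4_packet_size() { echo $(( $1 + 28 )); }
icmp4_payload_size() { echo $(( $1 - 28 )); }

# Binary-search the largest DF-marked IPv4 packet that reaches the target.
# Prints the discovered path MTU in bytes, searched within [lo, hi].
probe_pmtu4() {
    target=$1; lo=${2:-576}; hi=${3:-1500}
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if ping -c 1 -W 2 -M do -s "$(icmp4_payload_size "$mid")" "$target" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# Compare a tunnel MTU with the measured path MTU; non-zero exit on mismatch.
check_tunnel_mtu() {
    tunnel_mtu=$1; path_mtu=$2
    if [ "$tunnel_mtu" -gt "$path_mtu" ]; then
        echo "tunnel MTU $tunnel_mtu exceeds path MTU $path_mtu: lower the MTU or clamp MSS"
        return 1
    fi
    echo "tunnel MTU $tunnel_mtu fits path MTU $path_mtu"
}

if [ "${1:-}" = "run" ]; then
    TARGET=${2:-192.0.2.1}   # placeholder: a host reached through the VPN gateway
    pmtu=$(probe_pmtu4 "$TARGET")
    echo "path MTU toward $TARGET: $pmtu"
    check_tunnel_mtu "$(wg_inner_mtu 1500 6)" "$pmtu"
fi
```

Run it as `sh probe.sh run <target>` from a LAN host whose traffic is policy-routed through the Mullvad gateway; the network probe only starts when the `run` argument is given.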

May 19, 2024, 09:53:27 AM #2 Last Edit: May 19, 2024, 10:02:14 PM by Legally a Shrimp
Quote from: DEC670airp414user on May 18, 2024, 01:29:36 PM
I am unable to view the screenshots on Imgur.
That's odd. I can see them on my desktop and on my mobile phone.

Quote from: DEC670airp414user on May 18, 2024, 01:29:36 PM
WireGuard works just fine with Mullvad and other providers on opnsense... if configured properly. The issue you are seeing could be DNS or MTU settings.
DNS lookups work fine. So does the transmission of ICMP packets with the DF bit set. Both with the rule seen in the video enabled and disabled.

Quote from: DEC670airp414user on May 18, 2024, 01:29:36 PM
Have you tried installing the Mullvad client on a certain PC to see if it simply passes any Mullvad traffic?
No issue with the Mullvad client, but since it can't be used on all the devices, this is far from an optimal solution to my problem. :-\

Thanks for the reply anyway!

Yesterday evening I reinstalled and reconfigured opnSense for what feels like the twentieth time. I swore it would be the last time and despite me being almost certain I didn't do anything different compared to before, opnSense must have finally noticed my immense frustration and felt pity for me, because it just works™ now.

Well, kinda: whenever the upstream router goes down or gets "zwangsgetrennt", WAN gets a new IPv6 address, but neither the LAN nor the WIFI interface does. Guess this is a known issue? :-\