Author Topic: [WireGuard] Mullvad Selective Routing guide for dummies  (Read 7672 times)

colourcode

  • Newbie
  • Posts: 9
  • Karma: 6
[WireGuard] Mullvad Selective Routing guide for dummies
« on: February 02, 2024, 04:28:46 pm »
Additional information and inspiration:
schnerring.net
OPNsense Docs

About

This is basically the existing guide(s) without much explanation, straight to the point, for those of us who get cross-eyed by walls of text. Don't expect to learn why it's working here.

This is the minimum needed to get it up and running on an unconfigured OPNsense host.
Tested with 24.1.1

Hopefully, it can be of help to someone, and let's hope I never have to do BBCode formatting ever again 🤦



1. Install WireGuard

Code:
Navigate to: System > Firmware > Plugins
- Install WireGuard



2. Download Mullvad config - I'll call it .conf

1. Log in to mullvad.net & go to wireguard-config
2. Generate Key
3. Scroll down and select server
4. Select IPv4
5. Select Only IPv4
6. Configure Content Blocking
   - Personal preference, it changes the DNS server provided in .conf
7. Download .conf

Additional Mullvad info

These can be used as monitoring IP for gateway(s):
- Mullvad - How to set up ad-blocking in our app
   - 100.64.0.1 for Ad-blocking
   - 100.64.0.2 for Tracker-blocking
   - 100.64.0.3 for Ad- + Tracker-blocking.

- Mullvad - Adding another layer: malware DNS blocking
   - 100.64.0.4 Malware blocking only
   - 100.64.0.5 Ad and malware blocking, no tracker blocking
   - 100.64.0.6 Tracker and malware blocking, no ad blocking
   - 100.64.0.7 Ad, tracker and malware blocking (“everything”)



3. WireGuard Configuration

3.1 WireGuard INSTANCE - [interface] in .conf

Code:
Navigate to: VPN > WireGuard > Settings > Instances
Fields not mentioned = BLANK / Default

- ADD
Code:
| Field           | Value                        |
| --------------- | ---------------------------- |
| Name            | Instance Name                |
| Pub Key         | The one you generated        |
| Priv Key        | In downloaded .conf          |
| Port            | 51820                        |
| Tunnel Address  | AddressInConf/32             |
| Disable Routes  | CHECKED                      |
| Gateway         | Tunnel_Address (-1)*         |

* See note: OPNsense Docs - wireguard-selective-routing

- Save (don't apply yet)

3.2 WireGuard PEER - [peer] in .conf

Code:
Navigate to: VPN > WireGuard > Settings > Peers
- ADD
Code:
| Field               | Value                        |
| ------------------- | ---------------------------- |
| Name                | Peer Name                    |
| Pub Key             | In downloaded .conf          |
| Allowed IPs         | 0.0.0.0/0                    |
| Endpoint Address    | In downloaded .conf          |
| Endpoint Port       | 51820                        |
| Instance            | The one you set up earlier   |
| Keepalive interval  | 25                           |

- Save and hit apply

Code:
Navigate to: VPN > WireGuard > Settings > General
- Enable WireGuard
- Verify tunnel is UP in VPN > WireGuard > Diagnostics



4.  Add an interface

Code:
Navigate to: Interfaces > Assignments > Assign a new interface
- Expand list and select the WireGuard interface
- Device wg1
   - ADD
   - SAVE (above)

- Click on the new interface (above)
   - Enable Interface: CHECKED
   - SAVE



5. Add a gateway

Code:
Navigate to: System > Gateways > Configuration
- ADD
Code:
| Field                           | Value                                             |
| ------------------------------- | ------------------------------------------------- |
| Name                            | GW name                                           |
| Interface                       | wg1                                               |
| Address Family                  | IPv4                                              |
| IP Address                      | .conf > [interface] > address (-1)*               |
| Far Gateway                     | CHECKED                                           |
| Disable Gateway Monitoring      | UNCHECKED                                         |
| Monitor IP                      | 10.64.0.1 or one of the DNS servers               |

* If .conf address is xx.xx.xx.10/32 you can use xx.xx.xx.9 - i.e. remove the subnet mask and subtract one from the last segment.

-  SAVE
-  APPLY



6. Firewall configuration
This configuration is as barebones as they come, modify it to your liking

Code:
Navigate to: Firewall > Aliases
- ADD
Code:
| Field             | Value                                                |
| ----------------- | ---------------------------------------------------- |
| Name              | [selected hosts] - any name you want                 |
| Type              | Host(s)                                              |
| Content           | Add the IP of each device you want to use WireGuard  |

- SAVE
- APPLY

6.1 FIRST rule: Route [selected hosts] traffic through the tunnel

Code:
Navigate to: Firewall > Rules > Floating
- ADD
Code:
| Field                | Value                                          |
| -------------------- | ---------------------------------------------- |
| Action               | Pass                                           |
| Quick                | CHECKED                                        |
| Interface            | Interface(s) where your [selected hosts] live  |
| Direction            | In                                             |
| TCP/IP Version       | IPv4                                           |
| Protocol             | Any                                            |
| Source               | [selected hosts]                               |
| Destination          | Any                                            |
| Gateway              | WG Gateway                                     |
|              Show Advanced Features                                   |
| SET local tag        | NO_WAN_EGRESS                                  |

- SAVE

6.2 SECOND rule: Kill switch
May not be needed depending on your configuration, better safe than sorry?

- OPNsense Docs: Kill Switch

6.3 THIRD rule: Route DNS traffic for [selected hosts]
This rule is optional; use it for troubleshooting or with port forwards.

- ADD
Code:
| Field                | Value                                          |
| -------------------- | ---------------------------------------------- |
| Action               | Pass                                           |
| Quick                | CHECKED                                        |
| Interface            | Interface(s) where your [selected hosts] live  |
| Direction            | In                                             |
| TCP/IP Version       | IPv4                                           |
| Protocol             | TCP/UDP                                        |
| Source               | [selected hosts]                               |
| Destination          | A Mullvad DNS server: 100.64.0.X               |
| Dst Port Range       | DNS                            |
| Gateway              | WG Gateway                     |

- SAVE

6.4 NAT Rule: NAT WireGuard for [selected hosts]

Code:
Navigate to: Firewall > NAT > Outbound
- Change mode to Hybrid outbound NAT rule generation

- ADD
Code:
| Field                    | Value                                          |
| ------------------------ | ---------------------------------------------- |
| Interface                | WG interface                                   |
| TCP/IP Version           | IPv4                                           |
| Protocol                 | Any                                            |
| Source                   | [selected hosts]                               |
| Src Port                 | Any                                            |
| Destination              | Any                                            |
| Dst Port                 | Any                                            |
| Translation / Target     | Interface Address                              |

- SAVE
- APPLY to save all the firewall rules



7. Verify it's working as intended

- Add a device IP to the [selected hosts] Alias
- Use Mullvad Check
   - All three should be green

- API, PowerShell
Code:
(curl https://am.i.mullvad.net/json).Content | ConvertFrom-Json

Thanks for reading!
Please educate me where there are mistakes!
« Last Edit: February 06, 2024, 07:37:43 pm by colourcode »
Logged
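The field mapping in sections 3 and 5 of the post above, as an added example that is not part of the original post and not OPNsense's or Mullvad's own code: a Python script that reads a Mullvad .conf and prints the values to type into the Instance, Peer and Gateway forms, deriving the gateway address the same way the post does (tunnel address minus one, subnet mask dropped) and listing the monitor IP candidates (10.64.0.1 plus whatever DNS the .conf carries). The sample .conf is constructed, with placeholder keys and a documentation address as the endpoint, and the function names are my own. It goes one step beyond the post's "subtract one from the last segment" rule: it subtracts one from the whole address, so a tunnel address ending in .0 wraps into the previous octet instead of producing an invalid ".-1".

```python
"""Turn a Mullvad WireGuard .conf into the OPNsense form values used in the post above."""
import configparser
import ipaddress

# Constructed sample in the shape Mullvad's generator produces.
# Keys are placeholders; 198.51.100.7 is a documentation address, not a real server.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.66.123.10/32
DNS = 100.64.0.3

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 198.51.100.7:51820
"""

WG_PORT = 51820  # the port the post uses for both Instance and Peer


def parse_conf(text):
    """WireGuard .conf files are INI-style, so the stdlib parser is enough."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case (PrivateKey, not privatekey)
    cp.read_string(text)
    return cp


def gateway_address(tunnel_cidr):
    """Tunnel address minus one with the mask dropped: 10.66.123.10/32 -> 10.66.123.9.

    Integer arithmetic on the whole address generalises the post's 'subtract one
    from the last segment' rule, so 10.66.123.0/32 yields 10.66.122.255 rather
    than an invalid octet.
    """
    iface = ipaddress.ip_interface(tunnel_cidr)
    return str(iface.ip - 1)


def opnsense_fields(text):
    """Map the .conf onto the three OPNsense forms from sections 3.1, 3.2 and 5."""
    cp = parse_conf(text)
    iface, peer = cp["Interface"], cp["Peer"]
    # Mullvad may list an IPv6 address too; the post only uses IPv4, so take the first.
    tunnel = iface["Address"].split(",")[0].strip()
    host, port = peer["Endpoint"].rsplit(":", 1)
    dns = [d.strip() for d in iface.get("DNS", "").split(",") if d.strip()]
    gw = gateway_address(tunnel)
    return {
        "instance": {
            "Priv Key": iface["PrivateKey"],
            "Port": WG_PORT,
            "Tunnel Address": tunnel,
            "Gateway": gw,
        },
        "peer": {
            "Pub Key": peer["PublicKey"],
            "Allowed IPs": "0.0.0.0/0",
            "Endpoint Address": host,
            "Endpoint Port": int(port),
        },
        "gateway": {
            "IP Address": gw,
            # 10.64.0.1 is the post's default; the .conf's DNS is the other option it names.
            "Monitor IP candidates": ["10.64.0.1"] + dns,
        },
    }


if __name__ == "__main__":
    for form, fields in opnsense_fields(SAMPLE_CONF).items():
        print(f"[{form}]")
        for name, value in fields.items():
            print(f"  {name:<22} {value}")
```

Run it against your own download with `opnsense_fields(open("mullvad.conf").read())`; the private key is printed only so it can be pasted into the Instance form, so clear the terminal afterwards.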

pete.magnusson

  • Newbie
  • Posts: 2
  • Karma: 0
Re: [WireGuard] Mullvad Selective Routing guide for dummies
« Reply #1 on: July 27, 2024, 06:33:51 pm »
Just an awesome, amazing guide!
Works like a charm!
I just got one question, if you don't mind.
Following these steps I get it working, so I get my traffic over Mullvad and can access my "LAN" devices (as per the interface I selected in 6.1), but I am not able to connect to any of my "IOT" devices in a different VLAN.
Do you have any recommendation for this?
Cheers
Logged

maldito

  • Newbie
  • Posts: 1
  • Karma: 0
Re: [WireGuard] Mullvad Selective Routing guide for dummies
« Reply #2 on: July 28, 2024, 01:41:26 am »
Awesome guide. I was 0-3 with the OPNSENSE docs guide. Finally got my selective routing going with your guide though, thank you very much.
Logged

Magician1981

  • Newbie
  • Posts: 13
  • Karma: 0
Re: [WireGuard] Mullvad Selective Routing guide for dummies
« Reply #3 on: August 29, 2024, 10:01:13 pm »
Greetings,

Any additional steps I need to take when using a VLAN tag (interface) as the gateway, since my ISP uses that for internet traffic over the fiber connection? When I add the Mullvad gateway it stays red with 100% loss even after selecting it as the upstream gateway.

Thank you

Update:

When I use the same IP in the monitor IP section as the IP address, things light up green but the Mullvad check does not pass. Tried different DNS IPs to no avail.
« Last Edit: August 29, 2024, 10:32:53 pm by Magician1981 »
Logged

hushcoden

  • Hero Member
  • Posts: 551
  • Karma: 23
Re: [WireGuard] Mullvad Selective Routing guide for dummies
« Reply #4 on: October 14, 2024, 02:35:08 pm »
If I understood properly, there is no need of rules within the actual Wireguard/VPN interface, but only in the interface where the hosts live, is that correct?

Tia.
Logged

OCT0PUSCRIME

  • Newbie
  • Posts: 2
  • Karma: 0
Re: [WireGuard] Mullvad Selective Routing guide for dummies
« Reply #5 on: October 23, 2024, 08:50:23 pm »
Can I ask why your routing rule is different than the one in the OPNsense docs? They have a floating rule, direction out.
Logged

colourcode

  • Newbie
  • Posts: 9
  • Karma: 6
Re: [WireGuard] Mullvad Selective Routing guide for dummies
« Reply #6 on: November 07, 2024, 01:50:48 pm »
Quote from: OCT0PUSCRIME on October 23, 2024, 08:50:23 pm
Can I ask why your routing rule is different than the one in the OPNsense docs? They have a floating rule, direction out.

This guide is using the "Step 8 - Create a Firewall rule" rule: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-8-create-a-firewall-rule

I don't have my opnsense active at the moment. You'll be able to confirm whether it's working or not with the last step. You can easily add the rules from the wiki and see if it behaves differently after you've confirmed that selected routing is working.

Didn't manage to find any problems with this despite not using all the rules. All traffic I tested hopped the correct routes and was blocked where I wanted. Possibly something I missed that the other rules fixed. Going to need someone smarter than me to confirm.

Quote from: hushcoden on October 14, 2024, 02:35:08 pm
If I understood properly, there is no need of rules within the actual Wireguard/VPN interface, but only in the interface where the hosts live, is that correct?

Tia.

The NAT and Floating rule should cover that.
« Last Edit: November 07, 2024, 01:56:15 pm by colourcode »
Logged
