Failover-Setup with Mullvad (Wireguard) does not work

Started by willi93, March 31, 2025, 02:24:44 PM

Hey guys,

I'm trying to set up two WireGuard connections to use as a failover. First I set up a single WireGuard connection to my provider (Mullvad), sticking to this tutorial:

Everything works fine with only one tunnel (Mullvad_NL). Even the killswitch does work great.

However, I would like to add a second tunnel (SUI) in case the first one (NL) eventually goes offline at any time. So I set up the second instance, assigned the interface and created the gateway. The only thing that is different from the config file from Mullvad is that I cannot use the same gateway IP (10.64.0.1) because it is already in use for the first tunnel. So I changed that to 10.64.0.2. As you can see, both connections are up and running.

I believe that there is some kind of DNS problem, because I can ping e.g. 1.1.1.1 from the VPN machine on the alias, but can't reach any website.

As soon as I remove the second gateway, disable the second wg interface and disable the second wg instance, everything works perfectly fine again.

I took some screenshots of my config: Screenshots

Do you have any idea for a solution to my problem?

Thank you very much for your help :)

Hi,

I have implemented what you're asking for, but with Proton VPN.
Are you sure that Mullvad allows creating multiple tunnels from the same IP? (I think I read something about this a while ago, but I'm not fully sure.)
Is there a specific reason why you added a Monitor IP to the main WAN connection (WAN_GW)?
How do you route the connections through the VPNs? Did you implement specific rules in the firewall, or are you relying on the gateway priority?
Personally, I found GW groups very buggy (at least with WireGuard connections), so I implemented a different setup.

Have a look at the above questions, but I strongly think that your main issue is the NAT rule (your last pic) using the GW_Group: try creating two instances, one for each WireGuard connection, keeping the same priority order used in the GW group. Also use the same priority order between the GW group and the gateway page.

Quote from: willi93 on March 31, 2025, 02:24:44 PM
As soon as I remove the second gateway, disable the second wg interface and disable the second wg instance, everything works perfectly fine again.

I took some screenshots of my config: Screenshots

Do you have any idea for a solution to my problem?

Thank you very much for your help :)

That is hands-down the best and most up-to-date tutorial I have found on the topic. However, like you, mine breaks when I try to add a 2nd tunnel -- eventual goal is LB over multiples.

The biggest difference I see between the linked tutorial and some of the other guides I have found is that Andrew is using the IP address of what is listed as the DNS server in the WG config. Multiple Gateways with the same gateway IP address is not going to work. OPN won't even allow that as a config.

So I'm investigating if that is actually the correct way to set the gateway IP.

Quote from: granute on April 18, 2025, 08:04:10 PM
So I'm investigating if that is actually the correct way to set the gateway IP.

Going off of what is in the official docs, I did not use the DNS server's IP address as the gateway. I instead did the -1 trick off of the Tunnel Address used in the WG Instance setup. However, the docs say to enter the -1 address in the Instance config itself and in newer OPN versions that setting is actually in the Gateway setting under IP Address.

I find this part of the setup to be really confusing. Particularly in the docs where it says that IP address is essentially arbitrary. I cannot figure out why I cannot get Gateway Monitoring to work using the Endpoint Address.

Also, even if I Reset State, I often have to reboot the firewall in order to get the firewall to route traffic out any of the WG tunnels.

For reference, I seem to be able to LB across 3 different Mullvad tunnels now. That may sound excessive however I'm playing region + ASN routing games with various sites and this is the most simple solution I have been able to formulate.
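The two points raised in the posts above, that the Mullvad DNS address (10.64.0.1) is identical in every downloaded config and so cannot serve as a per-tunnel gateway IP, while the "-1 trick" (tunnel address minus one) yields a distinct gateway address for each tunnel, can be checked mechanically before touching the OPNsense GUI. The script below is an added example, not code from the tutorial, from OPNsense or from Mullvad: it parses two constructed Mullvad-style .conf files (keys and endpoints are placeholders), derives a gateway IP per tunnel with the "-1" convention as granute describes it, and reports which fields would collide if reused across gateways.

```python
import ipaddress
import re
from typing import Dict, List

# Two constructed Mullvad-style WireGuard configs. The keys and endpoint
# addresses are placeholders invented for this example, not real Mullvad data.
SAMPLE_CONFIGS: Dict[str, str] = {
    "Mullvad_NL": """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_NL
Address = 10.64.12.34/32
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY_NL
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.10:51820
""",
    "Mullvad_SUI": """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_SUI
Address = 10.64.56.78/32
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY_SUI
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.20:51820
""",
}


def parse_wg_conf(text: str) -> Dict[str, str]:
    """Flatten a WireGuard .conf into {'section.key': value} (keys lowercased)."""
    section = ""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        key, _, value = line.partition("=")
        out[f"{section}.{key.strip().lower()}"] = value.strip()
    return out


def first_ipv4_interface(address_field: str) -> ipaddress.IPv4Interface:
    """Mullvad configs may list 'v4/32, v6/128'; take the first IPv4 entry."""
    for part in address_field.split(","):
        iface = ipaddress.ip_interface(part.strip())
        if iface.version == 4:
            return iface
    raise ValueError(f"no IPv4 address in {address_field!r}")


def gateway_ip_from_tunnel_address(address_field: str) -> str:
    """The '-1 trick' described in the thread: gateway IP = tunnel address minus one.

    Assumption: the address is a /32 and subtracting one stays inside 10.64.0.0/10,
    which holds for the constructed samples but should be checked for real configs.
    """
    iface = first_ipv4_interface(address_field)
    return str(iface.ip - 1)


def plan_gateways(configs: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Build the per-tunnel values one would enter for the WG instance and its gateway."""
    plan: Dict[str, Dict[str, str]] = {}
    for name, text in configs.items():
        cfg = parse_wg_conf(text)
        plan[name] = {
            "tunnel_address": cfg["interface.address"],
            "gateway_ip": gateway_ip_from_tunnel_address(cfg["interface.address"]),
            "dns_ip": cfg["interface.dns"],
            "endpoint": cfg["peer.endpoint"],
        }
    return plan


def find_collisions(plan: Dict[str, Dict[str, str]], field: str) -> Dict[str, List[str]]:
    """Return values of `field` shared by more than one tunnel.

    Using a shared value (e.g. the DNS IP) as the gateway IP is what the thread
    reports OPNsense rejecting; a non-empty result for 'gateway_ip' means trouble.
    """
    seen: Dict[str, List[str]] = {}
    for name, entry in plan.items():
        seen.setdefault(entry[field], []).append(name)
    return {value: names for value, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    plan = plan_gateways(SAMPLE_CONFIGS)
    for name, entry in plan.items():
        print(name, entry)
    print("DNS collisions:", find_collisions(plan, "dns_ip"))
    print("Gateway IP collisions:", find_collisions(plan, "gateway_ip"))
```

Run it against your own downloaded Mullvad configs by replacing the sample dictionary: a non-empty `dns_ip` collision with an empty `gateway_ip` collision is the expected picture, and it shows why the DNS address works for a single tunnel but not for two.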

You can use multiple gateways with the same IP address. I created a guide here https://forum.opnsense.org/index.php?topic=45163.0 which may help.