Help Getting Proton VPN Wireguard Working

Started by opnsense1, December 22, 2024, 08:02:13 AM

I got my Protectli Vault set up and have been trying to get ProtonVPN working on it as a whole-router VPN. As far as I can tell, I have followed this guide to the letter. I went through it three times with no success - nothing on the network works unless I actually turn on the VPN from a specific device through Proton's app, so that's not how it is supposed to be. Even when I try to check for updates under System > Firmware > Status, I get `No address record found for the selected mirror.` when it was working before all of the VPN shenanigans.

In the VPN: WireGuard: Status dashboard, it says the status is `up` and I have ~200MB sent and ~4GB received, I assume from the videos I was watching on a device with my workaround of still using the Proton VPN app. Also reassuringly, under System: Gateways: Configuration and the gateway I made for the VPN, it has an RTT of 140ms, RTTd of 2.1ms, Loss of 0.0%, and Status is a green online plug.

On step 7 of part two of the guide, I did some inferring as it is a bit vague, which is maybe where I went wrong? Before I get more complicated, I just want every device on the network to use the selected VPN by default. With that in mind, I decided to select `Network(s)` from the "Type" dropdown of the alias and for "Content", I chose `__lan_network` because I assume that means I am targeting all LAN devices for the alias group to be routed through the VPN. Am I misunderstanding this menu?

This is what my RFC alias looks like:


This is an overview of my Firewall: Rules: LAN page to show that I paid attention to the ordering of the rules:


And my floating rules overview as well:


My outbound NAT rules:


I did follow the instructions for preventing DNS leaks from guide part 1 and enabling the kill switch as well. I'm pretty sure there's a mistake in the kill switch part - it says to edit the firewall rule from step 7, but step 7 was creating an alias, so I assumed they were actually referencing the rule from step 8 and added `NO_WAN_EGRESS` into the "Set local tag" field of my Firewall: Rules: LAN rule that is seen at the top of the list in my second screenshot. I then put the second rule that catches those tagged packets at the bottom of screenshot 3.

Any ideas where I'm going wrong? I tried to include enough context and images to be helpful but not overly detailed - if any deeper screenshots or details are needed for a specific field, please let me know. Thank you!

December 25, 2024, 02:44:46 AM #1 Last Edit: December 25, 2024, 03:06:13 AM by opnsense1
New info, this is what I get when I try to ping a website that I tested works when the VPN is enabled through its app:
```
bazzite:~$ ping brave.com
ping: brave.com: Temporary failure in name resolution
bazzite:~$ ping 2600:9000:2209:5000:6:d0d2:780:93a1
PING 2600:9000:2209:5000:6:d0d2:780:93a1 (2600:9000:2209:5000:6:d0d2:780:93a1) 56 data bytes
^C
--- 2600:9000:2209:5000:6:d0d2:780:93a1 ping statistics ---
19 packets transmitted, 0 received, 100% packet loss, time 18418ms
```

I was hoping it was maybe just a DNS issue, but now no devices on my network can reach the internet without their own VPN enabled.

Also, this is my interface chart - shouldn't WAN be nonexistent if the VPN is working correctly?

December 27, 2024, 08:12:38 AM #2 Last Edit: December 27, 2024, 08:56:24 AM by opnsense1
Fixed! I had been using my network in what I thought was the broken state that required an on-device VPN to work; however, I noticed that for some reason my Steam Deck was working fine. It was just my PC, laptop, phone, and tablet, which all run Android or Linux, that were having issues. Turns out they couldn't figure out the DNS servers automatically, and Android made it very difficult to fix because I had already tried messing with Private DNS settings during my troubleshooting, but even with it off (you can't choose an IP address in this menu, only domains like google.dns or one.one.one.one) no go. You also can't do it simply through editing the network settings. You have to edit a network, click Advanced, change IP settings to Static, and then you can choose your own DNS server, which was 10.2.0.1 for my Proton VPN config. Linux was more straightforward and didn't force me to make my IP static as well. 🤩

Now on to figuring out how to change the VPN settings for a few devices, e.g. a gaming VPN config with closer servers and better NAT settings.

EDIT: Last piece of the issue solved that I forgot about - checking for updates in OPNsense wasn't working. You have to go to System: Settings: General and set the DNS server there!!! Putting 10.2.0.1, selecting my VPN gateway, and then clicking Save at the bottom worked like a charm! This also seems to remove the need to mess with settings on Android & Linux, doh! So just do that and everything should smooth out. Never saw mention of it in all the tutorials that I looked at.