Trouble with wireguard, vlans, and protonvpn

Started by sdsfgd, May 06, 2025, 02:58:39 PM

Hi All,

Having some trouble with my WireGuard configuration and can't figure out why it is not working. I have followed the WireGuard ProtonVPN Road Warrior Setup and looked at many other guides but can't get it to work correctly.

The setup:
I have a few vlans, some that should go through the VPN, some that should not. They are organized in 2 firewall groups, IG_OUT_VPN, and IG_OUT_WAN. Up to here everything works correctly.

I then have 2 peers/instances in WireGuard with ProtonVPN for IG_OUT_VPN. The expectation is that if one tunnel is down or slow, the 2nd should start working. IG_OUT_WAN is not affected and should continue to work no matter whether the tunnels are up or not, and its traffic does not go through the tunnels.


Reality is everything stops working the second one tunnel goes down, even IG_OUT_WAN, and for the life of me, I cannot figure out why.

Lately it seems no matter the VPN conf I choose, one of the tunnels goes down. I have tried various Proton servers, but every day now, no matter what I choose, one goes down. Once one is down, the internet connection stops for both IG_OUT_VPN and IG_OUT_WAN.

Below is my conf. I'm not sure where I went wrong. I have tried various changes but nothing seems to resolve the issue.

Instance 1

Name: CH582
Public key: <generated from private key>
Private key: <private key>
Listen port: 51820
MTU: 1412
Tunnel address: 10.2.0.2:28
Peers: CH582
Disable routes: checked
Gateway: 10.2.0.1

Instance 2

Name: CH321
Public key: <generated from private key>
Private key: <private key>
Listen port: 51821
MTU: 1412
Tunnel address: 10.3.0.2:28
Peers: CH321
Disable routes: checked
Gateway: 10.3.0.1

Peer 1

Name: CH582
Public key: <public key>
Allowed IPs: 0.0.0.0/0
Endpoint address: <ip from vpn provider>
Endpoint port: 51820
Instances: CH582
Keepalive interval: 25

Peer 2

Name: CH321
Public key: <public key>
Allowed IPs: 0.0.0.0/0
Endpoint address: <ip from vpn provider>
Endpoint port: 51820
Instances: CH321
Keepalive interval: 25

Gateway 1

Name: VPN0
Interface: VPN0
Address family: IPv4
IP Address: 10.2.0.1
Far Gateway: checked
Disable Host Route: unchecked
Monitor IP: <ip from vpn provider>
Priority: 255

Gateway 2

Name: VPN1
Interface: VPN1
Address family: IPv4
IP Address: 10.3.0.1
Far Gateway: checked
Disable Host Route: unchecked
Monitor IP: <ip from vpn provider>
Priority: 255

Gateway group

WAN_DHCP: never
VPN0: Tier 1
VPN1: Tier 2

Trigger Level: Packet Loss and High Latency


Firewall Groups

IG_OUT_VPN: 2 vlans that should use vpn
IG_OUT_WAN: 2 vlans that should not go through vpn

Firewall rules IG_OUT_VPN

Protocol: IPv4 *
Source: IG_OUT_VPN net
Destination: !RFC1918
Gateway: VPN_GROUP

Firewall rules IG_OUT_WAN

Protocol: IPv4 *
Source: IG_OUT_WAN net
Destination: !RFC1918
Gateway: WAN_DHCP

I don't see any mistake but there has to be one somewhere.

Any advice on how I could debug the issue and figure out what is going on? WireGuard logs don't seem to say much.
Would love to get at least the non-VPN networks to work correctly.

So it turns out it might have been a bug in OPNsense 25.1.5; since upgrading to 25.1.6 the issue seems to have stopped, at least the tunnels are not dropping anymore.
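One way to answer the "how could I debug this" question offline, as an added example that is not part of the original post and not OPNsense or WireGuard code: parse the tab-separated output of `wg show all dump` (the format is documented in wg(8)), decide per instance whether the peer is alive from its latest handshake, and run a few sanity checks against a small description of the gateway settings from the thread (tiers, "Disable routes", "Disable Host Route", monitor IP). Everything below is constructed: keys are placeholders, the endpoints use TEST-NET ranges, `NOW` is a fixed timestamp, and the post does not say which provider IP was used as the monitor IP, so VPN1 is given its own peer endpoint as monitor IP purely to exercise that check.

```python
"""Offline checks for a two-tunnel WireGuard fail-over layout (added example).

Parses `wg show all dump` output and applies sanity checks to gateway settings
modelled on the thread's configuration. All input data is constructed.
"""

HANDSHAKE_STALE_S = 180  # keepalive is 25 s; a live peer re-handshakes within ~2-3 min

# Constructed `wg show all dump` output: interface lines have 5 fields
# (iface, private-key, public-key, listen-port, fwmark), peer lines have 9
# (iface, public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
# transfer-rx, transfer-tx, persistent-keepalive). Keys are placeholders.
WG_DUMP = "\n".join([
    "wg0\tPRIVKEY_REDACTED\tPUBKEY_WG0\t51820\toff",
    "wg0\tPEER_PUBKEY_CH582\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1746540160\t12345\t6789\t25",
    "wg1\tPRIVKEY_REDACTED\tPUBKEY_WG1\t51821\toff",
    "wg1\tPEER_PUBKEY_CH321\t(none)\t198.51.100.20:51820\t0.0.0.0/0\t1746539500\t100\t200\t25",
])
NOW = 1746540200  # fixed "current time" so the example is reproducible

# Constructed gateway settings per interface, mirroring the fields in the post.
# VPN1's monitor IP is set to its peer endpoint on purpose (an assumption).
GATEWAYS = {
    "wg0": {"name": "VPN0", "tier": 1, "gateway_ip": "10.2.0.1",
            "monitor_ip": "10.2.0.1", "disable_routes": True, "disable_host_route": False},
    "wg1": {"name": "VPN1", "tier": 2, "gateway_ip": "10.3.0.1",
            "monitor_ip": "198.51.100.20", "disable_routes": True, "disable_host_route": False},
}


def parse_wg_dump(text):
    """Return {iface: {"listen_port": int, "peers": [peer dicts]}}."""
    ifaces = {}
    for line in text.strip().splitlines():
        f = line.split("\t")
        if len(f) == 5:
            ifaces[f[0]] = {"listen_port": int(f[3]), "peers": []}
        elif len(f) == 9:
            ifaces[f[0]]["peers"].append({
                "endpoint_host": f[3].rsplit(":", 1)[0],
                "allowed_ips": f[4],
                "latest_handshake": int(f[5]),  # unix seconds, 0 = never
            })
    return ifaces


def tunnel_up(peer, now, stale=HANDSHAKE_STALE_S):
    """A peer counts as up if it has handshaken within the staleness window."""
    return peer["latest_handshake"] > 0 and now - peer["latest_handshake"] <= stale


def diagnose(ifaces, gateways, now):
    """Return (findings, up) where findings is a list of strings and up maps iface -> bool."""
    findings = []
    ports = {}
    for name, data in ifaces.items():
        ports.setdefault(data["listen_port"], []).append(name)
    for port, names in ports.items():
        if len(names) > 1:
            findings.append(f"listen port {port} shared by {names}")
    up = {}
    for name, data in ifaces.items():
        gw = gateways[name]
        for peer in data["peers"]:
            up[name] = tunnel_up(peer, now)
            if not up[name]:
                findings.append(f"{gw['name']} ({name}): no handshake in the last {HANDSHAKE_STALE_S}s")
            # AllowedIPs 0.0.0.0/0 with route installation enabled replaces the default route.
            if peer["allowed_ips"] == "0.0.0.0/0" and not gw["disable_routes"]:
                findings.append(f"{gw['name']}: AllowedIPs 0.0.0.0/0 without 'Disable routes' "
                                "would replace the default route")
            # A monitor host route via the tunnel gateway that points at the peer's own
            # endpoint sends the tunnel's encrypted UDP into the tunnel it carries.
            if gw["monitor_ip"] == peer["endpoint_host"] and not gw["disable_host_route"]:
                findings.append(f"{gw['name']}: monitor IP equals the peer endpoint; the monitor "
                                "host route would steer the tunnel's own UDP into the tunnel")
    return findings, up


def select_gateway(gateways, up):
    """Emulate a tiered gateway group: the lowest tier whose gateway is up, else None."""
    candidates = [(g["tier"], g["name"]) for iface, g in gateways.items() if up.get(iface)]
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    parsed = parse_wg_dump(WG_DUMP)
    findings, up = diagnose(parsed, GATEWAYS, NOW)
    print("tunnel state:", up)
    print("group would select:", select_gateway(GATEWAYS, up))
    for f in findings:
        print("finding:", f)
```

Feed real `wg show all dump` output into `parse_wg_dump` (with `NOW = int(time.time())`) to see which instance has stopped handshaking; a peer that the firewall's gateway monitor reports as down while its handshake is fresh points at the monitor IP or host-route side rather than at WireGuard itself. When testing fail-over, use fresh connections: OPNsense only tears down existing states on gateway failure when state killing is enabled under Firewall > Settings > Advanced, so established sessions otherwise stay bound to the dead gateway.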