Failover-Setup with Mullvad (Wireguard) does not work

Started by willi93, March 31, 2025, 02:24:44 PM

Hey guys,

I'm trying to set up two WireGuard connections to use as a failover. First I set up a single WireGuard connection to my provider (Mullvad), sticking to this tutorial:

Everything works fine with only one tunnel (Mullvad_NL). Even the killswitch does work great.

However, I would like to add a second tunnel (SUI) in case the first one (NL) eventually goes offline at any time. So I set up the second instance, assigned the interface and created the gateway. The only thing that is different from the config file from Mullvad is that I can not use the same gateway IP (10.64.0.1), because it is already in use for the first tunnel. So I changed that to 10.64.0.2. As you can see, both connections are up and running.

I believe that there is some kind of a DNS problem, because I can ping e.g. 1.1.1.1 from the VPN machine on the alias, but can't reach any website.

As soon as I remove the second gateway, disable the second WG interface and disable the second WG instance, everything works perfectly fine again.

I took some screenshots of my config: Screenshots

Do you have any idea for a solution to my problem?

Thank you very much for your help :)

Hi,

I have implemented what you're asking for, but with Proton VPN.
Are you sure that Mullvad allows creating multiple tunnels from the same IP? (I think I read something a while ago, but I'm not fully sure.)
Is there a specific reason why you added a Monitor IP to the main WAN connection (WAN_GW)?
How do you route the connections through the VPNs? Did you implement specific rules in the firewall, or are you relying on the gateway priority?
Personally, I found GW groups very buggy (at least with WireGuard connections), so I implemented a different setup.

Have a look at the above questions, but I strongly think that your main issue is the NAT rule (your last pic) using the GW_Group: try creating two instances, one for each WireGuard connection, keeping the same priority order used in the GW group. Also use the same priority order between the GW group and the gateway page.

Quote from: willi93 on March 31, 2025, 02:24:44 PM
As soon as I remove the second gateway, disable the second WG interface and disable the second WG instance, everything works perfectly fine again.

I took some screenshots of my config: Screenshots

Do you have any idea for a solution to my problem?

Thank you very much for your help :)

That is hands-down the best and most up-to-date tutorial I have found on the topic. However, like you, mine breaks when I try to add a 2nd tunnel -- the eventual goal is LB over multiple tunnels.

The biggest difference I see between the linked tutorial and some of the other guides I have found is that Andrew is using the IP address of what is listed as the DNS server in the WG config. Multiple gateways with the same gateway IP address are not going to work. OPN won't even allow that as a config.

So I'm investigating if that is actually the correct way to set the gateway IP.

Quote from: granute on April 18, 2025, 08:04:10 PM
So I'm investigating if that is actually the correct way to set the gateway IP.

Going off of what is in the official docs, I did not use the DNS server's IP address as the gateway. I instead did the -1 trick off of the Tunnel Address used in the WG Instance setup. However, the docs say to enter the -1 address in the Instance config itself, and in newer OPN versions that setting is actually in the Gateway settings under IP Address.

I find this part of the setup to be really confusing. Particularly in the docs where it says that IP address is essentially arbitrary. I cannot figure out why I cannot get Gateway Monitoring to work using the Endpoint Address.

Also, even if I Reset State, I often have to reboot the firewall in order to get the firewall to route traffic out any of the WG tunnels.

For reference, I seem to be able to LB across 3 different Mullvad tunnels now. That may sound excessive; however, I'm playing region + ASN routing games with various sites and this is the simplest solution I have been able to formulate.
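To make the "tunnel address minus one" gateway trick from the post above concrete, here is an added helper (not code from this thread or from OPNsense/Mullvad) that reads WireGuard client configs, derives a distinct gateway IP per tunnel, and refuses the plan when two tunnels would collide the way the shared 10.64.0.1 DNS address did in the opening post. The two configs, their addresses, endpoints and key placeholders are constructed for the example.

```python
import ipaddress
from configparser import ConfigParser

# Constructed sample configs in the layout Mullvad hands out; keys and
# addresses are placeholders, not real tunnel data.
SAMPLE_CONFIGS = {
    "Mullvad_NL": """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_NL
Address = 10.64.13.7/32
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY_NL
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.10:51820
""",
    "Mullvad_SUI": """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_SUI
Address = 10.64.21.42/32
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY_SUI
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.25:51820
""",
}


def plan_gateway(name, conf_text):
    """Derive the OPNsense gateway settings for one WireGuard tunnel."""
    cp = ConfigParser(interpolation=None, strict=False)  # keys may repeat
    cp.read_string(conf_text)
    tunnel = ipaddress.ip_interface(cp["Interface"]["Address"])
    gateway = tunnel.ip - 1  # "-1 trick": an address unique to this tunnel
    endpoint_host = cp["Peer"]["Endpoint"].rsplit(":", 1)[0]
    return {
        "name": name,
        "tunnel_address": str(tunnel.ip),
        "gateway_ip": str(gateway),
        # Same in every Mullvad config, so unusable as a per-tunnel gateway.
        "dns_ip": cp["Interface"]["DNS"],
        # Host for a static /32 route via WAN so handshakes leave correctly.
        "static_route_host": endpoint_host,
    }


def plan_all(configs):
    """Plan every tunnel and reject gateway IPs that are not unique."""
    plans = [plan_gateway(n, c) for n, c in configs.items()]
    gateways = [p["gateway_ip"] for p in plans]
    if len(set(gateways)) != len(gateways):
        raise ValueError("duplicate gateway IPs derived: %s" % gateways)
    return plans
```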

You can use multiple gateways with the same IP address. I created a guide here https://forum.opnsense.org/index.php?topic=45163.0 which may help.

Hey willi93,

Newbie here. I couldn't view the screenshots here because Imgur blocked my VPN and also didn't state the reason I couldn't view the images. I thought it was an issue with my browser. Then I edited your URL link like so and everything worked. So I can finally view your screenshots and reply.

That tutorial you referenced is helpful. In case you haven't seen it, for failover also check out this walkthrough by Christian McDonald, which is for pfSense but works just great with OPNsense. He talks through his selection of the gateway address. He also explains why you need to use two separate Mullvad devices to generate configuration files for each VPN peer and instance (which you've done, since the tunnels are different). For the gateway, I've had luck using the tunnel address plus an offset, as granute and McDonald suggest. For the gateway monitoring, I first created static routes to the public VPN endpoints, as explained in landinggear's walkthrough that modifies this official tutorial for pushing Unbound DNS traffic out the VPN tunnels. That worked for me using Unbound in forwarding mode, although more recently I'm encountering issues that look a lot like bugs in default gateway switching and monitoring when using both Unbound DNS in resolver mode and setting up failover.

Anyway, I think if you're getting Mullvad to resolve your DNS traffic for you, that walkthrough by landinggear should do the trick!

See also here for how to set up the routes to the endpoints.

Also here's a Reddit post describing why not to use DNS service IP addresses to ping the gateway monitors, and here's a person who succeeded at that task and who describes why you have to enable default gateway switching and set the VPN gateways in the gateway group as upstream and higher priority (i.e., lower priority number).

(Doing some reference organizing over here.)