Why does my VPN Gateway say "Offline" with 100% packet loss

Started by 0x9060, January 13, 2025, 06:31:07 PM

I'm using a WireGuard config from ProtonVPN.

I started by setting up an interface and a peer in OPNsense WireGuard, following this guide: https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html

Then, wanting to route all traffic on OPT1 through my external ProtonVPN service, I followed this guide: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html. Some steps here are redundant, but I read through it all to make sure I understand. I also performed the Optional Step 11 in this guide (Add a kill switch). I did not do the "Configuring IPV6" step. Nor did I do the "Dealing with DNS Leaks" step, as I am using ProtonVPN's DNS.

Everything seems to be working well. All my devices connected to OPT1 seem to be routing through ProtonVPN (`curl ifconfig.me` shows a different public IP), and all my devices connected to LAN are not routing through the VPN - which is as I intended. I achieved this (per Step 8) by adding a firewall rule to OPT1 to allow hosts to access the VPN tunnel, and putting this at the top of the firewall rules list. For completeness, I did not do this for LAN.

Although everything seems to be working as intended, my Gateways widget on the dashboard shows my ProtonVPN gateway that I created is "Offline", with 100% Loss. Why could this be? I'm worried that I might have configured something incorrectly.

I know this is a bit old, but did you ever get this sorted out?

I have been testing this kind of setup and found your post among my searches. I have some feedback that might help you or others searching for the same sorts of issues.

I followed some processes from a YouTube video from the channel What's New Andrew, titled "Sign in Always-On VPN with OPNsense & Mullvad: An Easy Step-by-Step Guide"
https://youtu.be/fFszlJpTBoc

He's using Mullvad in his example but it shouldn't make a difference.


I think the main difference, which is counterintuitive for me, is that he created the VPN Peer first, and then created the Instance from that.
This will probably solve your "offline" problem because it's your peer that is offline and the instructions you followed didn't document how to link them.

Another thing that may be documented but that I missed is to make sure to create an Outbound NAT rule for WireGuard (Group) to allow traffic. Then you can create your LAN rules for using the VPN instance you created.


These things got everything up and running.
My current issues are that I still get packet loss, around 13%-16% on average. Seems excessive to me.
I also get NAT Type 3 on my gaming consoles, despite having Proton's "Moderate NAT" setting on.
But it is working overall.


Edited: some typos
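OPNsense marks a gateway "Offline" with 100% loss when its monitor pings through the tunnel get no replies, which is exactly what an unlinked or unreachable peer produces. The quickest check on the firewall is whether the peer ever completed a handshake, which `wg show <iface> dump` reports. The script below is an added example, not from either post or from the OPNsense docs; it assumes the single-interface dump format (interface line first, then one line per peer with the handshake as a Unix timestamp in field 5) and treats a handshake older than 180 seconds as stale, a threshold chosen here as an assumption.

```shell
# Added example: classify WireGuard peers from `wg show <iface> dump` output.
# Assumed dump layout (single interface, no interface-name prefix column):
#   line 1: private-key public-key listen-port fwmark
#   peers:  public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# STALE_AFTER is an assumed threshold, not a WireGuard constant.
STALE_AFTER=180

# wg_peer_status DUMP NOW
# Prints one line per peer: "<endpoint> <state> <handshake-age-seconds>"
# state is ok, stale, or never-handshaked (latest-handshake of 0 means the
# peer has not completed a handshake at all; a gateway monitor over that
# tunnel will show 100% loss).
wg_peer_status() {
  dump="$1"; now="$2"
  printf '%s\n' "$dump" | awk -v now="$now" -v stale="$STALE_AFTER" '
    NR == 1 { next }                         # skip the interface line
    {
      endpoint = $3; hs = $5
      if (hs == 0) { state = "never-handshaked"; age = "n/a" }
      else {
        age = now - hs
        state = (age > stale) ? "stale" : "ok"
      }
      print endpoint, state, age
    }'
}

# Constructed sample: one peer with a fresh handshake, one that never
# handshaked (what a peer that is not linked to the instance looks like).
# Keys and endpoints are placeholders, not real values.
SAMPLE_DUMP='PRIVKEY PUBKEY 51820 off
PEER1KEY (none) 203.0.113.10:51820 0.0.0.0/0 1736793000 123456 654321 25
PEER2KEY (none) 198.51.100.7:51820 10.2.0.0/16 0 0 0 25'

# On a live firewall you would feed it: wg_peer_status "$(wg show wg0 dump)" "$(date +%s)"
wg_peer_status "$SAMPLE_DUMP" 1736793060
```

A peer reported as never-handshaked or stale while the gateway shows 100% loss points at the peer/instance linkage or the endpoint, not at the monitor; a peer that is ok while the gateway is still Offline points at the monitor IP or the firewall rules on the tunnel interface instead.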