Wireguard & Mullvad - I'm lost.....

[chbmb]

Ok.....

So this is unfortunate.....

I broke my first rule of documenting stuff and backing it up  before doing anything else.  Unfortunately, I suffered a power cut to the house not long after mimugmail was kind enough to teamviewer in and help with this.

My config got hosed and I'm trying to recreate it, but am completely unable to resolve any addresses.

I did save the messages between myself and mimugmail at the time, so all is not lost, so if anyone else wants to try this here are the brief instructions.

In sum, pick a random IP like 1.2.3.4, add it to endpoint in addition to 0.0.0.0, add it to gateway in local instance and hit disable routes, assign wg interface, add a gateway with ip 1.2.3.4 and far gateway, then create firewall rules with 1.2.3.4 as gateway.

[spants]

I'm still having problems getting this running ...... anyone have a step-by-step ready for this I would be grateful!

[chbmb]

Where have you got to with it?  Perhaps we can figure it out together?

[spants]

Thanks for the offer.... I just got it working.

I made a stupid mistake: in the servers list, I used the multihop Port instead of the standard port!
Juts now changing all my Rules to use Wireguard instead of PIA

Thanks again for the offer of help.

[chbmb]

Thanks for the offer.... I just got it working.

I made a stupid mistake: in the servers list, I used the multihop Port instead of the standard port!
Juts now changing all my Rules to use Wireguard instead of PIA

Thanks again for the offer of help.

Well if you'd care to share, I still can't get it working! 

[spants]

sent a pm - let me know if it make sense and works first so that we can do a proper writeup!

[chbmb]

Will do.  I'm clearly missing something.   I'm getting very close to a nuke and pave.

[ownerer]

Typical, I reply to a thread I found via google, only to find this thread afterwards...

Another one here trying to get this to work!
Anxiously waiting to see that write-up guys!

[mimugmail]

Can you post screenshots of local server instance and linked endpoint?

1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.

It's not that hard to get this running

[ownerer]

It's not that hard to get this running

Well that's what I would expect, yes! 

But I have done all of this over 10 times already, to no avail. Traffic simply. will. not. pass.
I've tried creating the interface both without and with IP address (the local tunnel address), nothing.
(note btw that you have restart the Wireguard service after creating the interface. If I don't and I try to create the gateway on the interface, I get an error saying no valid IPv4 config was found on the interface...)

And it's not like I haven't done this before.
I have policy based routing set up and working with PIA, monitored gateways, failover etc

So why this won't work is beyond me 

So perhaps it's best to really take the Wireguard for Dummies approach here and start at the very beginning:
Is there any way to verify that the tunnel is actually up, regardless of routing?

Edit: requested screenshots

[zgQTSf2PHyHt]

I spent a few hours trying to get this to work with no success. I currently have manual policy routing with OpenVPN on a subset of VLANs, and I only managed to get that working by pushing routes in the custom options field. I followed all the available advice and forum posts and also mirrored my known good OVPN VLAN FW rules, NAT, gateway settings, ect with no success.

What's the deal with this? 

[mimugmail]

@ownerer: if you want to start from scratch, disable OpenVPN stuff and do a packet capture on the WG interface to check if packets are traversing the tunnel. I need screenshots of FW rules and outbound NAT. The interface has to be with no ip configuration and if you touch it you need to restart wireguard

[chbmb]

@ownerer: if you want to start from scratch, disable OpenVPN stuff and do a packet capture on the WG interface to check if packets are traversing the tunnel. I need screenshots of FW rules and outbound NAT. The interface has to be with no ip configuration and if you touch it you need to restart wireguard

Hi mimugmail, I think a few of us are finding this more difficult than expected.  I'm a bit tied up at the moment as very busy at work and second child arriving fairly soon, I was wondering, would it help if I donated a month or two of Mullvad to you?  If nothing else so you can illustrate the firewall rules required, Let me know and I'll quite happily do so.

[ownerer]

Sooooooo, this is embarrassing...

Mullvad used to offer 3 hour trial accounts, turns out they aren't anymore.
Yours truly here was testing with an unpaid account under the assumption that those trials were still being offered. 

I only realized they weren't anymore when I stopped trying to get it to work on OPNsense and decided to test a single Windows client first instead.
Sigh.

You know what they say: assumptions are the mother of all f***ups.

So anyway, just wanted to share that piece of wisdom, and confirm that policy-based routing IS indeed working the way mimugmail has been trying to tell us. (sorry man!!)
I didn't have to do anything special.

I personally have it set up now with gateway monitoring in a gateway group as Tier 1, with PIA OpenVPN serving as a failover in Tier 2.

But to re-iterate the setup for those interested:

• Set up Mullvad endpoint (public key, allowed IPs + 1.2.3.4, endpoint address & port)
• Set up local endpoint (private key, tunnel address, DNS, "disable routes", gateway IP 1.2.3.4)
• Assign an interface to wg# (enable, lock, no IP config)
• Restart Wireguard service (or you will get an error when trying to create the gateway)
• Create gateway on the newly created interface (IP 1.2.3.4, check "far gateway", optionally enable monitoring (I'm using cloudflare's 1.1.1.1))
• Create a NAT rule on the Mullvad interface for your LAN network
• Create a firewall rule for your LAN interface directing (selected) traffic to the Mullvad gateway (or the group in my case)
• All done!

Hope this helps someone! 

[mimugmail]

Mostly the reason why it doesnt work is an additional OpenVPN where the settings "dont pull routes" or "dont add routes" is not correctly set