Wireguard & Mullvad - I'm lost.....

[Greelan]

That said, it does seem a little odd that you can’t have multiple simultaneous connections with your vpn provider. And those Allowed IPs seem pretty restrictive. What are overall trying to achieve? Maybe the issue is more with your firewall and outbound NAT rules

[DerTom]

Try CIDR notation, eg 1.2.3.4/32?

Hi Greelan!

Added the /32 and restarted the firewall... but no success, Gateways are still marked offline.

[DerTom]

That said, it does seem a little odd that you can’t have multiple simultaneous connections with your vpn provider. And those Allowed IPs seem pretty restrictive. What are overall trying to achieve? Maybe the issue is more with your firewall and outbound NAT rules

That what I want to achieve is that there is only one vlan connecting to the internet by one of this vpn connections. Stuff, that should have an US-IP should use the wg-connection with a us-server and so on. According to firewall-rules for every vlan-interface (10.10.0.1/24 and 10.10.1.1/24) there are two rules
#1 within your vlan everything is allowed
#2 everything that has a destination that is not the firewall has to use the specified gateway

It's for streaming stuff. Netflix should use the US-server and NFL-Gamepass shouldn't.

[Greelan]

OK, then you should leave Allowed IPs as 0.0.0.0/0, and simply set up the firewall rules and outbound NAT for each VLAN to use the relevant gateway. There was a topic recently where someone did essentially the same thing - I will dig it out

[Greelan]

This is it: Multiple Wireguard VPN Clients
 https://r.tapatalk.com/shareLink/topic?share_fid=197904&share_tid=20494&url=https%3A%2F%2Fforum%2Eopnsense%2Eorg%2Findex%2Ephp%3Ftopic%3D20494&share_type=t&link_source=app

Again, the key is configuring the firewall rules and outbound NAT so that they are specific to the particular VLAN you want to use the relevant interface and gateway. It’s really an expansion of the idea of configuring a specific IP to use the VPN (which is discussed by me in a topic linked in the above topic) - instead of a single IP, you are wanting a single subnet

[Greelan]

As an aside, I get the sense that what “Allowed IPs” means may be confusing you. Allowed IPs are not the IPs that are permitted on the local side to access the endpoint through the tunnel. Rather, they are the IPs that able to be accessed through the tunnel via the endpoint, by whatever IPs on the local side are otherwise configured to use the tunnel by routes/firewall rules. Think of it as - “what IPs do I want to reach through the tunnel?”

[DerTom]

OK, then you should leave Allowed IPs as 0.0.0.0/0, and simply set up the firewall rules and outbound NAT for each VLAN to use the relevant gateway. There was a topic recently where someone did essentially the same thing - I will dig it out

By the time I set the allowed IPs to 0.0.0.0/0, only the first wg-connection gets an IP from the vpn-provider...

[DerTom]

As an aside, I get the sense that what “Allowed IPs” means may be confusing you. Allowed IPs are not the IPs that are permitted on the local side to access the endpoint through the tunnel. Rather, they are the IPs that able to be accessed through the tunnel via the endpoint, by whatever IPs on the local side are otherwise configured to use the tunnel by routes/firewall rules. Think of it as - “what IPs do I want to reach through the tunnel?”

OK, I would like to allow the Gateway access through the tunnel (1.2.3.4) and what else? I don't know the IPs on the vpn-provider-side. I do just have the endpoint-IP. Do I have to create a NAT-rule?

This is it: Multiple Wireguard VPN Clients
 https://r.tapatalk.com/shareLink/topic?share_fid=197904&share_tid=20494&url=https%3A%2F%2Fforum%2Eopnsense%2Eorg%2Findex%2Ephp%3Ftopic%3D20494&share_type=t&link_source=app

Again, the key is configuring the firewall rules and outbound NAT so that they are specific to the particular VLAN you want to use the relevant interface and gateway. It’s really an expansion of the idea of configuring a specific IP to use the VPN (which is discussed by me in a topic linked in the above topic) - instead of a single IP, you are wanting a single subnet

I followed the thread and https://imgur.com/gallery/JBf2RF6... nothing changed.
- both tunnels do exist / handshake is made
- both tunnels get their IP by the vpn-provider
- wireguard-go is 'green'
- dpinger Gateway wg0 is 'green'
- dpinger Gateway wg1 is 'green'
but I still do have 100% Loss shown for the gateways...!? Is it, that there is an IP for the dpinger that I have to allow? There is no NAT-rule shown!?

[DerTom]

I don't know what happened... I tried 0.0.0.0/0 as an allowed IP again and it seems to work... At least the Gateways are 'Online'.

Magic - and I don't like magic, I don't understand...

[SFC]

Just as a head up, you absolutely don't need to use 1.2.3.4 and I would strongly suggest you don't, given that's a "real" IP address.  You may run into issues in the future - plenty of people found out the hard way when cloudflare started using 1.1.1.1 as a public DNS server.  I'd suggest picking something from the official private network address space that doesn't conflict with your existing LAN.

So if you're using 192.168.x.x at home, use 172.16.0.1/32

https://en.wikipedia.org/wiki/Private_network

You do *NOT* need to put this in the allowed IP addresses if you put in 0.0.0.0/0. 

0.0.0.0/0 means every IPv4 address possible.  Putting in a second IPv4 address is redundant.



Also one other note, if you're on a PPPoE WAN connection, you need to crank your MSS down to 1300. 

Firewall > Settings > Normalization

[Nekromantik]

having issues with this too
I got it setup using the 1.2.3.4 method for the GW.
The GW is green with health check against 1.1.1.1.
I can see packets from LAN going to WG Interface but no return traffic.
My client looses all internet access.
My FW rule is as below:

[Nekromantik]

solved it
had to remove the 1.2.3.4 from allowed networks and then put my client IP in NAT rule

[The_Dave]

I also have the problem that my wireguard gateways shown down and there are packages sent by the interface but not received. I configured everything as explained in this guide:
https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/

I really hope someone can give me a hint how to get this working. My wan receives an ip from the isps router via dmz if that's relevant