Wireguard & Mullvad - I'm lost.....

[chbmb]

So I recently migrated to OPNsense from Pfsense, I'm very impressed and glad I made the switch.  I've been experimenting with WireGuard a fair bit and have written a couple of blog posts on my progress so far with an OPNsense WireGuard "server" and Android and Ubuntu desktop "clients", so my next step was to try and setup Mullvad as the "server" and OPNsense as the "client"

I've been referencing the guides below:

https://wiki.opnsense.org/manual/how-tos/wireguard-client-mullvad.html
https://wiki.opnsense.org/manual/how-tos/wireguard-client-azire.html
https://www.routerperformance.net/opnsense-wireguard-plugin-azirevpn/

I can get the tunnel up, as evidenced here. (wg1, wg0 is my "WireGuard server for connection to my LAN remotely." and am using a custom port to receive the incoming connection.









(If I do not disable routes then I find all my internet access from LAN disappears.)

Undeterred I figured some manual routing would work and give me more granular control over things, so I created an interface.



and added a firewall rule



But traffic is still going out over WAN, rather than the Mullvad interface.  I tried to create a gateway, as shown here



and can manually bring it up, by clicking on the grey arrow, although I'm not sure how having the gateway really changes anything given my existing NAT rule.



I'm obviously missing something, but I'll be damned if I know what, and if anyone can give me some pointers I'd be very grateful indeed.

Sorry for the lengthy post/pictures, but figured it would be better to have too much information, rather than not enough.

Thanks

C

[mimugmail]

You need to put an IP address into gateway and also add this IP in gateway field in local instance. Then you can do routing via Firewall rules

[chbmb]

You need to put an IP address into gateway and also add this IP in gateway field in local instance. Then you can do routing via Firewall rules

Forgot to mention that I'd tried that and got the error message:

"The gateway address "10.249.0.1" does not lie within one of the chosen interface's IPv4 subnets."

So the thing that confuses me, is which IPV4 subnet is applicable to the Mullvad interface?  Another IP in the same range as the tunnel address?

[chbmb]

Ah, OK, added the IPV4 tunnel address on my local Mullvad WireGuard instance as the Gateway IP.  That worked.

I'm still not getting my traffic routed over the interface though, so presumably I need to add another rule in somewhere?

[mimugmail]

Firewall rule in LAN tab and add there the mullvad gateway

[chbmb]

Sorry, I'm probably being stupid here, I've tried doing as you suggested.  Something happens, basically any traffic in my browser is redirected to my OPNsense install.   

I've put a gateway IP into the local instance
(Doesn't work if I leave out the /32 - tunnel doesn't come up or show in "List configuration")

Local Instance



Endpoint



List Configuration



I've created the interface for Mullvad



And then a gateway with the assigned IP of the tunnel address of the local instance





So I think everything up to this point is good. 

I'm going to guess it's the following bits that have me confused, as I'm clearly missing something, and I'm sure those wiser than me will laugh at my mistake......

I've got an Outbound NAT rule



A Mullvad NAT Rule



And finally a LAN Firewall Rule (deactivated at the moment as enabling it results in everything redirecting to my OPNSense address. 



Really appreciate the advice.  Sorry for another lengthy post.

[actionhenkt]

I have tried to get this working with mullvad aswell, got it working once for 10minutes. I will try again this weekend if I can get it stable I can share the configuration with you.

I noticed you use hybrid nat on your wan and your source on it is any, the auto nat rules also contain your mullvad interface on wan, im not sure the manual nat rule for the mullvad interface will work here.. have you tried manual outbound nat ? I would also then remove the source "lan net" from your lan rule and make it source any and put the mullvad gateway back into your lan in rule to test if it works at all (if it does you can try an alias containing ip's as source next). You could also try to set a local tag on the lan in rule and match the tag on the outbound nat rule for the mullvad interface (in a manual nat configuration).

[chbmb]

I have tried to get this working with mullvad aswell, got it working once for 10minutes. I will try again this weekend if I can get it stable I can share the configuration with you.

I would be very grateful.   

I noticed you use hybrid nat on your wan and your source on it is any, the auto nat rules also contain your mullvad interface on wan, im not sure the manual nat rule for the mullvad interface will work here.. have you tried manual outbound nat ?

I haven't tried manual outbound NAT, I thought with hybrid that rules were applied in order from top down.

I would also then remove the source "lan net" from your lan rule and make it source any and put the mullvad gateway back into your lan in rule to test if it works at all

Unfortunately, it still didn't work

(if it does you can try an alias containing ip's as source next). You could also try to set a local tag on the lan in rule and match the tag on the outbound nat rule for the mullvad interface (in a manual nat configuration).

It's my end intention to make it a bit more granular in terms of clients that use the Mullvad tunnel, just figured making it as simple as possible to start with.

Not that it's been as simple as I'd originally hoped.....

Thanks for the reply, if nothing else it's reassuring to know others have had difficulty too....

[tusc]

Count me as another user trying to get wireguard to work with policy based routing. I tried months ago with no luck. Hopefully someone figures it out.

[chbmb]

Count me as another user trying to get wireguard to work with policy based routing. I tried months ago with no luck. Hopefully someone figures it out.

Well that's three of us that are struggling!  If nothing else you've made me feel better about not being able to get it working.

Perhaps I'm not quite as dumb as I thought!   

[mimugmail]

Can you ping me via IRC? I can have a look via Teamviewer

[chbmb]

Can you ping me via IRC? I can have a look via Teamviewer

Yeah, will do when I get back from work and we'll try and work out a time.  Thanks for that!

Sent from my Mi A1 using Tapatalk

[spants]

Count me in as another user trying to do the same!.
I have everything running on PIA OpenVPN (including routing for ports/devices) but wanting to switch to Mullvad Wireguard after the recent news.....

I have the wireguard server running on my opnsense - it's awesome!

(hi CHBMB - from another unraid guy!)

[mimugmail]

I fixed it with him, he will write a guide

[chbmb]

Count me in as another user trying to do the same!.
I have everything running on PIA OpenVPN (including routing for ports/devices) but wanting to switch to Mullvad Wireguard after the recent news.....

I have the wireguard server running on my opnsense - it's awesome!

(hi CHBMB - from another unraid guy!)

Hello mate, I recognise the name!

I fixed it with him, he will write a guide

You did, I'm still fiddling with a few things which I think are DNS related.  But yeah, definitely able to get stuff routed down the tunnel now.