Wireguard & Mullvad - I'm lost.....

Started by chbmb, November 24, 2019, 04:29:31 PM

I am trying to get an IPv6 gateway up but the default gateway settings only accepts an ip address like 1.2.3.4, but not an ipv6 address at the same time.

Is this feature missing?


Thanks for these steps. They didn't work for me from the start, but when I changed Allowed IPs to "1.2.3.4/32,0.0.0.0/0" it worked (note the /0 with 0.0.0.0!)

Quote from: mimugmail on December 20, 2019, 05:00:22 PM
Can you post screenshots of local server instance and linked endpoint?

1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.

It's not that hard to get this running :)
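The reason the "/0" matters in the AllowedIPs field above, and why the 1.2.3.4 dummy gateway has to be covered by it, is WireGuard's cryptokey routing: a packet sent out of the wg interface goes to the peer whose AllowedIPs covers the destination (longest prefix wins), and a destination no peer covers is simply dropped. The Python lookup below is an added example, not part of this thread or of OPNsense or Mullvad; it reproduces that rule with the standard library. The peer name "mullvad" is a placeholder, and it is an assumption that the endpoint form treats a bare "0.0.0.0" as a single host the way wg(8) and Python's ipaddress module do.

```python
import ipaddress
from typing import Dict, List, Optional

# Peer tables below are constructed for this example; "mullvad" is a placeholder name.


def parse_allowed_ips(field: str) -> List[str]:
    """Normalise a comma-separated AllowedIPs field to CIDR strings.

    A bare address (no '/len') becomes a host prefix (/32 or /128). That is how
    wg(8) and Python's ipaddress treat it; that the OPNsense endpoint form does the
    same is an assumption, and it is exactly the pitfall of typing '0.0.0.0'
    instead of '0.0.0.0/0'.
    """
    prefixes = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)  # bare addr -> /32 or /128
        prefixes.append(str(net))
    return prefixes


def select_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Cryptokey routing lookup: the peer whose AllowedIPs most specifically covers
    dst wins; None means WireGuard has no peer for this packet and drops it."""
    target = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, prefixes in peers.items():
        for cidr in prefixes:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == target.version and target in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def gateway_check(allowed_ips_field: str, gateway_ip: str, probe_dst: str) -> Dict[str, Optional[str]]:
    """Answer the two questions the OPNsense setup raises for a single-peer tunnel:
    can the dummy far-gateway address be routed into the tunnel (so gateway
    monitoring has somewhere to go), and can ordinary traffic to probe_dst?"""
    peers = {"mullvad": parse_allowed_ips(allowed_ips_field)}
    return {"gateway": select_peer(peers, gateway_ip), "internet": select_peer(peers, probe_dst)}


if __name__ == "__main__":
    # The field as mistyped ('0.0.0.0' without /0) versus as it worked in the thread.
    for field in ("1.2.3.4/32,0.0.0.0", "1.2.3.4/32,0.0.0.0/0"):
        print(f"{field:24} -> {gateway_check(field, '1.2.3.4', '1.1.1.1')}")
```

With "1.2.3.4/32,0.0.0.0" the dummy gateway is reachable but 1.1.1.1 has no peer, which is the "gateway up, no Internet" symptom; with "1.2.3.4/32,0.0.0.0/0" both resolve to the Mullvad peer. An IPv6 destination resolves to nothing in either case, since only IPv4 prefixes are listed, which is why a separate ::/0 entry (and an IPv6 gateway) would be needed for v6 traffic.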

Hi! I've tried to follow your instructions as you've mentioned. But somewhere along the way there seems to be a problem, and I think it's due to Firewall rules.

I just can't seem to be able to push my specific client through the Wireguard Interface by using the Gateway.

I've tried to reach you through IRC, but I guess we're on different timezones and just going past each other at this point :)

Hopefully I can get in contact with you somehow, cause I know it's probably a simple and small step that I've missed along the way!

January 29, 2020, 08:30:35 PM #34 Last Edit: January 29, 2020, 08:44:26 PM by Ryssk
Here's the wg0 interface config, gateway setup, LAN rule and Outbound NAT rule

It's probably in the LAN rule or Outbound NAT rule that I've missed a certain setting.


Which network is LAN and what is the content of the Alias?

Quote from: mimugmail on January 29, 2020, 08:55:23 PM
Which network is LAN and what is the content of the Alias?

If you mean the network interface, it's Vtnet1; otherwise it's 192.168.1.1.

Content of the alias is just a single host, 192.168.1.144, which is my laptop that I use only for testing atm (easiest way for me to verify, by using the Mullvad tool to check that it's using the VPN tunnel).

I have a new issue with Wireguard/Mullvad policy-based routing.
I created a separate topic here (Policy-based Wireguard(/Mullvad): firewall rules ignored when gateway is down) as to not hijack this one.
But I thought I'd mention it at least.

Quote from: mimugmail on December 20, 2019, 05:00:22 PM
Can you post screenshots of local server instance and linked endpoint?

1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.

It's not that hard to get this running :)

I'm trying to understand why it's necessary to use a public/routable IP, 1.2.3.4, for this setup, and moreover, why that's the only solution. It seems like a hacky (if not dangerous) approach.

Because OPNsense needs an IP as gateway, but WireGuard uses just a destination interface. You can also use a private unused IP.

Quote from: chbmb on December 07, 2019, 01:49:36 PM
Ok.....

So this is unfortunate.....

I broke my first rule of documenting stuff and backing it up  before doing anything else.  Unfortunately, I suffered a power cut to the house not long after mimugmail was kind enough to teamviewer in and help with this.

My config got hosed and I'm trying to recreate it, but am completely unable to resolve any addresses.

I did save the messages between myself and mimugmail at the time, so all is not lost, so if anyone else wants to try this here are the brief instructions.

Quote: In sum, pick a random IP like 1.2.3.4, add it to endpoint in addition to 0.0.0.0, add it to gateway in local instance and hit disable routes, assign wg interface, add a gateway with ip 1.2.3.4 and far gateway, then create firewall rules with 1.2.3.4 as gateway.


Wow, thank you man! This was really helpful. Finally I'm able to create rules for devices to use Mullvad! Thanks!

Hello guys, could anyone send the final configuration file/screenshots of all modified settings please?

I still can't get it working...

Thanks in advance !

Kevin

There's an official guide at https://wiki.opnsense.org/manual/how-tos/wireguard-client-mullvad.html that seems to work for me. Screenshots of my config attached. Ignore the fact that my default allow rule allows to everything but this firewall, the different naming, or the fact it's on an entirely separate interface from LAN. This is specific to my configuration and is to prevent PCs on the VPN network from accessing any possible administration interface. Other than that, this seems to work without leaking for me. If anyone knows how to change my configuration to allow failover (multiple wireguard VPNs, etc.) that would be nice. So far I have a static route for the first VPN, and I'm assuming that to use two different routers I need to add a static route for the other router (not connected yet) to connect to another VPN over the second WAN.

Does anyone know if the same key for Wireguard works on multiple servers at the same time, or the effects of doing so? Unsure if traffic can cross from one WG peer to another in the same group, and would rather not risk it. If it doesn't, and the same key does work, I could probably get away with the same rule for two or more WG connections on the same router.

PS:
If you need the wireguard port for mullvad, try connecting to the exact same server you plan to connect your OPNsense to in the official client and see what port it uses on "IN".

When running this command from the tutorial:
curl -sSL https://api.mullvad.net/wg/ -d account=123 --data-urlencode pubkey=pubkey
Do it like this instead to escape the pubkey, as it might contain symbols that confuse the shell:
curl -sSL https://api.mullvad.net/wg/ -d account=123 --data-urlencode pubkey="pubkey"

Also, you'll probably need to enable SSH with pubkeys to access the shell (and make sure it only listens on LAN). Couldn't find it in the web interface.
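A WireGuard public key is 32 bytes base64-encoded, so it can contain "+", "/" and a trailing "=", and the --data-urlencode in the curl line above exists to percent-encode those characters for the form body. The Python below is an added example (not from this thread, the OPNsense how-to, or Mullvad) that does the same thing with the standard library: it validates that a key really decodes to 32 bytes before anything is sent, builds the same POST body curl would send, and prepares the request against the URL quoted in the thread without sending it. The sample key and the 16-digit account number are constructed placeholders.

```python
import base64
import urllib.parse
import urllib.request

MULLVAD_WG_API = "https://api.mullvad.net/wg/"  # URL as posted in the thread

# Constructed sample key: 32 bytes chosen so the base64 contains '+', '/' and '='.
SAMPLE_PUBKEY = base64.b64encode(bytes([0xFB, 0xFF, 0xBF]) + bytes(29)).decode()
SAMPLE_ACCOUNT = "1234567890123456"  # placeholder, not a real account number


def validate_wg_pubkey(pubkey: str) -> bytes:
    """Reject anything that is not a base64-encoded 32-byte Curve25519 public key.
    Catches a truncated or hand-copied key before it is sent anywhere."""
    try:
        raw = base64.b64decode(pubkey, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"pubkey is not valid base64: {exc}") from None
    if len(raw) != 32:
        raise ValueError(f"pubkey decodes to {len(raw)} bytes, expected 32")
    return raw


def encoded_body(account: str, pubkey: str) -> str:
    """Form body equivalent to curl's -d account=... --data-urlencode pubkey=...
    '+', '/' and '=' in the key become %2B, %2F and %3D, so the server receives
    the key exactly as generated."""
    validate_wg_pubkey(pubkey)
    return urllib.parse.urlencode({"account": account, "pubkey": pubkey})


def build_request(account: str, pubkey: str) -> urllib.request.Request:
    """Prepare (but do not send) the POST the tutorial's curl line performs."""
    return urllib.request.Request(
        MULLVAD_WG_API,
        data=encoded_body(account, pubkey).encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


if __name__ == "__main__":
    req = build_request(SAMPLE_ACCOUNT, SAMPLE_PUBKEY)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To actually register the key: urllib.request.urlopen(req).read()
```

Run it and the printed body shows "pubkey=%2B%2F%2B%2F...%3D" rather than the raw key, which is the encoding the --data-urlencode flag produces; a key pasted with a missing character fails validation with a clear message instead of being registered.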

One more thing I have to ask. Everything is working now with my setup - thanks to this topic. But one little thing is to improve. How can I configure that a client which is using the VPN gateway does not get any connection to the internet if the gateway is down?

August 09, 2020, 08:35:06 AM #44 Last Edit: August 09, 2020, 08:38:21 AM by cyrus104
I would also like to check for anyone with full pictures of the configs minus their key info.

Like the majority of people here I've been running all my traffic or individual VLANs through an OpenVPN server and don't have an issue with it. I've tried to follow the guides listed in the manual and have several issues with things missing or labeled wrong.

The manual below doesn't say anything about the Interfaces section or the Gateways:Single section.
https://wiki.opnsense.org/manual/how-tos/wireguard-client-mullvad.html

For instance, in the NAT Outbound rules you are told to use the Interface: Wireguard... what's the difference between this interface, which exists but I can't see anywhere else, and the actual Interfaces interface with a name that was given like "Mullvad_Wireguard", which also shows up in the list?

I also have the named "Mullvad_Wireguard" interface in Firewall:Rules and the "WireGuard" one; not sure what this means or where it comes from, as I'm looking at having multiple Wireguard connections which will need different rules.

From the manual: "To do this, go to System ‣ Gateways ‣ Single and add a new gateway. Choose the relevant WireGuard interface and set the Gateway to dynamic." In Gateways:Single there is no option to set it as Dynamic... maybe meaning in the actual Interfaces section.

When I ping something like 1.1.1.1, my VLAN gateway responds with a positive ping result. I'm not sure, but I'm guessing that I have a NAT issue.