Wireguard & Mullvad - I'm lost.....

Started by chbmb, November 24, 2019, 04:29:31 PM

Quote from: cyrus104 on August 09, 2020, 08:35:06 AM
[...]

When I ping something like 1.1.1.1, my VLAN gateway responds with a positive ping result. I'm not sure but guessing that I have a NAT issue.

I'm at the same spot - everything on the Wireguard side is working, but I cannot get traffic to route to it via policy routing, and the opnsense gateway responds to pings/etc when I would expect those packets to traverse Wireguard, for example:


$ netstat -nr -f inet
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 ens192
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 ens192


$ ping 8.8.8.8 -c1
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.201 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.201/0.201/0.201/0.000 ms


Have others who ran into this figured out what the issue is? I haven't seen this behavior using similar setups with OpenVPN and the like.
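A quick check for the symptom shown above, added here as an example (it is not code from the thread, from OPNsense or from Mullvad): it parses ping output and reports when the echo reply came from a host other than the one pinged, which is what a firewall answering for 8.8.8.8 looks like. The function name and the sample output are constructed assumptions modelled on the posted output.

```shell
#!/bin/sh
# Added diagnostic: detect echo replies that did not come from the pinged host.
# A reply sourced from the LAN gateway (10.0.0.1 answering for 8.8.8.8 above)
# means the packet was answered locally instead of being forwarded into the tunnel.

# Usage: check_ping_reply DEST "<ping output>"
# Prints "ok", "no reply", or "intercepted by <source>".
check_ping_reply() {
  dest=$1
  output=$2
  # Take the source of the first reply line. Handles both
  # "64 bytes from 10.0.0.1: ..." and "64 bytes from host (10.0.0.1): ...".
  src=$(printf '%s\n' "$output" | awk '/bytes from/ {
    for (i = 4; i <= NF; i++) {
      t = $i; gsub(/[():]/, "", t)
      if ($i ~ /:$/ && t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print t; exit }
    }
  }')
  if [ -z "$src" ]; then
    echo "no reply"
  elif [ "$src" = "$dest" ]; then
    echo "ok"
  else
    echo "intercepted by $src"
  fi
}

# Live wrapper: ping once and classify the reply (ping -c1 works on Linux and FreeBSD).
check_ping_live() {
  check_ping_reply "$1" "$(ping -c1 "$1" 2>&1)"
}

# Constructed sample modelled on the output posted in the thread.
SAMPLE='PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.201 ms'
```

Running `check_ping_live 8.8.8.8` from a client behind the firewall gives a one-line answer to whether the test traffic is leaving the LAN at all, before looking at gateway or rule configuration.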



Quote from: cdine on August 23, 2020, 08:41:58 AM
Quote from: cyrus104 on August 09, 2020, 08:35:06 AM
[...]

When I ping something like 1.1.1.1, my VLAN gateway responds with a positive ping result. I'm not sure but guessing that I have a NAT issue.

I'm at the same spot - everything on the Wireguard side is working, but I cannot get traffic to route to it via policy routing, and the opnsense gateway responds to pings/etc when I would expect those packets to traverse Wireguard, for example:


$ netstat -nr -f inet
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 ens192
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 ens192


$ ping 8.8.8.8 -c1
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.201 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.201/0.201/0.201/0.000 ms


Have others who ran into this figured out what the issue is? I haven't seen this behavior using similar setups with OpenVPN and the like.

You're not alone --  I'm experiencing the same symptoms.  Have yet to find a solution.   

It appears to work fine if you untick 'Disable Routing' at which point all traffic flows through the VPN which isn't what we're trying to accomplish. 


Got it all working with NordVPN, I still need to work through my DNS issues, but once I've nailed that then I'll include some shots.

Big thanks to mimugmail.

This did it for me:
1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.


Quote from: sleepnow75 on September 02, 2020, 03:42:25 PM
Got it all working with NordVPN, I still need to work through my DNS issues, but once I've nailed that then I'll include some shots.

Big thanks to mimugmail.

This did it for me:
1. Create local instance with Mullvad settings, tick "Disable Routes" and under Advanced set Gateway "1.2.3.4"
2. Create endpoint (0.0.0.0, 1.2.3.4)
3. Link endpoint in local instance
4. Assign an Interface to WG, no IP config and lock it
5. Go to System : Gateways : Single, create a gateway, Interface WG, IP address of gateway 1.2.3.4, tick "Far Gateway"
6. Go to Firewall rules and set the stuff you want with gateway of WG.


There is now an easier way:

Assign Interface and tick "Dynamic Gateway", Add Gateway and in IP field type as usual "dynamic".
The Gateway field in Wireguard can be empty.

Quote
There is now an easier way:

Assign Interface and tick "Dynamic Gateway", Add Gateway and in IP field type as usual "dynamic".
The Gateway field in Wireguard can be empty.

Hmm, I started off with that very configuration without much luck. Rules were ignored until I added that gateway IP everywhere.

I'm moving this thread to general discussion since we are closing this 19.7 archive.


Quote
There is now an easier way:

Assign Interface and tick "Dynamic Gateway", Add Gateway and in IP field type as usual "dynamic".
The Gateway field in Wireguard can be empty.

I've been trying to follow all of the alternate ways people are getting this to work but having no luck.

Is the option you are talking about the same as 'Dynamic gateway policy' to tick?

I initially added the gateway in this way and it would never start, it shows up as 'defunct' with no address, even though the wg link is up, so giving it an IP of 1.2.3.4 actually seemed to be progress, the gateway went green and seemed to be okay...although I still couldn't manage to get the routing working  :-[

I have multiple vlans and am trying to get one of those vlans to access the VPN, so should I be updating the rules for that vlan to access the vpn gateway or elsewhere?

Appreciate any help from anyone  :)


September 20, 2020, 02:26:06 PM #54 Last Edit: September 20, 2020, 07:17:09 PM by mannp
Quote from: mimugmail on September 20, 2020, 12:14:10 PM
Screenshots of Rules, Gateways and Local instance

Local instance


September 20, 2020, 02:29:22 PM #56 Last Edit: September 20, 2020, 07:16:08 PM by mannp
Gateway

The vlan internet access rules are currently set to all access and work, but when I disable the all access and push through the azire gw it does not work.

I am trying to only let specific vlans access this gateway :)

Thanks in advance for any pointers as to what I am missing.


September 20, 2020, 05:12:00 PM #59 Last Edit: September 20, 2020, 07:02:11 PM by mannp
Quote from: mimugmail on September 20, 2020, 03:09:41 PM
Packet Capture on the Azire Interface?

Not something I have done or am able to do quickly.

Edit: So I found the option in Opnsense, not seen it before.... any specific options needed apart from selecting azire interface? :)

So I captured for a couple of minutes and wireshark says 'no packet' when I open the cap file...