Wireguard & Mullvad - I'm lost.....

Started by chbmb, November 24, 2019, 04:29:31 PM


Quote from: mimugmail on September 20, 2020, 07:56:30 PM
Please come to IRC tomorrow and Ping me there

Will do, thanks for your time  :)

Quote from: sleepnow75 on September 03, 2020, 02:22:13 AM
Quote
There is now an easier way:

Assign Interface and tick "Dynamic Gateway", Add Gateway and in IP field type as usual "dynamic".
The Gateway field in Wireguard can be empty.

Hmm, I started off with that very configuration without much luck. Rules were ignored until I added that gateway IP everywhere.

Hi @sleepnow75 I have found the same, that just clicking this option and leaving the IP field 'dynamic' doesn't work.

I am expecting the dynamic field to be populated with an IP, like the WAN interface does, but it never happens for me, even though the VPN is up.

Setting the IP for the gateway and vpn config I found I have outbound traffic, but no inbound.

Do you have a pass rule in your firewall for this inbound traffic?

I have set an inbound rule for the vlan I want to go through the vpn, but it doesn't work.

September 29, 2020, 02:19:54 PM #63 Last Edit: September 30, 2020, 11:01:59 AM by Scanline
Hi, and another one who is lost. I tried so much yesterday that I dreamed about it last night  ;D

I have two VLANs (10 and 20). I want VLAN10 ("LAN") to route via my DSL WAN interface ("WAN"), and VLAN20 ("LAN_VPN") via the Mullvad interface ("WG_Mullvad").

I hope anyone could help. What I did was:

1.) Added mullvad wireguard stuff, disabled routes (seems to be working)

2.) Added interface, no IP, lock, Dynamic gateway policy

3.) Under "System: Gateways: Single" my mullvad gateway appeared ("WG_MULLVAD_GW"), but without IP in the list. Enabled "Far Gateway", IP "dynamic"

4.) "Firewall: NAT: Outbound" added NAT rules: interface "WG_MULLVAD", source "LAN_VPN net", NAT Address "WG_MULLVAD address"

5.) Added under "Firewall: Rules: LAN_VPN": any IPv4 Gateway WG_MULLVAD_GW

6.) This is what it looks like when I connect my windows 10 pc with untagged VLAN20. I can ping my router (192.168.20.1) and DNS works as well

restarted wg service, rebooted router multiple times, no luck. Any help is much appreciated!
Mullvad account is active and paid

Thank you so much for everyone who is helping out here.

Update 1:

For testing, I unticked "Disable Routes" in the WireGuard Local settings and disabled "Dynamic gateway policy" in the interface settings, which resulted in LAN being routed through Mullvad. I did not change "Firewall: Rules: LAN"; it should still go through WAN.

What this test showed me is that the wireguard connection is working, and the error must be in the gateway, nat or firewall settings.


Update 2:

When I try to go the "1.2.3.4" route described here: https://forum.opnsense.org/index.php?topic=15105.msg86559#msg86559, I am getting "Cannot add IPv4 Gateway Address because no IPv4 address could be found on the interface." when I  try to add the Gateway under "System: Gateways: Single".
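The setup those six steps describe, written out as a wg-quick style interface config plus the pf rules that the NAT and firewall steps amount to. This is an added example, not Scanline's configuration, Jonny's guide or anything OPNsense generates; it reflects my understanding that the GUI's "Disable Routes" has the same effect as wg-quick's `Table = off` (AllowedIPs stays 0.0.0.0/0 so the peer may carry any destination, but no default route is installed, so only what the firewall steers into the tunnel goes through it). The interface names, keys, tunnel address, next hop (`WG_GW`), WAN interface and endpoint are placeholders; only the 192.168.20.0/24 subnet behind 192.168.20.1 comes from the post. The tagged `block` rule on WAN is not one of the thread's steps: it is there so LAN_VPN traffic can never fall back to the DSL uplink.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): the VLAN20-through-Mullvad
# policy routing expressed as a wg-quick config plus pf rules.
# Every value below except 192.168.20.0/24 is a placeholder (assumption).
set -eu

WG_IF="wg0"                              # GUI interface "WG_MULLVAD"
WG_PRIVKEY="PLACEHOLDER_PRIVATE_KEY="     # assumption: your interface key
WG_ADDR="10.64.0.2/32"                   # assumption: tunnel address from the provider
WG_GW="10.64.0.1"                        # assumption: nominal next hop for route-to
PEER_PUBKEY="PLACEHOLDER_PEER_PUBLIC_KEY="
PEER_ENDPOINT="203.0.113.10:51820"       # documentation address, stands in for the endpoint
VLAN_IF="vlan20"                         # GUI interface "LAN_VPN"
VLAN_NET="192.168.20.0/24"               # the only value taken from the post
WAN_IF="pppoe0"                          # assumption: the DSL WAN interface

# Step 1 of the post: tunnel with routes disabled. "Table = off" stops wg-quick
# from installing a route for AllowedIPs, so 0.0.0.0/0 only says "this peer may
# carry any destination"; nothing enters the tunnel unless pf sends it there.
render_wg_conf() {
  cat <<EOF
[Interface]
PrivateKey = $WG_PRIVKEY
Address = $WG_ADDR
Table = off

[Peer]
PublicKey = $PEER_PUBKEY
Endpoint = $PEER_ENDPOINT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Steps 4 and 5 of the post as pf rules (FreeBSD pf grammar: route-to comes
# before the address family), plus a WAN block rule that is not in the post.
render_pf_rules() {
  cat <<EOF
# Step 4: outbound NAT on the tunnel, LAN_VPN net -> tunnel interface address
nat on $WG_IF inet from $VLAN_NET to any -> ($WG_IF)

# Step 5: LAN_VPN rule with the tunnel as gateway. On a tunnel interface the
# next-hop address is nominal (which is why the GUI wants "Far Gateway").
# The tag marks the state so the rule below can recognise this traffic.
pass in quick on $VLAN_IF route-to ($WG_IF $WG_GW) inet from $VLAN_NET to any keep state tag LAN_VPN

# Kill switch, not part of the post: tagged LAN_VPN packets may never leave on
# WAN. Matching on the tag rather than the source address is deliberate, since
# outbound NAT would rewrite the source before this rule sees the packet.
block out quick on $WAN_IF all tagged LAN_VPN
EOF
}

# With an output directory as the first argument, write both files; with no
# argument the functions are only defined, so the script is safe to source.
if [ -n "${1:-}" ]; then
  render_wg_conf  > "$1/$WG_IF.conf"
  render_pf_rules > "$1/lan_vpn_policy.conf"
fi
```

Loading the pf fragment by hand (`pfctl -nf` to parse, then `-f` to apply) is a way to check the syntax before translating it back into the GUI; on an OPNsense box the GUI regenerates the ruleset, so the fragment is documentation of intent, not something to leave in place.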

Tick Disable routes and in Gateway tick "Far Gateway", this should work.
If yes we can go on :)

September 30, 2020, 09:42:44 AM #65 Last Edit: September 30, 2020, 11:02:13 AM by Scanline
Quote from: mimugmail on September 30, 2020, 09:39:11 AM
Tick Disable routes and in Gateway tick "Far Gateway", this should work.
If yes we can go on :)

Thank you!

Far Gateway and Disable routes were set up like this and it didn't work.

September 30, 2020, 09:49:56 AM #66 Last Edit: September 30, 2020, 10:38:26 AM by Jonny
I made a guide for this for someone on IRC while back.

May not be the best way but it does work. Just do your rules to match your required configuration.

https://imgur.com/gallery/JBf2RF6

September 30, 2020, 09:54:41 AM #67 Last Edit: September 30, 2020, 10:57:17 AM by Scanline
Quote from: Jonny on September 30, 2020, 09:49:56 AM
I made a guide for this for someone on IRC while back.

May not be the best way but it does work. Just do your rules to match your required configuration.

https://imgur.com/gallery/JBf2RF6

Thank you, I will try this and report back!

Edit: Success! Thank you so much for this.



For those of you on Mullvad, I encourage you to test speeds with WireGuard vs. OpenVPN. Their applications (likely including those delivered via their partnership with Mozilla; an assumption on my part) use WireGuard by default. With WG, it's virtually guaranteed that you'll be sharing connectivity with a large number of users connecting to the same endpoint.

My OpenVPN speed is roughly 3x that of WG on Mullvad, despite the overhead, when connecting to endpoints in the same city + hosting provider (e.g. M247) + CIDR.

Quote from: firewall on September 30, 2020, 06:33:08 PM
My OpenVPN speed is roughly 3x that of WG on Mullvad, despite the overhead, when connecting to endpoints in the same city + hosting provider (e.g. M247) + CIDR.

OPNsense's WireGuard is currently using the Go implementation, so it's not kernel-level yet and the performance isn't what it could be.

Hopefully the FreeBSD kernel module will get finished and hit stable some day soon, so it can be incorporated into OPNsense and we get much better WireGuard bandwidth and latency.

Kernel Module Source
https://git.zx2c4.com/wireguard-freebsd/

FWIW, I changed to OpenVPN for other reasons.¹ I hope WireGuard gets proper support one day.

¹ https://github.com/opnsense/core/issues/4389

Hi!

I used the details of this thread to get my WireGuard connection up. At least the first one...

I'm trying to get a second one up and running. What I experienced so far is that I had to change the 0.0.0.0/0 entry as allowed IP. Having this for both endpoints, only the first one will get an IP from the VPN provider.

With changing this to something like
wg0: 10.10.0.0/24
wg1: 10.10.1.0/24
I do have wg connections up, and I do get my two IPs for every wg connection, but the defined gateways are marked as 'offline'.

Why is it that changing the allowed IPs per endpoint:
wg0: 0.0.0.0/0, 1.2.3.4 -> 10.10.0.0/24, 1.2.3.4
wg1: 0.0.0.0/0, 1.2.4.5 -> 10.10.1.0/24, 1.2.4.5
results in offline gateways?

The wg0-gateway is still 1.2.3.4!?
The wg1-gateway is still 1.2.4.5!?

Every hint is deeply appreciated.

Kind regards,

Thomas