Wireguard with Mullvad VPN

[Greelan]

OK.

As a starting point you should scrap everything you have done

Then follow this tutorial: https://forum.opnsense.org/index.php?topic=21205.0

Two additions to that:

- This guide (https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html) tells you in section 1 how to upload your locally generated public key to Mullvad and get the Mullvad endpoint info. It is the same command as in the script I linked in an earlier post

- To allow specific devices to not use the tunnel, I suggest you define another Alias for the IPs of those devices, and then in your LAN firewall rules you would include a rule for that Alias, but rather than using the WG gateway it would use the default. Then put this above the firewall rule created as per the tutorial (note that in your case, the Alias create for the relevant VPN hosts as per the tutorial would be the entire LAN net, with the new Alias and rule created as per this dot point becoming the exception to that)

For completeness, there is possibly a simpler means of implementing what you want, but I can’t guarantee that it would work. This would involve setting things up as per the OPNsense docs guide above (the one for Mullvad) so that the default is that everything uses the tunnel. Then create firewall and outbound NAT rules for the devices that you want to use the normal WAN gateway. So sort of the reverse of the first setup I describe above. I can’t guarantee that this will work, because it is not something I have tried and I am not sure that just the firewall and outbound NAT rules will override the new default routing of everything using the tunnel