Wireguard with Mullvad VPN

[ooompa]

For the past few days I have struggled to complete the setup and finally got to the point where I am connected to server I am supposed to, but something isn't right.

1. Per Mullvad's website I am leaking DNS. Under "Leaking DNS servers", it shows both Mullvad's DNS and 1 or 2 of my local IP's DNS addresses.
2. There is constant packet loss (3-10%) displayed in the gateway table in the dashboard menu
3. Some websites, including all of Google, don't load.

Thanks for help.

[Greelan]

Not sure how you have configured your setup, but this may help: https://forum.opnsense.org/index.php?topic=21205.msg99309#msg99309

[ooompa]

I tried to set it up using auto-populated public and private keys and it didn't work for some reason. Then I used Mullvad's public and private key pair and it worked. I mean as-is, with DNS not working right.

I will go through your guide and try to set it up like you. And report back.

Thanks!

[Greelan]

I've never used Mullvad myself but based on their Linux script ( https://mullvad.net/media/files/mullvad-wg.sh ) there is an API for uploading your public key and getting the endpoint info. Alternatively they may also have a web interface for managing keys on your account

[ooompa]

I am still failing :(

Yes, I have used their pair of keys, not the OPNsense's own generated keys (there was no connection whatsoever then).

Should I post the screenshots of my setup for discussion?

[lfirewall1243]

I tried to set it up using auto-populated public and private keys and it didn't work for some reason. Then I used Mullvad's public and private key pair and it worked. I mean as-is, with DNS not working right.

I will go through your guide and try to set it up like you. And report back.

Thanks!

I don't think your DNS leak is a Key problem.
When the keys are okay - the connection is up
If not it's down.

I think you are routing stuff wrong (not over the vpn).

Please show your fw rules, and gateway config

And a network plan please :)

[ooompa]

Yeah, I keep trying different guides to fix it and now the connection is down altogether. I bet the config is messed up somewhere. I am very new to this and it looks like about 8 screens have to be set just right to make it work.

I am getting my internet through DSL modem, which is bridged to a thin client running OPNsense and it handles the PPPOE login. Then it goes to a managed switch and to an AP.

Hopefully these are all you will need. I am not worried about my keys as I will change them once this is running.

[lfirewall1243]

Does the Wireguard key exchange work (connection up)?

[ooompa]

Not sure if that proves it, but there is a key under the handshakes tab.

wg0   01KgzQY+pT7Q+GPUa1ijj0YgdN5owMaK9ViRZO4dIWo=   1613767992

Gateway is offline and shows 100% packet loss.

[Greelan]

Those firewall/NAT rules look a bit confused to me. Explain what networks you have locally and what you are trying to achieve with them over WG

I also still think the setup is odd in terms of having the same keys locally and on the endpoint

[ooompa]

For testing purposes and when I have to use WAN connection, I have some of my devices with separate rules to bypass the VPN.

Then everything else goes to VPN.

Not sure if it's set up right. Feel free to criticize :)

[Greelan]

That still doesn't tell me what local networks you have

[ooompa]

Just 1 network, LAN. 192.168.10.x

[Greelan]

And you want to send all external traffic from that LAN network down the tunnel, or only from some hosts in that network?

[ooompa]

All traffic, except for Roku. I also want to be able to quickly disable VPN on particular device.