Topic: Policy based routing w/Mullvad Wireguard - Help needed (Read 1884 times)
M_TheRedHead (Newbie, Posts: 4, Karma: 0)
Policy based routing w/Mullvad Wireguard - Help needed
on: April 04, 2023, 12:20:51 am
Question originally posted on
https://www.reddit.com/r/opnsense/comments/128z2l5policy_based_routing_wmullvad_wireguard_help/
I received some good responses, but wasn’t able to get the issue resolved. I thought I would try here as well. I also completely deleted the configuration after my first post and started over so the images/IP addresses, etc have changed.
Hello All,
My goal is to route all traffic from a vlan to Mullvad.
I am trying to implement policy based routing for a wireguard tunnel as described in
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
I have the configuration complete and it isn't working as expected. I have been re-reading and everything looks right to me, but I am sure I am missing some simple change.
Images of all steps from the configuration guide are documented here
https://imgur.com/a/5WnZpMB
Environment:
• Opnsense 23.1.5
• Intel N5105 embedded PC from Aliexpress w/ i226 nics
• vlan4 is 192.168.105.0/24 which is the subnet I would like to route for only VPN traffic on eth1.
I followed the instructions here:
https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.htm
to get the keys, my IP (10.66.158.124), etc. On the dashboard, I see handshakes happening, monitoring across the link is working, so I am assuming the tunnel is ok.
Issue: From the VLAN, I am unable to ping or connect to anything on the internet via the VPN subnet. Access to local networks works fine if I open rules for them. This is my first attempt at policy based routing and something seems to be missing.
Any thoughts or suggestions on how to debug?
Last Edit: April 04, 2023, 02:22:32 am by M_TheRedHead
nzkiwi68 (Full Member, Posts: 182, Karma: 20)
Re: Policy based routing w/Mullvad Wireguard - Help needed
Reply #1 on: April 04, 2023, 09:38:07 pm
Some ideas....
ONE
Try using automatic routing.
Turn off disable routes and turn off the gateway in WG you have set, both in WG "Local Configuration" advanced settings - here you have disabled automatic routes and you have manually specified a gateway.
TWO
If you can't do that because it causes other issues, then turn back on disable routes but still don't put in WG "Local Configuration" advanced setting a gateway, but, as per your screenshots, make your own gateway and then routes.
THREE
I see in your screenshots lots of good configs, but, after making gateways etc with WG "Local Configuration" - "Disable Routes" selected - YOU have to make a route in
System > Routes > Configuration
Remote network y.y.y.y/y is reached via gateway x.x.x.x (that you manually made)
FOUR
Make sure you add the wireguard interface in interfaces, you don't need to set any settings at all in the interface other than it being there, but I found I needed the interface.
Last Edit: April 04, 2023, 09:47:28 pm by nzkiwi68
allebone (Sr. Member, Posts: 400, Karma: 34)
Re: Policy based routing w/Mullvad Wireguard - Help needed
Reply #2 on: April 04, 2023, 10:23:59 pm
Main thing is create a new local config for wireguard - MUST have routes disabled.
Then an endpoint must be created, and must successfully connect. 0.0.0.0/0 must be pushed across that.
Then a new WG interface must be created (virtual interface must exist) and create a single gateway with higher priority (so default traffic won't use it).
With this you now need very little to complete -
Aliases - the pc's or whatever you want to use the tunnel,
At least 1 firewall rule - that must match traffic before any other rules and have the new WG gateway set.
(eg: source could be your pc's in the alias you want to use the tunnel and destination any).
You don't need outbound NAT or any floating rules or static routes if you configure it in this simple way.
Pete
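A small model of the rule-and-route evaluation behind allebone's and nzkiwi68's advice, added here as an example and not code from the thread or from OPNsense: it shows why the policy rule must carry the WG gateway and sit before any generic pass rule, and what happens to every interface when "Disable Routes" is left unchecked. The gateway names, the 203.0.113.5 destination and the /1 route behaviour of FreeBSD wg-quick are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """One OPNsense-style firewall rule; rules are 'quick', so the first match wins."""
    iface: str              # interface the packet enters on, e.g. "vlan4"
    src: str                # source network to match
    dst: str                # destination network to match
    gateway: Optional[str]  # policy gateway; None = leave it to the system routing table

def lookup_route(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over (network, gateway) pairs, like the kernel table."""
    ip, best = ipaddress.ip_address(dst), None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None

def select_gateway(rules: List[Rule], routes, iface: str, src: str, dst: str) -> Optional[str]:
    """The first matching rule decides: with a gateway set it policy-routes the packet;
    a plain pass rule ends evaluation and the routing table picks the exit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface == iface and s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.gateway if r.gateway else lookup_route(routes, dst)
    return lookup_route(routes, dst)

# Constructed scenario after the thread: vlan4 is 192.168.105.0/24 (from the post);
# "WAN_GW" and "WG_GW" are placeholder gateway names, not real addresses.
VLAN4 = "192.168.105.0/24"
# "Disable Routes" checked: the tunnel installs nothing, only the WAN default remains.
ROUTES_DISABLE_ROUTES_ON = [("0.0.0.0/0", "WAN_GW")]
# "Disable Routes" unchecked with AllowedIPs 0.0.0.0/0: FreeBSD wg-quick installs the two /1
# routes, which beat the /0 default, so every host on every interface exits via the tunnel.
ROUTES_DISABLE_ROUTES_OFF = [("0.0.0.0/0", "WAN_GW"),
                             ("0.0.0.0/1", "WG_GW"), ("128.0.0.0/1", "WG_GW")]

GOOD_RULES = [Rule("vlan4", VLAN4, "0.0.0.0/0", "WG_GW")]   # policy rule first, gateway set
LEAKY_RULES = [Rule("vlan4", VLAN4, "0.0.0.0/0", None),      # generic "pass any" placed first...
               Rule("vlan4", VLAN4, "0.0.0.0/0", "WG_GW")]  # ...so the policy rule is never reached
```

With GOOD_RULES only vlan4 hosts leave through WG_GW; with LEAKY_RULES the same hosts fall through to the WAN default, which is the silent failure the ordering advice above prevents.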
M_TheRedHead (Newbie, Posts: 4, Karma: 0)
Re: Policy based routing w/Mullvad Wireguard - Help needed
Reply #3 on: April 05, 2023, 03:08:29 pm
Sorry, I didn't have time to respond to the responses yesterday - work was rather busy.
Well, the oddest thing happened and this bothers me more than the main issue. The day I posted, routing was not working and I just went to bed after being frustrated with getting this working for the weekend.
Today, I decided to capture some packets from the client as well as the router and see if I could figure out which step was failing. Oddly, it is routing perfectly today.
I ended up cloning my VPN configs with another endpoint and that one works as well. I added both to a gateway group and traffic flows out both.
I can't for the life of me figure out how things started working with no additional changes.
Last Edit: April 05, 2023, 03:41:56 pm by M_TheRedHead
M_TheRedHead (Newbie, Posts: 4, Karma: 0)
Re: Policy based routing w/Mullvad Wireguard - Help needed
Reply #4 on: April 05, 2023, 05:04:38 pm
I am also very curious how other people create their WG gateways.
I was watching a pfSense load balancer video, and they created a gateway with the same IP address as the local endpoint of the wireguard connection. If I try to set the gateway as the local IP address in the endpoint page, I get an error.
Any examples?
zan (Full Member, Posts: 175, Karma: 31)
Re: Policy based routing w/Mullvad Wireguard - Help needed
Reply #5 on: April 06, 2023, 04:13:36 am
Is your VPN end tunnel known? If not try dynamic gateway policy.
M_TheRedHead (Newbie, Posts: 4, Karma: 0)
Re: Policy based routing w/Mullvad Wireguard - Help needed
Reply #6 on: April 07, 2023, 07:59:37 pm
Hello All, After much help from many in this thread and on Reddit, I was able to get this working and in a much simplified way compared to the opnsense guide. Here are the changes:
Step 2: Do not specify the gateway
Step 4: Check the 'Dynamic gateway policy' box
Step 6: Skip altogether
Step 9: Skip altogether
Here are the updated images:
https://imgur.com/a/gxsjjge