How to get a second wireguard tunnel working?

Started by hushcoden, September 08, 2023, 10:48:40 AM

I see... it's a shame I can't make two tunnels work: with one, it's all good, with two, I see packet loss often and devices disconnect every now and then...

September 09, 2023, 07:02:49 PM #16 Last Edit: September 09, 2023, 07:59:04 PM by hushcoden
Quote from: Maurice on September 09, 2023, 05:32:38 PM
The monitor IP must be routed through the tunnel, the endpoint IP mustn't. The tunnel can't be routed through itself.
According to the OPNsense guide, for the monitor IP -> "Insert the endpoint VPN tunnel IP (NOT the public IP) of your VPN provider - see note below". BUT for me it doesn't work, the tunnel shows offline, even if I leave it blank. Why??

And if I use 10.2.01 (DNS address), the gateway immediately shows online!

And, do I have to set the DNS for each gateway as per this guide: https://docs.opnsense.org/manual/how-tos/multiwan.html

Who is your VPN Provider? If both tunnels use the same ip config, which I see often with WG, you can not have more than one tunnel to that provider.

Quote from: Bob.Dig on September 09, 2023, 08:15:13 PM
Who is your VPN Provider? If both tunnels use the same ip config, which I see often with WG, you can not have more than one tunnel to that provider.
ProtonVPN

As far as I know, they do it like that, all tunnels use the same IP and gateway.

The gateway IP address is meaningless. WireGuard creates a point-to-point link. You throw packets in the tunnel and they show up at the other end. There's no ARP or NDP involved. The only reason you need to specify a gateway IP is that OPNsense requires one for some features. (You can create "gateways" without an IP address by enabling "Dynamic gateway policy" in the interface settings, but this has its limitations when it comes to monitoring, default route creation, failover groups etc.)

Quote from: Maurice on September 09, 2023, 12:44:13 AM
Make sure not to use the same monitor IP for both. Ping distinct public addresses instead, like 1.1.1.1 and 1.0.0.1. Using unique gateway IP addresses might be required, too (they're arbitrary anyway). Last, you can remove the /28 from the tunnel addresses to avoid having two interfaces with the same subnet (might not be strictly required though).

Have you tried all of this?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
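Added example (not code from the thread or from OPNsense): a small Python check for the rules discussed above, that the monitor IP must be routed through the tunnel while the endpoint must not, and that two tunnels should not share a tunnel address, monitor IP or gateway IP. The two provider-style configs and the second endpoint 203.0.113.10 are constructed; the OPNsense gateway settings are passed in as plain dicts.

```python
import ipaddress

# Two provider-style WireGuard client configs, constructed for this example.
# Both share one Address like the Proton exports in the thread; 203.0.113.10 is a constructed endpoint.
CFG_A = """[Interface]
PrivateKey = ******
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = ******
AllowedIPs = 0.0.0.0/0
Endpoint = 146.70.83.66:51820
"""
CFG_B = CFG_A.replace("146.70.83.66", "203.0.113.10")

def parse_wg(text):
    """Minimal INI parser for a WireGuard config; '#' lines are comments."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            sections[cur][key.strip()] = val.strip()
    return sections

def check_pair(cfg_a, cfg_b, gw_a, gw_b):
    """gw_* are the OPNsense gateway settings {"gateway": ip, "monitor": ip}.
    Returns the list of conflicts found; an empty list means the pair looks OK."""
    problems, tunnels = [], [("A", parse_wg(cfg_a), gw_a), ("B", parse_wg(cfg_b), gw_b)]
    for name, wg, gw in tunnels:
        endpoint_host = wg["Peer"]["Endpoint"].rsplit(":", 1)[0].strip("[]")
        allowed = [ipaddress.ip_network(n.strip()) for n in wg["Peer"]["AllowedIPs"].split(",")]
        mon = ipaddress.ip_address(gw["monitor"])
        if str(mon) == endpoint_host:   # tunnel would have to route through itself
            problems.append(f"{name}: monitor IP equals the peer endpoint")
        if not any(mon in net for net in allowed):  # not routed through the tunnel
            problems.append(f"{name}: monitor IP {mon} is outside AllowedIPs")
    addrs = [ipaddress.ip_interface(wg["Interface"]["Address"]).ip for _, wg, _ in tunnels]
    if addrs[0] == addrs[1]:
        problems.append("both tunnels use the same tunnel address")
    if gw_a["monitor"] == gw_b["monitor"]:
        problems.append("both gateways use the same monitor IP")
    if gw_a["gateway"] == gw_b["gateway"]:
        problems.append("both gateways use the same gateway IP")
    return problems
```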

Quote from: Maurice on September 10, 2023, 06:00:18 PM
Have you tried all of this?
Yep, and with 1 tunnel it works flawlessly; most likely ProtonVPN 'messes up' things with more than 1 connection.

I will try Mullvad with two tunnels and see how it goes.

September 10, 2023, 06:44:20 PM #22 Last Edit: September 10, 2023, 06:46:26 PM by Bob.Dig
Quote from: Maurice on September 10, 2023, 06:00:18 PM
Have you tried all of this?
You are not free to choose the config you like; you have to use the IP and subnet the privacy VPN provider gives you. And if they are the same for every tunnel, then you can only have one. If you try to trick it, the tunnel will show problems like those described here.

You need Virtual routing and forwarding (VRF) to get around this.

You have to use the tunnel address provided by the VPN provider, correct. But the prefix length and gateway address don't matter. These are only used locally by OPNsense.

September 10, 2023, 07:05:58 PM #24 Last Edit: September 10, 2023, 07:09:12 PM by Bob.Dig
Quote from: Maurice on September 10, 2023, 07:00:08 PM
You have to use the tunnel address provided by the VPN provider, correct. But the prefix length and gateway address don't matter. These are only used locally by OPNsense.
Even so, you cannot have the same tunnel address twice; it will not work. Also, the IP address is the gateway address if I remember correctly; there is no way around this on *Sense at one point or another.

September 10, 2023, 10:16:26 PM #25 Last Edit: September 10, 2023, 10:22:57 PM by Maurice
Okay, I've tried this real quick (using one of those dubious "free VPN" providers).

It works just fine. No packet loss. Gateway monitoring works. Failover works. I just don't see the issue.

config.xml is attached. Feel free to throw it on a VM and have a look. Easier than lengthy explanations.

Cheers
Maurice

September 10, 2023, 10:36:54 PM #26 Last Edit: September 10, 2023, 10:38:28 PM by Bob.Dig
For me, this provider already generates different addresses per tunnel by itself, so it is not comparable. Fact is, twice the same address does not work with *Sense and there are unfortunately enough providers who do it just so.

The screenshots clearly show two different tunnel addresses (10.2.0.5 and 10.2.0.7). Yes, we've established by now that identical tunnel addresses might make this more complicated (not impossible). But there is nothing in this entire thread indicating identical tunnel addresses.

Yes, I did try with those two different IP addresses for the tunnels, but then I reverted back to 10.2.0.2/32 for the single tunnel configuration, and that's when the connection became stable with no packet loss.

Looking at the Proton portal, all the config files for different servers I've inspected had one thing in common, i.e. the address 10.2.0.2/32 and DNS:
[Interface]
# Bouncing = 10
# NetShield = 2
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = ******
Address = 10.2.0.3/32
DNS = 10.2.0.1

[Peer]
# UK#53
PublicKey = ******
AllowedIPs = 0.0.0.0/0
Endpoint = 146.70.83.66:51820
So, indeed, I did use those two addresses arbitrarily  :P

Quote from: hushcoden on September 10, 2023, 11:52:57 PM
So, indeed, I did use those two addresses arbitrarily  :P

It would have saved us all a lot of time if you had said that. How are random tunnel addresses supposed to work? And how did you come up with /28? 🙄

Never mind. Trying to help is impossible this way. I'm out.