[Solved] Wireguard - Mullvad setup cannot be completed anymore

Started by newsense, October 12, 2023, 04:05:23 PM

You're right - appears to be just fine without the VIPs. Rebooted twice to make sure it wasn't a fluke and it comes up as expected on both GWs

Good. So instead of going through hoops for automatic NAT set WireGuard straight, assign interface for gateway, add NAT outbound and done?

It shouldn't be more work?


Cheers,
Franco

Hello everyone....

I was wondering if someone could give me a hand with this.

I have tried for days to get this to work with the latest version 23.7.9 and for the life of me I can not get it working.

Does anyone have a step by step guide?

Thanks and much appreciate any help I can get.
Dean

Quote from: dolivas27 on November 28, 2023, 09:05:30 AM
Hello everyone....

I was wondering if someone could give me a hand with this.

I have tried for days to get this to work with the latest version 23.7.9 and for the life of me I can not get it working.

Does anyone have a step by step guide?

Thanks and much appreciate any help I can get.
Dean

Did you happen to find something?

Nope, and no replies, so I fired up a pfSense and it worked right the first time.

Maybe another time I will give OPNsense another try but right now things need to be fixed. 

Could someone please write a guide? I cannot get it to work either...

Christian McDonald has YouTube videos on this.

I can set up a connection from scratch in less than 15 minutes.

https://www.youtube.com/watch?v=wYe7FzZ_0X8

Mullvad's website even has directions.

Quote from: DEC670airp414user on December 04, 2023, 06:29:48 PM
Christian McDonald has YouTube videos on this.

I can set up a connection from scratch in less than 15 minutes.

https://www.youtube.com/watch?v=wYe7FzZ_0X8

Mullvad's website even has directions.

Yep, he sure does, and it's on pfSense, and yep, I had it running in 5 minutes..... SMH

I'm close enough with this.

I already have pfSense WireGuard to PCs/Android and OPNsense WireGuard to PCs/Android, and I also happen to understand a little bit more of WireGuard (peers, instances, ports, NAT, rules needed for this) with this test. I will try to connect to OPNsense this weekend and I'll let you guys know the end of this history.

December 10, 2023, 04:53:10 PM #24 Last Edit: December 10, 2023, 07:19:17 PM by DEC670airp414user
Maybe someone having the issue can try this.

When creating the interface, leave IPv4 and IPv6 as none.

At the bottom, check Dynamic gateway policy.

When doing policy routing, it will create a gateway to monitor and choose for outbound NAT.

This is probably why I never had the issue, as I figured out a version back or so that it created the gateway unexpectedly.

I can't test this with Mullvad as I do not have an account, but this works with 2 other "providers".


I did not do it when I was able to connect from another location to my home.

However, when I came back to my home I was not able to browse over the internet, so I deleted every rule I made (the weird thing is that I was able to connect to WireGuard from another location and ping the local network).

When I tried to set up WireGuard again it just didn't work, so I'll be trying again these days. However, I was able to connect to WireGuard from another location without a problem before, so there is some kind of success in it.

This might be off topic. However, I want to share my experience. After numerous attempts and endless searches for solutions, I caved in and reluctantly decided to give pfSense a try. I got everything to work using this guide: https://blog.networkprofile.org/mullvad-vpn-with-wireguard-in-pfsense-setup-guide/

So I have wireguard working after a few days.

The weird thing is that if you set it up wrongly (I know I did in some tests), your WireGuard is probably stuck if you messed with it.

Mine was stuck at "ROUTING: not a valid interface gateway address opnsense" even after uninstalling and installing the plugin.

So I reverted to defaults and set it up from the start; now it's working fine.

EDIT: I didn't apply any of the recommended settings from YouTube and posts saying that you need to change NAT, aliases, etc. I just did what was needed per se. Just start with the settings from the instance, then the peers, and last enable WireGuard.

Screenshots:
https://drive.google.com/drive/folders/1b40jr_BoD7ReOldYwtO1kWXb19YbKleP?usp=sharing

TLDR:
Tunnel Address 192.168.105.0/24, and then from this subnet I assigned each peer, i.e. personal peer1: allowed IP 192.168.105.1/32, and in their config I just use the same IP.

Allow traffic on port 51820 on WAN and allow all traffic from WireGuard to any network.

Config example after the default one (interface privatekey):

.....
Address = 192.168.105.1/32
DNS = 172.16.100.1, 1.1.1.1, 1.0.0.1  # 172.16.100.1 is the local DNS IP

[Peer]
PublicKey = publickeyfrominstance
AllowedIPs = 172.16.100.0/24  # subnet of the network I want to access (/24)
Endpoint = myddns.com:51820  # public domain or DDNS name, port 51820


Best Regards.
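
A check of the client settings from the TLDR above against the instance side, as an added example that is not part of the original post: it verifies that the client Address is the /32 assigned as the peer's allowed IP inside the tunnel subnet, that AllowedIPs stays limited to the LAN rather than routing everything, and that the Endpoint port matches the WAN rule. The function names and the key placeholders are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the client config from the post, keys replaced by placeholders.
CLIENT_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 192.168.105.1/32
DNS = 172.16.100.1, 1.1.1.1, 1.0.0.1   # first entry is the local DNS IP

[Peer]
PublicKey = <instance-public-key-placeholder>
AllowedIPs = 172.16.100.0/24           # LAN subnet reachable through the tunnel
Endpoint = myddns.com:51820
"""

def parse_wg(text):
    """Parse wg-quick style text into a list of (section, {key: value}) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)        # split once: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def check_client(text, tunnel_net, server_allowed_ip, wan_port):
    """Return findings; an empty list means the client matches the instance side."""
    findings, tunnel = [], ipaddress.ip_network(tunnel_net)
    parsed = parse_wg(text)                        # assumes one [Interface] with Address
    iface = next(kv for name, kv in parsed if name == "interface")
    addr = ipaddress.ip_interface(iface["address"].split(",")[0].strip())
    if addr.network.prefixlen != 32 or addr.ip not in tunnel:
        findings.append(f"Address {addr} is not a /32 inside {tunnel}")
    if addr.ip != ipaddress.ip_interface(server_allowed_ip).ip:
        findings.append(f"Address {addr.ip} is not the peer's allowed IP {server_allowed_ip}")
    for peer in (kv for name, kv in parsed if name == "peer"):
        cidrs = [c.strip() for c in peer.get("allowedips", "").split(",") if c.strip()]
        for net in (ipaddress.ip_network(c, strict=False) for c in cidrs):
            if net.prefixlen == 0:                 # 0.0.0.0/0 or ::/0 means full tunnel
                findings.append(f"AllowedIPs {net} sends all traffic through the tunnel")
        port = peer.get("endpoint", "").rsplit(":", 1)[-1]
        if port != str(wan_port):
            findings.append(f"Endpoint port {port} does not match WAN rule port {wan_port}")
    return findings
```
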

Well, I do not want my entire network to go over a VPN "provider"; that is why I would never use the default setup.
Creating an alias and the gateway setup I posted a few posts above will allow policy-based routing properly to select devices, aka alias.

Quote from: franco on October 19, 2023, 08:27:05 PM
Good. So instead of going through hoops for automatic NAT set WireGuard straight, assign interface for gateway, add NAT outbound and done?

It shouldn't be more work?


Cheers,
Franco

I can confirm that removing the static IPv4 config from tunnel interfaces "just works". VIPs also aren't needed.

However, with tunnel interfaces not being statically configured, I cannot use them as Outgoing Network Interface for Unbound DNS anymore. Using VIPs didn't do the trick. The Web GUI docs for valid outgoing interfaces state:

Quote: Utilize different network interfaces that Unbound will use to send queries to authoritative servers and receive their replies. By default all interfaces are used. Note that setting explicit outgoing interfaces only works when they are statically configured.

Does that mean this option is incompatible with tunnel interfaces going forward? Is that an issue I should raise on GitHub?