[WireGuard] Mullvad Selective Routing guide for dummies

[colourcode]

Additional information and inspiration:
schnerring.net
OPNsense Docs


0. About

Tested with 24.1.1

Consolidated the available information for us who get cross eyed by walls of text. Don't expect to learn why it's working here.

The bare minimum needed to get it up and running on a "clean" OPNsense.

Hopefully, it can be of help to someone and lets hope I never have to do BBcode formatting ever again 🤦


1. Install WireGuard

Code Select Expand

Navigate to: System > Firmware > Plugin- Install WireGuard

NOTE: Not required on newer versions


2. Download Mullvad config - I'll call it .conf

1. Login mullvad.net & go to wireguard-config
2. Generate Key
3. Scroll down and select server
4. Select IPv4
5. Select Only IPv4
6. Configure Content Blocking
  - Irrelevant here, changes the DNS server provided in .conf
7. Download .conf

Additional Mullvad info

These can be used as monitoring IP for gateway(s):
- Mullvad - How to set up ad-blocking in our app
  - 100.64.0.1 for Ad-blocking
  - 100.64.0.2 for Tracker-blocking
  - 100.64.0.3 for Ad- + Tracker-blocking.

- Mullvad - Adding another layer: malware DNS blocking
  - 100.64.0.4 Malware blocking only
  - 100.64.0.5 Ad and malware blocking, no tracker blocking
  - 100.64.0.6 Tracker and malware blocking, no ad blocking
  - 100.64.0.7 Ad, tracker and malware blocking ("everything")


3. WireGuard Configuration

3.1 WireGuard INSTANCE - [interface] in .conf

Code Select Expand

Navigate to: VPN > WireGuard > Settings > Instances
Fields not mentioned = BLANK / Default

- ADD

Code Select Expand

| Field           | Value                         |
| --------------- | ----------------------------- |
| Name            | Instance Name                 |
| Pub Key         | From Mullvad .conf creation*  |
| Priv Key        | Value of "PrivateKey" in .conf|
| Port            | 51820                         |
| Tunnel Address  | Value of "Address" in .conf   |
| Disable Routes  | CHECKED                       |
| Gateway         | Tunnel_Address (-1)**         |


* You cannot view this attachment.

** See note: OPnsense Docs - wireguard-selective-routing

- SAVE but don't apply

3.2 WireGuard PEER - [peer] in .conf

Code Select Expand

Navigate to: VPN > WireGuard > Settings > Peers
- ADD

Code Select Expand

| Field               | Value                        |
| ------------------- | ---------------------------- |
| Name                | Peer Name                    |
| Pub Key             | Value of "PublicKey" in .conf|
| Allowed IPs         | 0.0.0.0/0                    |
| Endpoint Address    | Value of "Endpoint" in .conf |
| Endpoint Port       | 51820                        |
| Instance            | The one you set up earlier   |
| Keepalive internal  | 25                           |

- SAVE
- APPLY

Code Select Expand

Navigate to: VPN > WireGuard > Settings > General- Enable WireGuard
- Verify tunnel is UP in VPN > WireGuard > Diagnostics


4.  Add an interface

Code Select Expand

Navigate to: Interfaces > Assignments > Assign
 a new interface
- Expand list and select the WireGuard interface
- Device wg1
  - ADD
  - SAVE (above)

- Click on the new interface (above)
  - Enable Interface: CHECKED
  - SAVE


5. Add a gateway

Code Select Expand

Navigate to: System > Gateways > Configuration
- ADD

Code Select Expand

| Field                           | Value                                            |
| ------------------------------- | -------------------------------------------------|
| Name                            | GW name                                          |
| Interface                       | wg1                                              |
| Address Family                  | IPv4                                             |
| IP Address                      | Value of "Address"(-1) in .conf*            |
| Far Gateway                     | CHECKED                                          |
| Disable Gateway Monitoring      | UNCHECKED                                        |
| Monitor IP                      | 10.64.0.1 (An internal Mullvad DNS)              |

* If .conf address is xx.xx.xx.10/32 you can use xx.xx.xx.9 - i.e. remove the subnet mask and subtract one from the last segment.

-  SAVE
-  APPLY


6. Firewall configuration
This configuration is as barebones as they come, modify it to your liking

Code Select Expand

Navigate to: Firewall > Aliases
- ADD

Code Select Expand

| Field             | Value                                          |
| ----------------- | ---------------------------------------------- |
| Name              | [selected hosts] - any name you want           |
| Type              | Host(s)                                        |
| Content           | Add the IP of each device to Selectively Route |

- SAVE
- APPLY

6.1 FIRST rule: Route [selected hosts] traffic through the tunnel

Code Select Expand

Navigate to: Firewall > Rules > Floating
- ADD

Code Select Expand

| Field                | Value                         |
| -------------------- | ------------------------------|
| Action               | Pass                          |
| Quick                | CHECKED                       |
| Interface            | Interface(s) where your [selected hosts] live
| Direction            | In                            |
| TCP/IP Version       | IPv4                          |
| Protocol             | Any                           |
| Source               | [selected hosts]              |
| Destination          | Any                           |
| Gateway              | WG Gateway                    |
|              Show Advanced Features                  |
| SET local tag        | NO_WAN_EGRESS                 |

- SAVE

6.2 SECOND rule: Kill switch
May not be needed depending on your configuration, better safe than sorry?

- OPNsense Docs: Kill Switch

6.3 THIRD rule: Route DNS traffic for [selected hosts]
This rule is optional,use for troubleshooting or with port forwards.

- ADD

Code Select Expand

| Field               | Value                         |
| --------------------| ------------------------------|
| Action              | Pass                          |
| Quick               | CHECKED                       |
| Interface           | Interface(s) where your [selected hosts] live
| Direction           | In                            |
| TCP/IP Version      | IPv4                          |
| Protocol            | TCP/UDP                       |
| Source              | [selected hosts]              |
| Destination         | Mullvad DNS server, 100.64.0.7| (Listed at the beginning)
| Dst Port Range      | DNS                           |
| Gateway             | WG Gateway                   |

- SAVE

6.4 NAT Rule: NAT WireGuard for [selected hosts]

Code Select Expand

Navigate to: Firewall > NAT > Outbound
- Change mode to Hybrid outbound NAT rule generation

- ADD

Code Select Expand

| Field                   | Value                                          |
| ------------------------| ---------------------------------------------- |
| Interface               | WG interface                                  |
| TCP/IP Version          | IPv4                                          |
| Protocol                | Any                                            |
| Source                  | [selected hosts]                              |
| Src Port                | Any                                            |
| Destination             | Any                                            |
| Dst Port                | Any                                            |
| Translation / Target    | Interface Address                              |

- SAVE
- APPLY to save all the firewall rules


7. Verify it's working as intended

- Add a device IP to the [selected hosts] Alias
- Use Mullvad Check
  - All three should be green

- API, Powershell

Code Select Expand

(curl https://am.i.mullvad.net/json).Content | ConvertFrom-Json

[glow=cyan,2,300]Thanks for reading![/glow]
Please educate me where there are misstakes!

[pete.magnusson]

Just a awesome amazing guide!
Works like a charm!
I just got one question if you dont mind.
Following these steps i get it working so i get my traffic over Mullvad and can access my "LAN" devices ( as per my Interface i selected in 6.1 ) but i am not able to connect to any of my "IOT" devices in a different vlan.
Do you have any recommendation for this?
Cheers

[maldito]

Awesome guide. I was 0-3 with the OPNSENSE docs guide. Finally got my selective routing going with your guide thought, thank you very much.

[Magician1981]

Greetings,

Any additional steps I need to take when using a vlan tag (interface) as the gateway since my ISP uses that for internet traffic over the fiber connection. When I add the mullvad gateway it stays red with 100% loss even after selecting it as the upstream gateway.

Thank you

Update:

When I use the same ip in the monitor ip section as the ip adress things light up green but the mullvad check does not pass. Tried different dns ip's to no avail.

[hushcoden]

If I understood properly, there is no need of rules within the actual Wireguard/VPN interface, but only in the interface where the hosts live, is that correct?

Tia.

[OCT0PUSCRIME]

Can I ask why your routing rule is different than the one in the OPNsense docs? They have a floating rule, direction out.

[colourcode]

Can I ask why your routing rule is different than the one in the OPNsense docs? They have a floating rule, direction out.

This guide is using the "Step 8 - Create a Firewall rule" rule: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-8-create-a-firewall-rule

I don't have my opnsense active at the moment. You'll be able to confirm whether it's working or not with the last step. You can easily add the rules from the wiki and see if it behaves differently after you've confirmed that selected routing is working.

Didn't manage to find any problems with this despite not using all the rules. All traffic I tested hopped the correct routes and was blocked where I wanted. Possibly something I missed that the other rules fixed. Going to need someone smarter than me to confirm.

If I understood properly, there is no need of rules within the actual Wireguard/VPN interface, but only in the interface where the hosts live, is that correct?

Tia.

The NAT and Floating rule should cover that.

[ed]

Just a awesome amazing guide!
Works like a charm!
I just got one question if you dont mind.
Following these steps i get it working so i get my traffic over Mullvad and can access my "LAN" devices ( as per my Interface i selected in 6.1 ) but i am not able to connect to any of my "IOT" devices in a different vlan.
Do you have any recommendation for this?
Cheers

Hi Pete,

I had the exact same challenge as you. Here's how I solved it:

• Create an alias for your VLANs under Firewall --> Aliases. In my case I named it "PrivateNetworks" and assigned the content of "192.168.0.0/16" because my different VLANs resolve into subnets within 192.168.10.0/24, 192.168.20.0/24, etc. (this is just my case, yours might be different)
• Adjust the "Destination" in step 6.1: Select the checkbox "Destination / Invert" and select your previously created alias "PrivateNetworks" as "Destination". --> Save & Apply

This will result in only allowing traffic to the new (mullvad/wireguard) gateway if the destination address is not within a private range, in my case within 192.168.0.0/16
In other words internet traffic will use the new mullvad/wireguard gateway, whereas internal networks will continue to be routed internally.

Hope this helps. If it doesn't feel free to ask again.

Cheers,
Ed

[cami09]

Big thank you first!

Now a question: what is the best practice in case of multiple (Mullvad) WiregGuard instances?

When doing step 5 with a second instance:
| IP Address                      | .conf > [interface] > address (-1)*               |
| Monitor IP                       | 10.64.0.1 or one of the DNS servers              |

I get errors
> This Gateway IP address already exists.
> This Monitor IP address already exists.

For GW IP, we probably can just decrement one more: address (-2), ... , address (-n).
But what should I configure for "Monitor IP", given DNS IP is always the same?

[colourcode]

Big thank you first!

Now a question: what is the best practice in case of multiple (Mullvad) WiregGuard instances?

There are more than one DNS server you can use. Check out the first link in the original post, I believe he went thru the steps to make more than one tunnel 🤞😎

[killer2239]

So I'm not using Mullvad but I followed these instructions changing the main vpn connection to use wireguard settings of my provider and the tunnel seems fine. However, I'm receiving an error on any website I try to visit telling me its not secure, click advance continue and it gives an opnsense rebind dns attack error page. Any suggestions on what it is causing this?

I should add, when I do a ping test to like 8.8.8.8 it says I'm getting a reply from my opnsense IP address of 192.168.1.1  , so clearly something isn't right there but I don't know what.

[cloudz]

This tutorial is 100% spot on and works as advertised, love it!

Did you ever try this with IPv6? I would like to use Destination routing instead of based on source.
It works well for IPv4 but nowadays a ton of sites do have AAAA records too.

I've tried adding the IP address that you get in the .conf to the Interface/Peer but I run into the unknown with the gateways.
You can only add one gateway to an instance .. which makes this hard. Should I make an IPv6 only instance?