Unable to get Mullvad Wireguard to work

[mattlach]

Hey everyone,

I an transitioning over from a previous router where I was using OpenVPN to route all network traffic through Mullvad.

I am now transitioning to OPNSense and decided I'd give WireGuard a try.

I have tried two different guides, first the WireGuard MullvadVPN Road Warrior Setup from docs.opnsense.org

This one I followed step by step from the instructions.  Everything seems to work like it should until I enable the wireguard connection, at which all contact with the outside world across the cgateway disappears.   Adding the routing step 2 does nothing.   Internet connectivity never returns.

I have tried repeating this guide just in case I got something wrong, with the same effect.

Next I tried the guide in the this youtube video.

This one has configuration menus that look a little different, possibly due to a different version of the software, but following this guide still results in no connectivity after starting wireguard.

I can't for the life of me figure out what I am doing wrong.

I'd appreciate any suggestions that might help me fix this.

Ideally, I'd have functionality much like the video explains towards the end, with Wireguard traffic going through a separate gateway, such that I can filter which hosts go out over wireguard, and which go straight out to the wan.

Any help and/or suggestions greatly appreciated!

Thank you,
Matt

[mattlach]

Alright, I was able to resolve this through some research and time spent reading.  If anyone else needs it, here is what I found.

1.) Something changed when Wireguard moved into the kernel in v23.  This something broke many previously implemented Wireguard to private VPN service tunnels.

2.) The initial part of the WireGuard MullvadVPN Road Warrior Setup guide can still be followed, with one small change.

Follow "Step 1" of the above, except when configuring your "instance" be sure to check the box "disable routes".  If you don't it will create an automatic route that breaks external traffic over the wan.

Also, the guide above tells you to add a DNS server in the Peers section.  This no longer appears to be possible.  It is also not needed, as long as you used the version of the Mullvad Curl script that hijacks your DNS, as you will use Mullvads DNS either way, at least when connected to Mullvad.

Once step 1 is complete, shift to this video at timestamp ~8:39

Note that the youtuber is using the older WireGuard-go plugin which is now deprecated.  You can still follow his instructions, but whenever he uses the WireGuard config tab labeled "Endpoints" use the tab labeled "Peers" instead.   And whenever he uses the tab labeled "Local" use the tab labeled "Instances" instead.

Follow the youtubers guide to setting up firewall rules NAT rules.    He splits his video into two parts.  The first for forwarding ALL traffic through the VPN, and a second for setting up a gateway to later use firewall rules to decide which traffic goes through the VPN.

The first "everything through VPN" setup he configures will not work, but set up the rules as he does anyway, as they are needed in the second part.   If you complete the second part you should wind up with a second gateway just for Mullvad.   You can then use firewall rules to pass traffic through to whichever gateway is appropriate, Mullvad or wan to bypass Mullvad.

I usually set up a rule at the end of each networks firewall ruleset that passes all traffic through to the Mullvad gateway.  Then if I want specific exclusions, I add pass rules above that, to pass specific traffic types or traffic from specific hosts to the wan interface bypassing Mullvad.

I hope this saves someone else some time as I was about to tear my hair out.

I suspect (but I am not sure) that there is a bug in the current kernel implementation of WireGuard that creates a faulty, non-functional default route, unless you check the box to disable it during the creation of the instance, and that is what is causing all of this trouble.

[DEC670airp414user]

I do not subscribe to Mullvad.  but I have tinkered with wireguard multiple times with other "providers" and I have gotten it to work.   with using alias's.   and policy routing.   then all other devices go over the wan.

in my experience with the latest version of Opnsense.   yes something is different and when creating an interface, a gateway is not created.     when you go to firewall > nat > outbound there is nothing to choose...

I got around this on the interface page >  create and choose interface > enable it. > ipv4 and ipv6 left to none.
manually add your lowered MTU and MSS settings.  1500 is too high .    then check this :   Dynamic gateway policy    This interface does not require an intermediate system to act as a gateway

then under system > gateways > config it will be listed.  open the connection.  click save.   and it will work as it should. 

policy routing by Alias then works for me.   with multiple providers

[Magician1981]

Alright, I was able to resolve this through some research and time spent reading.  If anyone else needs it, here is what I found.

1.) Something changed when Wireguard moved into the kernel in v23.  This something broke many previously implemented Wireguard to private VPN service tunnels.

2.) The initial part of the WireGuard MullvadVPN Road Warrior Setup guide can still be followed, with one small change.

Follow "Step 1" of the above, except when configuring your "instance" be sure to check the box "disable routes".  If you don't it will create an automatic route that breaks external traffic over the wan.

Also, the guide above tells you to add a DNS server in the Peers section.  This no longer appears to be possible.  It is also not needed, as long as you used the version of the Mullvad Curl script that hijacks your DNS, as you will use Mullvads DNS either way, at least when connected to Mullvad.

Once step 1 is complete, shift to this video at timestamp ~8:39

Note that the youtuber is using the older WireGuard-go plugin which is now deprecated.  You can still follow his instructions, but whenever he uses the WireGuard config tab labeled "Endpoints" use the tab labeled "Peers" instead.   And whenever he uses the tab labeled "Local" use the tab labeled "Instances" instead.

Follow the youtubers guide to setting up firewall rules NAT rules.    He splits his video into two parts.  The first for forwarding ALL traffic through the VPN, and a second for setting up a gateway to later use firewall rules to decide which traffic goes through the VPN.

The first "everything through VPN" setup he configures will not work, but set up the rules as he does anyway, as they are needed in the second part.   If you complete the second part you should wind up with a second gateway just for Mullvad.   You can then use firewall rules to pass traffic through to whichever gateway is appropriate, Mullvad or wan to bypass Mullvad.

I usually set up a rule at the end of each networks firewall ruleset that passes all traffic through to the Mullvad gateway.  Then if I want specific exclusions, I add pass rules above that, to pass specific traffic types or traffic from specific hosts to the wan interface bypassing Mullvad.

I hope this saves someone else some time as I was about to tear my hair out.

I suspect (but I am not sure) that there is a bug in the current kernel implementation of WireGuard that creates a faulty, non-functional default route, unless you check the box to disable it during the creation of the instance, and that is what is causing all of this trouble.

Hi,

Can't get it to work. I'm using a vlan tag (added interface) to pluck the internet traffic out of my fiber connection. Are there additional steps I must take? Would you consider a complete step by step write-up (verbose) please?

Kind regard.

[mattlach]

Hi,

Can't get it to work. I'm using a vlan tag (added interface) to pluck the internet traffic out of my fiber connection. Are there additional steps I must take? Would you consider a complete step by step write-up (verbose) please?

Kind regard.

Hi,

Just logged in for the first time in a while and saw your message.

Honestly, It has been about 7 months since I did this now, and my memory is a little hazy.

I'll see if I can re-assemble what I did from my post, and put something together, but not tonight.