[SOLVED] WireGuard ProtonVPN connection active, but unable to receive responses

Started by ctrom, March 16, 2026, 06:49:11 PM

Quote from: FredFresh on Today at 05:18:10 PM
Try to go here and check if it returns the Proton public IP or the IP of your ISP: dnsleaktest.com.

I cannot navigate to that website or any other through the VPN. The data I've collected suggests packets are going out and responses are not coming back.


Quote from: FredFresh on Today at 05:18:10 PM
You monitor the WAN interface; you shall consider that it is a physical interface and WireGuard works "inside that"... you should see the same message going outside on both gateways and not only on the WAN.

Yes, if I monitor both the WAN interface and the wg0 interface while performing a "ping 8.8.8.8", I can see the traffic on both:

wg0:
# tcpdump -ni wg0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type NULL (BSD loopback), snapshot length 262144 bytes
17:08:50.953725 IP 10.2.0.2 > 8.8.8.8: ICMP echo request, id 6820, seq 0, length 64
17:08:51.953836 IP 10.2.0.2 > 8.8.8.8: ICMP echo request, id 6820, seq 1, length 64
17:08:52.954017 IP 10.2.0.2 > 8.8.8.8: ICMP echo request, id 6820, seq 2, length 64
17:08:53.954193 IP 10.2.0.2 > 8.8.8.8: ICMP echo request, id 6820, seq 3, length 64
17:08:54.954359 IP 10.2.0.2 > 8.8.8.8: ICMP echo request, id 6820, seq 4, length 64
17:08:55.954612 IP 10.2.0.2 > 8.8.8.8: ICMP echo request, id 6820, seq 5, length 64

WAN:
# tcpdump -ni igc0 host 79.127.136.222
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on igc0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:08:50.953776 IP {WAN IP redacted}.51820 > 79.127.136.222.51820: UDP, length 128
17:08:51.953890 IP {WAN IP redacted}.51820 > 79.127.136.222.51820: UDP, length 128
17:08:52.954072 IP {WAN IP redacted}.51820 > 79.127.136.222.51820: UDP, length 128
17:08:53.954242 IP {WAN IP redacted}.51820 > 79.127.136.222.51820: UDP, length 128
17:08:54.954401 IP {WAN IP redacted}.51820 > 79.127.136.222.51820: UDP, length 128
17:08:55.954697 IP {WAN IP redacted}.51820 > 79.127.136.222.51820: UDP, length 128
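
A quick way to turn captures like the ones above into a verdict, as an added example (not code from the thread or from OPNsense): it parses tcpdump's UDP lines, separates datagrams sent to the Proton endpoint from those received, and classifies them by WireGuard's fixed message sizes. The sample capture is constructed, with the documentation address 203.0.113.10 standing in for the redacted WAN IP; the endpoint 79.127.136.222:51820 is the one from the thread.

```python
import re
from collections import Counter

# Constructed sample (added example): the three outbound lines mirror the WAN capture
# with the redacted WAN IP replaced by 203.0.113.10; REPLY_LINE is made up to show
# what a datagram coming back from the Proton endpoint would look like.
SAMPLE_CAPTURE = """\
17:08:50.953776 IP 203.0.113.10.51820 > 79.127.136.222.51820: UDP, length 128
17:08:51.953890 IP 203.0.113.10.51820 > 79.127.136.222.51820: UDP, length 128
17:08:52.954072 IP 203.0.113.10.51820 > 79.127.136.222.51820: UDP, length 128
"""
REPLY_LINE = "17:08:52.990000 IP 79.127.136.222.51820 > 203.0.113.10.51820: UDP, length 128\n"

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)"
)

# WireGuard message sizes are fixed: handshake initiation 148, response 92, cookie
# reply 64, keepalive 32 (empty transport message); any other size is transport data.
MESSAGE_SIZES = {148: "handshake-init", 92: "handshake-resp", 64: "cookie", 32: "keepalive"}


def classify_datagram(length: int) -> str:
    return MESSAGE_SIZES.get(length, "transport")


def tunnel_summary(capture: str, peer_ip: str, peer_port: int = 51820) -> dict:
    """Count datagrams to and from the peer by message type and state what that implies."""
    out, inbound = Counter(), Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify_datagram(int(m["length"]))
        if m["dst"] == peer_ip and int(m["dport"]) == peer_port:
            out[kind] += 1
        elif m["src"] == peer_ip and int(m["sport"]) == peer_port:
            inbound[kind] += 1
    if not out:
        verdict = "nothing sent to the peer: traffic never reaches wg0 or endpoint/port is wrong"
    elif out["transport"] and not inbound["transport"]:
        # transport messages only follow a completed handshake, so a session exists
        verdict = "encrypted data leaves but none returns: check NAT to the tunnel address and return routing"
    elif not inbound:
        # WireGuard answers nothing for an unrecognised key; a filtered UDP path looks the same
        verdict = "handshake sent, peer silent: verify keys/endpoint or a filtered UDP path"
    else:
        verdict = "bidirectional transport traffic: the tunnel is carrying data"
    return {"out": dict(out), "in": dict(inbound), "verdict": verdict}
```

Feed it `tcpdump -nli igc0 host <endpoint>` output saved to a file; the length column is the UDP payload size tcpdump prints, which is what the classifier keys on.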

I was trying to comment on each point of your configuration but it seems you deviated A LOT from the Road warrior guide:
first this https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html
later this https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-3-turn-on-wireguard

Pay attention that the first part of the second page overlaps the specific Proton guide; avoid that first part.

The best way is to start with the simplest configuration; once it works you can start making changes, otherwise you do not know what went wrong.

Please back up your config and clean the additional settings of the VPN (NAT, firewall rules, normalization, devices... just keep peer and instance).

The guide works; what is not there shall not be changed or implemented... and do not ask AI, ask here.

Once you have implemented the standard configuration, if you have doubts, just write here.


I also have Proton and I can guarantee that the guide works.

Quote from: FredFresh on Today at 07:39:49 PM
I was trying to comment on each point of your configuration but it seems you deviated A LOT from the Road warrior guide:

I took your recommendation and purged everything and started again:

WireGuard settings:
Instance:
Public key: {derived from private key}
Private key: {copied from Proton supplied config}
Listen port: 51820
MTU: 1420
DNS Servers: 10.2.0.1
Tunnel address: 10.2.0.2/32
Disable routes: yes
Gateway: 10.2.0.1 - as specified by the OPNsense docs

Peer:
Public key: {copied from Proton supplied config}
Allowed IPs: 0.0.0.0/0
Endpoint address: 79.127.136.222
Endpoint port: 51820
Instances: Selected the instance from the previous step.
Keepalive interval: 25

At this point, I enabled WireGuard and moved to the "Selective Routing" docs. I skipped steps 1, 2, and 3 and began with step 4.

Interfaces:
WAN_ProtonVPN:
Device: wg0
IPv4: None

Restarted the WireGuard service.

Gateway:
Name: WAN_ProtonVPN
Interface: WAN_ProtonVPN
IP Address: 10.2.0.1
Far Gateway: Yes
Disable Gateway Monitoring: No
Monitor IP: 79.127.136.222

At this point I deviated from the documentation to create a VLAN for the hosts that should use the VPN.

Interfaces (continued):
VPNOnly:
Device: vlan0.50
IPv4: Static
Address: 10.12.50.1/24

Firewall:
Aliases:
Name: WG_VPN_Hosts
Type: Network(s)
Content: 10.12.50.1/24

Name: RFC1918_Networks
Type: Network(s)
Content: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12

Rules (step 8):
ID | Interface | Quick | Action | Direction | Source | Destination | Gateway | Advanced
2 | VPNOnly | Yes | Pass | In | WG_VPN_Hosts | (invert) RFC1918_Networks | WAN_ProtonVPN |

I stopped at this point and tried to ping 8.8.8.8 and the live view logged a "pass" message.

Rules (step 9):
ID | Interface | Quick | Action | Direction | Source | Destination | Gateway | Advanced
1 | Any | No | Pass | Out | WAN_ProtonVPN address | (invert) WAN_ProtonVPN net | WAN_ProtonVPN | Allow options: 1
2 | VPNOnly | Yes | Pass | In | WG_VPN_Hosts | (invert) RFC1918_Networks | WAN_ProtonVPN |

NAT Outbound:
Mode: Hybrid
Custom Rule:
Interface: WAN_ProtonVPN
Source address: WG_VPN_Hosts
Translation / target: Interface address

I stopped again and attempted to ping 8.8.8.8 from my VPNOnly host and I got a response.

Rules (step 11):
ID | Interface | Quick | Action | Direction | Source | Destination | Gateway | Advanced
1 | Any | No | Pass | Out | WAN_ProtonVPN address | (invert) WAN_ProtonVPN net | WAN_ProtonVPN | Allow options: 1
2 | VPNOnly | Yes | Pass | In | WG_VPN_Hosts | (invert) RFC1918_Networks | WAN_ProtonVPN | Set local tag: NO_WAN_EGRESS
3 | WAN | Yes | Block | Out | any | any | None | Match local tag: NO_WAN_EGRESS


And after applying the changes to rule 2 and creating rule 3, I am still able to ping 8.8.8.8. After adding another rule to allow the VLAN access to port 53, I am also able to curl HTTP endpoints and am getting back expected responses. I can't be sure now, but I think I may have messed up creating the outbound NAT rule in Step 10 the first time I tried. Although I later double checked and corrected the NAT rule, I think I had mangled my firewall rules by that point and ended up in a state where I couldn't tell where I'd gone wrong. Thank you to the three of you that replied to this thread and offered suggestions.
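
As an added illustration (not the poster's or OPNsense's code), a simplified Python model of rules 2 and 3 from the final rule table above, showing why the NO_WAN_EGRESS tag matters: when the Proton gateway is down, policy-routed traffic falls back to the default route, and rule 3 is what keeps it from leaving via WAN. The host and destination addresses are constructed, and real pf evaluation is richer than this model.

```python
import ipaddress

# Simplified model of the rule table in the post above (added example, not OPNsense
# or pf code): rules match top-down, the tag set by the inbound pass rule travels with
# the packet, and a policy-routing gateway that is down falls back to the default route.
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
WG_VPN_HOSTS = ipaddress.ip_network("10.12.50.0/24")  # the VPNOnly VLAN (alias WG_VPN_Hosts)


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918_NETWORKS)


def rule2_in_vpnonly(src, dst):
    """Rule 2 (quick): VPN hosts to non-RFC1918 pass via WAN_ProtonVPN and get tagged."""
    if ipaddress.ip_address(src) in WG_VPN_HOSTS and not is_rfc1918(dst):
        return {"gateway": "WAN_ProtonVPN", "tag": "NO_WAN_EGRESS"}
    # no match: the packet falls through to whatever other VPNOnly rules exist (assumed: default routing)
    return {"gateway": "default", "tag": None}


def rule3_out_wan(tag):
    """Rule 3 (quick): block anything leaving on WAN that carries the NO_WAN_EGRESS tag."""
    return "block" if tag == "NO_WAN_EGRESS" else "pass"


def forward(src, dst, tunnel_up):
    """Return (egress interface, verdict) for a packet that entered on VPNOnly."""
    state = rule2_in_vpnonly(src, dst)
    if is_rfc1918(dst):
        return "LAN", "pass"  # local destinations are never policy-routed into the tunnel
    if state["gateway"] == "WAN_ProtonVPN" and tunnel_up:
        return "WAN_ProtonVPN", "pass"  # rule 1 in the post covers the tunnel interface outbound
    # tunnel down: the packet follows the default route, which points at WAN
    return "WAN", rule3_out_wan(state["tag"])


if __name__ == "__main__":
    for case in [("10.12.50.20", "8.8.8.8", True), ("10.12.50.20", "8.8.8.8", False),
                 ("10.12.50.20", "192.168.1.5", False)]:
        print(case, "->", forward(*case))
```

Without the tag on rule 2 and the matching block on rule 3, the second case would leave via WAN with the host's real address.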