WireGuard ProtonVPN connection active, but unable to receive responses

Started by ctrom, March 16, 2026, 06:49:11 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
March 16, 2026, 06:49:11 PM
I have followed the documentation for setting up WireGuard with ProtonVPN. The VPN status indicates that the connection is online, the handshake age is being refreshed regularly, and there is data being sent and received, although the received traffic is about 1/4 of the sent traffic. I am able to ping the address Proton specified (10.2.0.2) but pings to 8.8.8.8 are lost and attempts to curl -v http://neverssl.com result in Recv failure: Connection reset by peer

I have tweaked many settings and spent a few hours going back and forth with Gemini trying to identify what's wrong, but have had no success. I'm hoping for suggestions on what I should try or how I can diagnose where the failure is occurring.
March 16, 2026, 08:29:37 PM #1
Not sure if this applies, as I do not use ProtonVPN, but have you tried looking at Firewall: Log Files: Live View? It helped when I was setting up WireGuard. Turn on logging here: System: Settings: Logging and Firewall: Settings: Advanced.
March 16, 2026, 09:18:37 PM #2
Quote from: vimage22 on March 16, 2026, 08:29:37 PMNot sure if this applies, as I do not use ProtonVPN, but have you tried looking at Firewall: Log Files: Live View? It helped when I was setting up WireGuard. Turn on logging here: System: Settings: Logging and Firewall: Settings: Advanced.
Yes, I have enabled logging on all of the firewall rules related to the VPN. When I look at Live View, I see many requests that are passing from local IPs out of the network, but nothing from outside coming in. I've also looked at the VPN logs and the system logs and I haven't seen anything that indicates to me a failure condition.
March 16, 2026, 10:36:41 PM #3
After too many hours of pulling my hair out, I finally realized I had mistyped the IP address for the gateway I had set up for the VPN. I had typed 10.2.0.1 when it should have been 10.2.0.2. The health check is passing now for the VPN gateway and I see return traffic on the firewall logs. I am facing a new issue now with my attempts to ping 8.8.8.8 which is that the ping response from my router's IP address:
Code Select
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=1.42 ms (DIFFERENT ADDRESS!)
64 bytes from 10.0.1.1: icmp_seq=2 ttl=64 time=1.49 ms (DIFFERENT ADDRESS!)

If anyone knows offhand what I might have done wrong to cause this please let me know. In the meantime, I am happy to finally have a different problem to work on.
Today at 02:46:33 PM #4
One little typo, happens to me as well. Maybe my post here might give you ideas? (#8) https://forum.opnsense.org/index.php?msg=262436
But without a lot more info on your config, not sure I can figure this out. Might be a Rule issue?
Today at 07:25:56 PM #5
Quote from: vimage22 on Today at 02:46:33 PMOne little typo, happens to me as well. Maybe my post here might give you ideas? (#8) https://forum.opnsense.org/index.php?msg=262436
But without a lot more info on your config, not sure I can figure this out. Might be a Rule issue?

I've attempted to capture all of the relevant settings here. If I've overlooked something please let me know.

WireGuard settings:
Instance:
Listen port: 51820
MTU: 1420
DNS Servers: 10.2.0.1
Tunnel address: 10.2.0.2/32
Disable routes: yes
Gateway: 10.2.0.1 - this is not specified in the ProtonVPN connection details, but the OPNsense setup documentation indicates this should be set.

Peer:
Allowed IPs: 0.0.0.0/0
Endpoint address: 79.127.136.222
Endpoint port: 51820

Interfaces:
WAN_ProtonVPN:
Device: wg0
IPv4: None

VPNOnly:
Device: vlan0.50
IPv4: Static
Address: 10.12.50.1/24

Gateway:
Name: ProtonVPN
Interface: WAN_ProtonVPN
IP Address: 10.2.0.2 - I'm unsure about this setting. I had it set to 10.2.0.1 and the gateway was reporting offline. After changing it to 10.2.0.2 the gateway reported online, but Gemini is insisting that this is inaccurate because it is creating a loop within the router.

Firewall:
NAT Outbound:
Mode: Hybrid
Custom Rule:
Interface: WAN_ProtonVPN
Source address: 10.12.50.0/24
Translation / target: Interface address
Static-port: yes

Aliases:
WG_VPN_Hosts: 10.12.50.1/24

Rules:
I have tried many different rules at this point including:
IDInterfaceQuickActionDirectionSourceDestinationGatewayAdvanced
1AnyNoPassOutWAN_ProtonVPN address(invert) WAN_ProtonVPN netProtonVPNAllow options:1 Disable reply-to:1
2VPNOnlyYesPassInVPNOnly netRFC1918_NetworksNone
3VPNOnlyYesPassInWG_VPN_Hosts10.2.0.1ProtonVPNSet local tag: NO_WAN_EGRESS
4VPNOnlyYesPassInWG_VPN_Hosts(invert) RFC1918_NetworksProtonVPNSet local tag: NO_WAN_EGRESS
5WANYesBlockOutanyanyNoneMatch local tag: NO_WAN_EGRESS
6VPNOnlyYesPassInanyanyProtonVPNDisable reply-to:1
7WAN_ProtonVPNNoPassInanyanyNone

These rules haven't been active all at once and there are many variations on these that I have tried in my experimentation.
Print
Go Up Pages1
User actions