Two years later and your effort is still paying off. Thank you sir. You explained the /32 interface in a way no one else had for me. Much appreciated!
Thank you for making this very detailed tutorial. Excellent delivery, as usual!
Great video. After reading other complicated instructions, your video gave me the impression that the setup need not be that complicated. Now I have set up one of my many subnets dedicated to my VPN provider. That subnet is associated with one SSID so that any devices connected to the SSID get VPN automatically.
Thanks for your pfSense and WireGuard videos. Very helpful.
Brilliant. Looking forward to more, and thank you, to you and the other contributors, for taking on this project!!
Never considered doing this, thank you for your time and information.
As a smooth-brained user of this stuff: thanks, it's-a v nice.
24:57 I couldn't do this part. When I went to NAT, selected hybrid, and then created the mapping, on the interface I could select Mullvad (interface group), but for the Translation Address the option to select the interface address wasn't there, so I just had to create 2 maps, 1 for each of the tunnels, still using Mullvad (interface group) for the interface and using each Mullvad interface for the translation address. It works, just annoying to have to create 2 mappings per VLAN.
Great guide, appreciate the clarification regarding the interface + gateway setup!
Thanks for making this video, it was fantastic and really helped me configure my router!
Thank you, this helped me set up my wireguard stuff. Very much appreciated.
This is awesome. Thank you for the hard work and guide!
Hey thanks so much!
Thank you for your video!
I was following along nicely right up until @23:11 at which point, those 2 Firewall Rules you have listed under the WG tab, do not even exist for me.
So once you started editing them, that was where my adventure came to an end.
To be able to follow along, should I first look up how to make "a remote access tunnel"?
OK, so I figured this out. He's connecting using a pre-established WireGuard remote tunnel, which he's set up already, so it makes sense to go there. For me, I'm coming in from a different assignment (the ethernet port that I have my wifi box connected to), so I go there instead. If it's indeed the place that you are connecting from, you'll see those two rules there. All you have to do is go to the bottom and assign the gateway.
Thanks for showing how to perform a failover for two Mullvad gateways coming from a specific IP. I have a question if you have time. I set up a Proton and a StrongVPN for internal devices associated in aliases. It works for the two aliases, one for Proton and the other for StrongVPN. What would be the best way for me to use the failover? I would like StrongVPN to be the backup for Proton.
Cool video - how do you let WG ride on top of a WANGROUP? I don't seem to find any way to tell WG which interface/group the encrypted tunnel traffic should take. I have a WANGROUP grouping WAN and WAN2 to fail over between two different providers and want my WG to send traffic to the interface that is up.
When I use a single OUTBOUND NAT rule with the INTERFACE GROUP as you showed in your video, I cannot get out to any website, although I am able to ping websites. So instead, I had to undo the interface group and create separate NAT rules for each interface to get it to work. I'm using pfSense version 2.5.2, so perhaps this is a bug specific to this version. Anyone else having this issue?
Hmm, I will look into this and see if I can replicate. Thanks for the feedback.
Holy shit, thank you SO MUCH for this. I've been banging my head on the issue for 6 hours till I read this comment. Thanks A TON!
@nightfallen0420 I'm glad to hear this helped you. I've upgraded to 2.6.0 but did not get a chance to test with interface groups. Perhaps the bug has been fixed in that version.
@michaelk412 Nope, I'm on 2.6.0 and it still occurred.
@nightfallen0420 Hmmm... thanks for the heads up, so I won't waste my time trying it on 2.6.0. Christian never replied back regarding this issue and I'm not sure why it seems to work fine for him in this video. Doing it our way is messy, but at least it works. I also found someone in the pfSense user forums that had the same issue, so it's not just us.
Is there any way to get the Mullvad desktop app to work with pfSense pfBlocker?
pfBlocker works, but only when Mullvad is not running. When Mullvad is running, it no longer uses the pfSense pfBlocker DNS resolver :{
Any solution?
Great guide, how can port forwarding be done?
Tutorial was very detailed and I FINALLY got Mullvad to work. Thank you so much!
I followed the steps and Mullvad detects a DNS leak. Did I miss a setting somewhere?
There are indeed some extra considerations for plugging DNS leaks. I need to make another video and discuss the options here. But basically if you are using pfSense as your DNS resolver (via Unbound), you are doing your own recursive resolving against the DNS root nameservers. This is why Mullvad is detecting a "DNS Leak" but the DNS server is reported as your own public v4 address. As long as pfSense is configured to only use Unbound and Unbound is NOT in forwarding mode, you are fine.
Hi... very well explained, but how do I apply it to my situation in order to have all my LAN network routed through the VPN tunnel if my ISP, in order to give me the public IP, wants me to have a PPPoE connection + VLAN tagging?
Also, what if I want to use a different VPN provider?
Thanks for sharing buddy.
For anyone following this guide still, make sure you use different listening ports for each tunnel. When you make the config file, after generating the private key, you should be able to enter a custom listening port by clicking "advanced settings." If you don't use different listening ports, one of the tunnel gateways will remain offline.
I'm feeling particularly stupid. I was able to configure the original pfSense WireGuard without issue; I did so with Mullvad, Nord and others and even wrote guides that helped other people. But I have been unable to get the new plugin to work. I've now followed this guide step by step up to the part where you say that handshaking should have started. Nope, I get no handshake. I've deleted everything several times and re-done it, but I can never handshake. Packet captures show nothing on UDP port 51820 on the WAN port. I'm at a loss.
This is very helpful Christian, thank you. I’m currently stuck with a configuration issue that is preventing me from accessing port 443 and 80 only through the VPN tunnel.
Do you offer paid consultations? If so, what’s the best way to get in touch with you?
Nice! Thank you for your effort!
This might seem like a waste of time, but any chance you could show how to set up a WireGuard privacy VPN to go to one specific VLAN? My hope is to create a VLAN where I can just throw devices on and immediately have a connection via VPN. I tried using some of this video and was able to get the WireGuard setup completed, but am getting stuck at setting it to a specific interface that I have a VLAN pointing to. I've tried 1:1 NAT and still no luck, but I am probably missing something super small.
Create an IP Alias where you can set specific devices by IP or IP range for an entire subnet if you want. Then (22:38) when you create the firewall rules for the wireguard group you swap the source IP range with the Alias you created. You have to make sure you also have rules on the relevant source interfaces redirecting internet traffic to the VPN gateway.
This was super helpful, thanks man!
How do you set a rule so certain devices go through WireGuard Mullvad while most go through the ISP?
Create an alias with the devices that you want to bypass Mullvad and create a pass rule to allow this alias out the default gateway. Put this rule above the Mullvad policy route rule.
@ChristianMcDonald Can I create static addresses and under type on alias select type URL (IPs), or should I choose a different type?
I would buy you a beer if I can make this work with Mullvad auto-connecting to a US server without the need of system configuration like you did on the laptop. I followed the video pretty closely and did the alias, placing my entire subnet range in there, to not use WireGuard; anything outside of it, like static IP addresses, should be allowed, so I thought. The remote address is the only part I do not have; I left source empty as I wasn't sure what to add there.
@angelorestrepo imgur.com/a/OmZ7GSi I put together some screenshots for you. Basically you create an Alias that contains IPs of the clients on your LAN that you want to use the VPN as their gateway. You might also use DHCP static assignments here as well (make sure you disable 'Private Address' mode on iOS or Android as this causes your MAC address to change randomly). Then, create a firewall rule above your default LAN to any rule that pushes these clients out your VPN gateway. If you want a VPN kill switch, enable 'Skip rules when Gateway is down' and create a block rule to catch and block traffic from these clients that isn't leaving through the VPN.
@ChristianMcDonald Thanks for the screenshots, much appreciated. For my test I am attempting to have two devices that fall in the same private network of 192.168.2.x. Does it need to be on a separate private network, and if so, can I just manually add a static IP address directly on the two devices?
Christian, I'm following this closely as your implementation for pfSense makes the most sense to me, and I'd really like to migrate my employer away from OpenVPN (beautifully simple to set up, but horrendously slow in use, and the CA I have to maintain for it is really starting to annoy me - not pfSense I should add, but your implementation has taught me so much about WireGuard in a very short time). Any chance you could do a guide for setting up a simple "road warrior" configuration - someone outside the firewall talking to (anything on) the LAN? I've tried following another video (but again, not pfSense), and I just can't get traffic to route beyond the firewall (when I can get it to talk at all)?
Thanks for the videos/content in any case.
So, I spent a productive hour or so rewatching this video a few times and figured out that your "Remote Access" tun_wg0 is already a simple "Road Warrior" configuration. Paying attention to some of the "background" views, I extracted enough info to get my wee lab road warrior config working (using pfSense, at least). Again, many thanks for the guide Christian.
@MurrayCrane I'm just starting my journey going through the same process, so it's heartening to know someone else had success a year ago. Hope it's still running well for you!
Cool introduction on how to use your package. Thank you for your awesome development on this wg package!!
One question: Why do we exactly need the NAT rule? I did not get that.
Because when traffic gets routed out one of the Mullvad tunnels, we need to make sure the outgoing packet's source address is rewritten to be the interface address of that particular Mullvad tunnel. Otherwise, Mullvad will receive a packet with a source address that it knows nothing about (e.g. your LAN, etc.). There is nothing special here in regards to NAT. That step is par for the course.
When you were done with everything on the pfsense side how did you activate the wireguard before testing? Thank you
WireGuard tunnels are up as long as the interface is up. So once you create the tunnel and assign a peer, assuming you've got a pass firewall rule on your listen port, it will start handshaking.
@ChristianMcDonald Thank you for the reply. Should I assume there is a connection once I see a handshake? Additionally, should I connect my switch to the LAN port I assigned the WireGuard interface to for WireGuard to work?
You won't be able to assign a WireGuard tunnel to a physical port. WireGuard is a layer 3 tunnel, so you can't bridge it to a layer 2 network.
But yes, if you're handshaking that means the crypto is up, so assuming both ends have addressing, you should be able to pass traffic.
I think I ran into an issue. I have a site-to-site tunnel using WireGuard, one end on pfSense (ISP -> pfSense, public static IP) and the other end on a Raspberry Pi (ISP -> their device -> Pi, public dynamic IP, which I map to one of my subdomains using a script, 30 min TTL).
On the pfSense side the peer endpoint is this subdomain, and it seems to get stuck with that IP address. It doesn't seem to retry/look up the new record after the TTL expiry, meaning my tunnel will be broken once my ISP issues a new IP on the Raspberry Pi side. I would have to stop/start and fiddle with the endpoint to re-establish the tunnel. Can this be addressed somehow?
Yeah we need to handle DNS resolution better for sure. This is something I’m going to focus on first thing next week, build a fix and make sure to include FQDN endpoints in my test matrix.
@ChristianMcDonald Thanks!! 😊
I was following all the way to the firewall rules. I don't have a WireGuard remote access tunnel and I got completely lost after this. I'm literally stuck at 22 minutes in.
Just an FYI to others. You don't really need to do the firewall rules, and it seems to be working fine without them. @22min, your system should be working.
This is cool! Thank you!
Hi. Thank you for the hard work. This is brilliant. I ran into an issue where after setting up the monitoring to 8.8.8.8 and 8.8.4.4 I had 100% packet loss plus no increase in ping. Any ideas?
Same problem for me. If I disable monitoring I get timeouts on connections when I try to use it. I had it working on the previous, defunct WireGuard and I have a working OpenVPN. I am at a loss.
I had the same problem - I had the allowed IPs on the peers set to 0.0.0.0/32 instead of 0.0.0.0/0 by accident.
I get offline packet loss for gateways.
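Two of the pitfalls in this thread can be caught before a tunnel ever goes up: two tunnels sharing a ListenPort (the earlier comment about using different listening ports, which otherwise leaves one gateway offline) and an AllowedIPs entry typed as 0.0.0.0/32 instead of 0.0.0.0/0 (the comment just above). The script below is an added example, not code from the video or from the pfSense WireGuard package; it parses constructed tunnel configs in the usual WireGuard [Interface]/[Peer] format (dummy keys and endpoints) and flags both mistakes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample configs, shaped like what the pfSense WireGuard package
# exports; keys and endpoints are dummies, not real Mullvad material.
SAMPLE_CONFIGS = {
    "tun_wg1": """
[Interface]
PrivateKey = <dummy-private-key-1>
Address = 10.64.0.2/32
ListenPort = 51820
[Peer]
PublicKey = <dummy-peer-key-1>
Endpoint = 198.51.100.10:51820
AllowedIPs = 0.0.0.0/0
""",
    "tun_wg2": """
[Interface]
PrivateKey = <dummy-private-key-2>
Address = 10.64.0.3/32
ListenPort = 51820
[Peer]
PublicKey = <dummy-peer-key-2>
Endpoint = 198.51.100.11:51820
AllowedIPs = 0.0.0.0/32
""",
}

def parse_wg_config(text):
    """Return (interface_dict, [peer_dict, ...]). Hand-rolled because
    configparser rejects the repeated [Peer] sections WireGuard allows."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value  # split on the first '=' so base64 padding survives
    return interface, peers

def check_listen_ports(configs):
    """Flag a ListenPort shared by more than one tunnel (one gateway stays offline)."""
    by_port = defaultdict(list)
    for name, text in configs.items():
        port = parse_wg_config(text)[0].get("ListenPort")
        if port is not None:
            by_port[int(port)].append(name)
    return [f"ListenPort {port} shared by {', '.join(sorted(names))}"
            for port, names in sorted(by_port.items()) if len(names) > 1]

def check_allowed_ips(configs):
    """Flag AllowedIPs that are the unspecified address with a prefix other than
    /0 (0.0.0.0/32, ::/128): a mistyped default route that matches no traffic."""
    findings = []
    for name, text in configs.items():
        for i, peer in enumerate(parse_wg_config(text)[1]):
            for cidr in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
                net = ipaddress.ip_network(cidr, strict=False)
                if net.network_address.is_unspecified and net.prefixlen != 0:
                    findings.append(f"{name} peer {i}: AllowedIPs {cidr} "
                                    f"matches nothing; use {net.network_address}/0")
    return findings

def audit(configs):
    """Run both checks over a {tunnel_name: config_text} mapping."""
    return check_listen_ports(configs) + check_allowed_ips(configs)
```

Run `audit(SAMPLE_CONFIGS)` to see both findings; pass the exported configs of your own tunnels in the same mapping to check a real setup.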
This is cool! Thank you!