Lochnair / vyatta-wireguard

GNU General Public License v3.0

Help with Mullvad on er-x #128

Open droidforever opened 4 years ago

droidforever commented 4 years ago

Here is my hardware:

Spectrum passthrough modem
Edgerouter X (connects on 172.16.16.1, configured on eth4)
TL-SG108E Switch (IP 192.168.1.2)
Linksys Router in Bridge Mode (IP 192.168.1.3)
AmpedAlly whole home mesh network on eth2, which has been removed from the VLAN (IP 192.168.3.1); it appears to get its internet address on IP 192.168.1.38. Eth2 is wired to WAN as this system cannot be used as an access point.

My setup:

set interfaces wireguard wg0 address {PEED_ADDR}
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips false
set interfaces wireguard wg0 peer {PEER_PUBKEY} endpoint {PEER_ENDPOINT}
set interfaces wireguard wg0 peer {PEER_PUBKEY} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key

WG Nat

set service nat rule 5000 description 'mullvad-nat'
set service nat rule 5000 outbound-interface wg0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
commit

Routing to force connections through wg0 and fail open

set protocols static table 1 description 'table to force wg0:mullvad'
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
commit

Route anything DHCPing to ER-X through wireguard routing

set firewall modify mullvad_route rule 10 description 'mullvad-vpn'
set firewall modify mullvad_route rule 10 source address 192.168.1.0/24
set firewall modify mullvad_route rule 10 modify table 1
commit

set interfaces switch switch0 firewall in modify mullvad_route
commit

Set edgerouter to use our own choice of DNS server, not the ISP's DHCP setting

set interfaces ethernet eth0 dhcp-options name-server no-update
set system name-server 127.0.0.1
set service dns forwarding system
set protocols static interface-route 1.1.1.1/32 next-hop-interface wg0
set protocols static interface-route 1.0.0.1/32 next-hop-interface wg0

Set client dns-server directly to a public IP to ensure we don't leak DNS requests

Traffic originating from the er-x won't be routed to the firewall

set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns forwarding name-server 1.1.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns forwarding name-server 1.0.0.1
delete service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
commit;save;

I have a mistake somewhere, as after configuration I have no access to the internet. On a couple of occasions I would have access to my main computer on the WG interface but nothing else.

Any help on pointing out where my errors are would be greatly appreciated.
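As an added check (not from the thread or the vyatta-wireguard project), the script below walks the chain the commands above are supposed to form: the modify ruleset must be bound to an interface, point at a table whose default route is the WireGuard interface and that keeps a blackhole fallback, and that interface needs a NAT rule and route-allowed-ips false. The SAMPLE lines are constructed from this post, with placeholders kept as plain tokens.

```python
# Added example, not from the thread; SAMPLE is constructed from the post above.
SAMPLE = """
set interfaces wireguard wg0 route-allowed-ips false
set service nat rule 5000 outbound-interface wg0
set service nat rule 5000 type masquerade
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
set firewall modify mullvad_route rule 10 source address 192.168.1.0/24
set firewall modify mullvad_route rule 10 modify table 1
set interfaces switch switch0 firewall in modify mullvad_route
"""

def parse(text):
    """Tokenise each 'set ...' line, dropping the leading 'set'."""
    return [l.split()[1:] for l in text.strip().splitlines() if l.startswith("set ")]

def check_pbr(text):
    """Follow applied ruleset -> table -> wg interface -> NAT; return problems."""
    table_of, applied, table_if, blackholed = {}, set(), {}, set()
    nat_ifs, route_allowed = set(), {}
    for c in parse(text):
        if c[:2] == ["firewall", "modify"] and c[5:7] == ["modify", "table"]:
            table_of[c[2]] = c[7]                      # ruleset -> table id
        elif c[0] == "interfaces" and c[-4:-1] == ["firewall", "in", "modify"]:
            applied.add(c[-1])                         # ruleset bound to an interface
        elif c[:3] == ["protocols", "static", "table"]:
            if c[4:7] == ["interface-route", "0.0.0.0/0", "next-hop-interface"]:
                table_if[c[3]] = c[7]                  # table -> tunnel interface
            elif c[4:6] == ["route", "0.0.0.0/0"] and "blackhole" in c:
                blackholed.add(c[3])
        elif c[:3] == ["service", "nat", "rule"] and c[4:5] == ["outbound-interface"]:
            nat_ifs.add(c[5])
        elif c[:2] == ["interfaces", "wireguard"] and c[3:4] == ["route-allowed-ips"]:
            route_allowed[c[2]] = c[4]
    problems = []
    for name, table in table_of.items():
        if name not in applied:
            problems.append(f"modify ruleset {name} is not applied to any interface")
        wg = table_if.get(table)
        if wg is None:
            problems.append(f"table {table} has no default interface-route")
            continue
        if table not in blackholed:   # otherwise lookups fall through to the main table
            problems.append(f"table {table} lacks a blackhole fallback; LAN traffic would use the WAN if {wg} is down")
        if wg not in nat_ifs:
            problems.append(f"no NAT rule with outbound-interface {wg}")
        if route_allowed.get(wg) != "false":
            problems.append(f"{wg}: route-allowed-ips must be false when allowed-ips is 0.0.0.0/0")
    return problems
```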

cschlesselmann commented 4 years ago

I actually set this up just today. Relevant part of the config:

firewall {
    modify PBR {
        rule 10 {
            modify {
                table 2
            }
            source {
                address 10.9.11.0/24
            }
        }
    }
    name mgmt-wan {
        default-action accept
    }
    name wan-mgmt {
        default-action drop
        rule 10 {
            action accept
            description "Allow established connections"
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    switch switch0 {
        mtu 1500
        switch-port {
            interface eth1 {
                vlan {
                    vid 11
                }
            }
            vlan-aware enable
        }
        vif 11 {
            address 10.9.11.1/24
            firewall {
                in {
                    modify PBR
                }
            }
        }
    }
    wireguard wg1 {
        address xxx.xxx.xxx.xxx/32
        peer <MULLVAD PUB KEY> {
            allowed-ips 0.0.0.0/0
            endpoint xxx.xxx.xxx.xxx:51820
        }
        private-key ****************
        route-allowed-ips false
    }
}
protocols {
    static {
        table 2 {
            interface-route 0.0.0.0/0 {
                next-hop-interface wg1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name MULLVAD {
            authoritative enable
            subnet 10.9.11.0/24 {
                default-router 10.9.11.1
                dns-server 193.138.218.74
                lease 86400
                start 10.9.11.100 {
                    stop 10.9.11.200
                }
            }
        }
    }
    nat {
        rule 5002 {
            outbound-interface wg1
            type masquerade
        }
    }
}
zone-policy {
    zone mgmt {
        default-action drop
        description "Management Network"
        from wan {
            firewall {
                name wan-mgmt
            }
        }
        interface switch0.11
    }
    zone wan {
        default-action drop
        description "WAN Network"
        from mgmt {
            firewall {
                name mgmt-wan
            }
        }
        interface eth0
        interface wg1
    }
}

Note: I am using a zone based firewall config, you might need to adjust that to your configuration

plindf commented 4 years ago

I'm having the same issue, but not using zone based firewall config. @droidforever did you get it working with your config?

droidforever commented 4 years ago

No, I never got it working. I just ordered a Ubiquiti Access Point. Once that comes I will try again with the above suggestions to the config.

plindf commented 4 years ago

Actually I got it working with basically your configuration (Bahnhof wireguard). I did play around a lot with the wireguard config, and saw weird routes being in use even though I deleted those settings. So a reboot did the trick. I guess I'm affected by missing clean up code such as #116. However, a subnet collision between my network and Bahnhof wireguard also had to be resolved. I don't know about Mullvad, and "general" discussions like this maybe should not be in a github issue. I will be happy to help you out in another forum. Anyway, the throughput is superior compared to OpenVPN. Great work everyone involved!

droidforever commented 4 years ago

I thought I had this working but I was unable to go to any site requiring TLS encryption such as Yahoo Mail. Here is the original guide I tried to follow:

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description wireguard
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 destination port 51820
set interfaces wireguard wg0 address {PEED_ADDR}
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips false
set interfaces wireguard wg0 peer {PEER_PUBKEY} endpoint {PEER_ENDPOINT}
set interfaces wireguard wg0 peer {PEER_PUBKEY} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key
set service nat rule 5000 description 'mullvad-nat'
set service nat rule 5000 outbound-interface wg0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
set protocols static table 1 description 'table to force wg0:mullvad'
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
set firewall modify mullvad_route rule 10 description 'mullvad-vpn'
set firewall modify mullvad_route rule 10 source address 192.168.1.0/24
set firewall modify mullvad_route rule 10 modify table 1
set interfaces switch switch0 firewall in modify mullvad_route
set interfaces ethernet eth0 dhcp-options name-server no-update
set system name-server 127.0.0.1 (change to "edit system", set name-server 1.1.1.1, "exit")
set service dns forwarding system
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 1.0.0.1
delete service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1

Can anyone please tell me what is wrong with these commands via CLI? Thank you.

vswee commented 4 years ago

Have you tried set interfaces wireguard wg0 mtu 1420 ?

plindf commented 4 years ago

Check your PRIVATE_NETS firewall/nat group (if you have used the setup wizard in your router); the private network definitions may overlap with the IP range from Mullvad.

bneijt commented 4 years ago

Just my two cents: https://github.com/bneijt/mullvad-edgerouter-x/blob/master/mullvad-example_config.txt

For IPv6 I had to add a full address NAT via iptables directly: https://community.ui.com/questions/How-do-I-do-full-address-translation-NAT-for-IPv6-on-my-EdgeRouter-X-in-a-reboot-persistent-manner/b701cd90-df34-4c73-bbf9-d421eb579d12

My first blog post on this was https://bneijt.nl/blog/post/wireguard-vpn-using-an-edgerouter-x/

Hope you get everything working as you want by piecing the different comments and links on the internet together!

droidforever commented 4 years ago

So if I understand the above, I would replace

edit protocols static interface-route 10.8.0.1/32

with

edit protocols static interface-route 192.168.1.1/24

then I would type "exit", then "edit system", set description 'in-tunnel dns', exit, as I want to use the existing routing configuration of 192.168.1.1/24?

bneijt commented 4 years ago

10.8.0.1/32 is the private Mullvad DNS server (see https://mullvad.net/en/help/dns-leaks/ for more information on the address), so you can also do without that if you want and just use 1.1.1.1 and 1.0.0.1 if you want more privacy. If you want to use 10.8.0.1 as your DNS resolver, add it and manually add the interface route to make sure your router knows that that address can be found behind the wireguard interface.

droidforever commented 4 years ago

@bneijt I followed your guide on https://github.com/bneijt/mullvad-edgerouter-x/blob/master/mullvad-example_config.txt but when I get to set description 'in-tunnel dns' I get an error about invalid configuration, so I tried "edit system" and still got the same error. Your help with this would be greatly appreciated. Thank you.

vswee commented 4 years ago

@droidforever Try set description "in-tunnel dns" with " instead of '

bneijt commented 4 years ago

@droidforever my mistake, the description node is invalid at that position. I'll remove it from the configuration example. Thank you for pointing this out! Feel free to leave out the set description as it is only there for extra documentation.