Help with Mullvad on er-x

[droidforever]

Here is my hardware:
Spectrum passthrough modem
Edgerouter X (Connects on 172.16.16.1 configured on eth4)
TL-SG108E Switch (IP 192.168.1.2)
Linksys Router in Bridge Mode (IP 192.168.1.3)
AmpedAlly whole home mesh network on eth2 which has been removed from the VLAN (IP 192.168.3.1) (it appears to get its internet address on IP 192.168.1.38) Eth2 is wired to WAN as this system can not be used an access point.

My setup:
set interfaces wireguard wg0 address {PEED_ADDR}
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips false
set interfaces wireguard wg0 peer {PEER_PUBKEY} endpoint {PEER_ENDPOINT}
set interfaces wireguard wg0 peer {PEER_PUBKEY} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key

WG Nat

set service nat rule 5000 description 'mullvad-nat'
set service nat rule 5000 outbound-interface wg0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
commit

Routing to force connections through wg0 and fail open

set protocols static table 1 description 'table to force wg0:mullvad'
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
commit

Route anything DHCPing to ER-X through wireguard routing

set firewall modify mullvad_route rule 10 description 'mullvad-vpn'
set firewall modify mullvad_route rule 10 source address 192.168.1.0/24
set firewall modify mullvad_route rule 10 modify table 1
commit

set interfaces switch switch0 firewall in modify mullvad_route
commit

Set edgerouter to use our own choice of DNS server, not the ISP's DHCP setting

set interfaces ethernet eth0 dhcp-options name-server no-update
set system name-server 127.0.0.1
set service dns forwarding system
set protocols static interface-route 1.1.1.1/32 next-hop-interface wg0
set protocols static interface-route 1.0.0.1/32 next-hop-interface wg0

Set client dns-server directly to a public IP to ensure we don't leak DNS requests

Traffic originating from the er-x won't be routed to the firewall

set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns forwarding name-server 1.1.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns forwarding name-server 1.0.0.1
delete service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
commit;save;

I have a mistake somewhere as after configuration I have no access to the internet. Or on a couple occasions I would have access to my main computer on the WG interface but nothing else.

Any help on pointing out where my errors are would be greatly appreciated.

[cschlesselmann]

I actually set this up just today.
Relevant part of the config:

firewall {
    modify PBR {
        rule 10 {
            modify {
                table 2
            }
            source {
                address 10.9.11.0/24
            }
        }
    }
    name mgmt-wan {
        default-action accept
    }
    name wan-mgmt {
        default-action drop
        rule 10 {
            action accept
            description "Allow established connections"
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    switch switch0 {
        mtu 1500
        switch-port {
            interface eth1 {
                vlan {
                    vid 11
                }
            }
            vlan-aware enable
        }
        vif 11 {
            address 10.9.11.1/24
            firewall {
                in {
                    modify PBR
                }
            }
        }
    }
    wireguard wg1 {
        address xxx.xxx.xxx.xxx/32
        peer <MULLVAD PUB KEY> {
            allowed-ips 0.0.0.0/0
            endpoint xxx.xxx.xxx.xxx:51820
        }
        private-key ****************
        route-allowed-ips false
    }
}
protocols {
    static {
        table 2 {
            interface-route 0.0.0.0/0 {
                next-hop-interface wg1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name MULLVAD {
            authoritative enable
            subnet 10.9.11.0/24 {
                default-router 10.9.11.1
                dns-server 193.138.218.74
                lease 86400
                start 10.9.11.100 {
                    stop 10.9.11.200
                }
            }
        }
    }
    nat {
        rule 5002 {
            outbound-interface wg1
            type masquerade
        }
    }
}
zone-policy {
    zone mgmt {
        default-action drop
        description "Management Network"
        from wan {
            firewall {
                name wan-mgmt
            }
        }
        interface switch0.11
    }
    zone wan {
        default-action drop
        description "WAN Network"
        from mgmt {
            firewall {
                name mgmt-wan
            }
        }
        interface eth0
        interface wg1
    }
}

Note: I am using a zone based firewall config, you might need to adjust that to your configuration

[plindf]

I'm having the same issue, but not using zone based firewall config. @droidforever did you got it working with your config?

[droidforever]

No I never got it working. I just ordered A Ubiquiti Access Point. Once that comes I will try again with the above suggestions to the config.

[plindf]

Actually i got it working with basically your configuration (Bahnhof wireguard). I did play around alot with the wireguard config, and saw weird routes being in use even though i deleted those settings. So a reboot did the trick. I guess im affected by missing clean up code such as #116. However a subnet collision with my network and Bahnhof wireguard had also to be resolved. I dont know about Mullvad, and "general" discussions like this maybe should not be in a github issue. I will be happy to help you out in another forum. Anyway, the throughput is superior compared to OpenVPN. Great work everyone involved!

[droidforever]

I thought I had this working but I was unable to go to any site requiring TLS encryption such as yahoo mail. Here is the original guide I tried to follow:
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description wireguard
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 destination port 51820
set interfaces wireguard wg0 address {PEED_ADDR}
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips false
set interfaces wireguard wg0 peer {PEER_PUBKEY} endpoint {PEER_ENDPOINT}
set interfaces wireguard wg0 peer {PEER_PUBKEY} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key
set service nat rule 5000 description 'mullvad-nat'
set service nat rule 5000 outbound-interface wg0
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type masquerade
set protocols static table 1 description 'table to force wg0:mullvad'
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
set firewall modify mullvad_route rule 10 description 'mullvad-vpn'
set firewall modify mullvad_route rule 10 source address 192.168.1.0/24
set firewall modify mullvad_route rule 10 modify table 1
set interfaces switch switch0 firewall in modify mullvad_route
set interfaces ethernet eth0 dhcp-options name-server no-update
set system name-server 127.0.0.1
change to "edit system"
set name-server 1.1.1.1
"exit"
set service dns forwarding system
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 1.0.0.1
delete service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1

Can anyone please tell me what is wrong with these commands via CLI. Thank you

[vswee]

Have you tried set interfaces wireguard wg0 mtu 1420 ?

[plindf]

Check your PRIVATE_NETS firewall/nat group (if you have used the setup wizard in your router), the private network definitions may overlap with the ip range from mullvad..

[bneijt]

Just my two cents: https://github.com/bneijt/mullvad-edgerouter-x/blob/master/mullvad-example_config.txt
For IPv6 I had to add a full address NAT via iptables directly: https://community.ui.com/questions/How-do-I-do-full-address-translation-NAT-for-IPv6-on-my-EdgeRouter-X-in-a-reboot-persistent-manner/b701cd90-df34-4c73-bbf9-d421eb579d12
My first blog post on this was https://bneijt.nl/blog/post/wireguard-vpn-using-an-edgerouter-x/
Hope you get everything working as you want by piecing the different comments and links on the internet together!

[droidforever]

So if I understand the above I would replace
edit protocols static interface-route 10.8.0.1/32
with
edit protocols static interface-route 192.168.1.1/24
then I would type "exit"
Then "edit system"
set description 'in-tunnel dns'
exit
As I want to use the existing routing configuration of 192.168.1.1/24?

[bneijt]

10.8.0.1/32 is the private Mullvad DNS server (see https://mullvad.net/en/help/dns-leaks/ for more information on the address), so you can also do without that if you want and just use 1.1.1.1 and 1.0.0.1 if you want more privacy.
If you want to use 10.8.0.1 as your DNS resolver, add it and manually add the interface route to make sure your router knows that that address can be found behind the wireguard interface.

[droidforever]

@bneijt I followed your guide on https://github.com/bneijt/mullvad-edgerouter-x/blob/master/mullvad-example_config.txt but when I get to set description 'in-tunnel dns' I get an error about invalid configuration so I tried "edit system" and still got the same error. Your help with this would be greatly appreciated. Thank you

[vswee]

@droidforever Try set description "in-tunnel dns" with " instead of '

[bneijt]

@droidforever my mistake, the description node is invalid at that position. I'll remove it from the configuration example. Thank you for pointing this out! Feel free to leave out the set description as it is only there for extra documentation.