The perfect tutorial on setting up Mullvad with Wireguard on OPNSense. Thanks!
Thank you. I really appreciate that. Glad it was helpful for you!
Thanks for this very helpful video. Great pacing and nice editing. No bs, straight to the point. You deserve more subs!
Thank you! I really appreciate that. Thanks for watching!
@Whats.New.Andrew yw! btw... when is the kill switch video coming out? Super keen to learn this.
@twbadc It's out there now. Here's the link: ua-cam.com/video/of1pOEeZGzo/v-deo.html
I am so glad that I found this particular video when it came out. For some reason, when the latest update came out for OPNsense it broke IPv6. I thought it was the ISP, so I decided to put the ISP's own router in place to see if IPv6 was not working; however, I discovered that it was not the ISP. After a couple of days of trying things in OPNsense I discovered your video on OPNsense and decided to start from scratch. The way you implemented OPNsense was not the same as what I had. You made it a lot simpler.
Something I did was add DNS redirects, since I have DNS over TLS set up as well as blacklists.
I can't wait to see your videos for the kill switch and any other tricks you know with OPNsense.
So glad it was helpful! And DNS redirects are a great approach, especially when you have something like AdGuard or the blacklists you mentioned already in use. Thanks so much for watching!
Great video thanks. Very clear and concise instructions. When do you anticipate the 'Kill switch' video will be uploaded?
Thank you very much! The Kill Switch video was just uploaded and is set to go live in about 12 hours!
@Whats.New.Andrew Great, I'll look out for it!
Hi Andrew, for the outbound NAT rule it is better to do it on the interface itself and not on the WireGuard group; if you have multiple connections you will have problems with this rule. For example, I have 5 different connections to Mullvad and AirVPN, and with the NAT rule on the WireGuard group that wouldn't work. With the firewall rules I would also be a bit clearer, since people with your rule can lock themselves out of the LAN network. Better to first create an alias with the RFC ranges and put this as the top line:
Action: pass
Interface: LAN
Protocol: any
Source: LAN net
Destination: rfcranges
Gateway: default
Your rule then comes as 2nd. This way, people always have access to the LAN network.
Really appreciate this comment. It is a great catch I had not anticipated 🤦‍♂️ I am going to revisit these videos and put together something a bit easier and more flexible. Always appreciate helpful comments like this. Thanks for watching!
What if I want to use tailscale for remote access? Does it work or do I have to change something?
It should still work perfectly for remote access. I still use it for certain things, so you should be good to go. Thanks for watching!
Andrew the 🐐, no 🧢. I just set up OPNsense on a NUC and this is exactly what I needed. Is the last step the best way to quickly enable/disable it? I'm also curious about setting up multiple VPN configurations and how best to switch between them.
Thank you! The last step is a great easy way to disable/enable it. You can also easily switch between different gateways if you have multiple VPN connections. Mine was to USA Virginia, but you could have gateways to different countries and just use the dropdown in the firewall rule to switch easily between them. Let me know if you have any more questions, and thanks for the comment!
Thank you for the great video! I already set up a WG instance using OPNsense as a VPN server. Should I delete this existing instance before proceeding with your setup? Thanks again.
Sounds like you have a WG VPN into your OPNsense firewall to access the network externally. If that is the case, you do not need to remove it. The approach in this video and that one can run together. You can VPN into OPNsense with the setup you already have, and anything on the network (or select machines) will go out over the VPN to Mullvad in this case. Hope that makes sense! Let me know if you still have questions.
@Whats.New.Andrew Thank you for your help. I still have two questions here: 1. In this video you used a private IP (dual NAT?) as your WAN_GW interface, and used 10.64.0.1 as your Mullvad_WG_GW address. I have a public IP for my WAN; what IP should I use for the Mullvad VPN GW? 2. If I want certain hosts in my network to bypass Mullvad, can I edit the "AllowedIPs" instead of configuring them under the firewall rules? Thanks again.
Sorry to be slow responding. Your comment got blocked for some reason, so I am just now seeing it. For number 1, 10.64.0.1 is actually an internal IP on Mullvad's network versus mine. It is a designated IP on their side that points to their DNS servers, so once you are connected it uses that for DNS. It is not actually on my network (sorry for the confusion there). For number 2, yes, you should be able to modify the allowed IPs and only those IPs would be allowed to use the connection. I typically do it with firewall rules and alias lists, but there is almost always more than one way to do things. Allowed IPs is a great option, but you will just need to remember to add/remove there versus using an alias. Good luck, and thanks for watching!
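An added example, not code from the video, the commenters or Mullvad, of what the AllowedIPs field on a WireGuard peer actually decides. WireGuard treats each peer's AllowedIPs as a cryptokey routing table: for a packet leaving through the wg interface, the destination address is matched against every peer's AllowedIPs and the longest prefix selects the peer that encrypts it, and a packet with no matching peer is dropped; for a packet arriving from a peer, the decrypted inner source address must fall inside that peer's AllowedIPs or the packet is dropped. The LAN host that originated the packet is not part of the lookup, which is why per-host bypass is normally done with firewall rules and aliases. Peer names and the prefix lists below are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from typing import Dict, List, Optional

# peer name -> AllowedIPs as CIDR strings (constructed, not real Mullvad data)
Peers = Dict[str, List[str]]

FULL_TUNNEL: Peers = {"mullvad-us-va": ["0.0.0.0/0"]}       # what a Mullvad config ships with
RESTRICTED: Peers = {"mullvad-us-va": ["10.64.0.1/32"]}     # only Mullvad's DNS host, as a test case
MULTI: Peers = {"mullvad-us-va": ["0.0.0.0/0"],
                "site-b": ["192.168.50.0/24"]}              # a second, site-to-site peer (assumed)


def _allowed(peers: Peers, name: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in peers[name]]


def select_peer(peers: Peers, dst: str) -> Optional[str]:
    """Outbound lookup: longest-prefix match of the DESTINATION address over all
    peers' AllowedIPs. Returns the peer that encrypts the packet, or None when
    no peer claims the destination (WireGuard then drops the packet)."""
    d = ipaddress.ip_address(dst)
    best_len, best_name = -1, None
    for name in peers:
        for net in _allowed(peers, name):
            if d in net and net.prefixlen > best_len:
                best_len, best_name = net.prefixlen, name
    return best_name


def accepts_inbound(peers: Peers, name: str, inner_src: str) -> bool:
    """Inbound check: a packet decrypted from peer `name` is delivered only if its
    inner SOURCE address is inside that peer's AllowedIPs; otherwise it is dropped."""
    s = ipaddress.ip_address(inner_src)
    return any(s in net for net in _allowed(peers, name))


if __name__ == "__main__":
    # The LAN source never enters the lookup: both hosts get the same answer.
    for lan_host in ("192.168.10.50", "192.168.10.99"):
        for dst in ("1.1.1.1", "10.64.0.1"):
            print(f"RESTRICTED {lan_host} -> {dst}: {select_peer(RESTRICTED, dst)}")
    print("MULTI 192.168.50.3 ->", select_peer(MULTI, "192.168.50.3"))
    print("reply from 1.1.1.1 via restricted peer accepted:",
          accepts_inbound(RESTRICTED, "mullvad-us-va", "1.1.1.1"))
```

With the restricted table, a LAN host's packet to 1.1.1.1 has no peer and is dropped at the wg interface, and a reply whose inner source is 1.1.1.1 would be dropped on the way back even if it arrived. Trimming AllowedIPs therefore limits which destinations can use the tunnel at all; choosing which LAN hosts are sent into it stays with the policy-routing firewall rule and its alias.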
Can you please make a video of something similar, but in case one has multiple VLANs, on how to route them to Mullvad but keep AdGuard as the DNS server?
ty
Great question. I typically use the DNS directly from Mullvad, but I will look to put something together for this. I have not done it before, but it makes sense that it would be a firewall rule to route port 53 to your Adguard and all other traffic over the VPN.
Thank you
I tried that and I am able to use AdGuard finally, but I lose inter-VLAN communication. Do you have a way around this?
Use unbound.
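A worked model of the rule ordering raised in the comment about the rfcranges alias and in the inter-VLAN question just above, added here as an example; it is not code from the video or from anyone in this thread. OPNsense evaluates the rules on an interface top down and the first match with "quick" set (the default) wins, so a pass rule whose destination is any and whose Gateway is the Mullvad gateway also catches traffic bound for other VLANs and for the firewall itself, which is both the lock-out and the lost inter-VLAN traffic. The networks, rule names and the gateway name Mullvad_WG_GW are made up for the example. One caveat the alias approach brings with it, assuming the policy-routed setup the thread describes where the tunnel's routes are not in the system routing table: Mullvad's in-tunnel resolver 10.64.0.1 sits inside 10.0.0.0/8, so an rfcranges rule at the top would hand those DNS queries to the routing table (and so to the WAN) instead of the tunnel; the example shows a more specific rule above it for that address.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network


def nets(*cidrs: str) -> List[IPNet]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed sample networks (assumptions, not from the video).
LAN_NET = nets("192.168.10.0/24")
IOT_NET = nets("192.168.20.0/24")           # a second VLAN behind the same firewall
ANY = nets("0.0.0.0/0")
# The commenter's "rfcranges" alias: the three RFC 1918 blocks.
RFC_RANGES = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Mullvad's in-tunnel DNS address discussed in the thread; note it is inside 10.0.0.0/8.
MULLVAD_DNS = nets("10.64.0.1/32")


@dataclass(frozen=True)
class Rule:
    name: str
    src: List[IPNet]
    dst: List[IPNet]
    gateway: str            # "default" = follow the system routing table; else a named gateway
    action: str = "pass"


def _in(addr: ipaddress.IPv4Address, networks: List[IPNet]) -> bool:
    return any(addr in n for n in networks)


def route(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First-match evaluation, as OPNsense does for rules with 'quick' set (the default).
    Returns (name of the matching rule, gateway it applies), or ("default deny", None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _in(s, r.src) and _in(d, r.dst):
            return r.name, (r.gateway if r.action == "pass" else None)
    return "default deny", None


# The rule from the video as the thread describes it: everything from LAN goes to the VPN gateway.
VPN_POLICY = Rule("LAN out via Mullvad", LAN_NET, ANY, "Mullvad_WG_GW")
# The commenter's fix: local destinations keep the default gateway, placed ABOVE the VPN rule.
LOCAL_FIRST = Rule("LAN to local networks", LAN_NET, RFC_RANGES, "default")
# Extra rule (my addition): keep Mullvad's DNS address on the tunnel even though it is in 10/8.
DNS_VIA_TUNNEL = Rule("Mullvad DNS via tunnel", LAN_NET, MULLVAD_DNS, "Mullvad_WG_GW")

VIDEO_ORDER = [VPN_POLICY]                         # no local rule at all
WRONG_ORDER = [VPN_POLICY, LOCAL_FIRST]            # local rule present but below the VPN rule
RIGHT_ORDER = [LOCAL_FIRST, VPN_POLICY]            # the commenter's ordering
FULL_ORDER = [DNS_VIA_TUNNEL, LOCAL_FIRST, VPN_POLICY]

if __name__ == "__main__":
    for label, ruleset in (("video", VIDEO_ORDER), ("wrong", WRONG_ORDER),
                           ("right", RIGHT_ORDER), ("full", FULL_ORDER)):
        for dst in ("192.168.20.7", "10.64.0.1", "1.1.1.1"):
            print(f"{label:5} 192.168.10.50 -> {dst:13}: {route(ruleset, '192.168.10.50', dst)}")
```

In the GUI this is simply the order on the LAN rules tab: the 10.64.0.1/32 rule with the VPN gateway first, the rfcranges rule with Gateway "default" second, the catch-all VPN rule last. The "default" gateway on the local rule lets a packet for the other VLAN follow the routing table to that VLAN's interface, which is what restores the inter-VLAN traffic lost in the AdGuard question; the DNS redirect to AdGuard is a separate NAT rule and is unaffected by this ordering.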