pfSense WireGuard Guide Series 001 - Mullvad Failover

Captions
Hello, Christian here with another pfSense WireGuard video. In this video series I want to spend some time talking about actually using the package in different use cases, and in this first video I want to talk about configuring pfSense to use Mullvad WireGuard tunnels. Now, this particular video is going to strictly apply to Mullvad, but because WireGuard configurations are so minimal and simplistic, this really should apply to any privacy VPN provider that's providing you with WireGuard-compatible configuration files. So this should work for other providers; I'm just testing against Mullvad because that's currently the subscription that I have and the provider that I've been testing with up until this point. So we're going to talk about how to set this up, and something else that I'm also going to demonstrate, which is totally optional but something that I always think about when I set up networks and connections, is failover. pfSense has a really rich set of features that allow for failover in different scenarios, and we can actually use these capabilities to provide redundancy to our connection to Mullvad, or any other VPN provider, or even a mix of VPN providers. So I'm only going to be demonstrating with Mullvad, but in this video I'm also going to show you how to set up multiple tunnels to multiple geographic locations across Mullvad's network and actually be able to load balance your local traffic between those different exit locations, so that if one exit location goes down you can seamlessly fail over to a backup location, or even round-robin between them in kind of a round-robin load balancing type setup. So that's going to be the agenda for this video.

The first thing we need to do is jump over to your Mullvad account. Now, the way that Mullvad creates configuration files is based on a private/public key pair. So if we wanted to, say, set up two tunnels, one for us4 and one for us177 (that would be Chicago for us4 and Seattle, Washington for us177), we actually need to create two unique key pairs, and the reason for that is because Mullvad creates a unique tunnel address for each private key. If you tried to use the same key pair for both of your locations, you're eventually going to get to a step where pfSense is like, "wait a minute, you're trying to assign the same address to two interfaces," and that's obviously not going to work. So we're going to start off by creating two different keys. I clicked on "generate key" twice, so I have two unique private/public key pairs, and we're going to start with this first one here and export the first configuration that we want. Again, I'm going to go with United States, Chicago, and the us4 WireGuard server, click "download file", and open that up. Then I'm going to choose Seattle, Washington, choose 177, click "download file" again, and open those up. And what you should see... actually, scratch that, this is a good demonstration of the issue. If I open up both of these files you're going to see that the local address is the same; in this case it's 10.67.164.81 in both. So I need to go in and change the private key that I'm using on one of these. I'm going to close down us177, go back to Mullvad, use the second key, and then download the file for us177. When I do that and open up both of these configurations, you can see that the IP address is now different: us177 is 10.67.237.243 and us4 is 10.67.164.81. So if these two (or three, it doesn't really matter, and I'm only setting up two in this particular video) addresses were the same, then the step that you skipped was changing which private/public key pair you were using when you were exporting those configurations. In this case I have two tunnels, two Mullvad exit locations, both with their own unique private/public key pair and their own unique address, so everything should be good there.

So let's jump back over to pfSense, VPN, WireGuard. Now, I already have a tunnel here; this is my remote access tunnel. You can more or less equate this with my LAN; this is the tunnel that I come in on via my laptop and my cell phone for testing and sort of eating my own dog food with the package. So just ignore that. We're going to create two tunnels, one for the us4 Mullvad exit location and one for the us177 exit location. We'll click "add tunnel", type in "mullvad us4", grab the private key from the config for us4, and paste that in, and you can see that it automatically computed the public key. Just as a clarity check, if you take this key and copy it, you should be able to find that public key back over on the Mullvad website. That's just to check that, yes, the keys were generated, and when you took that private key and stuck it into the pfSense WireGuard package, the public key that it computed was the public key that Mullvad was expecting it to be as well. So again, I just took that public key as computed by pfSense and compared it with the key that was computed by Mullvad, and they're the same. Other than that, that's pretty much all that I have to do, because we're going to be routing traffic over these Mullvad tunnels; I don't need to assign addresses here. We're going to assign the interface addresses in the pfSense UI, not in the WireGuard UI. So we'll click "save" and rinse and repeat for the us4 exit locations: "mullvad us177", grab the private key for that particular location, and again, just to confirm that the public key that WireGuard on pfSense computed is the same as what Mullvad is computing, we can just copy and search for that, and there it is. So that is the right key, and we'll click "save".

Let's create our peers. We'll click on "add peer", and the first one will be for us4; we'll call it "mullvad us4". This is not a dynamic endpoint, this is a static endpoint, so we'll grab that endpoint from the config file and copy and paste that, and I'm going to type in the port specifically. We'll give it a keepalive of 30 seconds (doesn't really matter), grab the public key for us4, paste that in, and then allow all IPv4 and allow all IPv6, and click "save". We'll also create the peer up here for the us177 Mullvad tunnel: "mullvad us177", grab the endpoint from the config file, which is 198.54.131.82, endpoint port 51820, keepalive of 30, and our public key we'll grab from the 177 file and paste that in. We'll do the same thing, allow all IPv4 and all IPv6, and click "save" and "apply". Now at this point we should have two tunnels and we should be handshaking. They don't have addresses, but at least on the WireGuard side of things we should see handshakes going on between us and Mullvad, and you can see that that currently works. So that's a good sign; that means that the crypto is working, our keys were right, and now we're ready to pass traffic.

So let's go back to the tunnels here and assign these WireGuard tunnels to pfSense interfaces. We'll click on Interfaces, Assignments, assign tun_wg1 and tun_wg2, and click "save". The first one here is actually assigned to the LAN interface on pfSense; it doesn't really matter, but that's just how it worked in my case. We'll call this "mullvad_us4" and give it a static IPv4 and a static IPv6. Now, this is where things get a little confusing, because we do need a gateway: we do need to route traffic, we do need to policy-based route and send traffic down this tunnel, but the interface address that Mullvad is giving to us is a /32 and a /128. These are host addresses, and what that means is the gateway address is going to be the same address as the local side of the tunnel; in this case, for us4, it's 10.67.164.81. What that means is, from the pfSense perspective of the tunnel, the gateway is always going to be online. Now, obviously for load balancing a gateway that's always online is useless, so we're going to have to tweak dpinger and the gateway monitoring to actually monitor an IP address that will give us useful metrics on latency and packet loss and whatnot. But out of the box, when you use a gateway address that is the local address, that interface is always going to be up if the WireGuard tunnel is up, so there's no real way to use that out of the box to make any kind of decision on, you know, should I send traffic to us4 in Chicago or should I send traffic to us177 in Seattle. So we're going to tweak that a little bit, but we can do it.

So we'll grab that address for us4 and paste that in; again, it's a /32 host address. For the upstream gateway we'll add a new gateway and call this "mullvad us4 gateway", type that in there, and click "add". For v6 we'll do the same thing: grab the v6 address and throw that into pfSense, and for the upstream v6 gateway we'll just type in "mullvad us177 gw6" for v6 and click "add". Oh, actually, one more thing, and your mileage may vary with this: I'm going to clamp my MSS to 1380, which in pfSense means typing 1420 into the MSS field, and I'm also going to set the MTU to 1420 as well. This shouldn't strictly be required, but this is still sort of a point of discussion with WireGuard, so I would go ahead and just type in 1420 for both the MTU and the MSS. That sort of eliminates any potential fragmentation that you might encounter, and it might give you better throughput, because now you're not having to deal with the fragmentation. So I'm going to use 1420 for both the MTU and the MSS field in pfSense, which actually clamps at 40 minus that for IPv4 and 60 minus that for v6. So we'll just type in 1420 for both of those, click "save", click "apply", and let pfSense apply that.

I think I remember seeing that I had actually left some old gateway definitions here, so I'm going to delete those; I was creating some gateways that I was testing with earlier. Okay, so we have our gateway for... oh whoops, I actually named the v6 tunnel the wrong name. Let me delete that and recreate it. Go back to us4 and let me recreate this: this should be "mullvad us4 gateway", and the address here was this address right there. Okay, nope, and that should be... shoot, the name of that's wrong; "mullvad us4 gateway6", make that very clear there. So okay, click "save" and "apply". Sorry about that, let me clean that up really quick. Yeah, okay, so I have a v4 gateway and a v6 gateway for us4, and again, these addresses were the addresses that I pulled from that configuration file.

So let's create the second one for us177. We'll go into OPT1 and say "mullvad_us177", give it a static v4 and a static v6 address, and again, we're just going to grab the addresses from our configuration files. So /32, we'll add a gateway, and this is going to be "mullvad us177 gateway", and that's our gateway address (oops, can't type today), click "add". Then we'll do the same thing for v6: paste that in, add a new gateway, say "mullvad us177 gw6", paste, and click "add". We're also going to set an MTU of 1420 and clamp our MSS, and click "save" and "apply". All right, at this point we should have four gateways: one v4 and one v6 for each of us4 and us177.

Now, remember when I said that these gateways are going to more or less be useless because they are the local interface? These gateways will never go down in a normal situation; even if the remote side is not responding, these gateways will still appear to be online. So in order to take advantage of the gateway monitoring and dpinger, we actually need to give these gateways a remote address that is useful. If you notice, all the ping times on the Mullvad gateways are really low, again because these are the local addresses of the local side of the tunnel. So in order to make this information useful, and so that dpinger can actually make useful decisions in terms of marking these up or down, we're going to go back to Routing and add monitoring IP addresses to these gateways that are useful. Now, you might have a list of public endpoints that you like to use for monitoring different circuits and whatnot; in this case I'm just going to use Google's public DNS endpoints. Just to give you an idea of what's going on here, again, notice that all of these ping times are really low, less than half a millisecond. Obviously this is just hitting a local interface, so it should be very low, but just keep that in mind, because when we add these monitor addresses these are going to look more like actual things that you would experience over the internet. So if we go back to Routing, for the us4 IPv4 monitor address we'll just do 8.8.8.8 and click "save", and then for the v4 for us177 we'll do 8.8.4.4 and click "save". Then for the v6 side of things we're going to go with the Google v6 DNS server, and we'll do the same thing for us177, and this will be the ...8844 one, and we'll click "save" and "apply". Now this is going to restart dpinger; it's going to rebuild those monitors, and notice that now we have pings that make more sense: two milliseconds, 74, 65, 70 milliseconds for us177. So these numbers make sense; we are actually sending some traffic out these tunnels, and dpinger is now going to respond accordingly. So if something were to happen on the remote end and that particular tunnel was to go down, dpinger would actually have enough information to make a decision as to marking that particular tunnel up or down.

So the next thing we want to do is create a gateway group. We'll go back to System, Routing, Gateway Groups, click "add", and call this "mullvad lb4" for v4. We'll click on the mullvad us4 gateway and the mullvad us177 gateway, assign both of those to tier 1, and for the trigger level we'll just do "packet loss or high latency"; that'll work just fine. Click "save" and "apply". Now we need to do the same thing for v6. We'll just duplicate that... actually, is that going to work? I might need to create a new one, because we want these to be v6. Okay, so we'll do tier 1 for both us4 v6 and us177 v6, call this "mullvad lb6" for load balance v6, do the same trigger level of packet loss and high latency, and click "save" and "apply". Now if we go to Status, Gateways, Gateway Groups, you can see that both of these are online. So in theory, if we policy route traffic to either lb4 or lb6, it should just load balance between the two.

So let's go back to our firewall rules and create these policy routes. Remember when I said at the beginning of the video that my remote access tunnel is what I actually use for coming in on? So it's the 10.115.1 /24 and the fd9a dooblydoo 1 /64 networks; that's what I'm actually going to policy route. I'm going to go back to Firewall, Rules, under WireGuard. I already have two rules, one for IPv4 and one for IPv6, and what I'm going to do is just create those gateways. I'll click on "edit" here, and any traffic coming in from my remote access v4 we're going to send out the v4 Mullvad load balance gateway group, and we'll do the same thing for v6 and click "save". Now we are policy routing: anything coming in from 10.115.0 /24 is going to policy route out the v4 Mullvad gateway, and anything coming in from fd9a /64 is going to leave using the mullvad lb6 gateway group. Other than that, I've just got pass-all rules there, and the only thing left to do would be the NAT stuff. There's a couple of ways that we could do this; we could just create four different entries. I'm actually going to create another gateway group, not the WireGuard group, but a group called "mullvad", and this is going to be mullvad us4 and mullvad us177. We'll call this "mullvad" and click "save", and I'm going to use this to apply the NAT rules all in batch. So we'll go back to Firewall, NAT, Outbound, and create a new mapping. Make sure we're on hybrid outbound NAT, click "add", and for the interface I'm going to choose "mullvad". We'll do the v4 stuff first, so we want to say 10.01.15.0 /24, interface address, click "save". Then we need to do the same thing for v6, so I'm just going to duplicate that: "mullvad", "v6", and for the v6 we'll do fd9a /64, click "save", and then click "apply".

That should in theory be all that we need to do in order to load balance between two different exit locations with Mullvad. So before we test this, let's take a look at what my current v4 address is: Comcastic, cool, so that works. Let's turn on my WireGuard tunnel and see if things are working. We'll let this stabilize for a second and then go back to ipchicken and refresh, and you can see that our IP address has changed, so we're now riding over one of the Mullvad tunnels. Now, I'm not really sure exactly which one this is, but we can do some experimentation. Let's actually demonstrate the failover. In order to simulate a failover, I'm just going to come in here and knock out us177 by taking that interface offline, click "apply", and let's refresh and see if that address changes. It might take a second for dpinger to respond and mark the gateway as down. So yeah, I was coming in on 177, and notice that I just disabled that interface and now my address has changed, and now I'm riding over us4. Just as a clarity check, let's go back to us4, disable us4, click "save" and "apply", and now both of my Mullvad gateways should be offline. If we go back to Status, Gateways, Gateway Groups, again, both us4 and us177 are off, and if I refresh I'm not going to get any response. We can go back to pfSense, go to us177, enable it, click "save" and "apply", and that should bring up the 177 gateway and restart dpinger, and again, yep, that gateway is up, and if I refresh ipchicken you can see that now I'm riding over us177. I can go back to Interfaces, us4, enable us4, click "save" and "apply", and now both the us4 and the us177 exit locations should be online.

So that's pretty much it. I thought this was kind of cool; this is a way that you can add multiple Mullvad exit locations to your pfSense setup so that you're not relying on just one. If one Mullvad location has an issue, you can easily and seamlessly fail over between them. If you enjoyed this video, make sure to hit the like button and comment below. I've got links to everything that you might need in the description below: a link to my GitHub page, a link to Reddit pfSense, the Netgate forums, and other stuff too. If you're interested in supporting this project, there's also links to PayPal and GitHub Sponsors. And yeah, if you have comments, questions, or concerns, please feel free to like, comment, and post below. Otherwise we'll see you in the next video.
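Two of the checks the walkthrough does by eye in the Mullvad web UI (two exports sharing the same tunnel Address because the same key pair was reused, and the pfSense-computed public key matching the one the provider lists) can be scripted before any tunnel is created. The following is an added example, not code from the video or from the pfSense WireGuard package. It derives public keys with a pure-Python X25519 (RFC 7748) so it runs offline; the key material is the RFC 7748 test vector, the config texts are constructed to mimic a provider export, and the server public key and us4 endpoint are placeholders (the us177 endpoint and the two tunnel addresses are the ones shown in the video).

```python
"""Pre-flight checks for provider-exported WireGuard .conf files (added example).

Not code from the video or from the pfSense WireGuard package. It automates two checks
done by hand in the walkthrough before assigning tunnels to pfSense interfaces:
  1. two configs exported with the same key pair carry the same [Interface] Address,
     and pfSense will not assign one address to two interfaces;
  2. the public key derived from PrivateKey must match the one the provider lists.
Keys are the RFC 7748 section 6.1 test vectors; the configs are constructed samples.
"""
import base64
from typing import Dict, List

P = 2**255 - 19
A24 = 121665


def _clamp(k: bytes) -> int:
    """Decode a 32-byte scalar with RFC 7748 clamping."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: int = 9) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; u=9 turns a private key into a public key."""
    k = _clamp(scalar)
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da = (x_3 - z_3) * a % P
        cb = (x_3 + z_3) * b % P
        x_3 = pow(da + cb, 2, P)
        z_3 = x_1 * pow(da - cb, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    if swap:
        x_2, z_2 = x_3, z_3
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def public_key_from_private(private_b64: str) -> str:
    """The same derivation pfSense performs when a private key is pasted into a tunnel."""
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()


def parse_wg_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: {section: {key: value}}; '#' comments are dropped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # base64 '=' padding stays in the value
            sections[current][key.strip()] = value.strip()
    return sections


def find_duplicate_addresses(confs: Dict[str, str]) -> List[str]:
    """Report tunnels whose [Interface] Address is already used by another tunnel."""
    seen: Dict[str, str] = {}
    problems: List[str] = []
    for name, text in confs.items():
        for addr in parse_wg_conf(text)["Interface"]["Address"].split(","):
            addr = addr.strip()
            if addr in seen:
                problems.append(f"{name}: address {addr} already used by {seen[addr]}")
            else:
                seen[addr] = name
    return problems


def check_public_keys(confs: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """True per tunnel when the key derived from PrivateKey equals the provider-listed key."""
    return {name: public_key_from_private(parse_wg_conf(text)["Interface"]["PrivateKey"])
            == expected[name] for name, text in confs.items()}


# Constructed sample keys (RFC 7748 test vectors), not real provider keys.
KEY_A_PRIV = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
KEY_A_PUB = base64.b64encode(bytes.fromhex(
    "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()
KEY_B_PRIV = base64.b64encode(bytes.fromhex(
    "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
US4_ADDR, US177_ADDR = "10.67.164.81/32", "10.67.237.243/32"  # tunnel addresses from the video


def make_conf(private_key: str, address: str, endpoint: str) -> str:
    """Constructed text in the shape of a provider export; the server key is a placeholder."""
    return (f"[Interface]\nPrivateKey = {private_key}\nAddress = {address}\n\n"
            f"[Peer]\nPublicKey = <server-public-key-placeholder>\n"
            f"AllowedIPs = 0.0.0.0/0,::0/0\nEndpoint = {endpoint}\n")


def build_configs(us177_private_key: str) -> Dict[str, str]:
    """Two exports; reusing the us4 key for us177 reproduces the same-address problem."""
    us177_addr = US4_ADDR if us177_private_key == KEY_A_PRIV else US177_ADDR
    return {"mullvad_us4": make_conf(KEY_A_PRIV, US4_ADDR, "<us4-endpoint-placeholder>:51820"),
            "mullvad_us177": make_conf(us177_private_key, us177_addr, "198.54.131.82:51820")}


if __name__ == "__main__":
    print(find_duplicate_addresses(build_configs(KEY_A_PRIV)))  # same key twice: collision
    print(find_duplicate_addresses(build_configs(KEY_B_PRIV)))  # distinct keys: []
    print(check_public_keys(build_configs(KEY_B_PRIV),
                            {"mullvad_us4": KEY_A_PUB, "mullvad_us177": KEY_A_PUB}))
```

Run against real exports by reading each `.conf` into the `confs` dictionary and filling `expected` from the public keys shown on the provider's key page; a `False` in the second check means the private key pasted does not belong to the key pair the provider registered, and any line from the first check means one export needs to be regenerated with a different key before pfSense will accept both interface addresses.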
Info
Channel: Christian McDonald
Views: 22,028
Keywords: pfsense, wireguard, guide, tutorial, mullvad, vpn
Id: wYe7FzZ_0X8
Length: 28min 32sec (1712 seconds)
Published: Tue Jun 08 2021