Mullvad is paid, so for testing I would suggest using Protonvpn.
Protonvpn has been pretested
-configuration files imported without errors
-connection between IPFire and Protonvpn works.
For testing, the free plan is sufficient.
Sorry I havenāt been feeling well lately. Iāve been feeling burned out and overwhelmed from trying to get Wireguard to work (spent over a week of constant stress trying to get it to work.) when I couldāve went with the more standard easier trivial options such as Tailscale as most of the Wireguard configuration on routers (such as OpenWRT, OPNSense, even IPFire that I am using currently, etcā¦) seems to be more of for network enthusiasts that have the ability, money, time, resources and the means to expose a port when I clearly donāt have that capability at home. (Still 17 in high school.)
Not to mention I tried reinstalling IPFire and doing all the steps all over again but I could never get it to work. It seems that it keeps resulting in the same looping error message again and again. I will have to turn to using Tailscale as most of the Wireguard configurations of configuring on IPFire seems to be riddled with unexplainable errors. Maybe in the future IPFire will get better and finally address this issue. But for now, this issue will still currently remain unresolved* till this day.
(Sorry I need to take a break, itās really starting to have a huge toll on my mental health.)
During the break you could review the following information. 
Regards
Just to be clear, there are many users on here who are not having issues. Iāve been using IPFire for close to 15 years and it has been the easiest open source firewall Iāve worked with. Wireguard works for many on here, as well as myself. Iāve only used it in āroadwarriorā mode but it was pretty painless to set up and get working. I wish you the best and I hope your break will yield fruit moving forward.
I have been trying a similar case like yours, that is, to set up a wireguard tunnel to a another wireguard peer and route all Blue and/or Green traffic via the tunnel.
Ipfire uses a Dual Mode System:
-
Host-to-Net for client VPN connections
- this is your normal Roadwarrior setup, ipfire acting like your VPN provider, issuing wg configuration files for clients to remotely connect to your local network
- Here you expect the
[Interface]to contain values forLocalAddressandDNS
-
Net-to-Net for site-to-site connections
- this is about enabling point to point traffic (neither is a client, joined up networks) hence the wg configuration file produced by ipfire is for setting up the other endpoint.
- Here the
[interface]has only theprivate keyfor the other end-point (since ipfires has its public key). There is no need here forLocalAddressorDNS
So using a wg config created for Host-to-Net (this is what your VPN provider or VPN Server produces), on a Net-to-Net configuration will result in what you are experiencing, wireguard connection not getting activated or nothing routed through.
To activate a Net-to-Net connection from a RW-like config you have to
- under console, open
/var/ipfire/wireguard/peer, find the line that hasnettype, and append at the end theLocalAddressi.e....,25,10.5.0.2/32- when RW config is imported it seems that the
LocalAddressis not persisted hence needs to be added manually (@ms is this an issue or expected behaviour ?)
- when RW config is imported it seems that the
This will result in
- wireguard peer connection gets activated
wg{id}gets assigned your designated VPN client IP- Masquerading is setup over
wg{id}(WGNAT) - routes & rules are setup
DANGER any unsolicited packet on wg{id}is allowed from0.0.0.0/0ālocal routes(via WGBLOCK, WGINPUT)
At this point from the ipfire console you can do the below which shows the tunnel is up and running
# ip addr show | grep wg
54: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
57: wg3: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.5.0.2/32 scope global wg3
# curl --interface wg3 https://ipinfo.io/ip
156.167.93.133
However, at this point green0 and blue0 traffic are not forwarded
Need to investigate further both green and blue traffic everything gets dropped.
PS: This is what the wireguard init.d script performs which could be replicated for setting up the VPN tunnel
For road warrior interface (wg0):
Sets private key and listen port from global settings
Adds client pool to routing table
For each enabled host-type peer, adds a [Peer] section with public key, preshared key (if set), and allowed IPs
For network-to-network interfaces (wg{id}):
Sets interface alias to connection name
Assigns local IP address if specified
Configures NAT with iptables
Creates [Interface] section with private key and listen port
Creates [Peer] section with public key, endpoint, allowed IPs, and keepalive settings
Sets up routing for remote subnets
Adds firewall rules to allow traffic between local and remote subnets
I have spent some time looking into this and concluded that
- It is unsafe to meddle with Roadwarrior-type profiles on Net-2-Net configuration as this can open your network to unsolicited internet traffic.
- Selectively tunneling a local subnet over VPN is a use case in itself, and is not supported by the current IPFire WireGuard design
To summarise the goal, we are looking for a way to have
- Traffic from the Blue Zone (192.168.2.0/24) exit to the internet via the VPN tunnel.
- Traffic from the Green Zone (192.168.1.0/24) and the firewall itself use the primary WAN connection.
- Local services on the firewall (DNS, DHCP) must remain accessible to all internal clients.
Therefore a solution should
- Read the VPN providerās Wireguard config file
- Set up the
wginterface and gets the tunnel activated - Set up the routing and routing policies,
- in my case
blue0āwgāVPN serverāinet
- in my case
- Set up the NAT & Forward policies, while preserving the security of ipfire
I have put a more detail explanation on why net-2-net wonāt work along with the script that can get your subnet tunneled over VPN to
- your Wireguard Server
- your VPN service provider
The solution aims to remain within the bounds of ipfireās current design/architecture, therefore it can be adjusted so we can take advantage of ipfireās Firewall WebUI to create rules for toggling VPN tunnelling on/off across a subnet of our preference.