Greetings All,
Will IPFire include more information / set-up directions when we have the next update? I am currently on the testing 195 update; but cannot seem to make wireguard work on the firewall. I would not be surprised if it is a routing issue. Nevertheless, there is some sort of configuration issue(s) that I am missing, so my hope is better WUI info.
If anyone has wireguard working (especially with ProtonVPN), I would love to chat.
Probably ProtonVPN customer service would be the best place for find resources.
If I may ask… with just one wireguard connection, should two interfaces get created - named wg0 and wg1 (with the wg1 interface having the 10.2.0.2 IP address)?
Sorry for what are probably silly questions, but my mind is not as it once was (injury/medical issues).
If you have only got one connection defined and enabled on the WireGuard WUI page then there should only be on wg interface as far as I am aware.
On one of my systems with only a single WireGuard RW defined then I only have wg0
On another system I have one RW and one N2N connection defined.
On that system I have wg0 and wg2.
I think that is because I used to have another connection defined and then later deleted it.
If I disable the N2N connection on the WireGuard WUI screen then only the wg0 interface remains and vice versa.
All of my experience is with WireGuard clients connecting via RW or N2N WireGuard connections with both ends being IPFire.
I don’t have any experience at all using VPN services.
Hi William.
The wg0 interface is used for Roadwarrior configs. Any additional connections you have will use wg1, wg2 etc, in the order they are created.
There was also another patch added for WireGuard yesterday which should fix the issues of adding a ProtonVPN conf file. I think this should go into testing before CU195 is released.
Thanks,
A G
Thank you, both of you, for the information - which is bound to help me resolve my issue(s). I appreciate it.
@ag
I did tests on a virtual machine.
After your post, I upgraded IPFire to
Core-Update 195 Development Build: master/baa22ec7
After importing the Protonvpn configuration file, the status connected appeared 
There were connection problems with the earlier version of the CU195.
Regards
Interesting, I will try to get it. I am currently on CU 195 Development Build: master/1e50e6e7.
It works for me too. I just need to figure out where to put the dns info - does not seem to work, even though the ProtonVPN config file has it.
You’re best off manually adding Proton’s DNS servers in the machine/s you want to go through the VPN tunnel. That way as soon as the tunnel is up it uses Proton’s DNS servers.
Thanks,
A G
Thank you Adam.
I want to thank everyone for the suggestions and information. It did help. Now, I have an issue where the green0 network has access to the Internet via the VPN, but I cannot seem to do anything to get the blue0 network devices to utilize the VPN - instead, they just lose contact with the Internet in general. I feel that there must be a routing/firewall rule/interaction/etc causing the problem.
As a datapoint for others:
My firewall is a router-style mini pc with six Intel 226 NICs, an Intel N-305 process, and 16 gigabytes of RAM. Running a speedtest (from a Fedora 42 PC on the green0 net) to Comcast (Chicago) that goes through the ProtonVPN to one of their (Proton) node’s in Chicago, I get right at 690Mbits - which is in line with my 600Mbit plan. So, I am getting my full bandwidth with wireguard. And if memory servers, around 20% cpu utilization.
Cheers,
Scott
Hi
Please can you share more information about your setup? Things like firewall rules, the routing (local and remote subnets) you have setup in the WireGuard peer and other general information about your setup.
Thanks,
A G
Adam, I use the red, green, and blue networks. The red0 is attached to my Comcast cable modem which is in bridge mode (has been since day one, and just verified again by me). The blue0 network is attached to an older Asus RT-AC5300 wifi router set in AP mode - running 2.4GHz and one of the 5GHz radios for several phones, tablets, rokus, and the like. Finally, the green0 network is attached to a Netgear MS510TXUP switch - with only two PCs connected. The green0 network is at 192.168.64.0/24, and the blue0 network is utilizing the 192.168.128.0/24 address space.
As far as rules are concerned… I used to block all Outgoing Firewall Access, but it became too much of a pain, so I everntually set it to the recommended Allow policy - no extra rules. The Incoming Firewall Acces has always been set to the Blocked policy. And the Firewall Rules are: green > internet (allowed), blue (allowed); blue > internet (allowed), green (blocked); Policy: Allowed. Also, I have set the blue network to not filter by MAC addresses.
I hope this helps. Please let me know if any additional information is needed. Any and all help is appreciated.
I did some simple tests.
On a test virtual machine, I created the address of the above GREEN, BLUE networks.
I added a GREEN and BLUE subnets to the Wireguard configuration.
Without activating the Wireguard connection, I did some pings.
After activating the Wireguard connection, I did some pings.
I added a rule to the firewall analogous to “Creating a Blue to Green Pinhole”
Maybe this is a little hint
Well, that appears to work. I had originally tried something similar, but was probably blocked by other issues. I guess that I am misunderstanding a mechanic here, but why can the green network access the vpn without a similar rule?
Also, thank you for your help.
Regarding the Proton VPN configuration item mentions, which Wireguard configuration is that - there are several, including one for Linux and another for Router. Which configuration file? I sampled the Linux and the Green connection started but there was no connection to the internet. Then it automatically Disconnected and has not connected since. It is a new core 195 and there are as of yet no Firewall Rules.
Ken,
I utilized the “Router” configuration generated file from Proton.
However, I went ahead and updated to the new Stable code base (195), and I am back to a non-working condition. I am going to try to re-base back on the testing branch mentioned above (that did work for me).
You can simply select testing from the Pakfire menu but at this point the software is exactly the same.
Hello Michael,
I suspected as much - which is why I have not tried it yet. However, I did remove all three VPN configurations that I had (2 secure core and 1 US server closest to me). I had saved the config files so I recreated the three tunnels, but had no joy. Tunnels never shows the “Connected” green message - and no routing whatsoever (even from the ipfire box itsself).
