Will IPFire include more information / set-up directions when we have the next update? I am currently on the testing 195 update; but cannot seem to make wireguard work on the firewall. I would not be surprised if it is a routing issue. Nevertheless, there is some sort of configuration issue(s) that I am missing, so my hope is better WUI info.
If anyone has wireguard working (especially with ProtonVPN), I would love to chat.
If I may ask… with just one wireguard connection, should two interfaces get created - named wg0 and wg1 (with the wg1 interface having the 10.2.0.2 IP address)?
Sorry for what are probably silly questions, but my mind is not as it once was (injury/medical issues).
If you have only got one connection defined and enabled on the WireGuard WUI page then there should only be one wg interface as far as I am aware.
On one of my systems with only a single WireGuard RW defined I only have wg0.
On another system I have one RW and one N2N connection defined.
On that system I have wg0 and wg2.
I think that is because I used to have another connection defined and then later deleted it.
If I disable the N2N connection on the WireGuard WUI screen then only the wg0 interface remains and vice versa.
All of my experience is with WireGuard clients connecting via RW or N2N WireGuard connections with both ends being IPFire.
I don’t have any experience at all using VPN services.
The wg0 interface is used for Roadwarrior configs. Any additional connections you have will use wg1, wg2 etc, in the order they are created.
There was also another patch added for WireGuard yesterday which should fix the issues of adding a ProtonVPN conf file. I think this should go into testing before CU195 is released.
You’re best off manually adding Proton’s DNS servers in the machine/s you want to go through the VPN tunnel. That way as soon as the tunnel is up it uses Proton’s DNS servers.
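An added example (not code from the thread or from IPFire): a small parser for a WireGuard client .conf of the kind Proton generates, which lists the fields to carry into the WUI and pulls out the DNS servers that, as the post above says, have to be set by hand on the LAN hosts. The sample conf, its keys and its endpoint are constructed placeholders; only the 10.2.0.x layout follows the thread.

```python
"""Parse a WireGuard client .conf and summarise what an IPFire import needs.

Added example, not part of the forum thread or of IPFire itself.
"""
import ipaddress

# Constructed sample in Proton's "Router" layout; keys/endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
# Key for ipfire-router (placeholder)
PrivateKey = <PLACEHOLDER_PRIVATE_KEY>
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = <PLACEHOLDER_PEER_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820
"""

def parse_wg_conf(text):
    """Return {section: {key: value}} with lower-cased names; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def tunnel_summary(conf):
    """List missing required fields, the DNS servers to configure on hosts,
    and whether those servers are reachable through the tunnel's AllowedIPs."""
    iface, peer = conf.get("interface", {}), conf.get("peer", {})
    required = [("interface", "privatekey"), ("interface", "address"),
                ("peer", "publickey"), ("peer", "endpoint"), ("peer", "allowedips")]
    missing = [f"{s}.{k}" for s, k in required if k not in conf.get(s, {})]
    allowed = [ipaddress.ip_network(n.strip()) for n in peer.get("allowedips", "").split(",") if n.strip()]
    dns = [ipaddress.ip_address(d.strip()) for d in iface.get("dns", "").split(",") if d.strip()]
    dns_via_tunnel = bool(dns) and all(any(d in n for n in allowed) for d in dns)
    full_tunnel = any(n.prefixlen == 0 for n in allowed)  # 0.0.0.0/0 routes everything
    return {"missing": missing, "dns": [str(d) for d in dns],
            "dns_via_tunnel": dns_via_tunnel, "full_tunnel": full_tunnel,
            "endpoint": peer.get("endpoint")}
```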
I want to thank everyone for the suggestions and information. It did help. Now, I have an issue where the green0 network has access to the Internet via the VPN, but I cannot seem to do anything to get the blue0 network devices to utilize the VPN - instead, they just lose contact with the Internet in general. I feel that there must be a routing/firewall rule/interaction/etc causing the problem.
As a datapoint for others:
My firewall is a router-style mini PC with six Intel 226 NICs, an Intel N-305 processor, and 16 gigabytes of RAM. Running a speedtest (from a Fedora 42 PC on the green0 net) to Comcast (Chicago) that goes through the ProtonVPN to one of their (Proton) nodes in Chicago, I get right at 690 Mbit/s, which is in line with my 600 Mbit plan. So, I am getting my full bandwidth with WireGuard. And if memory serves, around 20% CPU utilization.
Please can you share more information about your setup? Things like firewall rules, the routing (local and remote subnets) you have setup in the WireGuard peer and other general information about your setup.
Adam, I use the red, green, and blue networks. The red0 is attached to my Comcast cable modem which is in bridge mode (has been since day one, and just verified again by me). The blue0 network is attached to an older Asus RT-AC5300 wifi router set in AP mode - running 2.4GHz and one of the 5GHz radios for several phones, tablets, rokus, and the like. Finally, the green0 network is attached to a Netgear MS510TXUP switch - with only two PCs connected. The green0 network is at 192.168.64.0/24, and the blue0 network is utilizing the 192.168.128.0/24 address space.
As far as rules are concerned… I used to block all Outgoing Firewall Access, but it became too much of a pain, so I eventually set it to the recommended Allow policy with no extra rules. The Incoming Firewall Access has always been set to the Blocked policy. And the Firewall Rules are: green > internet (allowed), blue (allowed); blue > internet (allowed), green (blocked); Policy: Allowed. Also, I have set the blue network to not filter by MAC addresses.
I hope this helps. Please let me know if any additional information is needed. Any and all help is appreciated.
Well, that appears to work. I had originally tried something similar, but was probably blocked by other issues. I guess that I am misunderstanding a mechanic here, but why can the green network access the vpn without a similar rule?
Regarding the Proton VPN configuration item mentioned, which WireGuard configuration is that? There are several, including one for Linux and another for Router. Which configuration file? I sampled the Linux one and the Green connection started, but there was no connection to the internet. Then it automatically disconnected and has not connected since. It is a new Core 195 and there are as of yet no Firewall Rules.
I utilized the “Router” configuration generated file from Proton.
However, I went ahead and updated to the new Stable code base (195), and I am back to a non-working condition. I am going to try to re-base back on the testing branch mentioned above (that did work for me).
I suspected as much, which is why I have not tried it yet. However, I did remove all three VPN configurations that I had (2 Secure Core and 1 US server closest to me). I had saved the config files so I recreated the three tunnels, but had no joy. The tunnels never show the “Connected” green message, and there is no routing whatsoever (even from the IPFire box itself).