WG with 23.05 and ProtonVPN
-
After updating a Netgate minnow from 23.01 > 23.05 I decided to try Wireguard with ProtonVPN. So I 'Factory Defaulted' the minnow, installed WG pkg and followed the "WireGuard VPN Client Configuration Example" Documentation.
Here's the ProtonVPN detail for a Router:
[Interface]
# Key for bmrr
# Bouncing = 1
# NetShield = 1
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = <snip>
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# US-VA#39
PublicKey = <snip>
AllowedIPs = 0.0.0.0/0
Endpoint = 154.47.22.65:51820
First snag occurred with the 'Confirm Handshakes' step: there was no 'Show Peers' button. Moving on, I changed the default gateway to "WAN_DHCP" then noted there was no "tun_wg<number>" in available ports, just igb0 and igb1.
I will try again from Factory Default but seek comment on where I am going wrong.
Thanks,
Onecut
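Added example, not part of the original thread and not Netgate's or ProtonVPN's code: a parser for the config layout posted above that separates the peer values from the wg-quick-only lines (Address, DNS), which WireGuard itself does not consume and which have to be configured on the host or router by other means. The function names and the sample's placeholder keys are assumptions.

```python
import base64
import ipaddress

# Constructed sample in the layout the post shows; the keys are placeholders
# (32 bytes of 0x00 and of 0x01), not real ProtonVPN keys.
_K0, _K1 = (base64.b64encode(bytes([b]) * 32).decode() for b in (0, 1))
SAMPLE = f"""[Interface]
PrivateKey = {_K0}
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# US-VA#39
PublicKey = {_K1}
AllowedIPs = 0.0.0.0/0
Endpoint = 154.47.22.65:51820
"""

# wg-quick extensions: not WireGuard tunnel settings, so a router needs them set elsewhere
WG_QUICK_ONLY = {"Address", "DNS", "MTU", "Table"}

def parse_wg(text):
    """Parse a single-peer wg-quick file into {'Interface': {...}, 'Peer': {...}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # comments carry no settings
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)      # split once: base64 keys end in '='
            current[key.strip()] = value.strip()
    return sections

def plan(cfg):
    """Validate keys, then split values into peer settings and host-side settings."""
    iface, peer = cfg["Interface"], cfg["Peer"]
    for name, key in (("PrivateKey", iface["PrivateKey"]), ("PublicKey", peer["PublicKey"])):
        if len(base64.b64decode(key, validate=True)) != 32:
            raise ValueError(f"{name} is not a 32-byte key")
    host, _, port = peer["Endpoint"].rpartition(":")
    nets = [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]
    v4_only = any(n.prefixlen == 0 for n in nets) and all(n.version == 4 for n in nets)
    return {
        "peer": {"public_key": peer["PublicKey"], "endpoint": host,
                 "port": int(port), "allowed_ips": [str(n) for n in nets]},
        "host": {k: v for k, v in iface.items() if k in WG_QUICK_ONLY},
        "private_key": f"<redacted, {len(iface['PrivateKey'])} chars>",
        "ipv6_outside_allowed_ips": v4_only,   # True: no IPv6 prefix in AllowedIPs
    }
```

`plan(parse_wg(SAMPLE))` never echoes the private key, so its output can be pasted into a forum post or ticket without a manual `<snip>`.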
-
@Onecut said in WG with 23.05 and ProtonVPN:
I decided to try Wireguard with ProtonVPN.
Hi,
Experimentally, I tested several VPNs with WG on pfS, I note they did not perform as expected....
These WG connections are not so easy to set up that you just type in the connection details, even though that's what the WG was supposed to do, but each provider uses the parameters a little differently.
I've tried these and they definitely work(s), but I installed them all on Ubuntu first and extracted the important connection information:
What's more, you can mix instructions from several providers to get a working connection
None that I have encountered so far have been clear......
like:
https://mullvad.net/en/help/pfsense-with-wireguard/
https://www.ivpn.net/setup/router/pfsense-wireguard/
and / or https://www.comparitech.com/blog/vpn-privacy/pfsense-wireguard-setup/
and etc.
-
@DaddyGo , My reference to WG Doc refers to Netgate WG recipes. Specifically, WG VPN Client: link text.
Anyway, the above link is specific as to what bits are needed from the VPN provider but I see there are other WG docs from Netgate as well. I have more reading to do.
Beg pardon for my generic reference to WG Docs.
Thanks for sharing,
Onecut
-
@DaddyGo said in WG with 23.05 and ProtonVPN:
https://mullvad.net/en/help/pfsense-with-wireguard/
Holy moly, that reads complicated. Also it looks like the gateway ip is the same for every tunnel? I thought mullvad would be the gold standard for pfsense wg vpn...
-
@Onecut said in WG with 23.05 and ProtonVPN:
My reference to WG Doc refers to Netgate WG recipes
Yuppp, this is just an indication of how a standard mode configuration would work.
In case your provider differs from this, or for example
SurfSharkNORD :) doesn't give you a router installation description (because it only provides WG through its app), you have to figure it out yourself and you need Linux to do it - in my case I extracted the parameters from the Ubuntu terminal (CLI).
I repeat myself, the Netgate document is not the guideline here, your provider is always the guideline, nevertheless the first thing you should read is the Netgate Doc to understand the principles of how WG works.
BTW:
if you really can't do it, I can help you, as soon as I have some time, I'll have access to at least 5-6 VPNs, we'll figure out how to do it on pfS.... I also have Proton access here in the EU
-
@Bob-Dig said in WG with 23.05 and ProtonVPN:
mullvad would be the gold standard for pfsense wg vpn
Yes, because "Christian McD." always tests with it, but as you say it's the most complicated one to use (only the background, not the setting), although once you get going you'll find out why it's configured that way, but here in the EU it doesn't give you the speed you'd expect, the OpenVPN version is sometimes faster
PS:
I will say that the simple WG for Windows,... 10x is faster than the router versions, so I'm sticking with OpenVPN for now, with fast CPU cores or IPsec for StoS.
What I will be curious about is this "OVPN Data Channel Offload (DCO)"
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html
this one was very close, :):
https://www.netgate.com/blog/openvpn-at-netdev-0x16-in-lisbon-portugal
PS: @Onecut
a PROTON connection currently under windows can do this here........:
-
@DaddyGo said in WG with 23.05 and ProtonVPN:
for example SurfShark doesn't give you a router installation description (because it only provides WG through its app),
That is nord. SS does provide the configs.
-
@DaddyGo said in WG with 23.05 and ProtonVPN:
I will say that the simple WG for Windows,... 10x is faster than the router versions, so I'm sticking with OpenVPN for now, with fast CPU cores or IPsec for StoS.
No problem here, although I am using some OpenWrt-VMs as WG-Clients to circumvent the "all the same gateway" problem.
-
@Bob-Dig said in WG with 23.05 and ProtonVPN:
SS does provide the configs.
I tested these quite a while ago and then there was no configuration of SS specifically for routers, but I'll have a quick look at my account.
BTW:
I don't use SS much anymore, they have such serious administrators who think that the defense is to ban and not to look for a solution. That's why they disabled port 587 on SS network, I can be an administrator by keeping spammers out by disabling the standard port, but then no mail, hahahahahah
-
@Bob-Dig said in WG with 23.05 and ProtonVPN:
OpenWrt-VMs as WG-Clients to circumvent
and that's the point, .. that's exactly what I'm doing on another our network, somehow OWrt does it better
- only not on VM, but on 4 core miniPCs -
-
I get the picture now wrt WG configs with this or that VPN provider. ProtonVPN has their WG configs but no pfsense setup docs. I haven't used Windows in years and as a 'Linux for Dummies' kind of user I sometimes have a clue.
Being a Netgate Minnow w/ 2C Intel Atom (AES-NI) I get about 12MBs (Mega Bytes) sustained but that pushes CPU usage into 50-60% range. That's with OpenVPN, WG may not be feasible.
This newish Pfsense/WG howto piques my interest: link text
We'll see.
Thanks,
Onecut