no wireguard handshake with mullvad?
-
Hello peoples
I'm struggling to get a wireguard handshake with mullvad. I have followed the documentation from mullvad, https://mullvad.net/en/help/pfsense-with-wireguard and Christian's YT video (https://m.youtube.com/watch?v=wYe7FzZ_0X8) but can't see a handshake.
My private key is correct in the tunnel, it resolves to the public key listed in mullvad.net/end/account/wireguard-config
My peer has the correct public wireguard key from the config I downloaded from mullvad. Endpoint IP is correct.
-
Do you see states open to the remote IP? Do you see two way traffic on those states?
-
@stephenw10 Bit baffled on what you're asking for mate, I'm lost in this networking world.
Here's a screenshot of my tunnel and peer using the supplied details from Mullvad
These are my steps:
- Generate Wireguard .txt config on Mullvad site
- Make Wireguard tunnel > plug my private key, interface IP key and port 51820 in
- Assign tunnel to peer > plug public key, endpoint IP and 51820 port in
-
I mean go to Diag > States. Filter by the remote endpoint IP. You should see at least one open state to it and it should show packets both ways.
-
I had the same situation. I set up a wg tunnel with mullvad, and there is no handshake until you actually start requesting traffic via that tunnel. As soon as the traffic starts to flow, I can see the handshake.
Is this what you are trying to say @stephenw10 ?
-
When the tunnel is up I expect to see a state for it with traffic on it both ways. Even if it's only a few packets.
If there's no state at all then there's some problem locally preventing it trying to connect.
If there is no reply traffic on the state then the server isn't responding so probably some config issue.
-
@stephenw10 said in no wireguard handshake with mullvad?:
When the tunnel is up I expect to see a state for it with traffic on it both ways. Even if it's only a few packets.
I don't think so. If you don't have a gateway setup in pfSense with its monitoring, there is nothing using this tunnel and with that no handshake. That is why I prefer to set keep alive for new WG-Tunnels in general, at least in the beginning, to see if everything went well.
-
@Bob-Dig said in no wireguard handshake with mullvad?:
@stephenw10 said in no wireguard handshake with mullvad?:
When the tunnel is up I expect to see a state for it with traffic on it both ways. Even if it's only a few packets.
I don't think so. If you don't have a gateway setup in pfSense with its monitoring, there is nothing using this tunnel and with that no handshake. That is why I prefer to set keep alive for new WG-Tunnels in general, at least in the beginning, to see if everything went well.
This makes sense.
-
Thanks for the advice guys. I have been so busy but managed to get free to look into this. I nuked my pfSense and this time I set a keep alive of 25 seconds on the peer, now I get handshakes.
I followed every step in the Mullvad guide, looks like I've got a Mullvad IP assigned and no DNS leaks so I guess it worked.
Only issue I noticed is that if I reboot my Protectli, there is still a handshake between the peer and tunnel but I can't get internet access. I had to nuke my install again and follow the guide again for Mullvad wireguard to work.
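-
An added example, not part of any post in this thread: the same triage the replies describe (nothing sent yet, sent but no reply, handshake present), done from WireGuard's own per-peer counters in `wg show <interface> dump` instead of the pfSense state table. The function name, the sample dump (fake keys, documentation-range IPs) and the 180-second staleness threshold are assumptions made for this example.

```shell
#!/bin/sh
# Classify each peer from `wg show <interface> dump` (tab-separated).
# Peer line fields: public-key, preshared-key, endpoint, allowed-ips,
#   latest-handshake (epoch, 0 = never), rx bytes, tx bytes,
#   persistent-keepalive (seconds or "off").
# The first line describes the interface itself and is skipped.
#
#   idle     - no handshake and nothing sent: nothing is using the tunnel
#              yet (no gateway monitoring, no keepalive, no routed traffic)
#   no-reply - packets sent but no handshake: the server is not answering,
#              so check keys, endpoint IP/port and outbound rules
#   stale    - last handshake older than 180 s (assumed threshold)
#   ok       - recent handshake; remaining problems are routing/NAT/DNS
wg_handshake_diag() {
    # $1 = current epoch time (defaults to now); dump is read from stdin
    awk -F '\t' -v now="${1:-$(date +%s)}" '
    NR == 1 || NF < 8 { next }   # interface line or malformed line
    {
        hs = $5 + 0; tx = $7 + 0
        if (hs == 0 && tx == 0)   status = "idle"
        else if (hs == 0)         status = "no-reply"
        else if (now - hs > 180)  status = "stale"
        else                      status = "ok"
        # Print only a key prefix so output can be pasted into a forum post
        printf "%s %s keepalive=%s\n", substr($1, 1, 8), status, $8
    }'
}

# Constructed sample dump: one interface line, then four peers.
sample_dump() {
    printf 'PRIV_PLACEHOLDER\tPUB_PLACEHOLDER\t51820\toff\n'
    printf 'peerAAAA_constructed\t(none)\t192.0.2.10:51820\t0.0.0.0/0\t0\t0\t0\toff\n'
    printf 'peerBBBB_constructed\t(none)\t192.0.2.11:51820\t0.0.0.0/0\t0\t0\t1480\t25\n'
    printf 'peerCCCC_constructed\t(none)\t192.0.2.12:51820\t0.0.0.0/0\t1699999000\t9200\t8800\toff\n'
    printf 'peerDDDD_constructed\t(none)\t192.0.2.13:51820\t0.0.0.0/0\t1699999950\t9200\t8800\t25\n'
}

# Run against the sample with a fixed clock so the result is repeatable.
sample_dump | wg_handshake_diag 1700000000
```

On a live system, pipe the real output in instead: `wg show <interface> dump | wg_handshake_diag`.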