pfSense wireguard VPN with Mullvad
Aim
We have a pfSense box and we want some subnets to go out only via the VPN, so their traffic never exits from our ISP IP address.
We'll configure a WireGuard VPN using Mullvad.
We'll also add a killswitch to ensure no unwanted traffic from those subnets goes out via the WAN interface when the tunnel is down.
Configure the VPN
These guides are perfect:
- https://mullvad.net/en/help/pfsense-with-wireguard
- https://www.alexmoch.com/blog/mullvad-wireguard-vpn-in-pfsense-dual-stack/
Please ignore the section "Adding a kill switch" from alexmoch's blog, because for me it was not working.
Configure the killswitch
LAN: the interface whose traffic we want to route out via the VPN
se1_gw: the VPN gateway
In Firewall --> Rules --> YourSubnet you'll have a rule like this:
Action: pass
Interface: INT
Address Family: IPv4
Protocol: any
Source: LAN subnets
Destination: Any
Log: yes
ADVANCED:
Tag: ExitViaVpn
Gateway: se1_gw (your Mullvad gateway name; I'll use the names from Mullvad's guide)
Note the Tag and Gateway options:
Tag: marks our packets so we can match them by that tag in later rules
Gateway: instructs the rule to route matching traffic via a gateway other than the default one.
Now for the killswitch, head to Firewall --> Rules --> Floating and add a new rule:
Action: block
Quick: yes
Interface: WAN
Direction: any
Address Family: IPv4
Protocol: any
Source: any
Destination: any
Log: yes
ADVANCED:
Tagged: ExitViaVpn
This rule blocks all traffic from the "VPN subnet" that tries to leave via the WAN interface, i.e. traffic that would bypass the VPN. Because it matches on the ExitViaVpn tag set by the LAN rule rather than on a source address, it catches exactly the packets that rule marked.
This is needed because when the VPN fails (and this also happened with OpenVPN), the "Gateway" option in the firewall rule gets ignored and the traffic goes out via the default gateway.
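Since the floating rule logs what it blocks, the filter log is the place to see the killswitch firing, and a burst of hits from it is the signal that the tunnel has gone down and the LAN rule's gateway is being ignored. The script below is an added example (not from the original post or from Mullvad's guide) that parses pfSense filterlog records and counts blocks attributed to the killswitch rule. It keys on the rule's tracker ID rather than on the source address, because by the time a packet is evaluated on the way out WAN its source address has generally already been rewritten by outbound NAT. The WAN interface name `igb0`, the tracker ID `1000000001`, the `audit` and `parse_filterlog` helpers and every log line are constructed assumptions; read the real tracker ID of your block rule from the pfSense GUI.

```python
"""Audit pfSense filter log records for killswitch hits.

Added example, not part of the original post. Assumptions (change them to
match your box): the WAN NIC is igb0 and pfSense assigned tracker ID
1000000001 to the floating block rule described above.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

WAN_IFACE = "igb0"                 # assumed real interface name behind "WAN"
KILLSWITCH_TRACKER = "1000000001"  # assumed tracker ID of the floating block rule


@dataclass
class FilterEvent:
    tracker: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_filterlog(line: str) -> Optional[FilterEvent]:
    """Parse one filterlog CSV record (IPv4 only); return None if it cannot be used.

    Field order follows the pfSense filterlog format: rule-number, sub-rule,
    anchor, tracker, real-interface, reason, action, direction, ip-version,
    then for IPv4: tos, ecn, ttl, id, offset, flags, protocol-id, protocol,
    length, source, destination, and for TCP/UDP: source-port, dest-port, ...
    """
    csv = line
    if "filterlog" in line:  # strip a syslog prefix such as "... filterlog[123]: "
        csv = line.split("filterlog", 1)[1].split(": ", 1)[1]
    f = csv.strip().split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    proto = f[16]
    dport = None
    if proto in ("tcp", "udp") and len(f) > 21 and f[21].isdigit():
        dport = int(f[21])
    return FilterEvent(tracker=f[3], iface=f[4], action=f[6], direction=f[7],
                       proto=proto, src=f[18], dst=f[19], dport=dport)


def audit(lines: Iterable[str], wan_iface: str = WAN_IFACE,
          tracker: str = KILLSWITCH_TRACKER) -> dict:
    """Count blocks on WAN that the killswitch rule produced, grouped by target."""
    hits: Counter = Counter()
    parsed = 0
    for line in lines:
        ev = parse_filterlog(line)
        if ev is None:
            continue
        parsed += 1
        if ev.iface == wan_iface and ev.action == "block" and ev.tracker == tracker:
            target = ev.dst if ev.dport is None else f"{ev.dst}:{ev.dport}/{ev.proto}"
            hits[target] += 1
    return {
        "parsed": parsed,
        "killswitch_hits": sum(hits.values()),
        "targets": dict(hits),
        "tunnel_suspect": bool(hits),  # any hit means tagged traffic tried to use WAN
    }


# Constructed sample records: three killswitch blocks on WAN (tcp, udp, icmp),
# one normal pass on the LAN side, one unrelated pass on WAN, one IPv6 record.
SAMPLE_LOG = [
    "Jan 10 09:15:01 pfSense filterlog[48210]: 12,,,1000000001,igb0,match,block,out,4,"
    "0x0,,64,31337,0,DF,6,tcp,60,192.168.2.10,203.0.113.5,51234,443,0,S,2990203322,,65535,,mss;sackOK;TS",
    "12,,,1000000001,igb0,match,block,out,4,0x0,,64,0,0,none,17,udp,76,192.168.2.11,198.51.100.9,41000,53,56",
    "12,,,1000000001,igb0,match,block,out,4,0x0,,64,13,0,none,1,icmp,84,192.168.2.13,203.0.113.9,request,1234,1",
    "9,,,1000000101,igb1,match,pass,in,4,0x0,,64,11,0,DF,6,tcp,60,192.168.2.10,203.0.113.5,51234,443,0,S,1,,65535,,mss",
    "7,,,1000000003,igb0,match,pass,out,4,0x0,,64,12,0,DF,6,tcp,60,192.168.1.50,203.0.113.8,50001,443,0,S,2,,65535,,mss",
    "12,,,1000000001,igb0,match,block,out,6,0x00,0x00000,40,tcp,6,60,2001:db8::10,2001:db8::1,51234,443,0,S,3,,65535,,mss",
]

if __name__ == "__main__":
    summary = audit(SAMPLE_LOG)
    print(summary)
    if summary["tunnel_suspect"]:
        print("killswitch fired: check the WireGuard gateway status")
```

Feed it the contents of /var/log/filter.log from the pfSense box; a non-zero `killswitch_hits` with the LAN rule still enabled means the tunnel is down and the block rule is doing its job, while repeated hits with the tunnel reported up point at the gateway monitoring or the rule order.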