VPN Part 2 - Interface and Gateway
This is Part 2 of the VPN configuration. If part 1 (Instance/Peer) configuration isn’t complete, this will cause problems.
In terms of networking, at this time, the VPN Instance/Peer acts as the network cable.
Now we need to add the network card (Interface), and give it an IP address so we can talk to it (Gateway)
This section will create:
- Create an Interface for the VPN
- Add Gateway(s) to the Interface to allow traffic routing
Before Starting - Working out your Gateway IPs
To configure the Gateways, they will need to be configured with an IP address each. These are not in the Wireguard configuration file, but are calculated from “Interface.Address” line in there.
Your config may not contain an IPv6 address
For each IP type, there’s a different method:
Calculating Gateway Examples
Given the Interfaces.Address line of:
Address = 330.100.200.47/32,ff00:ffff:ffff:bb01::1:11aa/128
IPv4 Gateway
IPv4 is before the comma in address (throw away the /32) - e.g. 330.100.200.47
To calculate the gateway, just subtract 1 from the last number, e.g:
The IPv4 address (330.100.200.47) gives:
IPv4 Example Gateway - 330.100.200.46
IPv6 Gateway
IPv6 addresses are long and can look a little odd for those used to IPv4. It’s worth noting here that the only value that will change during this is the last column, before the slash (e.g. a to b)
IPv6 can be a little more complicated, but:
- Take the full address, including the /128 (e.g.ff00:ffff:ffff:bb01::1:11aa/128)
- Change /128 to /127
- Use a tool to calculate the two IPs in the subnet. E.g. Subnetting Practice.com gives an output like this, we need the two IP’s in “Range”:
| Range | ff00:ffff:ffff:bb01:0:0:1:11aa | This is the IP you supplied |
|---|---|---|
| ff00:ffff:ffff:bb01:0:0:1:11ab |
This is your IPv6 Gateway IP |
Note : As you can see, the format has changed slightly (extra 0’s), that’s not a problem Note: The IPs may be the other way around, with “Your IP” on the bottom, that’s not a problem, but “Your IP” will always be the IP you supplied, and the other your IPv6 Gateway.
IPv6 Example Gateway: ff00:ffff:ffff:bb01:0:0:1:11ab
Now, to actually configuring something:
Create the Interface
The Interface acts as a virtual network card, connected to the Wireguard Peer
- Navigate to Interfaces -> Assignments
- In the Assign a new Interface section ensure the wg_mullvad_instance is selected
- Enter a Description e.g. - WG_MULLVAD
- Click Add
- [WG_MULLVAD] should appear in the left hand menu
- Select the [WG_MULLVAD] interface
- Tick Enable Interface
- Click Save
- At the top of the screen a message will appear, click Apply Changes
Creating the IP Gateway(s)
Next, our Gateway IPs will be configured on the new Interface:
- Navigate to Interfaces -> Gateway
- Click + to add a new Gateway
- Fill in the form as follows:
| Field | Value | Notes |
|---|---|---|
| Name | MULL_IPV4_GW | Anything you prefer, but will be needed later |
| Interface | WG_MULLVAD | |
| Address | Your calculated IPv4 Gateway | |
| Far Gateway | Enabled | |
| Disable Monitoring | Unchecked | |
| Monitoring IP | 4.2.2.2 | Any IP on the internet to test with, suggest 4.2.2.2 |
| Description | Mullvad IPv4 Gateway | Any description you like |
| 4. Click Save | ||
| 5. If you have an IPv6 in your config file, repeat the process to add another gateway, but this time: (Skip this step if there is no IPv6 in your config file) |
| Field | Value | Notes |
|---|---|---|
| Name | MULL_IPV6_GW | Same as above, but with IPv6 |
| Interface | WG_MULLVAD | |
| Address Family | IPv6 | |
| Address | Your calculated IPv6 Gateway | |
| Far Gateway | Disabled | |
| Disable Monitoring | Unchecked | |
| Monitor IP | 2001:4860:4860::8888 | Any IPv6 Address, example is Google DNS |
| Description | Mullvad IPv6 Gateway | Any description you like |
| 6. Click Apply at the bottom of the screen | ||
| 7. Wait at the Overview screen for about about 15-30 seconds to start monitoring | ||
| 8. Click Refresh | ||
| 9. You should see both new Gateways with a green Status, and a time in ms in the “RTT” column |
If the Status is fine, this section is complete. The VPN is connected and now has a way to send traffic over it.
The final part is to configure which traffic to send over the VPN, which takes place in part 3