

That's ok, thanks for the idea and for sharing your project! Glad to hear this post was the push that convinced you to share it with the wider world; it's a cool project :)


I will tomorrow :) Originally I was thinking about it, then I got all caught up with wg-easy. It looked promising when I first looked, but it had one or two caveats that made me decide against it. Will definitely revisit, thanks for the suggestion!


It's via GUI, but it's basically just a server-side allow list so the client can't modify the IPs it can access. The IPs I use for HTTPS internet are 0.0.0.0/0:443, for example.


Yes! That's the issue I'm having. I can make WireGuard clients connect to Mullvad and work, but once I try to split tunnel through the PostUp/PostDown hooks I get stuck. Glad I'm not alone there. From the conversations here I wonder if there is an issue with (if you're using gluetun) iptables and the WireGuard Easy nftables. But yes, so glad I'm not alone here with the weird fuckery :-) I'll be honest, I'm probably going to try to spin up headscale. Looking online it seems like it's the most mature answer and the road's well worn. Just feel it might burn more resources than this would.


Quick question (love your solution btw, so eloquent I could follow along easily, which was such a nice change from the week I have had): does your solution manage multiple clients with different firewall requirements? Why I was heading down the WireGuard UI route was the ease of firewall configuration per client. It's a weird thing where I feel headscale is a little bit more than I need and vanilla WireGuard is a little too simplistic. I know nothing about Ansible other than what I quickly read up on just now.


I'm very much aware of the CVEs out on TP-Link, and the one you showed I patched months ago and hardened the rest to recommendation. Nothing's perfect, but when you look at security flaws between Cisco, Ubiquiti and TP-Link I'll go for TP-Link even though they are missing some useful features. I'm not a corporate fangirl, but how dead set some Ubiquiti users are makes me a bit wary. If I was doing it all again and not buying on a budget I'd set up my own pfSense.


Without knowing my infrastructure you're making some really impressive assumptions, buddy. If this is your day job I recommend a career change.


Thank you so much! I shall head over and have a look :D


Ahh good, so it's not just me, it's actually a bit of a headache. The more I talk to folk the more I feel headscale's probably going to be the way, and rely on folk smarter than I to implement the nftables. Atm I'm kinda doing a ham-fisted approach, as of the two programs I am using one uses nftables and the other iptables, so I'm already making it hard for myself. Thanks so much, this is the kind of clarity I was seeking.


That's probably where I'm having the issue then, thanks for the heads up.


Yeah, only if you enable their cloud API and don't randomise your web interface port. Both of which I do. I have also pen tested my router remotely. Also I have a router, not a router/wifi combo. It's not an ISP or consumer router. Router splits to a PoE switch and a wifi AP puck.


Here is the compose and PostUp I'm working on

services:
  gluetun:
    image: qmcgaw/gluetun:v3
    hostname: gluetun
    restart: always
    networks:
      wg:
        ipv4_address: 192.168.1.10
    # the WireGuard and web UI ports are published by wg-easy below; publishing
    # the same host ports here as well makes compose fail with a port conflict
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER}
      - VPN_TYPE=${VPN_TYPE}
      - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      - SERVER_CITIES=${SERVER_CITIES}
      - ALLOWED_IPS=0.0.0.0/1
      - FIREWALL_OUTBOUND_SUBNETS=${OUTBOUND_SUBNET} # change to the appropriate subnet
      - DNS_ADDRESS=${DNS}
      # - HEALTH_TARGET_ADDRESS=cloudflare.com:80
      # - HEALTH_VPN_DURATION_INITIAL=120s
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    restart: unless-stopped
    environment:
      - INSECURE=true # INITIAL SETUP, NOT FOR PRODUCTION
    networks:
      wg:
        ipv4_address: 192.168.1.20
    volumes:
      - ./data:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - 51720:51720/udp # wireguard
      - 51821:51821/tcp # web ui
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1

networks:
  wg: # must match the network name both services attach to (it was "vpn", which nothing referenced)
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 192.168.1.0/24 # container subnet; docker uses .1 as its gateway, and it must not overlap any subnet routed directly
        # - subnet: fdcc:ad94:bacf:61a3::/64

PostUp

# Detect the bridge interface by wg-easy's container IP
VPN=$(ip -o -4 addr show | awk '$4 ~ /^192.168.1.20\// {print $2; exit}'); test -n "$VPN";
iptables -P FORWARD DROP;
ip6tables -P FORWARD DROP;
iptables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT;
ip6tables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT;
# Direct subnets (bypass the VPN). "ip route" takes "add", not "-A", and "via"
# needs a single next-hop address, not a subnet; 192.168.1.1 is docker's default
# gateway for the 192.168.1.0/24 network defined above
ip route add 10.1.0.0/16 via 192.168.1.1 dev $VPN table 200;
# No IPv6 subnet exists on this network (enable_ipv6: false) and an IPv6 route
# needs an IPv6 prefix and next hop, so the v6 counterpart stays disabled for now:
# ip -6 route add <ipv6-prefix> via <ipv6-gateway> dev $VPN table 200;
# Still missing: an "ip rule ... lookup 200" so client traffic actually consults
# table 200, and FORWARD ACCEPT rules for wg0, since the DROP policy above blocks all forwarding
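The hook above is where the split tunnel gets stuck, so here is an added example (my own script, not code from this thread, wg-easy or gluetun) that generates a complete, matching PostUp/PostDown pair for the layout in that compose file: WireGuard client traffic is policy-routed through the gluetun container, the direct subnets bypass it via the docker bridge gateway, and forwarding is allowed only between the WireGuard interface and the bridge. It goes a little beyond the post by adding the `ip rule` that makes table 200 actually consulted, the FORWARD rules, and the PostDown that reverses everything. The interface names, the gateway 192.168.1.1, the client range 10.8.0.0/24 and the direct subnet list are assumptions set as defaults at the top; `{{port}}` is left for wg-easy to substitute exactly as in the original hook.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a matching PostUp/PostDown
# pair for wg-easy that policy-routes WireGuard client traffic through the
# gluetun container while "direct" subnets bypass the VPN.
# Assumed values (constructed for this example; adjust to the compose file):
#   WG_IF       wg-easy's WireGuard interface inside its container
#   LAN_IF      the interface holding 192.168.1.20 on the shared docker network
#   GLUETUN_IP  gluetun's static address on that network (from the compose file)
#   BRIDGE_GW   docker's gateway on 192.168.1.0/24 (the first host, .1, by default)
#   WG_CIDR     the client address range wg-easy hands out
#   DIRECT      space-separated subnets that must stay off the VPN
#   TABLE       policy-routing table number
WG_IF=${WG_IF:-wg0}
LAN_IF=${LAN_IF:-eth0}
GLUETUN_IP=${GLUETUN_IP:-192.168.1.10}
BRIDGE_GW=${BRIDGE_GW:-192.168.1.1}
WG_CIDR=${WG_CIDR:-10.8.0.0/24}
DIRECT=${DIRECT:-10.1.0.0/16}
TABLE=${TABLE:-200}

# A next hop must be a single host address; "via 192.168.1.0/24" is exactly the
# kind of slip this catches before the hook is pasted into the UI.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# postup prints one command per line so the rule set can be reviewed.
postup() {
  is_ipv4 "$GLUETUN_IP" || return 1
  is_ipv4 "$BRIDGE_GW" || return 1
  # Table TABLE: default via gluetun, direct subnets via the bridge gateway.
  echo "ip route add default via $GLUETUN_IP dev $LAN_IF table $TABLE"
  for net in $DIRECT; do
    echo "ip route add $net via $BRIDGE_GW dev $LAN_IF table $TABLE"
  done
  # Only packets that arrived over WireGuard consult that table; the container's
  # own traffic (web UI, DNS) keeps using the main table.
  echo "ip rule add iif $WG_IF lookup $TABLE"
  # Firewall: deny forwarding by default, allow only wg<->bridge, NAT on the way out.
  echo "iptables -P FORWARD DROP"
  echo "iptables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT"
  echo "iptables -A FORWARD -i $WG_IF -o $LAN_IF -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -s $WG_CIDR -o $LAN_IF -j MASQUERADE"
}

# postdown undoes postup in reverse order so a restart never leaves stale rules.
postdown() {
  echo "iptables -t nat -D POSTROUTING -s $WG_CIDR -o $LAN_IF -j MASQUERADE"
  echo "iptables -D FORWARD -i $LAN_IF -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -D FORWARD -i $WG_IF -o $LAN_IF -j ACCEPT"
  echo "iptables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT"
  echo "ip rule del iif $WG_IF lookup $TABLE"
  echo "ip route flush table $TABLE"
}

# as_hook joins the lines into the single "cmd; cmd; ..." string the UI field takes.
as_hook() {
  "$1" | tr '\n' ';' | sed 's/;$//; s/;/; /g'
}

# Print both hook strings ready to paste; running them needs NET_ADMIN inside
# the wg-easy container and {{port}} expanded by wg-easy.
echo "PostUp = $(as_hook postup)"
echo "PostDown = $(as_hook postdown)"
```

Two things to check on the gluetun side before blaming the hook: gluetun must forward and masquerade packets that arrive from 192.168.1.0/24 (its `FIREWALL_OUTBOUND_SUBNETS` only covers the reply direction), and because the two containers share one bridge, any direct subnet you add must not overlap 192.168.1.0/24 or the route becomes ambiguous. Running `postup` alone with a bad next hop returns non-zero instead of emitting a broken `ip route` line, which is the check the original hook lacked.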


Well. That changes everything :D I shall look more seriously into this then. Would still love any thoughts on iptables routing though >.<


It definitely isn't a default ISP router. And OpenWrt doesn't support the chip I have in my router as it's a TP-Link enterprise router. I emailed them and they said they will look into implementing it into their Omada ecosystem. UniFi doesn't really excite me anyway; they have one hell of a CVE and have to answer to the Signal directive. Every issue with TP-Link has been: you need to have physical access to the router to implement it.


I'm picking up what you're putting down though. It would be so much easier if I could have a VPN service on a dedicated VLAN and then just link through with some wg configs, but annoyingly my router puts WireGuard on top of the entire topography and messes up everything else.


My router doesn't allow that.


I did consider it. But then I'm still using the Tailscale ecosystem, which, as much as I want to, is still an American company.
Thank you for the insight. I have started looking at headscale and there seems to be chatter about implementing a Mullvad exit node, which seems promising. I'll spin up a VPS tomorrow and explore options. I also want to run it on my own hardware (it's a use-what-I-have-on-hand situation).