2.4GHz through Wireguard, 5GHz direct

Hi,

I've spent the last few evenings setting up my router (Netgear R7800) with OpenWRT and connected it to a Wireguard server (Mullvad). Everything is working great!

However, I'm stuck on my next step: I want to have one network (the 2.4GHz one, "wlan1") to always route through the Wireguard server, and the other network (the 5GHz one, "wlan0") to go straight through WAN. I can't seem to get it to work though. Here are the things I tried:

  • I tried to create a different firewall zone for wlan1 (Advanced Settings > Covered devices) that routes to WAN, and limit the other "lan" zone routing through the wireguard zone to wlan0. The result is that both networks have a masked IPv4 address but still the original IPv6 address; I can't see any effect of the added firewall zone.

  • I tried to set up two devices, one for wlan0 and one for wlan1. wlan1 still connects successfully through Wireguard, but wlan0 has just no internet.

  • I tried to use vpn-policy-routing: I disabled "Route allowed IPs" in the wireguard interface and set up two policies, one to route everything from device wlan1 to the wireguard interface, and everything from device wlan0 to WAN. wlan1 works just fine (through wireguard), but wlan0 ends up with no internet.

  • In addition to the previous step I also edited the firewall (because I guessed that no internet for wlan0 might be because of a firewall issue), and I allowed the lan zone to not only forward to the wireguard zone but also to wan. This is the most success I had so far: wlan0 goes directly through WAN, and for wlan1 I now have a wireguard IPv4 address - but still my normal IPv6 address. Close to what I want but not yet completely there.

I'm sure I'm missing something somewhere... Does anybody have any idea what to do/try? I'm happy to post any configs, just let me know.

Make a separate network for VPN users. This needs a different IP range than the LAN, its own DHCP server. Generally this would be a bridge so you can include wired and wifi users. Attach the 2.4 AP to this network.

Then you would have two new firewall zones, one with the vpn user network, and one that holds the VPN tunnel interface. Masquerade should be turned on on the vpn tunnel zone. Then set forwarding from vpnuser to vpntun.

This is a lot like a guest network. The router also operates ordinarily with the LAN continuing to forward directly to wan. Do not let the vpn push routes to your router as it normally would to take over the Internet service for everyone.
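A small checker, added here as an example (it is not from the thread, the poster's router or OpenWrt), that parses the /etc/config/firewall text format used in this thread and verifies the zone layout described above: the VPN-user zone forwards only to the tunnel zone and never to wan (the bypass the fourth attempt above introduced), and the tunnel zone masquerades. The sample configuration is constructed to mirror the thread's wgzone/mullvadzone sections; the zone and network names are assumptions.

```python
import re

def parse_uci(text):
    # Sections become dicts of key -> list of values ('option' and 'list' both append,
    # so an option's value is vals[-1]); parses the /etc/config/* layout shown in the thread.
    secs = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            secs.append({".type": line.split()[1]})
        elif (m := re.match(r"(?:option|list)\s+(\w+)\s+'([^']*)'$", line)) and secs:
            secs[-1].setdefault(m.group(1), []).append(m.group(2))
    return secs

def zone_for(secs, network):
    # 'option network' may be a space-separated list (the thread's 'mullvadzone mullvad').
    return next((s for s in secs if s[".type"] == "zone"
                 and network in [n for v in s.get("network", []) for n in v.split()]), None)

def vpn_leak_findings(text, client_net, tunnel_net, wan_zone="wan"):
    # Layout from the thread: the client zone forwards only to the tunnel zone, never to wan,
    # and the tunnel zone masquerades. Returns a list of problems (empty means sane).
    secs = parse_uci(text)
    cz, tz = zone_for(secs, client_net), zone_for(secs, tunnel_net)
    if cz is None or tz is None:
        return ["client or tunnel network is not covered by any firewall zone"]
    cname, tname = cz.get("name", [""])[-1], tz.get("name", [""])[-1]
    fwd = {(s.get("src", [None])[-1], s.get("dest", [None])[-1])
           for s in secs if s[".type"] == "forwarding"}
    checks = [
        ((cname, wan_zone) in fwd, f"{cname} forwards to {wan_zone}: VPN clients can bypass the tunnel"),
        ((cname, tname) not in fwd, f"no forwarding {cname} -> {tname}: VPN clients have no way out"),
        (tz.get("masq", ["0"])[-1] != "1", f"{tname} lacks masq '1': replies cannot return to VPN clients"),
    ]
    return [msg for bad, msg in checks if bad]

# Constructed sample modelled on the thread's wgzone/mullvadzone sections (not the poster's file).
SANE = """config zone
        option name 'wgzone'
        option network 'wg'
config zone
        option name 'mullvadzone'
        option network 'mullvadzone mullvad'
        option masq '1'
config forwarding
        option src 'wgzone'
        option dest 'mullvadzone'
"""
# The thread's fourth attempt also let the client zone forward to wan: a split-tunnel bypass.
LEAKY = SANE + "config forwarding\n        option src 'wgzone'\n        option dest 'wan'\n"
```

Run `vpn_leak_findings(SANE, "wg", "mullvad")` against a copy of your own /etc/config/firewall to confirm the VPN-user zone has no path to wan.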

@mk24, Thanks a million for your reply, much appreciated!

The comment about it being very similar to a guest network helped. I don't have it working yet, but I believe I'm a step further along:
I now have both networks successfully separated, and am able to pass the 5GHz network directly to WAN. However, I'm still stuck getting the 2.4GHz network to talk to the Wireguard connection (which seems to be set up properly, I get a handshake and everything): The 2.4GHz network is connected to its own interface with its own IP range and everything. I created two new firewall zones, one for the wireguard tunnel and one for the wifi interface. I set one to forward to the other - but I get nothing, I'm not able to access the internet.

The wiki has a quite nice guide for setting up a guest network. It's a little outdated but it's easy enough to figure out what has changed. The last two steps in that guide are setting up firewall traffic rules for dns and dhcp for the guest wifi. I'm not sure I'd need them for my setup, but I did try to set up what the guide said to see if that helps, but unfortunately it did not, still no vpn'ed internet access (or any internet access at all for that matter).

If I change the firewall settings so that the 2.4GHz network also forwards to WAN instead of the wireguard tunnel then I am able to access the internet. So the culprit must be some firewall setting, I guess.

Here are some of my configs, maybe you or someone else can spot something off:

/etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wg'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'wg'
        list dhcp_option '6,10.64.0.1'
        option ra 'server'
        option dhcpv6 'server'
        option ra_management '1'

/etc/config/firewall
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'wg'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        option name 'wgzone'

config forwarding
        option dest 'wan'
        option src 'lan'

config rule
        option name 'wg dhcp'
        option target 'ACCEPT'
        list proto 'udp'
        option dest_port '67-68'
        option src 'wgzone'

config rule
        option dest_port '53'
        option name 'wg dns'
        option target 'ACCEPT'
        option src 'wgzone'

config zone
        option network 'mullvadzone mullvad'
        option name 'mullvadzone'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'mullvadzone'
        option src 'wgzone'

/etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxx'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.99.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'wg'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.98.1'
        option ip6assign '60'
        list dns '10.64.0.1'
        option type 'bridge'

config interface 'mullvad'
        option proto 'wireguard'
        list addresses 'xx.xx.xx.xx/32'
        list addresses 'xxxx:xxxx:xxxx:xxxx::x:xxxx/128'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option force_link '1'
        option listen_port '51820'

config wireguard_mullvad
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option description 'de4'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'xxx.mullvad.net'
        option endpoint_port '51820'

/etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'xxxxxxx'
        option ssid 'xxxxxxx'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option htmode 'HT20'
        option country 'US'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option network 'wg'
        option key 'xxxxxxx'
        option ssid 'xxxxxxx'
        option encryption 'psk2'

  • Make a new network (seems like you've done that and named it wg)
  • Make route for default via mullvad on another table (e.g. Table No. 2):
# in /etc/config/network
config route
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'
	option interface 'mullvad'
  • Make a routing rule for the WiFi network wg to use interface mullvad:
# in /etc/config/network
config rule
	option in 'wg'
	option dest '0.0.0.0/0'
	option priority '10'
	option lookup '2'
  • Done!

Fantastic, it is working!!

@lleachii and @mk24 Thank you both very much, I really appreciate the help :slight_smile:


Ok, celebrated slightly too early. The above changes do indeed cause the two networks to act as I want them to, however this caused some issues accessing the router:

When I'm connected to the vpn'ed network, I am unable to log in to the router, neither through the web interface nor ssh ("Connection refused"). If I log into the non-vpn'ed network I am able to log into the router via ssh, but the web interface throws the following error:

/usr/lib/lua/luci/dispatcher.lua:692: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
	[C]: in function 'pairs'
	/usr/lib/lua/luci/dispatcher.lua:692: in function 'createtree'
	/usr/lib/lua/luci/dispatcher.lua:347: in function 'dispatch'
	/usr/lib/lua/luci/dispatcher.lua:208: in function </usr/lib/lua/luci/dispatcher.lua:207>

Edit: Deleting /tmp/luci-indexcache takes care of the error message and the web interface works normally again, but it's still not accessible from the vpn'ed network.

Correct!

That's how VPNs work...otherwise you'd have a leak! :wink:

That seems like simply allowing inbound from the wg network on the firewall settings. If not, look below.

You would have to use the list addresses 'xx.xx.xx.xx/32' IP if you permit inbound to the router.

Odd...yea, that seemed unrelated.

OK...try using the mullvad IP...if not, you will also need to:

  • add a route to table 2 to reach 192.168.99.0/24 via lan
  • make sure your firewall allows it

With regular firewall rules you should be able to log into the router from the vpn user network using the router's IP on that network: 192.168.98.1. Much like a guest network though you likely want to block that. The only service that VPN users need from your router is to get a DHCP address. They also should be pushed a DNS server that is reachable via VPN.

The 192.168.99.1 network won't be accessible to VPN users, and that is important for security.


Thanks for all the responses!

I should have been clearer:

  • when I'm connected to the lan network I try to access the router by 192.168.99.1 - successfully
  • when I'm connected to the wg network I try to access the router by 192.168.98.1 - no luck there

I'm generally connected to the vpn'ed network (only for occasional things do I have to use the "plain" one) so it would be very helpful to be able to access the router from both.

I guess what I need to set is either the right route or there's some firewall setting I'm missing to make this work (or both)...

Edit: As @lleachii suggested, all I needed to do was allow inbound from the wg network. I thought I had that set already when I actually hadn't. It's all working now :slight_smile:
