Configuration Wireguard

Post the outputs one more time so we can see what is missing (redact the WireGuard private_key before pasting; it should never appear in a public thread):
uci export network; uci export firewall; ip -4 addr; ip -4 ru; ip -4 ro; ip -4 ro ls table all

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fc00:bbbb:bbbb:bb01::1:e034/128'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1 eth2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.99.1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option force_link '1'
        option private_key '70RkyC6CU5wp54oxuZ+BHhasUrHO29lPxoAD1jIU+04='
        option listen_port '51820'
        list addresses '10.64.224.53/32'

config wireguard_WGINTERFACE
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key 'v02a3f1hdtTFD+bzStbGN6FxwOMAA/4d/yjNKoLTXFI='
        option endpoint_host '185.65.135.71'
        option endpoint_port '51820'

config rule
        option in 'lan'
        option src '192.168.99.159/32'
        option lookup '100'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'
        option gateway '81.224.36.163'

package firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option network 'wan wan6'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'

config include
        option path '/etc/firewall.user'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'WGZONE'
        option masq '1'
        option mtu_fix '1'
        option network 'WGINTERFACE'
        option input 'REJECT'

config forwarding
        option dest 'WGZONE'
        option src 'lan'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 81.224.36.163/24 brd 81.224.36.255 scope global eth0
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.99.1/24 brd 192.168.99.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: WGINTERFACE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.64.224.53/32 brd 255.255.255.255 scope global WGINTERFACE
       valid_lft forever preferred_lft forever
0:      from all lookup local
1:      from 192.168.99.159 iif br-lan lookup 100
32766:  from all lookup main
32767:  from all lookup default
default dev WGINTERFACE proto static scope link
81.224.36.0/24 dev eth0 proto kernel scope link src 81.224.36.163
185.65.135.71 via 81.224.36.1 dev eth0 proto static
192.168.99.0/24 dev br-lan proto kernel scope link src 192.168.99.1
default dev eth0 table 100 proto static scope link
default dev WGINTERFACE proto static scope link
81.224.36.0/24 dev eth0 proto kernel scope link src 81.224.36.163
185.65.135.71 via 81.224.36.1 dev eth0 proto static
192.168.99.0/24 dev br-lan proto kernel scope link src 192.168.99.1
local 10.64.224.53 dev WGINTERFACE table local proto kernel scope host src 10.64.224.53
broadcast 81.224.36.0 dev eth0 table local proto kernel scope link src 81.224.36.163
local 81.224.36.163 dev eth0 table local proto kernel scope host src 81.224.36.163
broadcast 81.224.36.255 dev eth0 table local proto kernel scope link src 81.224.36.163
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.99.0 dev br-lan table local proto kernel scope link src 192.168.99.1
local 192.168.99.1 dev br-lan table local proto kernel scope host src 192.168.99.1
broadcast 192.168.99.255 dev br-lan table local proto kernel scope link src 192.168.99.1

The gateway in the table-100 route is wrong: you need to use 81.224.36.1 (the upstream router, the same next hop the main table uses for 185.65.135.71), not the WAN interface's own IP 81.224.36.163.
Second, you removed the lan->wan forwarding from the Mullvad guide, so nothing in the firewall currently allows traffic from lan to the wan zone; you need to explicitly allow at least the TV to reach the internet that way.
Add this to the firewall configuration (the src_ip must be the TV's LAN address, i.e. the same host the policy-routing rule matches, otherwise the rule will not match its traffic):

config rule
        option target 'ACCEPT'
        option src 'lan'
        option family 'ipv4'
        option proto 'all'
        option dest 'wan'
        option name 'forward tv'
        option src_ip '192.168.88.159'

IT WORKS! You are awesome dude! Thank you for all the time you have spent on me and for helping a newbie! Thank, Thank, Thank you!! :slight_smile:


You're welcome and enjoy!
