Hello,
Please help with what should be a simple problem: all traffic (including DNS) needs to pass through the WireGuard tunnel. Currently the WireGuard tunnel itself is working (we have a handshake), but I cannot get all traffic to be routed through it.
Config on an RPi 3 B, 18.06.02.
/etc/config/network
# /etc/config/network as posted; the private key and the peer endpoint are redacted by the author ('xxxx', 'x.x.x.x').
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# LAN bridge on eth0, 192.168.1.1/24; delegate '0' keeps this interface from receiving an IPv6 prefix delegation.
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
option ifname 'eth0'
# Upstream via DHCP (the 'ip -4 a' output below shows it on wlan1, 172.16.0.10/24).
# peerdns '0': resolvers handed out by the uplink's DHCP server are not used as system DNS.
config interface 'wwan'
option proto 'dhcp'
option delegate '0'
option peerdns '0'
# WireGuard client interface, tunnel address 10.9.0.2/24.
# NOTE(review): there is no `option route_allowed_ips '1'` in this section, so netifd does not
# turn the peer's allowed_ips into kernel routes. That matches the 'ip -4 r' output below: the
# default route is still via wlan1 and the only route over wg0 is 10.9.0.0/24. With
# route_allowed_ips enabled, allowed_ips 0.0.0.0/0 would install a default route via wg0; the
# host route to the endpoint via wlan1 (x.x.x.x via 172.16.0.1) is already present, so the
# tunnel's own packets would keep reaching the peer.
# listen_port on the client side is optional; since the wan zone has input DROP, the UDP
# port is not reachable from the uplink anyway.
config interface 'wg0'
option private_key 'xxxx'
list addresses '10.9.0.2/24'
option listen_port '54541'
option proto 'wireguard'
option peerdns '0'
# Single peer: allowed_ips 0.0.0.0/0 means all IPv4 destinations are sent to (and accepted
# from) this peer once traffic is routed into wg0. persistent_keepalive '25' keeps the
# UDP mapping alive, which is what you want when the client sits behind NAT (the wwan
# address is RFC 1918, so that seems to be the case here).
config wireguard_wg0
option public_key 'xxxx'
option allowed_ips '0.0.0.0/0'
option endpoint_host 'x.x.x.x'
option persistent_keepalive '25'
option endpoint_port '54541'
/etc/config/firewall
# /etc/config/firewall as posted. Default policy is deny on all three chains, so every
# permitted flow has to come from a zone policy, a forwarding, or an explicit rule.
config defaults
option syn_flood '1'
option input 'DROP'
option output 'DROP'
option forward 'DROP'
# lan zone: router reachable from LAN, LAN hosts may talk to the router; no default
# forwarding out of lan (forward 'DROP'), and there is no 'config forwarding' section
# from lan to wan anywhere in this file, so LAN clients cannot leave via the uplink
# directly - the only permitted forward is the 'Lan to wg' rule at the bottom.
# That is effectively a kill switch for LAN clients: if wg0 is down, LAN traffic is dropped
# rather than leaking out via wlan1.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'DROP'
# wan zone (wwan only): nothing in, nothing forwarded, router's own traffic out with
# masquerading. Note that the router's own traffic (including upstream DNS queries from
# the local resolver) follows the main routing table, and 'ip -4 r' below shows the
# default route via wlan1, so until a default route via wg0 exists that traffic leaves
# here, outside the tunnel.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
list network 'wwan'
# NOTE(review): every rule below is named 'Allow-*' (the OpenWrt defaults) but has been
# changed to target 'DROP'. With defaults input/forward already DROP they add nothing
# except misleading names; renaming them (or removing them) would make the intent clear.
# Worth confirming that DHCP lease renewal on wwan still succeeds with Allow-DHCP-Renew
# set to DROP.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option family 'ipv4'
option target 'DROP'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'DROP'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'DROP'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'DROP'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
option family 'ipv6'
option target 'DROP'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option icmp_type 'echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'
option target 'DROP'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option icmp_type 'echo-reply destination-unreachable echo-request time-exceeded'
option dest '*'
option target 'DROP'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'DROP'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'DROP'
# Custom iptables rules, if any, live in /etc/firewall.user (not shown in the post).
config include
option path '/etc/firewall.user'
# DNS hijack: any TCP/UDP port-53 traffic from LAN is DNAT'ed to the router's own port 53,
# so clients with hard-coded plain-DNS resolvers still end up at the local dnsmasq.
# This only covers classic port-53 DNS; it does not catch DoT/DoH from clients.
config redirect
option name 'Divert-DNS'
option src 'lan'
option proto 'tcpudp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
# wg zone (IPv4 only): nothing in from the tunnel, router out OK, LAN traffic forwarded
# here is source-NATed to the tunnel address (masq '1').
# Since allowed_ips and this zone are IPv4 only, any IPv6 a LAN host might have would not
# go through the tunnel; no IPv6 uplink is visible in the posted config, so that is
# presumably a non-issue here - confirm with 'ip -6 r'.
config zone
option name 'wg'
option family 'ipv4'
option masq '1'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
option mtu_fix '1'
option network 'wg0'
# The single permitted forward: everything from lan into the tunnel zone. This is the only
# exit for LAN clients (see the lan/wan zone notes above).
config rule
option enabled '1'
option target 'ACCEPT'
option src 'lan'
option name 'Lan to wg'
option proto 'all'
option dest 'wg'
ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
7: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 172.16.0.10/24 brd 172.16.0.255 scope global wlan1
valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
inet 10.9.0.2/24 brd 10.9.0.255 scope global wg0
valid_lft forever preferred_lft forever
ip -4 r
default via 172.16.0.1 dev wlan1 proto static src 172.16.0.10
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.2
x.x.x.x via 172.16.0.1 dev wlan1 proto static
172.16.0.0/24 dev wlan1 proto kernel scope link src 172.16.0.10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
ip -4 ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
/etc/config/dhcp
# /etc/config/dhcp as posted.
# DNS side: noresolv '1' makes dnsmasq ignore /tmp/resolv.conf, so the only upstream it
# forwards to is the 'list server' entry 127.0.0.53 - a resolver on the router itself
# (presumably the dnscrypt v2 proxy mentioned in the resolv.conf comment below; confirm
# what is listening there). Whether that resolver's own outbound queries go through the
# tunnel depends on the routing table, not on dnsmasq: with the default route via wlan1
# (see 'ip -4 r' above) they leave via the uplink.
# rebind_protection/rebind_localhost '1' block upstream answers pointing at private or
# loopback addresses; localservice '1' restricts queries to local subnets.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option noresolv '1'
option localuse '1'
list server '127.0.0.53'
# DHCP pool for LAN: 192.168.1.100-249, 24h leases.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '24h'
# No DHCP served towards the uplink.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd is not the main DHCP server here (dnsmasq is).
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
/tmp/resolv.conf
# Interface wwan (Why WAN and not lan? dnscrypt v2 works fine, dnsleaktest.com never showed leaks)