Hello there,
I am trying to configure WireGuard on OpenWrt on my Netgear Nighthawk X4 AC200, model EX7300v2.
It is a Wi-Fi mesh extender with one Ethernet port; the device can act either as an extender or as an access point. I am in China, so I can reach some sites such as Bing but not others such as Google.
I was following the WireGuard guide from the Mullvad website. I feel stuck: after creating the WireGuard interface and adding a peer, I get a successful handshake with the Mullvad server, but I still cannot reach sites like Google. I can only open the ones that are not blocked by the Great Firewall, such as Bing and, luckily, the OpenWrt site.
Is there a way you could help me out?
Here is some configuration and diagnostic information:
C:\Users\DELL>ssh root@192.168.1.3
root@192.168.1.3's password:
BusyBox v1.36.1 (2023-10-09 21:45:35 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 23.05.0, r23497-6637af95aa
-----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.134",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA550X ver 1 rev 0",
"model": "Netgear EX7300 v2",
"board_name": "netgear,ex7300-v2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ath79/generic",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdeb:bd7b:db54::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
config interface 'wg0_int'
option proto 'wireguard'
option private_key 'redacted'
option force_link '1'
list addresses 'fc00:bbbb:bbbb:bb01::2:74e7/128'
list addresses '10.65.116.232/32'
option mtu '1280'
list dns '10.64.0.1'
config wireguard_wg0_int
option description 'au-adl-wg-301'
option public_key 'rm2hpBiN91c7reV+cYKlw7QNkYtME/+js7IMyYBB2Aw='
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option route_allowed_ips '1'
option endpoint_host '103.214.20.50'
option endpoint_port '3099'
option persistent_keepalive '25'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option country 'CN'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt8'
option encryption 'psk2'
option key '00998877'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '10.64.0.1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'hybrid'
option ra 'hybrid'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'WGZONE'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg0_int'
config forwarding
option src 'lan'
option dest 'WGZONE'
root@OpenWrt:~# wg show
interface: wg0_int
public key: wMmu2t4KvOETXc1uQsg8TXqkohTso26UBcN2dvQUJzA=
private key: (hidden)
listening port: 55016
peer: rm2hpBiN91c7reV+cYKlw7QNkYtME/+js7IMyYBB2Aw=
endpoint: 103.214.20.50:3099
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 43 seconds ago
transfer: 230.95 KiB received, 192.38 KiB sent
persistent keepalive: every 25 seconds
An alternative solution could be to use the Tailscale mesh VPN, which is based on WireGuard. You would need to place a Tailscale exit node outside the PRC and then connect to that exit node using Tailscale clients from within the PRC.
An Apple TV outside the PRC acting as a Tailscale exit node would be sufficient.
That would be the preferred method of connection, as the traffic is end-to-end encrypted. Tailscale clients are not bound to reaching the exit node via your home router, because no router configuration is involved: the connection to the exit node is made directly and is possible from anywhere in the world.
Tailscale is free for the first 100 devices.
For inbound access to your home network, the EX7300 v2 would need to be set up as a Tailscale exit node itself, and the same access rules would apply to the Tailscale clients.
Edit: I forgot to mention Tailscale offers a VPN Provider integration service with Mullvad, but there are some limitations, see the Tailscale website for details.
I do think this is what is happening: from the LuCI interface, under Diagnostics, if I ping google.com or 8.8.8.8 I get 0% packet loss.
I just finished setting up the guest Wi-Fi; unfortunately, when I connect to it I get no connectivity at all: no Google, no Bing, and not even the OpenWrt web interface.
It helps if you show your configs again. Please connect to your OpenWrt device using SSH, copy the output of the following commands, and post it here using the "Preformatted text </>" button.
Remember to redact keys, passwords, MAC addresses and any public IP addresses before posting (the wireless key in your earlier paste, for example, is shown in clear):
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show
I tried changing it to this; it still didn't help.
I had set it to 3099 to match the port listed for this server on Mullvad's server list, because someone in another thread said they had a problem when it was left at 51820 instead of the port shown on the website.
Should I be concerned?
It says the server location is Adelaide, Australia, which is the same city as the Mullvad server configured as my peer, au-adl-wg-301.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
About the DNS: if the origin of the DNS server is the same as the origin of the IP address, you should not be worried, because your DNS requests are then going through the tunnel.
If you want to use only the DNS server from Mullvad, you can try to disable/uncheck "Use DNS servers advertised by peer" on the Advanced tab of the LAN interface:
option peerdns '0'
But as the Mullvad DNS server is only reachable once the tunnel is up, that opens a whole new can of worms, so be careful with this.
Mullvad uses an IP address as the endpoint, so that part should work, but WireGuard also needs a more or less correct clock, so you should probably use an IP address for the time server as well.
I really think there should be an app or pulldown option where people can select their vpn provider. That would help new to vpn people so much.
When I do some configuring and look at "unsaved changes" I see uci commands fly by. If that contains the commands to add a vpn for express, proton, nord, mullvad and the like, I think that would make a lot of people really happy.
Yeah, I really shouldn't be concerned; I also noticed the DNS leak in the check even when using the Mullvad app with another router.
On a side note: is it possible to make this guest Wi-Fi behave as normally as possible, for example by disabling the traffic rules that block clients on the guest Wi-Fi from reaching other devices? I just noticed that a Chromecast I own cannot connect to this Wi-Fi, and neither can my Google Home Mini or my smart TV. Only my laptop connects smoothly; my smartphone struggles a bit but connects stably after a few reconnections. I have another Xiaomi router that I couldn't flash; when I set it to act as a Wi-Fi extender, it would not detect the guest Wi-Fi at all.
If you mean the Chromecast cannot connect to the Wi-Fi, then check your channel and security settings; WPA2-PSK with CCMP (AES) usually works for most devices.
If you mean you cannot reach the Chromecast and the TV from other subnets, then that is indeed not possible out of the box.
For discovery, the clients need to be on the same subnet.
It is possible to make this work between subnets: for Chromecast, which relies on mDNS, you need an mDNS reflector such as Avahi; for media servers that use SSDP/DLNA, you need something like SMCRoute.