I know you already have a solution, so this is just to clarify previously posted information.
It is possible to configure OpenWrt as a Tailscale subnet router and connect it to a remote Tailscale exit node such as an Apple TV. In this scenario, individual devices do not need a Tailscale client installed.
Also note that content providers monitor and block traffic coming from VPN providers, so using a VPN to get around geoblocking can be hit and miss.
Heey
sorry once again
I just got back home and noticed the VPN is not working; I am getting no handshakes this time. I even tried restoring the backup I created right after your advice worked and everything was good. Still no handshakes with the servers.
What can I do to solve this?
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdeb:bd7b:db54::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
config interface 'wg0_int'
option proto 'wireguard'
option private_key 'redacted'
option force_link '1'
list addresses 'fc00:bbbb:bbbb:bb01::2:74e7/128'
list addresses '10.65.116.232/32'
option mtu '1280'
list dns '10.64.0.1'
option listen_port '51820'
config wireguard_wg0_int
option description 'au-adl-wg-301'
option public_key 'rm2hpBiN91c7reV+cYKlw7QNkYtME/+js7IMyYBB2Aw='
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option route_allowed_ips '1'
option endpoint_host '103.214.20.50'
option endpoint_port '51820'
option persistent_keepalive '25'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option country 'CN'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt8'
option encryption 'psk2'
option key '00998877'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid '904'
option encryption 'psk2'
option network 'guest'
option key '00998877'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '10.64.0.1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'hybrid'
option ra 'hybrid'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'WGZONE'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg0_int'
config forwarding
option src 'lan'
option dest 'WGZONE'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'lan'
config rule
option name 'Guest_DHCP'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'Guest_DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'BLock_Guest_from_Lan'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.1.0/24'
option target 'REJECT'
config forwarding
option src 'guest'
option dest 'WGZONE'
root@OpenWrt:~# wg show
interface: wg0_int
public key: wMmu2t4KvOETXc1uQsg8TXqkohTso26UBcN2dvQUJzA=
private key: (hidden)
listening port: 51820
peer: rm2hpBiN91c7reV+cYKlw7QNkYtME/+js7IMyYBB2Aw=
endpoint: 103.214.20.50:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 14.89 KiB sent
persistent keepalive: every 25 seconds
There is also the possibility that the server is overcrowded or down for maintenance.
I have a well-known VPN provider (Mullvad), but occasionally that happens. I have multiple tunnels with failover: if one tunnel is down, the next one is started.
But I would first research other things, e.g. the things already noted by @psherman, general internet connectivity, etc.
Otherwise, make a new WireGuard config, upload that to a second peer, and disable this peer for testing.
I have just noticed that whenever I reboot the router, the time is set to 23:02 and continues from there. I have to manually sync the time with my browser, but even after syncing I still get no handshake.
before sync
root@OpenWrt:~# date
Tue Mar 4 23:07:09 CST 2025
after sync
root@OpenWrt:~# date
Wed Mar 5 06:38:27 CST 2025
root@OpenWrt:~# wg show
interface: wg0_int
public key: wMmu2t4KvOETXc1uQsg8TXqkohTso26UBcN2dvQUJzA=
private key: (hidden)
listening port: 59521
peer: rm2hpBiN91c7reV+cYKlw7QNkYtME/+js7IMyYBB2Aw=
endpoint: 103.214.20.50:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 740 B sent
persistent keepalive: every 25 seconds
Is there a way to solve the sync problem, or do I have to make sure the router never goes off once the problem is fixed?
I am using Mullvad too.
I have just tried adding multiple peers; I am still not getting handshakes.
I can add multiple peers to the same interface, right? I just have to make sure I enable one at a time.
Your device doesn't have a battery-backed real-time clock. This means that it cannot keep time while it is off or being rebooted. The system uses the time (and date) of the most recently modified file on the router as the starting point, and then performs an NTP sync after the network has been established.
It's a bit of a chicken-or-egg problem: the router cannot reach the internet to sync the time because all traffic is supposed to go through the tunnel, but the tunnel cannot be established because the time is wrong.
There are a few ways around this (you can search the forum for "wireguard after ntp sync"). One way is to use policy-based routing so the time servers can be reached via the regular WAN. Another is simply to delay the startup of WireGuard until the time synchronization has succeeded.
I searched for this and found a thread on it. I created a routing table for the WireGuard interface and the LAN.
Whenever I reboot now, the time is set correctly.
However, my WireGuard interface still gets no handshake. I have tried generating new keys via LuCI, uploading the public keys to Mullvad and getting a new IP address to use, multiple times, still to no avail. Using a different peer also doesn't work.
Is there something else that could be wrong? Here is my latest config:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdeb:bd7b:db54::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
config interface 'wg0_int'
option proto 'wireguard'
option private_key 'redacted'
option force_link '1'
list dns '10.64.0.1'
option ip4table '200'
list addresses 'fc00:bbbb:bbbb:bb01::9:b47c/128'
list addresses '10.72.180.125/32'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
config wireguard_wg0_int
option description 'au-syd-wg-104'
option public_key '61Ovy3ObuHqllZK/P/5cOWZnY26SY2csmjzVK1q+fFs='
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option route_allowed_ips '1'
option endpoint_host '103.136.147.197'
option endpoint_port '51820'
option persistent_keepalive '25'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option country 'CN'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt8'
option encryption 'psk2'
option key '00998877'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid '904'
option encryption 'psk2'
option network 'guest'
option key '00998877'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '10.64.0.1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'hybrid'
option ra 'hybrid'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'WGZONE'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg0_int'
config forwarding
option src 'lan'
option dest 'WGZONE'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'lan'
config rule
option name 'Guest_DHCP'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'Guest_DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'BLock_Guest_from_Lan'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.1.0/24'
option target 'REJECT'
config forwarding
option src 'guest'
option dest 'WGZONE'
root@OpenWrt:~# wg show
interface: wg0_int
public key: Tv7sNVLRq0zRygrELHNXThOOYvp/O43YcCJp47rQyz0=
private key: (hidden)
listening port: 49021
peer: 61Ovy3ObuHqllZK/P/5cOWZnY26SY2csmjzVK1q+fFs=
endpoint: 103.136.147.197:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 5.35 KiB sent
persistent keepalive: every 25 seconds
Each config I get from Mullvad has the same private key and the same IPv4 and IPv6 addresses; the only differences have been the peer's public key and the endpoint port. Whenever I create a new peer to try, I just change these two details, save, and restart the interface. Am I doing this wrong?