Help setting up Wireguard Client on ASUS RT-AC1200V1 with OpenWrt/having a DNS leak

Hi all,

I'm trying to set up a WireGuard client and route all of my traffic through it on my Asus RT-AC1200V1 with OpenWrt. I'm currently using LuCI to do so – I was able to create the WG interface, set it up, and exchange peer information between the VPS that's acting as the WG server and this client.

I know my WG server works, because I was able to set up a client on my phone and it works correctly; however, with the WG client on the Asus router, traffic either goes directly out through the WAN/modem address, bypassing the VPN, or I lose the internet connection.

General settings:

Advanced settings:
I used to have the DNS server of my VPS in here, but that didn't seem to add it to the WG interface configuration file; either way it didn't work.

Firewall zones:
I've tried adding WG to the WAN zone, which didn't work, and I've tried putting WG in its own zone configured so that LAN traffic goes through it – I ended up not being able to access the internet.

Traffic rules:

DHCP server:

Peer info:
I'm pretty sure I double- and triple-checked that I entered everything correctly, but if what's going on points to me having entered something wrong, I'll check again.

I've tried following this and this tutorial; the first one is pretty much what I did, except that I used LuCI. For the second one, I tried that too, except for the DNS configuration section (I'll probably try it right after writing this).

Thank you in advance!

Edit: just in case, adding the above info (and more) in text form -

# cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc5:ec0e:8bc0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'XX:XX:XX:XX:XX:XX'
        option ipv6 '0'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

# WireGuard client interface (the tunnel the whole LAN is meant to use).
config interface 'WG0'
        option proto 'wireguard'
        # NOTE(review): the opening quote before the redacted key is missing in
        # this paste; the file itself must read  option private_key '<key>'  or
        # the section will not parse.
        option private_key XXXXXXXXXXXXXXXXXXXXX'
        # No prefix length given; the reply further down changes this to include one.
        list addresses '10.8.0.3'
        # '0' stops netifd from installing this interface's default route, so
        # traffic keeps leaving via eth0.2 (see the 'ip route show' output below).
        option defaultroute '0'
        # Orders this interface's resolvers against the WAN-learned ones; no
        # 'list dns' entry is present here, so there is currently nothing to order.
        option dns_metric '50'

# Peer = the VPS acting as WG server.
config wireguard_WG0
        option description 'CloudWGServer'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXX'
        # Tunnel all IPv4; the kernel route for this range is only added when
        # route_allowed_ips '1' is set in this section, which is absent here.
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'XXX.XXX.XXX.XXX'
        option endpoint_port '26535'
        # Keeps NAT state on the path to the endpoint alive (this router sits
        # behind the modem's 192.168.0.0/24, per the route output below).
        option persistent_keepalive '25'
# cat /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Rejects upstream answers that resolve to private addresses (DNS
        # rebinding defence); keep enabled.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers are read from this netifd-generated file. With no
        # DNS server configured on WG0 (see the network config), the entries come
        # from the WAN DHCP lease, so client lookups bypass the tunnel — presumably
        # the "DNS leak" in the title; verify with a leak test once WG0 carries a
        # 'list dns' entry.
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer queries from directly attached subnets (not an open resolver).
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'WG0'
        option interface 'WG0'
        # No DHCP/RA is served on the tunnel interface.
        option ignore '1'
# cat /etc/config/firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Forwarding between zones is denied unless a 'config forwarding' allows it.
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        # Unsolicited inbound from the internet is rejected; only the explicit
        # Allow-* rules below punch through.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # Source-NAT outbound traffic to the zone's own address.
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock OpenWrt rules: admit ESP and IKE (UDP/500) from wan into lan. They only
# matter if an IPsec endpoint on the LAN must be reachable from outside; if none
# exists they can be disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Separate zone the poster tried for WG0: input/output/forward are all DROP and
# no 'config forwarding' with dest 'wg_zone' exists, so LAN clients can never
# reach the tunnel and the router itself cannot send into it — consistent with
# the internet loss described above. The reply below lists WG0 under the wan
# zone instead.
config zone
        option name 'wg_zone'
        list network 'WG0'
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        option masq '1'

# The only inter-zone forwarding allowed: lan -> wan.
config forwarding
        option src 'lan'
        option dest 'wan'
I don't know why you need to put a metric on your DNS in WireGuard.

I for one would keep wg0 in the wan firewall zone, since you are aiming to send all traffic to the VPS.

The big item, however, is that routing of the allowed IPs is missing from your wg0 stanza:

route_allowed_ips='1'

Bill,

Just trying out some stuff.

Okay, I put the interface back into WAN firewall zone.

Okay, just added this, as well as put back the DNS address of the VPS into the advanced settings. Still not working.

Run these two commands and post back.

wg show; ip route show

Edit out your ISP IP address if it shows up in the second command's output.

We might need to look at the VPS settings, as you did for the Asus.

Bill,

# wg show; ip route show
interface: WG0
  public key: XXXXXXXXXXXXXXXXXXXXXXXXX
  private key: (hidden)
  listening port: 33096

peer: XXXXXXXXXXXXXXXXXXXXXXXXX (public key of the server)
  endpoint: XXX.XXX.XXX.XXX:26535
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 47 seconds ago
  transfer: 644 B received, 2.44 KiB sent
  persistent keepalive: every 25 seconds
default via 192.168.0.1 dev eth0.2  src 192.168.0.11
XXX.XXX.XXX.XXX (same as the endpoint address in peer, the VPS public IP) via 192.168.0.1 dev eth0.2
192.168.0.0/24 dev eth0.2 scope link  src 192.168.0.11
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1

192.168.0.1 is my modem's IP address and 192.168.0.11 is the Asus's IP address on the LAN.

Two items here need modification.

list addresses '10.8.0.3/8'

And remove this line.
option defaultroute '0'


Bill,

Thank you, that worked!

That makes sense.

Ah, okay, I had some confusion about the "Use default gateway" option; now I understand this better!
