Help with simple firewall setup

I've got everything installed and I think working, but I don't have the firewall correct. I have to create a separate interface for each WireGuard connection, which I did, but when I edit a VPN server interface's firewall settings, it's a mess, usually listing ALL my VPN servers. My setup is simple. Modem wired>router>wired to computers. Some of you whizzes, I'm sure, will see what I did wrong in the firewall. Thanks

Does this reflect what you want to do, what you did, or what you think you need to do?

There isn’t a clear question here, nor is there anything to diagnose or read. Let’s see your config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

(screenshot omitted: Screenshot 2025-10-20 at 8.14.14 PM, the composer toolbar referred to above)

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Command 'ubus' not found, did you mean:
  command 'ibus' from deb ibus (1.5.26-4)
  command 'bus' from deb atm-tools (1:2.5.1-4build2)
Try: sudo apt install <deb name>
cat: /etc/config/network: No such file or directory
cat: /etc/config/wireless: No such file or directory
cat: /etc/config/dhcp: No such file or directory
cat: /etc/config/firewall: No such file or directory

Well, that was not a good start for me.
That was via ssh and "host key verification failed",
and there was no option for a password or to click Y/N.

The error/warning usually tells you how to fix the issue.

ssh root@192.168.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:eWIMn05wfaQsrlHk2WCFrl5iNYbVyS5VQ1uLIJUQJhw.
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/me/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/home/me/.ssh/known_hosts" -R "192.168.1.1"
Host key for 192.168.1.1 has changed and you have requested strict checking.
Host key verification failed.
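The warning above only tells you how to silence it. Which of the two explanations it lists applies ("someone is doing something nasty" versus "a host key has just been changed", as happens after a reflash or a firstboot reset) can be settled by comparing fingerprints before the entry is removed. The script below is an added example, not code from this thread or from OpenWrt. It assumes OpenSSH's ssh-keygen on the client (7.2 or later, for reading a key from stdin with `-lf -`), and that the router's own fingerprint is obtained out of band, on OpenWrt with dropbear via the serial console or an already trusted session: `dropbearkey -y -f /etc/dropbear/dropbear_ed25519_host_key | awk '/^Fingerprint/ {print $2}'` (key path and SHA256 output format assumed for recent dropbear releases). The known_hosts entry it builds is constructed from an all-zero ed25519 key, not a real router key.

```shell
#!/bin/sh
# Added example, not part of the thread: check a "REMOTE HOST IDENTIFICATION
# HAS CHANGED" warning against the router before deleting the known_hosts
# entry as the warning suggests. Assumes OpenSSH ssh-keygen 7.2+ on the client.
# The router-side fingerprint comes from dropbear on OpenWrt (assumed path):
#   dropbearkey -y -f /etc/dropbear/dropbear_ed25519_host_key | awk '/^Fingerprint/ {print $2}'

# Fingerprint of the key currently stored for HOST, e.g. "SHA256:...",
# or nothing if there is no entry. -F also finds hashed entries.
stored_fingerprint() {  # stored_fingerprint KNOWN_HOSTS HOST
	ssh-keygen -F "$2" -f "$1" 2>/dev/null | grep -v '^#' \
		| ssh-keygen -lf - 2>/dev/null | awk '{ print $2; exit }'
}

# Exit 0 when the stored entry equals FINGERPRINT. How to read the result:
#   router fingerprint == the one quoted in the warning -> the key really
#       changed (reflash, firstboot); replacing the entry is fine.
#   router fingerprint == the stored one -> the router did not change,
#       something else answered on that address; do not remove the entry.
host_key_matches() {  # host_key_matches KNOWN_HOSTS HOST FINGERPRINT
	[ -n "$3" ] && [ "$(stored_fingerprint "$1" "$2")" = "$3" ]
}

# Constructed sample entry: an all-zero ed25519 public key (not a real
# router key) for the address used in the thread.
sample_known_hosts() {  # sample_known_hosts FILE
	awk 'BEGIN { b = "AAAAC3NzaC1lZDI1NTE5AAAAI"; for (i = 0; i < 43; i++) b = b "A"; print "192.168.1.1 ssh-ed25519 " b }' > "$1"
}

# Demo: compare the stored key with the fingerprint quoted in the warning.
kh=$(mktemp)
sample_known_hosts "$kh"
echo "stored: $(stored_fingerprint "$kh" 192.168.1.1)"
if host_key_matches "$kh" 192.168.1.1 "SHA256:eWIMn05wfaQsrlHk2WCFrl5iNYbVyS5VQ1uLIJUQJhw"; then
	echo "stored entry equals the warning fingerprint"
else
	echo "stored entry differs from the warning fingerprint"
fi
rm -f "$kh"
```

Only after the warning's fingerprint matches what the router itself prints is the `ssh-keygen -R` removal the warning suggests the right move; until then the stored entry is the one piece of evidence you have about which device you trusted last time.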

It does indeed :)

ubus call system board
{
	"kernel": "6.6.127",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "GL.iNet GL-A1300",
	"board_name": "glinet,gl-a1300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.6",
		"revision": "r29141-81be8a8869",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 24.10.6 r29141-81be8a8869",
		"builddate": "1773709139"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'snip::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'auto'
	option norelease '1'

config interface 'IVPNNY'
	option proto 'wireguard'
	option private_key 'snip'
	option mtu '1412'
	list dns '9.9.9.9'
	list dns '149.112.112.112'
	list addresses 'snip'

config interface 'IVPNLA'
	option proto 'wireguard'
	option private_key 'snip='
	option mtu '1412'
	list dns '9.9.9.9'
	list dns '149.112.112.112'
	list addresses 'snip'

config interface 'IVPNCHI'
	option proto 'wireguard'
	option private_key 'snip='
	option mtu '1412'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config wireguard_IVPNNY

config wireguard_IVPNNY
	option public_key 'snip'
	list allowed_ips '0.0.0.0/0'
	option description 'VPNNY'
	option persistent_keepalive '25'
	option endpoint_host 'snip'
	option endpoint_port 'snip'
	option route_allowed_ips '1'

config interface 'IVPNDAL4'
	option proto 'wireguard'
	option private_key 'snip'
	list dns '9.9.9.9'
	list addresses 'snip'

config wireguard_IVPNLA
	option description 'IVPNLA'
	option public_key '6snip'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '8snip'
	option endpoint_port 'snip'

config wireguard_IVPNCHI
	option description 'IVPNCHI'
	option public_key 'snip'
	option private_key 'snip'
	option route_allowed_ips '1'
	option endpoint_host 'snip'
	option endpoint_port '2049'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option band '2g'
	option channel '1'
	option txpower '1'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'snip'
	option encryption 'sae-mixed'
	option macaddr 'random'
	option ocv '0'
	option disabled '1'
	option key ''

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option txpower '1'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'snip'
	option encryption 'sae-mixed'
	option ocv '0'
	option disabled '1'
	option key 'snip'
	option macaddr 'snip'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'IVPNNY'
	list network 'IVPNDAL4'
	option family 'ipv4'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'IVPNfw'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'IVPNCHI'
	list network 'IVPNDAL4'
	list network 'IVPNLA'
	list network 'IVPNNY'
	list network 'lan'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'IVPNfw'

Yup... you've made a mess out of this. Simple to fix, but the issue is that each network can be a member of one and only one firewall zone. You also do not want to mix the lan and wan in a single zone, and your VPNs should be in their own zone or in the wan zone.

Just reviewing your firewall...

delete the lan and wan networks from this:

Delete the VPNs from here:

Then try again.

No matter how much I read about OpenWRT, this never gets easy, even for a simple setup. I have 4 vpn interfaces, a Lan, a Wan and a Wan6. I set up a firewall for each as I thought it needed it. So, to be clear, you want me to delete the firewall in each of the vpn settings for each server to start with? I think one of the errors I made was the individual firewalls, when I really only need one on the Lan or Wan or both. Is that correct?

I'll summarize... for your needs:

  • lan firewall zone
    • contains the lan network
    • default is configured properly
    • don't add/remove/edit this zone.
  • wan firewall zone
    • contains the wan and wan6 networks (that's IPv4 and IPv6 respectively).
    • default is configured properly
    • don't add/remove/edit this zone.
  • vpn firewall zone (you created this one)
    • zone policies should mirror that of the wan firewall zone (input and forward = reject, output = accept, masquerading enabled)
    • this will contain your VPN network(s)
    • this also requires forwarding from lan > vpn (which you've added) to allow the lan to use the VPN.

The other part is the network assignment into zones...

  • Each network may only exist in one zone.
  • A zone may contain one or many networks
  • Zones generally represent logical assignments/groupings of networks... that is to say
    • the lan is trusted and represents your local network(s)
    • the wan is untrusted and represents the upstream/internet connection
    • new zones can be added
      • in your case the vpn zone
      • the VPN zone can contain all of your vpns since they are logically the same.
      • Because these are commercial VPNs, they are treated similarly to the wan
        • They could exist in the wan firewall zone (and only there)
        • But since it is sometimes desirable to have a 'kill switch' to prevent traffic that is not flowing via a VPN tunnel, it can be a good idea to have them in a separate zone but with similar zone policies.
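The rule stated in the earlier reply ("each network can be a member of one and only one firewall zone") and the zone layout in the summary above can be checked mechanically rather than by eye. The following POSIX sh script is an added example, not code from this thread or from OpenWrt. It parses the UCI firewall file as text and lists every network that appears in more than one zone, plus any zone that holds both lan and wan. The two embedded configs are constructed: the first reproduces the three zones posted earlier in the thread (rules omitted), the second is the layout the summary describes, with lan and wan zones left at their defaults and only the network lists shown for them.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: lint a UCI
# firewall file for the two mistakes diagnosed above, a network listed in
# more than one zone and lan/wan sharing a zone. It reads the file as text,
# so it runs on the router (busybox awk) or on a saved copy elsewhere.
# Usage: zone_lint /etc/config/firewall   (or feed the file on stdin)
# Output lines: "overlap NET ZONE1,ZONE2" and "mixed ZONE lan,wan"; no output = clean.
zone_lint() {
	awk -v q="'" '
		function emit_zone() {
			if (section == "zone") { nz++; zname_of[nz] = zname; nets_of[nz] = nets }
		}
		$1 == "config" { emit_zone(); section = $2; zname = ""; nets = "" }
		section == "zone" && $1 == "option" && $2 == "name" { zname = $3; gsub(q, "", zname) }
		section == "zone" && $1 == "list" && $2 == "network" { n = $3; gsub(q, "", n); nets = nets " " n }
		END {
			emit_zone()
			for (i = 1; i <= nz; i++) {
				has_lan = 0; has_wan = 0
				m = split(nets_of[i], a, " ")
				for (j = 1; j <= m; j++) {
					# count[] is post-incremented, so it is 0 the first time a network is seen
					zones_of[a[j]] = (count[a[j]]++ ? zones_of[a[j]] "," : "") zname_of[i]
					if (a[j] == "lan") has_lan = 1
					if (a[j] == "wan") has_wan = 1
				}
				if (has_lan && has_wan) printf "mixed %s lan,wan\n", zname_of[i]
			}
			for (net in count) if (count[net] > 1) printf "overlap %s %s\n", net, zones_of[net]
		}
	' "$@" | LC_ALL=C sort
}

# Constructed: the three zones as posted in this thread (policies and rules omitted).
posted_zones() {
	cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	list network 'IVPNNY'
	list network 'IVPNDAL4'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'IVPNfw'
	list network 'IVPNCHI'
	list network 'IVPNDAL4'
	list network 'IVPNLA'
	list network 'IVPNNY'
	list network 'lan'
	list network 'wan'
EOF
}

# Constructed: the layout the summary describes. lan and wan keep their default
# policies (not repeated here); the VPN zone mirrors wan and gets lan -> VPN forwarding.
corrected_zones() {
	cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'IVPNfw'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'IVPNCHI'
	list network 'IVPNDAL4'
	list network 'IVPNLA'
	list network 'IVPNNY'

config forwarding
	option src 'lan'
	option dest 'IVPNfw'
EOF
}

posted_zones | zone_lint      # five findings
corrected_zones | zone_lint   # no output
```

Against the posted zones it reports IVPNDAL4, IVPNNY, lan and wan as overlapping and IVPNfw as mixing lan with wan; the corrected layout produces nothing. Note that the "Firewall Settings" tab on each interface in LuCI is simply another way of adding that network to a zone's list, which is how an interface ends up in two zones without that ever being visible on the Firewall page itself.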

What’s the easiest way, if possible, to just reset all the networking to default and start this mess all over? I’m seeing handshakes on 3 of 4 of my VPN servers and small data and packets but no connection to the internet. Things got all screwed up when I thought the list of servers would just upload and populate by themselves; they didn’t, so I added them individually and now the network is just wasted work. Likely best to start over on the networking side. I guess most people who do this stuff must have PhDs in networking. The majority of us do not.

If you want to reset:

  • Via LuCI web interface: System > Backup / Flash Firmware > Restore > Perform Reset
  • Or via ssh: firstboot -y && reboot

You should only have a single VPN tunnel active at a time (unless you use Policy Based Routing or mwan3 to manage the routes). It's hard to diagnose your issues with so little info, but maybe you can remove 3 of them and try just one VPN to see if it works properly.

How exactly do you expect this to work? What is the automatic mechanism you were thinking would do this?

It's always best to start simple. Setup one VPN connection. Test it. If it doesn't work, troubleshoot/debug until it's fixed. This way you don't make the same mistake multiple times and/or discover that you've layered things in a way that breaks the config.

Probably not a bad idea. But best to follow established guides. (note: not all steps apply in all circumstances -- some VPNs handle certain parts of the key generation process):

Most of us are enthusiasts who have learned this stuff over years of "hobby" tinkering. I'm not a professional network engineer (although the experience and knowledge I've gained via this hobby has significantly benefited my career). That said, this is all stuff that just takes some time to learn... I'm convinced that most people can learn it if they choose, just comes down to a matter of how interested they are.

I keep getting status upgrades from openwrt for the time I’ve spent online which has to be close to or 3/4 of a work week, so yeah, to me, it looks like I’m trying. Will this reset take me back to the base 24.10.6 or back to OEM ?

I'm not sure what you mean by this.

It will take you back to the default configuration of 24.10.6.

That said, this would be a good time to upgrade to 25.12.2 (uncheck the 'keep settings' checkbox and it will reset to defaults during the upgrade process).

I just got an email today from this website saying it saw how much time I was spending online and encouraged me to spend more time here and post. I’m sure I got close to 40 hours on this site, just reading. I’m doing the reset now and I will take the chance to upgrade to 25 also. Thanks for your time and patience. I get it, I teach in other subject areas that can be complex, and especially when you volunteer, you’re not expecting much pushback and expect them to do their part. I appreciate you and am doing my part and will start in again. It seems to be stuck on “

Erasing...

The system is erasing the configuration partition now and will reboot itself when finished.

It’s been there even after the reboot and it’s been about 10-15 minutes. When is it safe to do something as no options are available thru Luci?

Ah... so it was the forum software. Not the OpenWrt firmware.

Can you take me through the steps you took prior to it getting stuck there?

Just like that.

You should be able to reboot it (pull the power cable for a few seconds) and it should come back with the default address (192.168.1.1).

Ok, I’m back to the original setup. Got Wireguard all installed and I’ve installed 1 vpn server according to their setup and stopped there. Done nothing with a firewall this time. Next step?

Do this (or re-do it, as the case may be):