Installing VPN

Yeah, exactly.

I want to connect to my Raspberry Pi and the Raspberry Pi needs to be my VPN.

Because my purpose/goal is that I want to connect my Apple TV to my Raspberry Pi, because the Pi can provide me a VPN connection.


There are 0 bytes received and no "last handshake," which means the server isn't responding to you. This is either a problem with the underlying Internet connection, or because the keys don't match. Wireguard can be harder to troubleshoot than OpenVPN because it doesn't log anything.

If you have set allowed_ips to 0.0.0.0 and route_allowed_ips is enabled, then all Internet access will be routed via the tunnel. This can be checked by examining the routing table.

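An added example, not posted by anyone in this thread: a small shell helper that classifies each peer in the output of `wg show <iface> dump` the way the reply above does (no handshake at all, a stale handshake, or healthy), and for the "no handshake" case says whether packets are at least leaving, which is what separates a wrong endpoint/key from a routing or firewall problem. On OpenWrt the WireGuard netdev takes the name of the UCI interface section, so on this setup the real command would be `wg show interface_wg dump`. The dump below is constructed with placeholder keys, and the 180-second staleness threshold is an assumption (WireGuard rekeys after about two minutes of traffic, so an older handshake with keepalive set is suspicious).

```shell
#!/bin/sh
# Classify WireGuard peers from `wg show <iface> dump` output.
# Peer lines are tab-separated: public_key preshared_key endpoint allowed_ips
# latest_handshake(epoch seconds) transfer_rx transfer_tx persistent_keepalive

# wg_peer_status DUMP_TEXT NOW_EPOCH
# Prints one line per peer: <first 8 chars of pubkey> <verdict> rx=<bytes> tx=<bytes> [hint]
wg_peer_status() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" '
        NR == 1 { next }                 # first line describes the interface, not a peer
        NF < 8  { next }
        {
            key = substr($1, 1, 8); hs = $5 + 0; rx = $6 + 0; tx = $7 + 0
            hint = ""
            if (hs == 0) {
                # never completed a handshake: the far end is not answering us
                v = "no-handshake"
                if (tx > 0) hint = "we send but nothing comes back: check endpoint host/port, keys, UDP path"
                else        hint = "nothing sent at all: check routes and firewall zone"
            } else if (now - hs > 180) {
                v = "stale"              # ASSUMPTION: > 180 s since last handshake means a dead tunnel
            } else {
                v = "ok"
            }
            line = key " " v " rx=" rx " tx=" tx
            if (hint != "") line = line " (" hint ")"
            print line
        }'
}

# Constructed sample: peer A shows the symptom from the thread (bytes sent, 0 received,
# no handshake); peer B is a healthy peer that last shook hands at epoch 1700000000.
tab=$(printf '\t')
SAMPLE_DUMP="(hidden)${tab}IFACE_PUBKEY_PLACEHOLDER${tab}51820${tab}off
PEERAAAA_PUBKEY_PLACEHOLDER${tab}(none)${tab}213.152.188.18:51820${tab}0.0.0.0/0${tab}0${tab}0${tab}1480${tab}25
PEERBBBB_PUBKEY_PLACEHOLDER${tab}(none)${tab}198.51.100.7:51820${tab}10.5.0.0/24${tab}1700000000${tab}12345${tab}6789${tab}25"

# Real use on the router: wg_peer_status "$(wg show interface_wg dump)" "$(date +%s)"
wg_peer_status "$SAMPLE_DUMP" 1700000100
```

The dump format is stable across WireGuard versions, so the same helper works on a desktop client; only the interface name changes.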

So one test is to verify that clients connected through the RPi connect through the VPN, and a crude test would be to visit whatismyip.com from a client and check that the IP that gets reported corresponds to a NordVPN server and not your ISP's IP.

If you have set allowed_ips to 0.0.0.0 and route_allowed_ips is enabled, then all Internet access will be routed via the tunnel.

I already did this, thanks!

The routing thing can be slightly fiddly at first. I set up VPN with 'wan' failover using:

@mk24 will that work in @MennoEmmerik's use case?

@MennoEmmerik you could also have your RPi redirect DNS through stubby such that they are encrypted. Otherwise DNS queries will go out as plain text. But maybe you don't care about that since it's just for Apple TV (rather than anything requiring paranoid security).

Haha, I got it, but Apple TV doesn't support VPN, so yeah, I can understand your security quote :joy:

But, euhm, my Raspberry Pi, with OpenWrt on it, is connected to my home network wirelessly (wwan). That way I can connect to the internet. And while I am writing this, I have lost track of everything :slightly_smiling_face:

I cannot even execute the command "opkg update" and I can't even ping. So you know what, I have written down the details I need and I will start over again.

Get the simple case of everything on the Pi going by VPN working first, then look at finer points like policy routing.


All the other packages I can install, except this one. Is that a problem? (And with "all the other packages" I mean: kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard-tools.)

There is no package just called wireguard. You have installed everything needed for wireguard.

  • kmod-wireguard: kernel module
  • wireguard-tools: CLI and UCI support
  • luci-proto-wireguard: LuCI user interface

Each one depends on the ones above it.


Aaah okay, thanks!

If you follow the video at the top of this topic, then at some point you will see that he uses a USB wifi adapter and a VPN service (specifically NordVPN). But I am trying to recreate the video on my own. And I am still failing, over and over again.

If I add the WireGuard interface, my 'wwan' just stops working.

The wireguard interface should be in the wan firewall zone, so that requests for the Internet NAT through it.

Run route and post the result. You should see wireguard added a route to the NordVPN server (/32) so that the encrypted packets don't try to go into the tunnel, they go via your local ISP. Then it adds two /1 routes 0.0.0.0 and 128.0.0.0 so every other request for the Internet goes via the tunnel.
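An added example that is not part of the reply above: a shell check that inspects a routing table (the text of `ip -4 route`, or `route -n` if you prefer) for the two things just described, a host route to the VPN endpoint that leaves via the underlay rather than the tunnel, and Internet traffic going via the WireGuard device, either as the 0.0.0.0/1 + 128.0.0.0/1 pair or as a default route that wins on metric. The route tables below are constructed; the interface names (phy0-sta0 for the wwan uplink, interface_wg for the tunnel, which OpenWrt names after the UCI section) and the gateway address are assumptions, while the endpoint address is the one from the posted config.

```shell
#!/bin/sh
# Verify that a full-tunnel WireGuard setup routes the way it should:
#   1. a host route to the endpoint via the underlay (not into the tunnel itself)
#   2. everything else (0.0.0.0/1 + 128.0.0.0/1, or the winning default route) via the WG device

# check_vpn_routes ROUTES_TEXT ENDPOINT_IP WG_DEVICE   -> prints verdict, exit 0 only if both hold
check_vpn_routes() {
    printf '%s\n' "$1" | awk -v ep="$2" -v wg="$3" '
        function dev(   i) { for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1); return "" }
        ($1 == ep) || ($1 == ep "/32")     { host = 1; if (dev() == wg) host_via_wg = 1 }
        $1 == "0.0.0.0/1"   && dev() == wg { lo = 1 }
        $1 == "128.0.0.0/1" && dev() == wg { hi = 1 }
        $1 == "default" && !seen_default   { seen_default = 1; if (dev() == wg) def = 1 }  # ip lists lowest metric first
        END {
            rc = 0
            if (!host)       { print "FAIL: no host route to endpoint " ep " (handshake packets would be sent into the tunnel)"; rc = 1 }
            if (host_via_wg) { print "FAIL: endpoint " ep " is routed into " wg " itself, the tunnel would loop"; rc = 1 }
            if (!(lo && hi) && !def) { print "FAIL: Internet traffic is not routed via " wg; rc = 1 }
            if (!rc) print "OK: endpoint via underlay, everything else via " wg
            exit rc
        }'
}

# Constructed sample of a working table. ASSUMED names: phy0-sta0 = wwan uplink,
# 192.168.178.1 = home router, interface_wg = WireGuard device.
GOOD_ROUTES="default via 192.168.178.1 dev phy0-sta0 proto static src 192.168.178.50 metric 20
0.0.0.0/1 dev interface_wg proto static scope link
128.0.0.0/1 dev interface_wg proto static scope link
213.152.188.18 via 192.168.178.1 dev phy0-sta0 proto static metric 20
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.178.0/24 dev phy0-sta0 proto kernel scope link src 192.168.178.50"

# Same table without the endpoint host route: the encrypted packets would follow
# the /1 routes into the tunnel and never reach the server, hence no handshake.
BAD_ROUTES=$(printf '%s\n' "$GOOD_ROUTES" | grep -v '^213\.152\.188\.18 ')

# Real use on the router: check_vpn_routes "$(ip -4 route)" 213.152.188.18 interface_wg
check_vpn_routes "$GOOD_ROUTES" 213.152.188.18 interface_wg
check_vpn_routes "$BAD_ROUTES" 213.152.188.18 interface_wg || echo "(the failure above is the expected result for BAD_ROUTES)"
```

If the check passes but the handshake still does not happen, the problem is above the routing layer (endpoint port, keys, or the firewall zone the tunnel interface sits in).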

I will try to add WireGuard to the "wan". I am still a noob in networking.

I think I added WireGuard to the 'wan' firewall. And for the route command, do I need to enter something next to it?

I still don't have the "handshake" from wireguard, what am I missing?

I am going to try this.

I am thinking this needs configuring properly as an access point. Is this to be a dumb access point (so the main router gives out IP addresses to clients)?

I am just trying to recreate the video of the beardman, and I am not that good at networking.

So I am sorry that I do not really understand what you are saying right now.

At this point, it would probably be most effective for you to show your configuration (in text form):

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

That's also an option :joy:, I will do that, give me a moment.

Network output:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf2:a309:9b81::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option force_link '1'
        option ip4table '1'
        option ip6table '1'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        option dns '103.86.96.100 103.86.99.100'

config interface 'interface_wg'
        option proto 'wireguard'
        option private_key '<private_key>'
        list addresses '10.5.0.2'

config wireguard_interface_wg
        option description 'nordlynx'
        option public_key '<public-key>'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '213.152.188.18'
        option persistent_keepalive '25'

config rule 'lan_wan'
        option in 'lan'
        option lookup '2'
        option priority '40000'

config rule6 'lan_wan6'
        option in 'lan'
        option lookup '2'
        option priority '40000'

My firewall output:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'interface_wg'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

You haven't specified the endpoint port...

You'll add a line like this:

	option endpoint_port '51820'

(or whatever port is specified by nordlynx).