Is there any way to implement cloudflare warp free vpn in OpenWrt router?

Wait...

What is the src IP of this client???

The src IP of the client is... 192.168.1.100 or something similar... hmm

Here is the config with the changes I made; I will post the network and firewall files. Please check whether it is OK — I did the re-routing part.



~# cat /etc/config/network

# First draft of /etc/config/network (superseded by the final version further
# down the thread). The key material and the ULA prefix are redacted
# placeholders ('1', 'fx') and are not valid values; anyone reproducing this
# must use the keys and addresses from their own WARP registration. The
# private_key is the tunnel credential -- never post the real one.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # Redacted; a real ULA prefix has the form fdxx:xxxx:xxxx::/48.
        option ula_prefix 'fx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # Resolvers for the router itself; removed again later in the thread.
        list dns '1.1.1.1'
        list dns '1.1.1.2'

config device
        option name 'eth1'
        option ipv6 '0'
        option igmpversion '3'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        # Do not use the ISP's DHCP-supplied resolvers.
        option peerdns '0'

# WireGuard interface to Cloudflare WARP. The name 'wiro' is what the firewall
# zones and the later policy-routing stanzas refer to.
config interface 'wiro'
        option proto 'wireguard'
        option peerdns '0'
        # Tunnel addresses assigned at WARP registration (per-account values).
        list addresses '2606:4700:110:87e9:d16e:c246:7da0:7976/128'
        list addresses '172.16.0.2/24'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        # Keeps the interface "up" regardless of handshake state; dropped
        # later in the thread because it produced an error.
        option force_link '1'
        # Redacted. Never publish the real private key.
        option private_key '1'

config wireguard_wiro
        option description 'wgcf-profile.conf'
        # Redacted; this is Cloudflare's peer public key from the wgcf profile.
        option public_key '1'
        # One comma-separated entry rather than two list items; the `wg show`
        # output later in the thread confirms both prefixes were accepted.
        list allowed_ips '0.0.0.0/0,::/0'
        # Endpoint pinned by IP so no DNS lookup is needed before the tunnel
        # exists (see the explanation further down).
        option endpoint_host '162.159.192.1'
        option endpoint_port '2408'
        # With allowed_ips covering everything, this asks netifd to install
        # default routes (v4 and v6) via 'wiro' in the main table, i.e. the
        # router's own traffic is meant to use the tunnel. Confirm with
        # `ip route get 162.159.192.1` that the endpoint itself is still
        # reached over eth1; if it resolved via 'wiro' the handshake would be
        # routed into the tunnel it is trying to establish.
        option route_allowed_ips '1'
        option persistent_keepalive '10'
~# cat /etc/config/firewall

# First draft of /etc/config/firewall (superseded by the final version further
# down). Note that 'wiro' is listed in two zones ('wan' and 'wirozn'); fw4
# will not honour both memberships, so the zone layout below is ambiguous.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        # Inter-zone forwarding is closed unless a 'config forwarding' or a
        # rule below opens it.
        option forward 'DROP'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Intra-zone (lan -> lan) forwarding only.
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        # Nothing on the router is reachable from this zone except through
        # the explicit 'src wan' rules below.
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'
        # No 'wan6' interface exists in /etc/config/network; unused here.
        list network 'wan6'
        # Duplicate membership: 'wiro' is also in 'wirozn' below.
        list network 'wiro'


# Dedicated tunnel zone. 'output DROP' blocks the router's *own* packets
# into the tunnel (forwarded LAN traffic is governed by the forwarding
# stanza, not by this option).
config zone
    option name 'wirozn'
    option input 'DROP'
    option forward 'DROP'
    list network 'wiro'
    option masq '1'
    option output 'DROP'


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below forward IPsec (ESP and IKE/UDP 500) from the WAN into
# the LAN with no destination restriction. They appear to be the stock
# OpenWrt rules; unless an IPsec responder lives on the LAN they open
# nothing useful and can be removed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Hook for the pbr (policy-based routing) package. If that package's service
# is enabled it installs its own ip rules and tables, which can collide with
# hand-written 'config route'/'config rule' stanzas in /etc/config/network.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'





config forwarding
    option src 'lan'
    option dest 'wirozn'

# No 'src' -> this is an OUTPUT rule for the router's own handshake packets
# to the WARP endpoint. Output already defaults to ACCEPT (defaults and the
# 'wan' zone), so it is redundant; harmless to keep.
config rule
    option name 'Allow_Wireguard_OUT'
    option family 'ipv4'
    list proto 'udp'
    option dest 'wan'
    list dest_ip '162.159.192.1'
    option dest_port '2408'
    option target 'ACCEPT'

# Also lets LAN traffic reach the ISP directly, i.e. there is no kill switch
# if the routing does not send it into the tunnel.
config forwarding
       option src 'lan'
       option dest 'wan'

As you can see, I followed the manual and forwarded all LAN traffic to 'wirozn' (the WireGuard interface's zone), and also added an output rule to allow the WireGuard handshake traffic to go out.

Cloudflare does not offer a client for OpenWrt or OPNsense, and I am not an abuser, just doing lawful stuff.

Won't work, you made a rule to use the tunnel.

(You will really have to learn about routes and rules, and add all the rules you need.)

You can add an ip rule for 192.168.1.0/24 that looks up table main at priority 2... or make a separate network for the devices that should use the VPN... or

:+1:

But where are the routes and rules???

You dont need my example if you use this.

???


ok captain, thanks for your time , i removed as you suggested: from wiro this :

list network 'wiro'

it left like this


# Interim state of the 'wiro' interface after dropping the 'list dns'
# entries (the private_key line is omitted from this paste but is still
# required; it appears in the next snippet).
config interface 'wiro'
        option proto 'wireguard'
        option peerdns '0'
        list addresses '2606:4700:110:87e9:d16e:c246:7da0:7976/128'
        list addresses '172.16.0.2/24'
        option force_link '1'

also removed

  list dns '1.1.1.1'
  list dns '1.0.0.1'

it left like this

# 'wiro' with both 'list dns' and 'force_link' removed. 'e' is a redacted
# placeholder for the private key.
config interface 'wiro'
        option proto 'wireguard'
        option private_key 'e'
        option peerdns '0'
        list addresses '2606:4700:110:87e9:d16e:c246:7da0:7976/128'
        list addresses '172.16.0.2/24'

changed

option endpoint_host 'engage.cloudflareclient.com'

to

option endpoint_host '162.159.192.1'

so no DNS lookup is needed to resolve the endpoint,

lastly, and thank you for your time:

as removed list 1.1.1.1 from wiro interface

added it to dhcp as you suggested, a question, what does it means that '6' you added before dns ip? sorry for my ignorance


# /etc/config/dhcp, LAN pool. dhcp_option '6,...' is DHCP option 6 (DNS
# servers): clients are told to query 1.1.1.1/1.0.0.1 directly instead of
# the router's dnsmasq. Note that such clients bypass dnsmasq's rebind
# protection and local-name resolution.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '10m'
option dhcpv4 'server'
option dhcpv6 'server'
list dhcp_option '6,1.1.1.1,1.0.0.1'

I also removed `force_link '1'`; I thought it could be useful to keep the interface forced up,

but I removed it since it was throwing this error at me.

so instead of that i will try adding this (your solution)

# The helper's example from another thread. 'foo_warp1' is a placeholder
# interface name -- substitute 'wiro'. Both stanzas belong in
# /etc/config/network (not the firewall file): the route puts a default
# route via the tunnel into table 1, and the rule sends everything sourced
# from the LAN subnet to that table. On its own this rule also catches the
# router's replies to LAN clients (source 192.168.1.1 is inside
# 192.168.1.0/24); the 'dest 192.168.1.0/24 -> main' rule added later
# handles that. Comments after a value on the same line are not guaranteed
# to parse; put them on their own line.
config route                      
        option interface 'foo_warp1'
        option target '0.0.0.0/0'
        option table '1' 

config rule                
        option src '192.168.1.0/24'                       
        option dest '0.0.0.0/0'
        option priority '1' #order in IP_rules
        option lookup '1' #table_assigned

I am a rookie, sorry — do you know a good guide for this? The other day I saw a techie here who configured something like six VPNs on the same OpenWrt router... I hope to reach that level of enlightenment some day.

Remove:

Not ignorant. Adding that to the LAN's DHCP config means you are issuing a custom DHCP option number 6 to LAN clients; option 6 is "DNS Servers". I was going to send a link with the information and a config example, but was concerned that you might copy it verbatim. See option 6 in the table at the following link:

  1. Is your VPN working?

# Goes in /etc/config/network. Keeps traffic addressed to the LAN subnet in
# the main table so it is never pushed into the tunnel table.
config rule
        option dest '192.168.1.0/24'
        option priority '2'
        option lookup 'main'
  1. Guide...ummmmm:

:spiral_notepad: I'm not keeping track of the priority numbers; they must be unique, and rules are evaluated in ascending numeric order — the lowest priority number is checked first (1 is the first admin-configurable number, 0 is the kernel's local rule). Tables are unique too and must be numbered (naming them requires an entry in /etc/iproute2/rt_tables).

so the pbr service will help me to create a vpn pre route policy?

???

I'm not sure what that means.

It does the same things as config route and config rule

See:


Alright sir, thanks. Well, I do not know — theoretically yes, because every time I run `wg`

it says it is online

peer: ---------
  endpoint: 162.159.192.1:2408
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 41 seconds ago
  transfer: 2.16 KiB received, 13.12 KiB sent
  persistent keepalive: every 10 seconds

OK so, theoretically I just have to do this:

add this to firewall and

# Same as the helper's example with the real interface name: table 1 holds
# only a default route via 'wiro'; LAN-sourced packets are looked up there.
config route                      
        option interface 'wiro'
        option target '0.0.0.0/0'
        option table '1' 

config rule                
        option src '192.168.1.0/24'                       
        option dest '0.0.0.0/0'
        option priority '1' #order in IP_rules
        option lookup '1' #table_assigned

and this ?

# LAN-destined traffic stays in the main table.
config rule
        option dest '192.168.1.0/24'
        option priority '2'
        option lookup 'main'

or use both?

# Both rules together. With this ordering the 'src' rule (priority 1) is
# evaluated before the 'dest' rule (priority 2), so the router's own replies
# to LAN hosts still land in table 1; the helper's answer below swaps them.
config rule                
        option src '192.168.1.0/24'                       
        option dest '0.0.0.0/0'
        option priority '1' #order in IP_rules
        option lookup '1' #table_assigned

config rule
        option dest '192.168.1.0/24'
        option priority '2'
        option lookup 'main'

or just replace the one with option src with this one?

# The 'dest' rule alone would not send any LAN traffic into the tunnel; it
# is a complement to the 'src' rule, not a replacement.
config rule
        option dest '192.168.1.0/24'
        option priority '2'
        option lookup 'main'

You can know...from the thread I linked:

:+1:

:spiral_notepad: How about trying a What Is [Your] IP website and seeing if your ISP is Cloudflare??? :wink:

warp off
gate off

I do that every time I change a value in the config, hoping to see the Cloudflare WARP IP, but it does not show up; it just... snaps... :face_in_clouds: :pensive: I have wasted almost a week of sleep, but I will not surrender until I find a way to make it work.

I have no clue what you mean, so here it is in-whole:

# The helper's consolidated policy-routing stanzas; all three go in
# /etc/config/network. Rules are evaluated lowest priority number first.
config route                      
        option interface 'wiro'
        option target '0.0.0.0/0'
        option table '1' 

# Priority 1: anything addressed to the LAN subnet uses the main table.
# Presumably the "errors" this fixes come from the next rule otherwise also
# matching the router's own replies to LAN clients (source 192.168.1.1 is
# inside 192.168.1.0/24) and pushing them into the tunnel.
config rule #<---this should fix all the errors you were getting
        option dest '192.168.1.0/24'
        option priority '1'
        option lookup 'main'

# Priority 2: everything else sourced from the LAN goes to table 1 -> tunnel.
# IPv4 only; there is no IPv6 counterpart here.
config rule                
        option src '192.168.1.0/24'                       
        option dest '0.0.0.0/0'
        option priority '2' #order in IP_rules
        option lookup '1' #table_assigned

That's OK.

  • Are you using 1.1.1.1 for DNS?
  • What is your IP is it Cloudflare?
  • You are on a LAN-connected client, correct?

(Kinda difficult when you're not providing information.)

EDIT: note I reversed the order of the rules. :wink:

added this to /firewall

# Put in /etc/config/firewall by mistake: 'priority' and 'lookup' are
# ip-rule options that fw4 does not understand, so this does nothing there.
# The stanza belongs in /etc/config/network (corrected in the next reply).
config rule
option dest '192.168.1.0/24'
option priority '2'
option lookup 'main'

still getting isp ip not warp ip

yes, as the manual says

it is my isp ip... not cloudflare

wlan wireless lan

What!?!?

No.

This all goes in /etc/config/network

This goes in /etc/config/dhcp

This goes in /etc/config/firewall

# /etc/config/firewall: the tunnel is added to the existing 'wan' zone, so
# the 'lan -> wan' forwarding and masquerading already cover it. Side
# effect: every 'src wan' rule (ping, ICMPv6, DHCP renew, IPsec forward)
# now also applies to packets arriving from the tunnel.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'
        list network 'wiro' #<---add

:spiral_notepad: Keep the wiro WG network config [obviously].
Done. Nothing more, nothing less. Please let us know if this works.

Not sure why you edited this, though.


Oh my god ! sorry for the hazing and the blunder , once i am at home i will try that config correctly, see you back in 10 hours , have a nice day and thanks for your time, i tip my hat !!

hello i am back to the bunker, well i just wanted to have small lease time

added everything as you told me, i hope it could work, will keep you updated, ty

OH MY GOD, IT WORKED MAN, FRANKENSTEIN HAS RISEN

you deserve 0.003 btc :face_in_clouds:

Glad that this is working... and kudos to @lleachii for all the help!

@thejoke123 - please post the complete solution (i.e. the firewall and network files) so that others may benefit... it seems that many people have had difficulty setting up CFW, and I'm not sure that there is a single post where the entire solution has been consolidated.


I thought using LuCI was better, but I was wrong; editing the config files directly over SSH works best. (Note: keys below are redacted — generate your own.)

---- config ---


 cat /etc/config/network

# Final, working /etc/config/network for the Cloudflare WARP (WireGuard)
# tunnel. Before copying:
#  - private_key/public_key are redacted ('---'). Register your own WARP
#    profile (wgcf) and never publish the private key.
#  - The tunnel addresses are specific to that registration.
#  - Comments are only safe on their own line, and `uci commit` / LuCI
#    rewrite this file and drop them.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'


config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # There is no 'wan6' interface in this file and eth1 has ipv6 '0',
        # so the LAN should only see a ULA prefix, not a global one --
        # confirm with `ip -6 addr` on a client, since the policy rules
        # below are IPv4-only.
        option ip6assign '60'
config device
        option name 'eth1'
        option ipv6 '0'
        option igmpversion '3'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        # ISP resolvers are ignored and no 'list dns' remains anywhere in
        # this file, so check /tmp/resolv.conf.d/resolv.conf.auto to see
        # what the router itself (and dnsmasq) can resolve with.
        option peerdns '0'

config interface 'wiro'
        option proto 'wireguard'
        # Per-registration WARP addresses.
        list addresses '2606:4700:110:87e9:d16e:c246:7da0:7976/128'
        list addresses '172.16.0.2/24'
        # Redacted tunnel credential.
        option private_key '---'

config wireguard_wiro
        option description 'wgcf-profile.conf'
        # Redacted; Cloudflare's peer public key from the wgcf profile.
        option public_key '---'
        list allowed_ips '0.0.0.0/0,::/0'
        # Pinned endpoint IP: no DNS is needed before the tunnel is up.
        option endpoint_host '162.159.192.1'
        option endpoint_port '2408'
        # Also installs default routes via 'wiro' in the main table, so the
        # router's own traffic uses the tunnel. Verify with
        # `ip route get 162.159.192.1` that the endpoint is still reached
        # over eth1.
        option route_allowed_ips '1'
        option persistent_keepalive '10'


# Policy routing. Table 1 contains only a default route through the tunnel.
config route
        option interface 'wiro'
        option target '0.0.0.0/0'
        option table '1'

# Evaluated first (lowest priority number): traffic addressed to the LAN
# subnet stays in the main table. Without it the next rule would also match
# the router's own replies to LAN clients (source 192.168.1.1 is inside
# 192.168.1.0/24) and push them into table 1, i.e. into the tunnel --
# presumably the "errors" the comment refers to.
config rule #<---this should fix all the errors you were getting
        option dest '192.168.1.0/24'
        option priority '1'
        option lookup 'main'

# Everything sourced from the LAN is looked up in table 1 -> tunnel.
# Caveats:
#  - IPv4 only; there is no 'config rule6' equivalent.
#  - No kill switch: if 'wiro' is down, table 1 is empty, the lookup falls
#    through to the main table and LAN traffic leaves via the ISP. An
#    'unreachable' route in table 1, or a firewall zone that only forwards
#    lan -> tunnel, closes that gap.
config rule
        option src '192.168.1.0/24'
        option dest '0.0.0.0/0'
        option priority '2' #order in IP_rules
        option lookup '1' #table_assigned
----------------------------------------------------------------


 cat /etc/config/firewall

# Final /etc/config/firewall. It works, but two leftovers from the first
# draft are worth cleaning up:
#  - 'wiro' is listed in both the 'wan' and 'wirezone' zones. fw4 honours
#    only one membership (and warns about the duplicate), so the 'wirezone'
#    zone and the 'lan -> wirezone' forwarding below are dead weight.
#  - Because the tunnel shares the 'wan' zone, the 'lan -> wan' forwarding
#    carries LAN traffic into the tunnel AND lets it fall back to the ISP
#    when the tunnel is down. A dedicated zone for 'wiro' (masq '1',
#    input/forward DROP) with only 'lan -> <that zone>' forwarded acts as a
#    firewall-level kill switch.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        # Inter-zone forwarding is closed unless opened below.
        option forward 'DROP'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Intra-zone (lan -> lan) forwarding only.
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        # NAT to the tunnel address as well as to the ISP address.
        option masq '1'
        # MSS clamping; relevant for the tunnel's reduced MTU.
        option mtu_fix '1'
        # Nothing on the router is reachable from the WAN or from the
        # tunnel side except through the explicit 'src wan' rules below.
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'
        # No 'wan6' interface exists in /etc/config/network; unused.
        list network 'wan6'
        # The tunnel is treated like any other upstream (added per the
        # thread). Every 'src wan' rule now also applies to packets
        # arriving from the tunnel.
        list network 'wiro'

# Leftover from the first draft; see the note at the top.
config zone
    option name 'wirezone'
    option input 'DROP'
    option forward 'DROP'
    list network 'wiro'
    option masq '1'
    option output 'DROP'


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below forward IPsec (ESP and IKE/UDP 500) from the WAN --
# and now also from the tunnel -- into the LAN with no destination
# restriction. They appear to be the stock OpenWrt rules; unless an IPsec
# responder lives on the LAN they can be removed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Hook for the pbr package. If that package is installed and its service is
# enabled, it installs its own ip rules and routing tables and can override
# the hand-written table-1 rules in /etc/config/network. Use one mechanism
# or the other, not both.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'





# Refers to the leftover 'wirezone' zone; see the note at the top.
config forwarding
    option src 'lan'
    option dest 'wirezone'

# No 'src' -> an OUTPUT rule for the router's own handshake packets to the
# WARP endpoint. Output already defaults to ACCEPT (defaults and the 'wan'
# zone), so it is redundant; harmless to keep.
config rule
    option name 'Allow_Wireguard_OUT'
    option family 'ipv4'
    list proto 'udp'
    option dest 'wan'
    list dest_ip '162.159.192.1'
    option dest_port '2408'
    option target 'ACCEPT'

# Carries LAN traffic into the tunnel (same zone) and, when the tunnel is
# down, straight to the ISP.
config forwarding
       option src 'lan'
       option dest 'wan'


-------------------------------------------

cat /etc/config/dhcp

# Final /etc/config/dhcp.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Rebind protection, the local '/lan/' zone and lease-name lookups
        # only apply to queries that actually reach dnsmasq; see the
        # dhcp_option 6 note in the 'lan' pool below.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers come from this file; with 'peerdns 0' on wan
        # and no 'list dns' in /etc/config/network, check that it is not
        # empty (or add 'list server' entries here).
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'


# DHCP option 6 = DNS servers. LAN clients are told to query 1.1.1.1 and
# 1.0.0.1 directly rather than the router: their DNS then follows the
# 'src 192.168.1.0/24' policy rule into the tunnel and does not leak to the
# ISP, but they bypass dnsmasq (no rebind protection, no '.lan' names).
# Alternative: drop this option and give dnsmasq 'list server' entries; the
# router's own traffic also uses the tunnel (route_allowed_ips), which you
# can confirm with `ip route get 1.1.1.1`. The short 10-minute lease is
# deliberate (see the thread).
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '10m'
option dhcpv4 'server'
option dhcpv6 'server'
list dhcp_option '6,1.1.1.1,1.0.0.1'



config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

I hope this is useful to someone... big thanks to everyone...

