Issue with configuring NordLynx

Hello.

Recently I installed OpenWRT on my Xiaomi Mi Router 4A (100M), so I could use my NordVPN on all of my devices at home.

I successfully configured OpenVPN, but when it is connected my internet speed drops drastically (to 8 Mbps from 50 Mbps). So I tried to configure WireGuard using these guides.

I followed both of these guides and from my understanding did it correctly. But when I reboot my router, internet connection (through L2TP) doesn't seem to establish.

Hope somebody can help me with my problem.

Below are network and firewall config files:

# Network config as posted: loopback, LAN bridge and the physical WAN port.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd2:2b5e:2e68::/48'

# LAN bridge on eth0.1; the router itself is 192.168.1.1/24.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# The MAC address was replaced with the placeholder 'macaddr' by the poster.
config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'macaddr'

# Physical WAN port, addressed by DHCP. The L2TP session ('beeline') and the
# WireGuard handshake both have to travel over this link, not through the tunnel.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

# The MAC address was replaced with the placeholder 'macaddr' by the poster.
config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'macaddr'

# DHCPv6 client on the same WAN port.
# NOTE(review): the WireGuard peer in this config only lists IPv4 in
# allowed_ips, so any IPv6 obtained here would presumably bypass the VPN - confirm.
config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch VLAN layout: VLAN 1 backs eth0.1 (lan), VLAN 2 backs eth0.2 (wan).
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: ports 4 and 2 plus port 6 tagged ('6t' is presumably the CPU port - confirm).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 2 6t'

# VLAN 2: port 0 plus port 6 tagged.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

# Unmanaged interface bound to tun0, the OpenVPN tunnel device from the earlier
# OpenVPN setup. It is still referenced by the 'vpnfirewall' zone in the firewall config.
config interface 'nordvpntun'
	option ifname 'tun0'
	option proto 'none'

# ISP uplink over L2TP. 'username' and 'password' are placeholders in this post;
# the real values are credentials and should stay out of public pastes.
# The server is given as a hostname, so it has to be resolved before the session
# can start. Per the reply in this thread, the name is not resolvable on the
# general Internet, so the lookup has to reach the ISP's own resolver.
config interface 'beeline'
	option proto 'l2tp'
	option password 'password'
	option ipv6 'auto'
	option mtu '1460'
	option username 'username'
	option server 'tp.internet.beeline.ru'

# WireGuard interface for NordLynx. 'private_key' is a placeholder in this post;
# the real key is a secret and must never be published.
# The dns option names two resolvers for use once this interface is up.
config interface 'nordlynx'
	option proto 'wireguard'
	option private_key 'private_key'
	list addresses '10.5.0.2/32'
	option dns '103.86.96.100 103.86.99.100'

# Single peer. allowed_ips '0.0.0.0/0' combined with route_allowed_ips '1'
# installs a route for all IPv4 traffic through the tunnel. The traffic the
# tunnel depends on (the L2TP server, the ISP resolver) then needs more
# specific routes via the physical WAN, which is what the reply in this thread
# asks for.
# NOTE(review): only IPv4 is listed in allowed_ips; if the ISP link provides
# IPv6 (wan6, beeline ipv6 'auto'), that traffic would presumably not be
# tunnelled - confirm, and disable or firewall IPv6 if the VPN must cover everything.
config wireguard_nordlynx
	option public_key 'public_key'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '217.138.197.51'
	option endpoint_port '51820'
	option description 'it197'
	option route_allowed_ips '1'

# Firewall config as posted.
# Default policies. NOTE(review): these presumably apply to traffic on
# interfaces that belong to no zone, so input 'ACCEPT' here relies on every
# interface being assigned to a zone below - confirm.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN zone: fully trusted.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# WAN zone: inbound and forwarded traffic rejected, outbound masqueraded.
# The ISP interfaces (wan, wan6, beeline) and the VPN tunnel (nordlynx) share
# this one zone, so the lan -> wan forwarding below permits LAN traffic out
# through whichever of them holds the route. If the tunnel is down, LAN traffic
# can leave directly via the ISP. Putting nordlynx in a zone of its own and
# forwarding lan only to that zone would make the setup fail closed.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'beeline'
	list network 'nordlynx'

# LAN clients may forward to anything in the wan zone (ISP links and VPN alike).
config forwarding
	option src 'lan'
	option dest 'wan'

# Inbound exceptions for the wan zone. Because nordlynx is a member of that
# zone, these rules apply to traffic arriving over the VPN tunnel as well.

# DHCP replies to the router's client (UDP port 68, IPv4).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 ping from the wan zone.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IGMP from the wan zone (IPv4).
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies to the router's client (UDP port 546), limited to fc00::/6 on both ends.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery messages from link-local sources (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types accepted by the router itself, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types forwarded from the wan zone to any zone (dest '*'), rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarded IPsec from the wan zone into lan: ESP packets and UDP port 500.
# No 'family' option is set on either rule.
# NOTE(review): these only matter if a LAN host terminates IPsec; if none
# does, removing both rules shrinks what the wan zone (which includes the
# VPN tunnel) can reach on the LAN.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom rules file pulled in by the firewall; its contents are not shown in this post.
config include
	option path '/etc/firewall.user'

# Zone for the OpenVPN tunnel (nordvpntun / tun0): inbound and forwarded
# traffic rejected, outbound masqueraded.
# NOTE(review): the network config shown defines no interface named
# 'vpnfirewall', so that list entry looks like a leftover - confirm.
config zone
	option name 'vpnfirewall'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'
	list network 'vpnfirewall'
	list network 'nordvpntun'

# LAN clients may forward into the OpenVPN zone.
config forwarding
	option dest 'vpnfirewall'
	option src 'lan'

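You will need to add some additional routes so that raw packets will be sent to Beeline's L2TP server instead of into the WireGuard tunnel. With allowed_ips set to 0.0.0.0/0 and route_allowed_ips enabled, all IPv4 traffic is routed into the tunnel, including the L2TP packets that the tunnel itself depends on. Also, it appears that tp.internet.beeline.ru can't be resolved on the general Internet, so you will need a route exception to Beeline's DNS server, or you can enter the server as a numeric IP, assuming it never changes.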

Thanks for a quick response.

I have to say my knowledge of networks is little to none. It would be very helpful if you could point me to what I need to change and where.

Quick update.

or install the server as a numeric IP, assuming it never changes

It definitely did something helpful, but I still have no idea what I should route and where to.

Appreciate the help.
