Hello from Columbus Ohio,
I have been trying to get TorGuard, as well as ProtonVPN's Wireguard service to run on an RPi4B with little success.
I have had no success with ProtonVPN. With TorGuard New York I do get TX and RX traffic with no problem, but I cannot get public internet access from my OpenWRT RPi router. I can get a DHCP assignment off the RPi and have local LAN access, just no gateway access, and LuCI is showing steady TX and RX traffic on the WG interface. LuCI also shows 0.0.0.0 for a gateway on the home screen for the WireGuard pseudo-interface.
Is this correct? I could not find a place in LuCI to enter a gateway, nor any information as to the correct gateway to use.
Thanks in advance for any help you guys can give.
...John...
This is my present configuration:
I am using an 8 GB RPi4B in 64-bit mode, running OpenWRT 21.02.
I am using only the single native eth0 port in trunked mode, with a MikroTik smart switch and several VLANs to split out the DOCSIS WAN modem and the 4 LANs that are on a Ubiquiti USG, along with several UniFi WiFi units around the house.
The RPi4B is currently running OpenVPN Chicago10G on ProtonVPN quite reliably on eth0.54, but it maxes out at about 50mb x2 on my 500 mb connection. I am trying to get TorGuard NewYork Wireguard to work on eth0.52.
The following is my /etc/config/network file
eth0.56 is my secure network and eth0.10 is the WAN Cable Modem network, and eth0.50 is my IoT network.
# Loopback interface: static 127.0.0.1/8 on device 'lo'.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Global settings: the IPv6 ULA prefix.
config globals 'globals'
option ula_prefix 'fd09:c84f:a20f::/48'
# Bridge 'br-lan': its only port is the VLAN sub-device eth0.54; IPv6 is switched off on it.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.54'
option ipv6 '0'
# bridge_empty '1': create the bridge even when no port is present.
option bridge_empty '1'
# 'lan' network: static 192.168.54.1/24 on br-lan (VLAN 54), no IPv6 prefix delegation.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option delegate '0'
# NOTE(review): 67.213.221.9 is the same address as the WireGuard peer's
# endpoint_host in this file and is not inside 192.168.54.0/24, so it cannot be
# an on-link gateway for this network. With defaultroute '0' on the next line it
# is unlikely to do anything useful here; confirm and remove it if so.
option gateway '67.213.221.9'
option defaultroute '0'
list ipaddr '192.168.54.1/24'
# Device section named 'wan' with port eth0.10 and IPv6 off.
# NOTE(review): no 'option type' is given, and the 'wan' interface below binds
# eth0.10 directly rather than this device; presumably a leftover, confirm.
config device
option name 'wan'
list ports 'eth0.10'
option ipv6 '0'
# 'wan' network: DHCP client on eth0.10 (described in the post as the cable-modem VLAN).
config interface 'wan'
option proto 'dhcp'
option device 'eth0.10'
# Device section named 'maint' with port eth0.56 and IPv6 off; like 'wan' above it has
# no 'option type', and the 'maint' interface below uses eth0.56 directly.
config device
option name 'maint'
list ports 'eth0.56'
option ipv6 '0'
# 'maint' network: DHCP client on eth0.56 (described in the post as the secure network).
# NOTE(review): 'maint' is not listed in any zone of the firewall file shown in this
# post, so what may reach the router on this VLAN is decided by the firewall defaults
# section, which is not shown; verify that this is the intended exposure.
config interface 'maint'
option proto 'dhcp'
option device 'eth0.56'
# 'OVPN' network: unmanaged (proto 'none') wrapper around tun0, so that a firewall
# zone can be attached to the OpenVPN tunnel device.
config interface 'OVPN'
option proto 'none'
option device 'tun0'
# Per-device settings: IPv6 is switched off on the physical port and on tun0.
config device
option name 'eth0'
option ipv6 '0'
config device
option name 'tun0'
option ipv6 '0'
# 802.1Q VLAN sub-devices on the single trunked port eth0, IPv6 off on each.
# VLAN 56: used by the 'maint' network.
config device
option name 'eth0.56'
option type '8021q'
option ifname 'eth0'
option vid '56'
option ipv6 '0'
# VLAN 54: the port of bridge 'br-lan' (the 'lan' network).
config device
option name 'eth0.54'
option type '8021q'
option ifname 'eth0'
option vid '54'
option ipv6 '0'
# VLAN 10: used by the 'wan' network.
config device
option name 'eth0.10'
option type '8021q'
option ifname 'eth0'
option vid '10'
option ipv6 '0'
# WireGuard client interface 'wg' with tunnel address 10.13.0.197/24.
config interface 'wg'
option proto 'wireguard'
# SECRET: the private key is what authenticates this router to the VPN provider and
# should never appear in a public post. A WireGuard key is 44 base64 characters, so
# the value below looks shortened; if the full key was ever published, generate a new
# key pair and replace the key with the provider before using this tunnel again.
option private_key 'MNfReQ4V5/Vnp2LduE0k='
option listen_port '51820'
list addresses '10.13.0.197/24'
# peerdns '0' with an explicit 'list dns': only 9.9.9.9 is registered as the resolver
# for this interface.
# NOTE(review): whether client DNS lookups actually leave through the tunnel depends
# on the router's routing and dnsmasq setup, which is not shown; check for DNS
# leaks once the tunnel carries traffic.
option peerdns '0'
list dns '9.9.9.9'
# NOTE(review): defaultroute '0' asks netifd not to install a default route for this
# interface, presumably so the tunnel does not take over the router's main routing
# table. It also means traffic from the lan_wg VLAN needs some other route (for
# example a policy-routing rule) to be sent into the tunnel; none is visible here.
option defaultroute '0'
option delegate '0'
# Peer section for interface 'wg': the TorGuard New York server.
config wireguard_wg
option description 'TorGuard - New York'
option public_key 'mKJNLxYF/z9A/t+urG0M='
option endpoint_host '67.213.221.9'
option endpoint_port '1443'
# Keepalive every 25 s; this alone produces a trickle of TX/RX, so moving counters in
# LuCI do not prove that client traffic is being routed through the tunnel.
option persistent_keepalive '25'
# allowed_ips 0.0.0.0/0 lets any IPv4 destination be sent to this peer, but it does not
# add a route by itself: no 'route_allowed_ips' option is set in this section.
# NOTE(review): together with defaultroute '0' above, this is a likely reason clients
# get no internet access. WireGuard is point-to-point and has no gateway address, so
# a 0.0.0.0 gateway shown in LuCI is probably not the fault in itself.
list allowed_ips '0.0.0.0/0'
# Device settings for the WireGuard interface: IPv6 off.
config device
option name 'wg'
option ipv6 '0'
# 802.1Q VLAN 52 on eth0, with an explicit MTU, MAC address and TX queue length.
config device
option type '8021q'
option ifname 'eth0'
option vid '52'
option name 'eth0.52'
option mtu '1500'
option macaddr 'DC:A6:32:19:CE:DF'
option txqueuelen '1000'
option ipv6 '0'
# Bridge 'br-lan-wg' whose only port is eth0.52; it is given the same MAC address as
# eth0.52. bridge_empty '1' creates the bridge even when no port is present.
config device
option type 'bridge'
option name 'br-lan-wg'
list ports 'eth0.52'
option bridge_empty '1'
option ipv6 '0'
option mtu '1500'
option macaddr 'DC:A6:32:19:CE:DF'
option txqueuelen '1000'
# 'LAN_WG' network: static 192.168.52.1/24 on br-lan-wg. This is the client VLAN that
# the firewall file in this post forwards to the 'wg' zone.
config interface 'LAN_WG'
option proto 'static'
option device 'br-lan-wg'
option ipaddr '192.168.52.1'
option netmask '255.255.255.0'
option broadcast '192.168.52.255'
This is my /etc/config/firewall file:
# Zone 'lan' (network 'lan'): the router accepts input from it, and output and
# forwarding within the zone are accepted.
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'lan'
list network 'lan'
# Zone 'lan_wg' (network 'LAN_WG'): same permissive policy as 'lan'.
config zone
option name 'lan_wg'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'LAN_WG'
option forward 'ACCEPT'
# Zone 'wan': input and forward are rejected, output is accepted, and traffic leaving
# the zone is masqueraded with MSS clamping (mtu_fix).
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
# NOTE(review): 'wg' is also the only member of the dedicated 'wg' zone later in this
# file. With the interface in two zones it is ambiguous which zone's policy applies,
# and every rule in this file with src 'wan' (ping, ESP and ISAKMP towards 'lan',
# and so on) then also applies to traffic arriving from the VPN tunnel. Keep 'wg' in
# one zone only, presumably the dedicated one; confirm.
list network 'wg'
# Rules with src 'wan' and no 'dest' are input rules: they apply to packets addressed
# to the router itself that arrive on any network in the 'wan' zone.

# Accept IPv4 UDP to port 68 so the DHCP client on wan can receive replies.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Accept IPv4 ICMP echo-request: the router answers pings from the wan zone.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# Accept IPv4 IGMP from the wan zone.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# Accept IPv6 UDP to port 546 (DHCPv6 client) between addresses in fc00::/6.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types (130, 131, 132, 143) from link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types addressed to the router, rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward rule (dest '*'): accept the listed ICMPv6 types from wan towards any zone,
# rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward rule: accept ESP from the wan zone towards the 'lan' zone.
# NOTE(review): this rule and 'Allow-ISAKMP' below admit unsolicited traffic from wan
# into lan; if no IPsec endpoint lives on lan they can be disabled. Confirm.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option dest 'lan'
# Forward rule: accept UDP port 500 from the wan zone towards the 'lan' zone.
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'lan'
# Rejects IPv4 UDP to ports 33434-33689 from wan; currently disabled (enabled '0').
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
# Include of /etc/firewall.user. Its contents are not shown in this post, so any rules
# it contains also shape the effective policy.
config include
option path '/etc/firewall.user'
# Zone 'ovpn' (network 'OVPN', i.e. tun0): IPv4 only, input and forward rejected,
# output accepted, masquerading and MSS clamping on.
config zone
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
option family 'ipv4'
option name 'ovpn'
list network 'OVPN'
# NOTE(review): because this rule has a 'dest', it is a forward rule: it accepts any
# IPv4 UDP packet from the wan zone that is routed towards the ovpn zone, with no
# port restriction. An OpenVPN client initiates the connection outbound, and the wan
# zone already has output 'ACCEPT', so this rule is probably not needed; confirm and
# remove it, or narrow it to the traffic that was actually meant.
config rule
option name 'Allow-OpenVPN'
list proto 'udp'
option src 'wan'
option target 'ACCEPT'
option family 'ipv4'
option dest 'ovpn'
# Allows clients in 'lan' to reach the OpenVPN tunnel. This is the only forwarding with
# src 'lan' in the file as posted, so lan clients have no direct path to the wan zone
# if the tunnel is down.
config forwarding
option src 'lan'
option dest 'ovpn'
# Zone 'wg' (network 'wg', the WireGuard tunnel): input and forward rejected, output
# accepted, masquerading and MSS clamping on.
# NOTE(review): the 'wan' zone earlier in this file also lists network 'wg'; an
# interface should belong to a single zone, presumably this one. Confirm.
config zone
option name 'wg'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg'
# Allows clients in 'lan_wg' to reach the WireGuard tunnel. This is the only forwarding
# with src 'lan_wg' in the file as posted, so these clients cannot fall back to the
# wan zone when the tunnel is down. The firewall only permits the traffic; a route
# into the tunnel is still required for it to flow.
config forwarding
option src 'lan_wg'
option dest 'wg'