Issue with RPi4B w/ TorGuard & Wireguard

Hello from Columbus Ohio,

I have been trying to get TorGuard, as well as ProtonVPN's Wireguard service to run on an RPi4B with little success.

I have had no success with ProtonVPN, but I am able to get TX and RX traffic on TorGuard New York with no problem but I cannot get public internet access from my OpenWRT RPi router. I can get a DHCP assignment off the RPi and have local LAN access. Just no gateway access, and LuCI is showing steady TX and RX traffic on the WG interface. LuCI also shows 0.0.0.0 for a gateway on the home screen for the Wireguard pseudo interface.

Is this correct? I could not find a place in LuCI to enter a gateway, nor any information as to the correct gateway to use.

Thanks in advance for any help you guys can give.

...John...

This is my present configuration:

I am using an 8 GB RPi4B in 64-bit mode, running OpenWRT 21.02.
I am using only the single native ETH0 port in trunked mode and a Mikrotik smart switch and several VLANs to split out the DOCSIS WAN Modem and 4 LANs that are on a Ubiquiti USG along with several Unifi WiFi units around the house.

The RPi4B is currently running OpenVPN Chicago10G on ProtonVPN quite reliably on eth0.54, but it maxes out at about 50mb x2 on my 500 mb connection. I am trying to get TorGuard NewYork Wireguard to work on eth0.52.

The following is my /etc/config/network file

eth0.56 is my secure network and eth0.10 is the WAN Cable Modem network, and eth0.50 is my IoT network.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd09:c84f:a20f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.54'
	option ipv6 '0'
	option bridge_empty '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option delegate '0'
	option gateway '67.213.221.9'
	option defaultroute '0'
	list ipaddr '192.168.54.1/24'

config device
	option name 'wan'
	list ports 'eth0.10'
	option ipv6 '0'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0.10'

config device
	option name 'maint'
	list ports 'eth0.56'
	option ipv6 '0'

config interface 'maint'
	option proto 'dhcp'
	option device 'eth0.56'

config interface 'OVPN'
	option proto 'none'
	option device 'tun0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'tun0'
	option ipv6 '0'

config device
	option name 'eth0.56'
	option type '8021q'
	option ifname 'eth0'
	option vid '56'
	option ipv6 '0'

config device
	option name 'eth0.54'
	option type '8021q'
	option ifname 'eth0'
	option vid '54'
	option ipv6 '0'

config device
	option name 'eth0.10'
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option ipv6 '0'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'MNfReQ4V5/Vnp2LduE0k='
	option listen_port '51820'
	list addresses '10.13.0.197/24'
	option peerdns '0'
	list dns '9.9.9.9'
	option defaultroute '0'
	option delegate '0'

config wireguard_wg
	option description 'TorGuard - New York'
	option public_key 'mKJNLxYF/z9A/t+urG0M='
	option endpoint_host '67.213.221.9'
	option endpoint_port '1443'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'

config device
	option name 'wg'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '52'
	option name 'eth0.52'
	option mtu '1500'
	option macaddr 'DC:A6:32:19:CE:DF'
	option txqueuelen '1000'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-lan-wg'
	list ports 'eth0.52'
	option bridge_empty '1'
	option ipv6 '0'
	option mtu '1500'
	option macaddr 'DC:A6:32:19:CE:DF'
	option txqueuelen '1000'

config interface 'LAN_WG'
	option proto 'static'
	option device 'br-lan-wg'
	option ipaddr '192.168.52.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.52.255'

this is my /etc/config/firewall file

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'lan'
	list network 'lan'

config zone
	option name 'lan_wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'LAN_WG'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wg'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	option name 'ovpn'
	list network 'OVPN'

config rule
	option name 'Allow-OpenVPN'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest 'ovpn'

config forwarding
	option src 'lan'
	option dest 'ovpn'

config zone
	option name 'wg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg'

config forwarding
	option src 'lan_wg'
	option dest 'wg'

The gateway is invalid and not necessary for the lan interface.
Having maint interface on dhcp protocol is wrong, as it might override the gateway from wan. At the very least filter pulling the gateway from maint or add a higher metric.
Other than that you are not routing the allowed networks in WG.
Since you have multiple exit points, you need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.
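Option 3 above, written out for the subnets in this thread as an added example (not code from the thread or from OpenWrt). It assumes routing tables 100 and 101 are unused on the router (placeholder numbers) and that the lan_wg->wg and lan->ovpn forwardings from the firewall file stay as they are.

```shell
#!/bin/sh
# Added example (not from the thread): option 3, one rule/route pair per exit,
# for the thread's own subnets. Assumes routing tables 100 and 101 are unused
# (placeholder table numbers) and the existing firewall forwardings remain.

# Emit the two commands that steer one LAN subnet out of one tunnel device:
# a per-table default route plus a rule sending that subnet to the table.
# $1 = source subnet, $2 = tunnel device, $3 = routing table number
pbr_cmds() {
    printf '%s\n' \
        "ip route add default dev $2 table $3" \
        "ip rule add from $1 lookup $3 priority $((1000 + $3))"
}

# Constructed policy list, subnet:device:table:ingress-bridge, matching the
# thread's config: LAN_WG leaves through wg, lan leaves through tun0.
POLICIES="192.168.52.0/24:wg:100:br-lan-wg 192.168.54.0/24:tun0:101:br-lan"

# Split one policy word into subnet, dev, table, iif (globals).
parse_policy() {
    subnet=${1%%:*}; rest=${1#*:}
    dev=${rest%%:*};  rest=${rest#*:}
    table=${rest%%:*}; iif=${rest#*:}
}

# Commands for every policy, in order.
all_cmds() {
    for p in $POLICIES; do
        parse_policy "$p"
        pbr_cmds "$subnet" "$dev" "$table"
    done
}

# Commands that show which device a client in each subnet would really use.
# "ip route get" honours policy rules, so an answer other than the tunnel
# device means the rule or table is missing. Placeholder client host .10.
check_cmds() {
    for p in $POLICIES; do
        parse_policy "$p"
        echo "ip route get 9.9.9.9 from ${subnet%.*/*}.10 iif $iif"
    done
}

case "${1:-}" in
    apply) all_cmds | while read -r c; do $c; done ;;
    check) check_cmds | while read -r c; do $c; done ;;
    *)     all_cmds; check_cmds ;;   # dry run: only print the commands
esac
```

Run it with no argument first to review the commands, then with `apply` and `check`; the rules do not survive a reboot unless they are put somewhere persistent such as /etc/rc.local.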

Hi Trendy,
Thank you for your reply.
I removed the erroneous gateway assignment from the LAN interface.
As for the conflict between the maint and wan for the gateway, I am not quite following what you are saying.

Is that so the OpenVPN and Wireguard instances correctly look for the WAN on the correct interface? I was searching for, but could not find, a way to direct an OpenVPN instance to use a specific interface for its WAN. I just assumed that it looked for it by name? But in any case I suppose it could still (inappropriately) find the WAN from the MAINT interface on my network.

What is the preferred method to force OpenVPN and Wireguard to use the WAN interface?

Also, what is the optimal / recommended way to implement the maintenance interface?

Thanks!

John .....


Is maint providing internet to the OpenWrt? If not switch it to static protocol without gateway. If yes, assign a proper metric.


Hello Trendy,
I made the change to the MAINT interface as you recommended, and also referenced the tutorial torguard openwrt wireguard client that you and directnupe collaborated on from May of 2019.

I found the problem with my Wireguard instance, which is actually an un-updated change in the TorGuard configuration file. I learned about it only after I contacted them for support.

Basically, the TorGuard config file generator is incorrect.

In the TorGuard config file, and in your tutorial, the setting

list allowed_ips '0.0.0.0/0'

has changed for the TorGuard carrier.
The updated setting is

list allowed_ips '0.0.0.0/1, 128.0.0.0/1'

Thanks again for all your help!

John ....

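Why the split setting works, as an added example that is not part of the thread: a small longest-prefix-match lookup over a constructed route table. The two /1 prefixes are more specific than the WAN's 0.0.0.0/0, so they win without the default route being removed, whereas a second 0.0.0.0/0 only ties with it. Device names follow the thread; the "first entry wins" tie-break stands in for the kernel's metric comparison.

```shell
#!/bin/sh
# Added example (not from the thread): longest-prefix-match lookup showing why
# '0.0.0.0/1, 128.0.0.0/1' captures traffic that '0.0.0.0/0' only ties for.
# Constructed tables; "first entry wins" replaces the kernel's metric tie-break.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if address $1 lies inside network $2 with prefix length $3.
in_prefix() {
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Route tables as "network/len/device" words: OLD mirrors the original
# TorGuard file (two competing defaults), NEW the corrected allowed_ips.
TABLE_OLD="0.0.0.0/0/wan 0.0.0.0/0/wg"
TABLE_NEW="0.0.0.0/0/wan 0.0.0.0/1/wg 128.0.0.0/1/wg"

# Device chosen for destination $1 in table $2: longest matching prefix wins,
# earlier entry wins on equal length.
lookup() {
    best_len=-1
    best_dev=none
    for r in $2; do
        net=${r%%/*}
        rest=${r#*/}
        len=${rest%%/*}
        dev=${rest#*/}
        if in_prefix "$1" "$net" "$len" && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_dev=$dev
        fi
    done
    echo "$best_dev"
}

# Constructed destinations, one in each half of the IPv4 space.
for dst in 9.9.9.9 200.1.2.3; do
    echo "$dst: old -> $(lookup "$dst" "$TABLE_OLD"), new -> $(lookup "$dst" "$TABLE_NEW")"
done
```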
