LAN traffic is not using the WireGuard route

Hi,

I am trying to install the WireGuard client on my OpenWrt router so that all traffic is routed through a windscribe.com VPN.

Following various tutorials, I have successfully created the new network interface, set the firewall rules and added a static route. However, LAN traffic still does not go over the VPN.

I have searched the forum, but the posts all cover far more complex setups than mine, so they do not apply.

Here are the outputs from the router; can anyone offer any guidance, please?

 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd33:1ec6:00a8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.0.1/24'
	option gateway '192.168.2.20'
	option broadcast '192.168.2.255'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '1'
	option name 'lan4.1'
	option mtu '1500'
	option mtu6 '1500'

config interface 'ovpn_wan_free'
	option proto 'none'
	option metric '20'
	option device 'tun0'
	option defaultroute '0'

config route
	option interface 'ovpn_wan_free'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '30'

config device
	option type '8021q'
	option ifname 'lan3'
	option vid '1'
	option name 'lan3.1'
	option mtu '1500'

config interface 'wan_fbx'
	option proto 'static'
	option metric '10'
	option device 'wan'
	list ipaddr '192.168.2.20/24'
	option gateway '192.168.2.1'
	option dns_metric '10'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '1.1.1.1'

config device
	option name 'eth0'

config device
	option name 'wan'
	option ipv6 '0'

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key '(Hidden)'
	list addresses '100.85.33.56/32'
	list dns '10.255.255.3'
	option defaultroute '0'

config device
	option name 'tun1'

config wireguard_Wireguard
	option description 'Windscribe-Manchester-United.conf'
	option public_key 'oeqDhAeoxw1g/6cKq/fo4ubgssbwhO3K2Nkmn6JVhg8='
	option preshared_key 'TGV8zYy3cZxCk6QlMC/djLzFyB491DnT7RnI3ZSAjVs='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host 'man-126-wg.whiskergalaxy.com'
	option endpoint_port '65142'
	option route_allowed_ips '1'

config device
	option name 'tun0'
	option mtu '1500'
	option txqueuelen '500'
	option mtu6 '1500'

config route
	option interface 'Wireguard'
	option metric '20'
	option target '0.0.0.0/0'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option mtu_fix '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	option input 'REJECT'
	list network 'ovpn_wan_free'
	list network 'wan_fbx'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Wireguard'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'wan'
	option dest 'lan'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.20/24 brd 192.168.2.255 scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.0.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: Wireguard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 100.85.33.56/32 brd 255.255.255.255 scope global Wireguard
       valid_lft forever preferred_lft forever
default via 192.168.2.1 dev wan  metric 10 
default dev Wireguard scope link  metric 20 
10.0.0.0/24 dev br-lan scope link  src 10.0.0.1 
192.168.2.0/24 dev wan scope link  metric 10 
local 10.0.0.1 dev br-lan table local scope host  src 10.0.0.1 
broadcast 10.0.0.255 dev br-lan table local scope link  src 10.0.0.1 
local 100.85.33.56 dev Wireguard table local scope host  src 100.85.33.56 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 192.168.2.20 dev wan table local scope host  src 192.168.2.20 
broadcast 192.168.2.255 dev br-lan table local scope link  src 10.0.0.1 
broadcast 192.168.2.255 dev wan table local scope link  src 192.168.2.20 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWrt:~# 

Remove these two lines (the `option gateway '192.168.2.20'` and `option broadcast '192.168.2.255'` entries) from your lan interface:

Remove this:

Remove this:

I have commented out the lines as requested and rebooted, but it is still not sending the traffic over the WireGuard VPN. When I run the listing commands, the "network" output does not appear and there are some error messages at the end; I am not sure why. I commented out the lines in the file and rebooted, and now those commented-out lines are not shown.

I have appended the contents of the network file, as a `cat` listing, after the main preformatted-text block.

Should I run any other commands to get information for you?

root@OpenWrt:/etc/config# ubus call system board; \
> > uci export network; uci export firewall; \
> > head -n -0 /etc/firewall.user; \
> > iptables-save -c; \
> > ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option mtu_fix '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	option input 'REJECT'
	list network 'ovpn_wan_free'
	list network 'wan_fbx'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Wireguard'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

-ash: -n: not found
-ash: -c: not found
-ash: -4: not found
default via 192.168.2.1 dev wan  metric 10 
10.0.0.0/24 dev br-lan scope link  src 10.0.0.1 
89.238.135.134 via 192.168.2.1 dev wan  metric 10 
192.168.2.0/24 dev wan scope link  metric 10 
local 10.0.0.1 dev br-lan table local scope host  src 10.0.0.1 
broadcast 10.0.0.255 dev br-lan table local scope link  src 10.0.0.1 
local 100.85.33.56 dev Wireguard table local scope host  src 100.85.33.56 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 192.168.2.20 dev wan table local scope host  src 192.168.2.20 
broadcast 192.168.2.255 dev wan table local scope link  src 192.168.2.20 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWrt:/etc/config# 

Here is the network file:

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd33:1ec6:00a8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.0.1/24'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '1'
	option name 'lan4.1'
	option mtu '1500'
	option mtu6 '1500'

config interface 'ovpn_wan_free'
	option proto 'none'
	option metric '20'
	option device 'tun0'
	option defaultroute '0'

config route
	option interface 'ovpn_wan_free'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '30'

config device
	option type '8021q'
	option ifname 'lan3'
	option vid '1'
	option name 'lan3.1'
	option mtu '1500'

config interface 'wan_fbx'
	option proto 'static'
	option metric '10'
	option device 'wan'
	list ipaddr '192.168.2.20/24'
	option gateway '192.168.2.1'
	option dns_metric '10'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '1.1.1.1'

config device
	option name 'eth0'

config device
	option name 'wan'
	option ipv6 '0'

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key '(Hidden)'
	list addresses '100.85.33.56/32'
	list dns '10.255.255.3'
	option defaultroute '0'

config device
	option name 'tun1'
	option mtu '1500'
	option txqueuelen '500'
	option mtu6 '1500'

config wireguard_Wireguard
	option description 'Windscribe-Manchester-United.conf'
	option public_key 'oeqDhAeoxw1g/6cKq/fo4ubgssbwhO3K2Nkmn6JVhg8='
	option preshared_key 'TGV8zYy3cZxCk6QlMC/djLzFyB491DnT7RnI3ZSAjVs='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host 'man-126-wg.whiskergalaxy.com'
	option endpoint_port '65142'
	option route_allowed_ips '1'

config device
	option name 'tun0'
	option mtu '1500'
	option txqueuelen '500'
	option mtu6 '1500'

root@OpenWrt:/etc/config#

If it is still not working, try the following:

Remove the `option defaultroute '0'` line:

Remove the following:

Reboot and show output of:

ip route show
wg show

Hi

I am not sure which change made it work, but it is now passing all traffic through WireGuard. Speeds are excellent compared with OpenVPN, but I am still experiencing a lot of buffering on the streaming service, which I will investigate elsewhere.

Just for completeness, here are the two requested outputs:

root@OpenWrt:~# ip route show
default dev Wireguard scope link 
default via 192.168.2.1 dev wan  metric 10 
10.0.0.0/24 dev br-lan scope link  src 10.0.0.1 
84.252.95.132 via 192.168.2.1 dev wan  metric 10 
192.168.2.0/24 dev wan scope link  metric 10 
root@OpenWrt:~# wg show
interface: Wireguard
  public key: 3lGtWI+CvvrewcDv8UWA3HNSS1ghz0dqV1XxXHOHxSU=
  private key: (hidden)
  listening port: 52656

peer: oeqDhAeoxw1g/6cKq/fo4ubgssbwhO3K2Nkmn6JVhg8=
  preshared key: (hidden)
  endpoint: 84.252.95.132:65142
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 46 seconds ago
  transfer: 6.06 GiB received, 585.30 MiB sent
root@OpenWrt:~# 

Thank you all for your help.

Geoff

Streaming problems over a VPN can be caused by the MTU being too high.

Lower the MTU: start with 1280 and work your way up.

Thank you egc.

There appears to be an MTU setting only on the WireGuard interface, not on the LAN or WAN interfaces. Is that right?

I have set it to 1280 and will test and increase slowly. By what increment should I increase it each time (10, 20, 50)?

What indication will I get? Just that the streaming stutters less? I assume I am trying to find the highest MTU that works well?

Excuse me for not understanding all this!

Geoff

Indeed, you have to set the MTU on the WireGuard interface.
The highest value that works gives the best throughput.

The standard is 1420 (or 1412 if you are using PPPoE), but for IPv4-only you could go as high as 1440 (1432 with PPPoE).

I have heard from users who needed to go even lower than 1280, but start with that and see whether the stuttering improves; then increase in steps of 40, and if the stuttering returns, drop back by 20 :slight_smile:

Oh dear, please help!

I was amending the MTU in the network file when the router suddenly went haywire and (I think) crashed. I was in another room, so I could not see exactly what happened.

I could not get it to connect over wifi as it kept telling me that there was no internet connection.

I unplugged it, brought it to my Mac and tried to connect directly over a LAN cable, but it would not make a connection.

I unplugged it again and suddenly I could connect to the Wi-Fi (so I disconnected the cable), but although it no longer told me there was no internet, I could not get through. I did manage to get into LuCI and discovered that some of the interfaces are missing and that some (most) of my installed software has disappeared.

After SSH-ing into the box and reading the network file, I found that half of it is missing. Any ideas on what has happened, and is it possible to recover the last network file?

Feeling miffed.

Actually, it looks like it has reverted to an old network file from some months ago! If that is the case, will my most recent version of the file still be on the router?

I guess I will have to reinstall all the software?

I have located and restored my last backup, which was taken just before I started on the WireGuard installation, so I am back at square one.

The good news is that OpenVPN is all there and working. I will reinstall the WireGuard software, get back to where I was, and then come back to this post.

Panic over. WireGuard is installed and everything is running again, so I am back to testing the MTU. Apologies for disturbing your peace.
