Lost wifi internet access after setting up wireguard

Trying to set up WireGuard with LuCI. It worked, but only for wired devices. All wireless devices have no internet access. What did I do wrong in the interfaces?

I searched until my eyes burned; I hope I didn't miss what seems to be an easy fix.
I have a hunch that it is because I have an RT3200 connected to my Starlink router, which I guess is a bridge?

Many thanks!

configs?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I was just looking for the commands!
And thanks for explaining like I'm 5, much appreciated !


root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted; the key, the loopback address and the peer endpoint were redacted by the poster
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	# redacted by the poster; the loopback address is the usual 127.0.0.1-style value and is not sensitive
	option ipaddr '127.0.x.x'
	option netmask '255.0.0.0'

config globals 'globals'
	# locally generated IPv6 ULA prefix (fd00::/8)
	option ula_prefix 'fd27:9bb0:8566::/48'

# wired lan ports only; the wifi APs join this bridge through 'option network lan' in /etc/config/wireless
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	# delegate a /60 of the ULA prefix to lan for IPv6 clients
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	# NOTE(review): 'type bridge' on this interface section is what the replies in the thread flag —
	# wan should be a plain port; only lan needs to be a bridge, and that is done via br-lan above
	option type 'bridge'
	# ignore the ISP-supplied resolvers and use the one listed below instead
	option peerdns '0'
	# same resolver as wg0; the last reply notes it is reachable only while the VPN is up
	list dns '100.64.0.7'
	# less preferred than wg0 (metric 10), so the default route via the tunnel wins while it is up
	option metric '20'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	# this router's WireGuard identity; keep it out of any pasted output
	option private_key 'redacted'
	list addresses '10.64.1.2/32'
	list addresses 'fc00:bbbb:bbbb:bb01::1:101/128'
	option peerdns '0'
	list dns '100.64.0.7'
	option metric '10'

# peer section for wg0
config wireguard_wg0
	option description 'Netherlands'
	option public_key 'redacted'
	# 0.0.0.0/0 and ::/0 together with route_allowed_ips send all traffic into the tunnel (full-tunnel VPN)
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option route_allowed_ips '1'
	# peer's public endpoint, partially redacted
	option endpoint_host '185.65.134.xxx'
	option endpoint_port '51820'

root@OpenWrt:~# cat /etc/config/wireless

# /etc/config/wireless as posted; only the 2.4 GHz radio is enabled
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'GB'

# 2.4 GHz AP, attached to the lan interface (br-lan) so wifi clients share the wired lan
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'water proof tea bags'
	# WPA3-SAE with WPA2-PSK fallback
	option encryption 'sae-mixed'
	option key 'redacted'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	# 5 GHz radio is off, so the AP below is not brought up while this is set
	option disabled '1'

# AP definition for radio1; note 'encryption none' — enabling radio1 as-is would broadcast an open SSID
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# drop upstream answers that point at private address ranges (DNS rebinding protection)
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# upstream resolvers come from this file, which is fed by the interfaces' 'list dns' / peerdns settings
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# answer DNS only for queries from local subnets
	option localservice '1'
	option ednspacket_max '1232'

# DHCP pool for lan: 192.168.1.100 through 192.168.1.249 (start 100, limit 150)
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# no DHCP service on the wan side
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as posted
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	# forwarding between zones is denied unless a 'config forwarding' section below allows it
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	# unsolicited traffic to the router itself is rejected; the rules below carve out exceptions
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# NAT lan addresses to the wan address on the way out
	option masq '1'
	option mtu_fix '1'

# lan clients may reach the internet directly via wan
config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	# rate-limited to keep ICMPv6 from being used to flood the router
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# accepts IPsec ESP from wan toward lan
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# accepts IKE (udp/500) from wan toward lan
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# zone for the WireGuard interface
config zone
	option name 'vpn'
	# NOTE(review): unlike wan (REJECT), traffic arriving over wg0 and addressed to the router itself is
	# accepted on every port; narrow this if the VPN peer should not have that access
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# no 'option masq' in this zone as posted — a reply in the thread points out masquerading on vpn is
	# not enabled, and the poster later reports enabling it in the zone settings
	list network 'wg0'

# lan clients may be forwarded into the tunnel
config forwarding
	option src 'lan'
	option dest 'vpn'

root@OpenWrt:~# 


There is no need for the wan interface to be a bridge. However the lan interface must be a bridge to include the wifi as well.

Thanks for your input trendy

Sorry, I do not comprehend; as far as I can tell from looking through LuCI — unless I am mistaken — the WAN interface is listed as switch port 'wan', and the LAN interface is a bridge (br-lan)???

I am not sure I understand your question; however, from the output 3 posts earlier, the wan interface shows as bridged.
The wireless users lost their internet only? Everything else works?

An error on my part because I was looking at this. I am only just starting to use the CLI, and I can now see it says 'wan'. What should it be?
Yep, only wifi users have issues. My wired desktop was unaffected.
I followed the tutorial from this dude btw:

wan is correct; however, it should not be bridged.

Alright, but what works for the wifi clients?

  1. Do they connect to the wifi?
  2. Do they get IP from DHCP?
  3. Can they ping the gateway?
  4. Can they resolve a hostname?

We have guides in the wiki.

I really can't figure out where LuCI shows that WAN is bridged and how to change it. By the way, these are all default settings - I did not set WAN to bridged.

I didn't follow the wiki because I thought it best to set it up via LuCI until I am competent.

I'll gather the data and report back

Masquerading on the vpn zone is not enabled, so it's hard to believe there is internet access for anything other than the router itself.


Pinging from LuCI, I am getting traceroute: bad address 'openwrt.org' and ping: bad address 'openwrt.org' from the wired desktop, even with the vpn interface disabled.
Pinging from the terminal is fine.

Made sure masquerading is checked in zone settings.

Wireless devices connect to WiFi.
Unfortunately I only have a TV and a de-Googled Android on the wireless, so no access to a CLI. I did download a terminal emulator and could not SSH into the router. (Not sure about the app's functionality though)

I can ping the wireless devices from the desktop (wired)

I'll see if I can figure a way to ping from a wireless device here

How do I change WAN from bridged to ...whatever it should be?

Note that if I use the DNS servers advertised by the peer and do not enter my own from my VPN, everything works. Wireless devices get internet and everything is behind WireGuard.

Remove from wan interface:

That is expected. You are globally using a nameserver that is reachable only when the VPN is up. If the VPN goes down, you will not be able to use it.