May 2024 Update: How to create wireguard tunnel with nordvpn on OpenWRT 22.03

Hey everyone,

I have been working on this for a while. I wanted to create a wireguard tunnel to nordvpn servers. I will provide two ways to achieve the result. Option number two is optimal because I am able to create a private wireguard server that allows me to connect to the local subnet that is behind nordvpn. This will allow me to create a subnet that is protected by nordvpn. I can then access this subnet through my own private wireguard server anywhere in the world. So here is the process:

Setup (The setup will be the same for both option 1 and option 2)

1. Install packages

sudo apt install wireguard curl jq net-tools

2. Install nordvpn on linux machine

sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)

3. Login into nordvpn

sudo nordvpn login

4. Change connection protocol to nordlynx

sudo nordvpn set technology nordlynx

5. connect to your preferred server

`sudo nordvpn c nl #to connect Nederland as an example`

6. Obtain ip address of nordlynx interface (should be similar to 10.5.0.2)

ifconfig nordlynx

7. Obtain nordlynx configuration public-key and private-key

sudo wg show nordlynx private-key

sudo wg show nordlynx public-key

8. Enter this command to obtain the peers (nordvpn servers) public key

curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1"|jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load'

9. Install these software packages on Openwrt
   kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools
   
   

   image1920×1388 279 KB
10. Create network interface that connects to nordlynx wireguard server
    
    

    image1804×360 22.6 KB
11. Add your nordlynx public and private key
12. Allowed ip (10.5.0.2 - found earlier)
13. Route allowed ips checked
14. Persistent keep alive 25s
    
    

    image1804×1442 236 KB
15. Create a firewall zone to assign the interface to
    
    

    image1808×442 47.9 KB
16. Create peer with the public key of the nordvpn server you connected to and set allowed ips to 0.0.0.0/0
    
    

    image1800×1444 271 KB
17. Set endpoint host to external ip address of nordvpn server
    
    

    image1798×536 47.3 KB
18. Set endpoint port to 51820
19. Persistent keep alive to 25 seconds
20. Create a new interface with static ip address range
21. Create a new firewall zone to attach the new interface to
22. Create advanced DHCP settings to make sure DNS is through nordvpn
    
    

    image1800×1014 83 KB
23. Create device that is attached to a vlan or ethernet port and then assign this device to your subnets interface
    
    

    image1800×658 56.9 KB
    
    

*I will now propose two options on how to route traffic from the interface with the static ip address (i.e. 10.20.40.1/24) to the wireguard vpn tunnel. Option 1 is used in case option 2 does not work. Option 1 forces the traffic from interface subnet 10.20.40.1/24 to be routed through the tunnel. Correct firewall rules should allow the traffic to pass through the zones but it does not always work. I think option 1 did not work with similar firewall settings becasue I did not click "route allowed ips" in the peers section of the wireguard interface.

image966×128 5.85 KB

Option 1

1. Install pbr and luci-app-pbr in openwrt packages
   
   

   image1938×798 75.7 KB
2. Create a new policy that routes your static ip address 10.20.40.1/24 to wg0 (wireguard tunnel)
   
   

   image1798×1032 46.8 KB
3. Create firewall settings that reflects below:
   
   

   image1880×208 26.3 KB
   
   
   

   image1792×1432 252 KB
   
   
   

   image1804×1438 261 KB
4. Enjoy traffic through the wireguard tunnel

Option 2

1. The firewall zone with the subnet interface should have 'covered networks' as the interface. It should then forward to the wireguard tunnel destination zone
2. The firewall zone should have allow forward from source zone (subnet interface). Then it should not have to forward anywhere else. Covered networks is the wireguard tunnel interface. Masquerading and MSS clamping should be enabled.

Please provide revisions in the comments

Sources:

1. https://gist.github.com/bluewalk/7b3db071c488c82c604baf76a42eaad3 (how to obtain wireguard credentials)
2. [Instruction] Config NordVPN wireguard (Nordlynx) on OpenWrt (configure nordvpn wireguard on openwrt - my tutorial goes into more depth on how to setup the wireguard rules)

Given that 22.03 officially went EOL as of the end of April 2024, I'd recommend testing your recipe against 23.05. Make adjustments if necessary and edit the title accordingly.

Nordvpn provides radically different setup guide.

When I use option 2 my guest network is always messed up. Whenever I click route addresses on wireguard peer and set allowed ip to 0.0.0.0/0 my guest network quits working. Anyone know why this is?

I can confirm that option 2 works on openwrt 23. Didn't even realize I was that far behind in updates.

We'd need to see your configuration after you've setup option 2.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

• After obtaining the keys and IP addresses, be sure to disable NordLynx on the laptop. There can only be one active connection at a time with the same key.
• Only the private key field needs to be transferred over to the wireguard interface, and the server's public key installed as the peer. Anyone who knows a private key can derive the corresponding public key from it any time later. The reverse of course is not true. When you return to the page you will find the private key is obscured and the public key field has been populated.
• Do not check Route Allowed IPs when using PBR. PBR will install routes as needed.

@mk24 In regard to do not check "route allowed IPs". Every time I check that box it makes my default gateway as the wg0 interface. I am unable to use my guest and IOT network consequentially. However, I am unable to successfully setup the wg0 interface without it setting allowed ip as "0.0.0.0/0" and click route allowed ips. So im either forced to have my vpn network working or my guest network working. Can you help me understand what is going on?

As I understand it, you have to add two 0.0.0.0 routes in PBR, with the source controlling which one will be used. I have not actually done this in practice so don't say I'm an expert with PBR. Also you need to be sure that the encrypted packets from the Wireguard kernel process to the VPN server will always be routed into the regular wan. These packets will have the source IP of the regular WAN interface.

Can we see your config, please?

Hey everyone,

after lots of testing. I have realized that you should not click "create routes for allowed ips". When you set allowed ip to 0.0.0.0/0 and then wireguard app creates a route, this will make a new default gateway. This will indeed mess up your routing options in openwrt. I would set allowed ips to 0.0.0.0/0 and then go with option 1 using pbr. Option one will create a route from 10.20.40.1/24 (vpn subnet) to wg0 (nordlynx wireguard interface) with pbr. Make sure to set the vpn subnet dhcp options to 6,103.86.96.100,103.86.99.100. The wg0 interface should use those custom dns servers for nordvpn. Please reply if you have questions.

I can confirm that this works for 23.05

Shall we edit the title accordingly?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.