Mullvad Wireguard Installation - No handshake


Hello, I installed OpenWrt on a Pi Zero W and it all works, except my Mullvad WireGuard. I tried many solutions, and also many guides and instructions, but couldn't solve the problem. I also tried it on my RPi 3B+ with the same result. On my Pi Zero W with RaspAP everything is fine, and also on my laptop, mobile and so on. Maybe someone can push me in the right direction or has some clues.
Thank you.


My data:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd95:559d:b1da::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'wlan0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.111'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'

config device
        option name 'eth0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'YPavLJtPjxIZQ5uL5KyTOQ5C/kntDvNf4TP77L1o7FU='
        list addresses '10.72.60.174/32'
        list addresses 'fc00:bbbb:bbbb:bb01::9:3cad/128'
        list dns '100.64.0.63'
       

config wireguard_wg0
        option description 'de-fra-wg-004.conf'
        option public_key 'tzYLWgBdwrbbBCXYHRSoYIho4dHtrm+8bdONU1I8xzc='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host '185.209.196.74'
        option endpoint_port '51820'
        option route_allowed_ips '1'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'vpn'


It looks like this router is not set up in gateway mode with its WAN connected to the internet?

Anyway you have to enable Masquerading on the VPN firewall zone.

But if this is setup on a Bridged (aka Dumb) AP then normal traffic bypasses this router so will not use the VPN.


Hello, thank you for replying. It also didn't work with masquerading. My intention was to build an AP like RaspAP, so that we can use more connections than the five which Mullvad supports. I have used OpenWrt before, but never as an AP. Attached is the data from my RPi 3B+.

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'


config rule
option name 'Allow-DHCP-Renew'
option src 'wan'

        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option name 'Wireguard'
        option src 'wan'
        option src_port '51820'
        option dest 'vpn'
        option target 'ACCEPT'

root@OpenWrt:~# cat "/etc/config/network"

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd84:a7c0:840b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.11'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'
        option peerdns '0'
        list dns '1.1.1.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'YP2q7+mT9eNe7itcQjO4Co7UJvTAYXX2WcgY8ZKpRmg='
        list dns '100.64.0.63'
        list addresses '10.71.176.161/32'
        list addresses 'fc00:bbbb:bbbb:bb01::8:b0a0/128'

config wireguard_wg0
        option description 'de-fra-wg-008.conf'
        option public_key 'TOS3U/dJPzPnk/qsAx6gHxRVIC2wI5l+tAWaJY2mXzY='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host '185.209.196.78'
        option endpoint_port '51820'
        option route_allowed_ips '1'

Enable masquerading on the lan firewall zone.

i did, but same result. Anyway very fast help in this Forum. :blush:

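After you reboot the router, let us see the output of `wg show`; redact the keys etc. Note that the `private_key` values in the network configs posted above were not redacted, so treat those keys as exposed and replace them.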

root@OpenWrt:~# wg show all
interface: wg0
public key: redact=
private key: (hidden)
listening port: 43934

peer: redact=
endpoint: 185.209.196.78:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 1.73 KiB sent

That is not good: 0 B received and no `latest handshake` line mean the peer never answered, which points to a network problem or wrong keys etc.

Are you sure you have a network connection from this router? If not, disable WG, reboot the router, SSH into the router and do a simple ping test: ping 8.8.8.8

Make sure the router has the correct time

Make sure this WG config is indeed working by testing the same config from another device (e.g. phone)

Thank you for replying. I already disabled the WireGuard interface and could ping 1.1.1.1 or 9.9.9.9. I also restarted my main router, checked the keys and generated new keys. Then I switched the Mullvad connection to other countries, and also checked with my RaspAP Pi Zero whether it is possible to connect. I did many, many other tests, but can't find the problem. Do you have any idea, or maybe some working guides? I tried many of them, also on YouTube. Not one of them solved it.

Does your Pi show the correct time?

I do not have a Pi but as far as I know it only has one radio and one ethernet port.

How are you connected to the main router?

The main router's IP is 192.168.1.1?

Wireguard uses the public key to identify a peer. Keys that were issued to you by the service can't be configured into multiple devices unless you are sure that only one will ever be online at the same time.

Setting a persistent_keepalive will cause Wireguard to attempt to negotiate a handshake immediately instead of waiting until there is an attempt to send traffic through the tunnel. This is recommended for troubleshooting. This will also allow you to see connection attempts with tcpdump.

It is not necessary to add an allow incoming port rule to the firewall for this use case, since your Wireguard is only making outgoing connections.

The time is my local time, which means it is correct. The main router has the IP 192.168.1.1, so my Raspberry is bridged with a network cable and has the br-lan IP 192.168.1.111.

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Openwrt-Spot-5G'
	option encryption 'psk2'
	option isolate '1'
	option key 'XXXXXXX'
	option wpa_disable_eapol_key_retries '1'

I know with Mullvad VPN you can use five single devices, but it's not a problem to share a single connection, like RaspAP does.

As said I do not have an Rpi so just speculating.

But can you confirm you are using the ethernet port to connect to the upstream router?

If so should your interfaces not reflect that and should eth0 not be part of br-lan as we are talking about a dumb AP setup?

I changed the IP for test reasons, but same result. Anyway, maybe I will install it again from scratch with another version, and also with a squashfs and a snapshot version, and come back then.

Let’s see the latest complete config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you helping me.

I have 2 Pi Zero W. One with OpenWrt and the other with RaspAP, both with Mullvad VPN. The RaspAP VPN works fine, but the OpenWrt one does not. The OpenWrt installation is standard and includes WireGuard and curl, with no add-on software or modifications.

I also sent a ping to 1.1.1.1 with the WireGuard VPN disabled and then enabled.

The hardware addresses below are modified, but should still show the connections.

Thank you.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "ARMv6-compatible processor rev 7 (v6l)",
        "model": "Raspberry Pi Zero W Rev 1.1",
        "board_name": "raspberrypi,model-zero-w",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "bcm27xx/bcm2708",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd95:559d:b1da::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'wlan0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.111'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'

config device
        option name 'eth0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'redact='
        list addresses '10.72.60.174/32'
        list addresses 'fc00:bbbb:bbbb:bb01::9:3cad/128'
        list dns '100.64.0.63'
        option disabled '1'

config wireguard_wg0
        option description 'de-fra-wg-004.conf'
        option public_key 'redact='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host '185.209.196.74'
        option endpoint_port '51820'
        option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/20300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'CN'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Openwrt-Pizero'
        option encryption 'psk2'
        option key 'redact'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'sta'
        option ssid 'redact'
        option encryption 'psk2'
        option key 'redact'
        option network 'wan'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

root@OpenWrt:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=51 time=274.998 ms
64 bytes from 1.1.1.1: seq=1 ttl=51 time=274.976 ms
64 bytes from 1.1.1.1: seq=2 ttl=51 time=274.921 ms
64 bytes from 1.1.1.1: seq=3 ttl=51 time=274.958 ms
64 bytes from 1.1.1.1: seq=4 ttl=51 time=274.963 ms
64 bytes from 1.1.1.1: seq=5 ttl=51 time=274.966 ms
64 bytes from 1.1.1.1: seq=6 ttl=51 time=274.968 ms
^C
--- 1.1.1.1 ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 274.921/274.964/274.998 ms

root@OpenWrt:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
76 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr BA:27:EB:F2:6A:55
          inet addr:192.168.1.111  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::b827:ebff:fef2:6a25/64 Scope:Link
          inet6 addr: fd95:559d:b1da::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8785 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:825808 (806.4 KiB)  TX bytes:2356639 (2.2 MiB)

eth0      Link encap:Ethernet  HWaddr 00:E0:4C:36:17:0E
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fe36:17ee/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:277750 errors:0 dropped:243934 overruns:0 frame:0
          TX packets:3272 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:13449289 (12.8 MiB)  TX bytes:546203 (533.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28568 (27.8 KiB)  TX bytes:28568 (27.8 KiB)

phy0-ap0  Link encap:Ethernet  HWaddr BA:27:EB:F2:6A:55
          inet6 addr: fe80::b827:ebff:fef2:6a25/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9368 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:825808 (806.4 KiB)  TX bytes:2495995 (2.3 MiB)

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.72.60.174  P-t-P:10.72.60.174  Mask:255.255.255.255
          inet6 addr: fc00:bbbb:bbbb:bb01::9:3cad/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:126 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:2812 (2.7 KiB)

Alternatively, if you do not want all traffic going there, you can just use the SOCKS proxy where you need it. That is usually the better setup if you just want to access content from some sites instead of routing everything through the slow Mullvad pipe.

They allow Mullvad in China?

Can you ping the DE server address?

DPI (Deep Packet Inspection) may be blocking you. We have to trust you setup the keys correctly.

I just researched the other day that handshake packets differ in their quality markings. Maybe that can be altered by the firewall as a test?

@dave14305 @trendy Ideas?

All handshake packets have a DSCP value of 0x88 (AF41), so that these packets are the least likely to be dropped

~From https://www.wireguard.com/protocol/

Dear Friends,

Thanks again for helping me. Yes, I'm in China. Of course Mullvad is blocked, but the VPN works fine. I have used it for a long while.

As I mentioned before: today I newly installed OpenWrt 23.05.0 on my RPi 3B+, without any updates, just with the WireGuard software. Then I installed the Mullvad configs like before, but again no VPN. I have another server at blu1 with Ubuntu Server on it, so I installed a WireGuard server there, generated the key and config, configured the RPi with it, and I got the VPN connection. So the problem seems to be with the Mullvad VPN. What I don't understand is that I used Mullvad VPN keys with RaspAP and there I also got the Mullvad VPN working.

Here the data:

root@OpenWrt:~# wg show
interface: wg0
  public key: redact=
  private key: (hidden)
  listening port: 40215

peer: redact=
  preshared key: (hidden)
  endpoint: 178.254.45.XXX:53438
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 23 seconds ago
  transfer: 348 B received, 516 B sent
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Raspberry Pi 3 Model B Plus Rev 1.3",
        "board_name": "raspberrypi,3-model-b-plus",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "bcm27xx/bcm2710",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc8:355a:2f12::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.31'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'redact='
        list addresses '10.66.66.2/32'
        list addresses 'fd42:42:42::2/128'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config wireguard_wg0
        option description 'wg0-client-rpi.conf'
        option public_key 'redact='
        option preshared_key 'redact='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host '178.254.45.XXX'
        option endpoint_port '53438'
        option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel '36'
        option band '5g'
        option htmode 'VHT40'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option network 'wan'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'



root@OpenWrt:~# wg show
interface: wg0
  public key redact=
  private key: (hidden)
  listening port: 40215

peer: redact=
  preshared key: (hidden)
  endpoint: 178.254.45.XXX:53438
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 2 minutes, 31 seconds ago
  transfer: 2.79 KiB received, 3.60 KiB sent
root@OpenWrt:~#