Hello,
I am running a dual router setup (Internet <--> ISP router <-lan-> OpenWrt), with OpenWrt 21.02.1 (r16325-88151b8303) on a Linksys WRT3200ACM, and I am failing to get Mullvad WireGuard to work on the OpenWrt router.
I followed the Mullvad instructions, but unfortunately they cover a somewhat older version of OpenWrt and the options in the UI are slightly different from the current version, so I am not 100% certain I got everything right.
I found this other thread here Mullvad WireGuard: router has internet, PC doesn't?, but unfortunately that doesn't help as my issue seems to be related to something else.
Problem description:
the router has no internet at all (it was working before setting up Wireguard).
Diagnostics
- The router timezone is set to my local timezone, and syncs via NTP. The router system time is correct.
root@OpenWrt:~# curl https://api.mullvad.net/wg/
curl: (7) Failed to connect to api.mullvad.net port 443 after 1068 ms: Host is unreachable
IPv4 Ping
PING openwrt.org (139.59.209.225): 56 data bytes
ping: sendto: No error information
IPv4 Traceroute
traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
1traceroute: sendto: No error information
NSlookup
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
dmesg
Mon Jan 31 22:16:57 2022 daemon.err odhcp6c[3007]: Failed to send SOLICIT message to ff02::1:2 (Address not available)
Mon Jan 31 22:16:57 2022 daemon.err odhcpd[2123]: Failed to send to ff02::1%lan@br-lan (Address not available)
Mon Jan 31 22:16:58 2022 daemon.notice netifd: WGINTERFACE (2578): Try again: `de5-wireguard.mullvad.net:51820'. Trying again in 1.00 seconds...
Here is my config
/etc/config/network
# Base interfaces: loopback, the LAN bridge, and the wan/wan6 uplinks.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda1:e2fc:b39b::/48'
# Bridge of the four switch ports that carries the LAN.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# LAN is statically 192.168.0.1/24.
# NOTE(review): the post describes an ISP router upstream of wan. If that router
# also hands out 192.168.0.0/24, wan and lan overlap and the router cannot route
# to its own gateway - confirm the upstream subnet before debugging WireGuard.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
# MAC address override applied to the wan device.
config device
option name 'wan'
option macaddr '62:38:e0:c5:32:d0'
# IPv4 uplink: address, gateway and DNS come from the ISP router via DHCP.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
# IPv6 uplink on the same device.
# NOTE(review): the WireGuard peer in this post only lists 0.0.0.0/0, so IPv6
# obtained here is not routed through the tunnel - confirm that is intended.
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# WireGuard tunnel interface and its single peer (the Mullvad server).
config interface 'WGINTERFACE'
option proto 'wireguard'
# Redacted for the post. The real value is the tunnel's secret key and sits in
# this file as plain text, so treat backups and pastes of /etc/config/network
# as sensitive.
option private_key '****'
# Fixed local UDP port.
# NOTE(review): presumably optional for an outbound-only client - confirm.
option listen_port '51820'
option force_link '1'
# Tunnel address, written without a prefix length.
# NOTE(review): confirm it is applied as a single host address (/32).
list addresses '10.67.66.169'
config wireguard_WGINTERFACE
option public_key '****'
# 0.0.0.0/0 plus route_allowed_ips installs an IPv4 default route through the
# tunnel. No ::/0 is listed, so IPv6 is not covered by this peer.
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_port '51820'
# The endpoint is a hostname, so the router must resolve it over wan before the
# tunnel exists. The netifd log line in this post shows this lookup being
# retried, which points at name resolution or wan reachability rather than at
# the keys - NOTE(review): confirm by resolving the name on the router.
option endpoint_host 'de5-wireguard.mullvad.net'
option persistent_keepalive '25'
/etc/config/firewall
# Global chain policies, followed by the lan and wan zones.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
# NOTE(review): stock OpenWrt ships forward 'REJECT' here. With ACCEPT,
# forwarded traffic that no zone forwarding covers is presumably accepted by the
# chain policy instead of rejected. That would weaken the lan->WGZONE-only
# forwarding further down as a kill switch, IPv6 via wan6 in particular -
# confirm against the generated ruleset.
option forward 'ACCEPT'
# LAN zone: fully trusted.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN zone: unsolicited inbound and forwarded traffic is rejected.
# There is no 'option masq' in this zone, so anything forwarded out of wan
# would leave without NAT.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
# Per-rule exceptions to the wan zone's REJECT policy. All of them use src 'wan'.
# Lets DHCP replies from the upstream router reach the wan DHCP client.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Router answers IPv4 echo requests arriving on wan.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 client traffic (port 546), limited to the fc00::/6 source/destination range.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast listener discovery from link-local sources only.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 addressed to the router itself, rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The next two rules forward IPsec (ESP and UDP 500) from wan into lan.
# NOTE(review): if no LAN host terminates IPsec, these two wan->lan openings
# can be disabled.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Inactive: enabled is 'false'.
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
# Pulls in custom rules. The contents of /etc/firewall.user are not shown in the
# post, so anything defined there is outside this review.
config include
option path '/etc/firewall.user'
# Zone for the WireGuard tunnel: masquerade outbound traffic, reject anything
# arriving from or forwarded out of the tunnel unless it is explicitly allowed.
config zone
option name 'WGZONE'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'WGINTERFACE'
option input 'REJECT'
option forward 'REJECT'
# The only zone-to-zone forwarding in this file: LAN clients may leave via the
# tunnel, and no lan->wan forwarding is defined.
# NOTE(review): whether that blocks LAN traffic when the tunnel is down also
# depends on 'option forward' in the 'config defaults' section, which is
# 'ACCEPT' in this file - confirm against the generated ruleset.
config forwarding
option src 'lan'
option dest 'WGZONE'
/etc/config/dhcp
# dnsmasq (DNS forwarder + DHCPv4) and odhcpd settings.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# DNS rebinding protection is enabled.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Upstream resolvers learned on wan are read from this file.
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
# Extra upstream resolver at 10.64.0.1.
# NOTE(review): presumably the VPN provider's in-tunnel resolver, reachable only
# while the tunnel is up. The router's own lookups, including the WireGuard
# endpoint hostname, must still work through a wan-side resolver before the
# tunnel exists - confirm one is present in the resolvfile.
list server '10.64.0.1'
# LAN DHCPv4 pool plus DHCPv6/RA served to clients.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
# NOTE(review): clients are offered IPv6 here while the WireGuard peer only
# lists 0.0.0.0/0 - confirm how LAN IPv6 traffic is meant to be handled.
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# DHCP option 6 hands 10.64.0.1 to clients as their DNS server, so client
# queries go straight to that address instead of to the router's dnsmasq.
list dhcp_option '6,10.64.0.1'
# No DHCP service on wan.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'