Mullvad Wireguard: no internet connection (DNS issue?)

Hello,

I am running a dual-router setup (Internet <--> ISP router <-lan-> OpenWrt), with OpenWrt 21.02.1 (r16325-88151b8303) on a Linksys WRT3200ACM, and I am failing to get Mullvad WireGuard to work on the OpenWrt router.

I followed the Mullvad instructions, but unfortunately they were written for a slightly older version of OpenWrt and the options in the UI are slightly different in the current version, so I am not 100% certain I got everything right.

I found this other thread here, "Mullvad WireGuard: router has internet, PC doesn't?", but unfortunately it doesn't help, as my issue seems to be caused by something else.

Problem description:
The router has no internet access at all (it was working before I set up WireGuard).

Diagnostics

  • The router timezone is set to my local timezone, and syncs via NTP. The router system time is correct.
root@OpenWrt:~# curl https://api.mullvad.net/wg/ 
curl: (7) Failed to connect to api.mullvad.net port 443 after 1068 ms: Host is unreachable
IPv4 Ping
PING openwrt.org (139.59.209.225): 56 data bytes
ping: sendto: No error information

IPv4 Traceroute
traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1traceroute: sendto: No error information


NSlookup
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1

dmesg

Mon Jan 31 22:16:57 2022 daemon.err odhcp6c[3007]: Failed to send SOLICIT message to ff02::1:2 (Address not available)
Mon Jan 31 22:16:57 2022 daemon.err odhcpd[2123]: Failed to send to ff02::1%lan@br-lan (Address not available)
Mon Jan 31 22:16:58 2022 daemon.notice netifd: WGINTERFACE (2578): Try again: `de5-wireguard.mullvad.net:51820'. Trying again in 1.00 seconds...

Here is my config

/etc/config/network

# /etc/config/network as posted by the original poster.
# The '#' lines are review notes; everything else is the configuration as pasted.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda1:e2fc:b39b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        # Hands a /60 slice of any delegated IPv6 prefix to the LAN. See the
        # WGINTERFACE peer below: that IPv6 traffic is not covered by the tunnel.
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config device
        option name 'wan'
        # Fixed MAC on the port facing the ISP router.
        option macaddr '62:38:e0:c5:32:d0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # NOTE(review): no 'peerdns 0' here, so the resolvers handed out by the ISP
        # router presumably end up in the dnsmasq resolvfile
        # (/tmp/resolv.conf.d/resolv.conf.auto in this thread's /etc/config/dhcp) next
        # to the in-tunnel server 10.64.0.1. Compare the 'peerdns 0' + 'list dns' pair
        # in the second config in this thread.

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        # Key redacted by the poster.
        option private_key '****'
        # Fixed local UDP port. The 'wan' zone in this thread's /etc/config/firewall has
        # input REJECT, so the ISP side should not be able to reach it; an outbound-only
        # tunnel does not strictly need a fixed port (the second config sets it too, so
        # it is not the cause of the problem).
        option listen_port '51820'
        option force_link '1'
        # Tunnel-side IPv4 address only; no IPv6 tunnel address is assigned, which
        # matches the IPv4-only allowed_ips of the peer below.
        list addresses '10.67.66.169'

config wireguard_WGINTERFACE
        # Key redacted by the poster.
        option public_key '****'
        # Only IPv4 is sent into the tunnel. With wan6 (dhcpv6) and lan ip6assign above,
        # any IPv6 the ISP router hands out would bypass the VPN. The second config in
        # this thread adds '::0/0' and an IPv6 tunnel address to close that gap.
        list allowed_ips '0.0.0.0/0'
        # With route_allowed_ips and 0.0.0.0/0 the default route points into the tunnel
        # as soon as the interface is up. While the endpoint is still unresolved (the
        # netifd 'Try again: de5-wireguard.mullvad.net:51820' line in the diagnostics),
        # all IPv4 traffic appears to be black-holed, which is consistent with the
        # 'sendto' failures shown for ping and traceroute.
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option endpoint_host 'de5-wireguard.mullvad.net'
        option persistent_keepalive '25'

/etc/config/firewall

# /etc/config/firewall as posted by the original poster.
# The '#' lines are review notes; everything else is the configuration as pasted.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        # NOTE(review): the fallback forward policy is ACCEPT here; the other config in
        # this thread uses REJECT (which I believe is also what OpenWrt ships). Inter-zone
        # forwarding is already granted explicitly by the 'config forwarding' section at
        # the end of this file, so REJECT is the safer fallback and costs nothing here.
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# ISP-facing zone: unsolicited input is rejected, which also keeps the WireGuard
# listen_port (51820 in /etc/config/network) unreachable from the ISP side.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

# Tunnel zone. Nothing may enter from or be forwarded out of the tunnel unsolicited;
# LAN sources are NATed to the tunnel address (10.67.66.169 in /etc/config/network).
config zone
        option name 'WGZONE'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'WGINTERFACE'
        option input 'REJECT'
        option forward 'REJECT'

# lan -> tunnel is the only forwarding in this file; there is no lan -> wan
# forwarding, so LAN clients have no path to the internet except through WGZONE
# (fail-closed while the tunnel is down). The router's own traffic is governed by the
# output policies and the routing table, not by this section.
config forwarding
        option src 'lan'
        option dest 'WGZONE'

/etc/config/dhcp

# /etc/config/dhcp as posted by the original poster.
# The '#' lines are review notes; everything else is the configuration as pasted.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers are also read from this file, i.e. whatever the wan
        # interface received over DHCP (there is no 'peerdns 0' on wan in this
        # thread's /etc/config/network).
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        # In-tunnel resolver, reachable only while the tunnel is up.
        # NOTE(review): without 'option noresolv 1' this server presumably sits
        # alongside the resolvfile servers, so which upstream answers depends on
        # dnsmasq's server selection and the router may resolve via the ISP path once
        # the tunnel is up (a DNS leak). The second config in this thread avoids this
        # with 'peerdns 0' on wan/wan6 plus 'strictorder 1' here.
        list server '10.64.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        # DHCP option 6: LAN clients are told to use the in-tunnel resolver directly,
        # so client-side DNS (not just routing) depends on the tunnel being up.
        list dhcp_option '6,10.64.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

I recently set up Mullvad and get pretty decent results. Here are my settings; they may help you out.

/etc/config/network

# /etc/config/network from the second poster (a working Mullvad setup on another box).
# The '#' lines are review notes. The $my_... tokens are the poster's redactions, not
# UCI syntax; the real file holds quoted strings there.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ddb3:216f:1a19::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth2'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	# Policy routing: LAN routes go to table 1, WAN routes to table 2 (wan/wan6 below).
	# The 'Mullvad' interface sets no table, so its allowed_ips default route
	# presumably stays in the main table.
	option ip4table '1'
	option ip6table '1'
	option ipaddr '192.168.1.1'
	option device 'br-lan'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	# Ignore the ISP-supplied resolvers and pin the in-tunnel one instead, so the
	# router's own lookups do not go out the ISP path (contrast the first config in
	# this thread, which has neither option).
	option peerdns '0'
	list dns '10.64.0.1'
	option ip4table '2'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	# Same resolver pinning as on wan (an IPv4 literal, reached through the tunnel).
	option peerdns '0'
	list dns '10.64.0.1'
	# NOTE(review): if I read the option right, this disables the source-address
	# filter netifd normally applies to the IPv6 default route. Confirm it is needed
	# with your ISP router before copying it.
	option sourcefilter '0'
	option ip6table '2'

config interface 'Mullvad'
	option proto 'wireguard'
	option force_link '1'
	option listen_port '51820'
	option private_key $my_private_key
	# Both an IPv4 and an IPv6 tunnel address, matching the dual-stack allowed_ips
	# of the peer below.
	list addresses $my_ipv4_address
	list addresses $my_ipv6_address

# NOTE(review): a rule with no selector and 'lookup 2' at priority 40000 consults the
# WAN table after the main table (Linux evaluates lower priority numbers first; main
# sits at 32766). While the tunnel's default route is in main this only catches
# destinations main does not cover; if that route disappears, the router's own traffic
# would fall back to the ISP path in the clear. LAN clients stay contained by the
# firewall in this post, which forwards lan only into the 'wireguard' zone.
config rule 'lan_wan'
	option lookup '2'
	option priority '40000'

config rule6 'lan_wan6'
	option lookup '2'
	option priority '40000'

config wireguard_Mullvad
	# Dual-stack allowed_ips: IPv6 is tunnelled too, so a prefix delegated via wan6
	# should not bypass the VPN (the first config in this thread only covers IPv4).
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	option description 'mullvad'
	option public_key $my_public_key
	option endpoint_host $my_endpoint

/etc/config/firewall

# /etc/config/firewall from the second poster.
# The '#' lines are review notes; everything else is the configuration as pasted.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	# Fallback forward policy is REJECT; inter-zone forwarding is granted explicitly
	# by the 'config forwarding' section near the end of this file.
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
	# IPv6 masquerading on the ISP side, paired with the 'nat6' include at the end of
	# this file. Only matters for traffic that is actually forwarded to 'wan'; no
	# forwarding in this file has 'wan' as its destination.
	option masq6 '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	# NOTE(review): this value is shell quoting that leaked into the file. As uci
	# parses it, the option presumably holds the three characters '0' (quote, zero,
	# quote) rather than 0, and how fw3 treats that non-canonical boolean is worth
	# checking with 'uci show firewall'. The intended line is most likely:
	#   option enabled '0'
	option enabled ''\''0'\'''

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

# Tunnel zone: unsolicited input and forwarding out of the tunnel are rejected; LAN
# sources are NATed to the tunnel addresses (see 'Mullvad' in /etc/config/network).
config zone
	option name 'wireguard'
	option input 'REJECT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	option output 'ACCEPT'
	list network 'Mullvad'

# lan -> tunnel is the only forwarding; with no lan -> wan forwarding, LAN clients have
# no path to the internet except through the tunnel (fail-closed while it is down).
config forwarding
	option src 'lan'
	option dest 'wireguard'

# Extra rules for the masq6 setup above; the script itself is not shown in this post.
config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

/etc/config/dhcp

# /etc/config/dhcp from the second poster.
# The '#' lines are review notes; everything else is the configuration as pasted.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# With 'peerdns 0' on wan/wan6 in this poster's /etc/config/network, this file
	# should only carry the pinned 10.64.0.1 rather than the ISP's resolvers.
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	# In-tunnel resolver, reachable only while the tunnel is up.
	list server '10.64.0.1'
	option confdir '/tmp/dnsmasq.d'
	# Query upstreams in the listed order instead of by fastest response, so the
	# in-tunnel resolver is preferred deterministically (the first config in this
	# thread lacks this).
	option strictorder '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	# DHCP option 6: LAN clients get the in-tunnel resolver directly.
	list dhcp_option '6,10.64.0.1'
	# NOTE(review): presumably keeps serving DHCP even if another server is seen on
	# the segment, which can matter behind a second router; confirm before copying.
	option force '1'
	option ra 'server'
	list ra_flags 'none'
	option ra_default '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Thank you - I will try this out and report back.

No, I can't get it to work :frowning:

I still see this in the syslog (although I'm not certain whether it is related to my issue):

Wed Feb  2 01:20:27 2022 daemon.err odhcp6c[5734]: Failed to send SOLICIT message to ff02::1:2 (Address not available)

The WireGuard interface (named WGINTERFACE) is up. It's just that no packets are routed through it.

And when I run ping openwrt.org I get a "bad hostname" error.

My network topology is

 Internet <--> ISP router <--lan1 : wan --> OpenWrt

Any idea how I can further troubleshoot this?

This is what I have.

Perhaps you aren't forwarding DNS, as your topic's title suggests?