I have OpenWrt setup on a QNAP QGD-1600P and all is running greatly except for this one final thing I want to do with it, networking wise.
I have two WireGuard interfaces: a Mullvad client ("Mullvad") and a WireGuard server ("wgserver"). My goal is to send all LAN traffic through Mullvad so every device is behind the VPN, and also to run a server so non-LAN devices (like my phone) can connect to my network, access LAN resources, and then exit through the Mullvad interface. A sort-of multihop setup.
Currently, if the Mullvad interface is up, my phone will not connect to the server while on LTE (it will connect if it is on the same LAN). If I take down the Mullvad interface and go through the WAN, my phone will connect to the server: handshake, traffic, it does it all! While the Mullvad interface is up, I can still see the Rx and Tx counters going up and an endpoint populates pointing to my phone's IP on the wgserver interface.
From what I understand, this is a routing issue, and I have PBR installed to try to fix it, but I think I must be doing it wrong. Looking at tcpdump output, I can see my phone sending the UDP packet. I think the issue arises because it is the Mullvad interface that responds to the packet instead of the WAN interface.
My policy could also be configured incorrectly, because when it is enabled I can see my phone sending the packet but no response from either the Mullvad or the WAN interface.
tcpdump with policy enabled:
PHONEip.14048 > WANip.51820: [udp sum ok] UDP, length 148
PHONEip.14048 > WANip.51820: [udp sum ok] UDP, length 148
tcpdump with policy disabled:
PHONEip.14066 > WANip.51820: [udp sum ok] UDP, length 148
MULLVADip.51820 > PHONEip.14066: [bad udp cksum 0xee5b -> 0x709a!] UDP, length 92
/etc/config/network:
# Loopback interface (stock OpenWrt, unchanged).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix used by ip6assign on the LAN below (stock OpenWrt).
config globals 'globals'
option ula_prefix 'fdc8:d553:0195::/48'
# LAN bridge on eth0, 192.168.1.1/24. ip6assign '60' delegates a /60 out of the
# ULA prefix above to this interface.
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0'
# Upstream on eth1 via DHCP. This is the interface whose address appears as
# WANip:51820 in the captures above, i.e. where the phone's handshakes arrive.
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
# Mullvad client tunnel. 'private key' / 'public key' / 'mullvadip' are redacted
# placeholders (keys must never be posted; keep redacting them).
config interface 'Mullvad'
option proto 'wireguard'
option private_key 'private key'
list addresses 'mullvadip/32'
# Peer = the Mullvad server. allowed_ips 0.0.0.0/0 together with
# route_allowed_ips '1' installs a default route into this tunnel, so packets the
# router itself originates — including the wgserver handshake replies — follow it
# unless something steers them elsewhere. The capture above shows exactly that:
# the reply leaves as MULLVADip (presumably WANip rewritten by the masq on the
# Mullvad zone in /etc/config/firewall) instead of WANip.
# NOTE(review): endpoint_host 'WAN ip' reads like a placeholder for the Mullvad
# server address rather than this router's WAN — confirm.
config wireguard_Mullvad
option public_key 'public key'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'WAN ip'
option persistent_keepalive '25'
# NOTE(review): peer section for an interface named 'VPN', but no
# "config interface 'VPN'" exists in this file. Presumably a leftover from an
# earlier setup; harmless, but it makes the config harder to read.
config wireguard_VPN
option route_allowed_ips '0'
# Peer = the phone. Only 10.6.0.2/32 is routed towards it, which is the correct
# server-side setting; what the phone sends into the tunnel (e.g. all traffic) is
# decided by the phone's own AllowedIPs, not here.
# NOTE(review): 'public ip' is presumably a redacted public key, not an address —
# confirm.
config wireguard_wgserver
option description 'Phone'
option public_key 'public ip'
list allowed_ips '10.6.0.2/32'
option route_allowed_ips '1'
# Server side of the tunnel: 10.6.0.1/24, listening on UDP 51820. Handshakes
# arrive at WANip:51820 (capture above); the problem in this post is the return
# path of the replies, not the listener itself.
config interface 'wgserver'
option proto 'wireguard'
list addresses '10.6.0.1/24'
option private_key 'private key'
option listen_port '51820'
/etc/config/firewall
# Chain defaults. These apply to traffic not matched by a zone; the zones below
# override them per interface (e.g. wan sets input/forward to REJECT).
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone covers both the wired LAN and the wgserver tunnel, so a connected
# phone gets the same access as a wired host, including router input (ACCEPT).
# NOTE(review): 'WG' in the network list has no matching interface in
# /etc/config/network above — presumably stale; confirm and drop if unused.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'WG lan wgserver'
# wan zone (stock): NAT outbound, reject unsolicited input/forward. Anything the
# router must accept from the Internet — such as the WireGuard port — needs an
# explicit rule with src 'wan'.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option forward 'REJECT'
option input 'REJECT'
# Stock OpenWrt wan input rules: DHCP renew, ping, IGMP, the IPv6 essentials
# (DHCPv6, MLD, ICMPv6) and IPsec pass-through. Unchanged from the defaults.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two IPsec rules (ESP and UDP/500 forwarded wan -> lan) are part of the
# stock ruleset; they are only useful if a LAN host runs an IPsec endpoint and
# can be removed otherwise.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# /etc/firewall.user is not shown in this post. Any rule it adds (for instance an
# extra accept for UDP 51820) is invisible here, so the behaviour described above
# cannot be fully explained from this file alone.
config include
option path '/etc/firewall.user'
# Mullvad zone: egress only. masq rewrites the source of everything leaving the
# tunnel to the tunnel address, and nothing is accepted inbound from it
# (input/forward REJECT) — the right shape for a VPN exit.
config zone
option name 'Mullvad'
option output 'ACCEPT'
option network 'Mullvad'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
# lan -> Mullvad is the intended VPN path. Because wgserver is in the lan zone,
# this is also what lets the phone exit via Mullvad.
config forwarding
option dest 'Mullvad'
option src 'lan'
# lan -> wan is the fallback used when the Mullvad interface is taken down (as
# described above). With both forwardings present there is no kill switch: if
# Mullvad drops, LAN traffic silently leaves in the clear via wan. Presumably
# deliberate for now — confirm, and remove this forwarding once the setup works
# if "all LAN traffic behind the VPN" is a hard requirement.
config forwarding
option dest 'wan'
option src 'lan'
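# Admit WireGuard handshakes for wgserver at the router itself. A rule with
# 'dest' set is a forwarding rule: traffic addressed to the router's own WAN
# address (WANip:51820 in the capture) never traverses the forward path, so the
# previous form (src '*', dest 'lan', dest_ip 192.168.1.1) could not be what
# admits the handshake — if it works with Mullvad down, something else (likely
# /etc/firewall.user, not shown) must be accepting it. The standard form is an
# input rule from wan with no 'dest'.
config rule
option name 'WGserver'
option src 'wan'
option proto 'udp'
option dest_port '51820'
option target 'ACCEPT'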
/etc/config/vpn-policy-routing
# vpn-policy-routing (PBR) global settings.
config vpn-policy-routing 'config'
option src_ipset '0'
list supported_interface ''
# wgserver is excluded from policy handling so no routing table is built for it.
# NOTE(review): 'vpnserver' matches nothing in /etc/config/network above —
# presumably stale.
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_protocol_column '1'
option webui_enable_column '1'
option enabled '1'
option webui_sorting '1'
option webui_chain_column '1'
option verbosity '1'
# strict_enforcement: traffic matched by a policy whose target interface is down
# is blocked rather than falling back to the default route (per the PBR docs —
# confirm for the installed version). Note it only covers policies; the lan ->
# Mullvad default-route path is not a policy, so this is not a LAN kill switch.
option strict_enforcement '1'
option dest_ipset 'dnsmasq.ipset'
option ipv6_enabled '1'
# Optional user scripts shipped with PBR (Netflix/AWS ranges); both disabled.
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
# Intended fix for the capture above: UDP that the router itself originates from
# port 51820 (the wgserver handshake replies and data) should leave via wan
# instead of following the Mullvad default route. chain 'OUTPUT' is the right
# chain for router-originated packets. A reply that reaches the phone from a
# different address than the one the phone sent to is typically discarded by the
# NAT in front of an LTE phone, which matches the "no connect on LTE" symptom.
# NOTE(review): the post says that with this enabled no reply is seen on either
# wan or Mullvad. Worth confirming with a capture on both interfaces at once,
# and checking that the steered reply still carries WANip as its source (it
# should, since it is sourced from the address the handshake arrived on).
# NOTE(review): the trailing '#' comment on the enabled line — uci accepts
# full-line '#' comments; confirm it tolerates an inline one, or move the remark
# to its own line to be safe.
config policy
option interface 'wan'
option name 'wgserver'
option src_port '51820'
option proto 'udp'
option chain 'OUTPUT'
option enabled '0' # currently disabled, easily enabled.