No change in results whether policy is enabled or disabled from original post. That guide is what I primarily used to configure most of the settings to include editing the /etc/sysctl.conf.
After your commands my traffic is now passing through the WAN rather than Mullvad and my phone will still not connect.
I am confused about the policy you are referring to. Create a PBR policy? Or is that for firewall zones? The only interfaces I have to choose from in the PBR policy are WAN and Mullvad.
I am trying to keep all of my traffic going through Mullvad as well as hosting a server. OpenWrt as a Wireguard client (to Mullvad) and Wireguard server (for roaming devices i.e. my phone)
on the Wireguard client (Mullvad) is set, I am able to connect to the wgserver. The final issue, which really makes this a zero-sum exercise, is that none of my traffic goes through Mullvad this way.
The only observable change is that if I don't pass traffic to Mullvad, both Wireguard interfaces will handshake with their corresponding peer (Mullvad handshakes, but traffic still doesn't traverse the interface).
I've also found another post attempting the same thing, although it appears they have given up on this:
The WireGuard client to Mullvad must not install the default route, but its allowed IPs should be the whole internet (0.0.0.0/0).
Then, with policy routing (either pbr or rules/routes), you select which devices go via Mullvad towards the internet.
Everything looks right and seems to add up with what you guys are saying but my LAN and my phone (connected to the wgserver interface) reveal my IP rather than Mullvad's server.
My phone connects fine and interacts with the LAN mostly as desired (except for traffic passing to Mullvad), but now there seems to be an issue connecting to Mullvad. The interface will handshake, and the in/out packet counters suggest traffic is being passed, but only 1-2 packets are ever received while the transmitted count keeps climbing.
Run the same commands again to see how it looks. Also run this from the router: ping -c 10 Mullvad_Peer_IP
The 10.X.X.X IPs from Mullvad are private, so you don't need to redact them.
{
"kernel": "4.14.131",
"hostname": "OpenWrt",
"system": "Westmere E56xx\/L56xx\/X56xx (Nehalem-C)",
"model": "QEMU Standard PC (i440FX + PIIX, 1996)",
"board_name": "qemu-standard-pc-i440fx-piix-1996",
"release": {
"distribution": "OpenWrt",
"version": "18.06.4",
"revision": "r7808-ef686b7292",
"target": "x86\/64",
"description": "OpenWrt 18.06.4 r7808-ef686b7292"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc8:d553:0195::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'Mullvad'
option proto 'wireguard'
option private_key 'private key'
list addresses '10.70.43.89/32'
option auto '0'
config wireguard_Mullvad
option public_key 'public key'
list allowed_ips '0.0.0.0/0'
option endpoint_host '66.115.180.236'
option persistent_keepalive '25'
option endpoint_port '51820'
config wireguard_wgserver
option description 'Phone'
option public_key 'public key'
list allowed_ips '10.6.0.2/32'
config interface 'wgserver'
option proto 'wireguard'
option private_key 'private key'
list addresses '10.6.0.1/24'
option listen_port '61820'
uci: Entry not found
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
list server '193.138.218.74'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name '1600P'
option dns '1'
option mac '26:51:1B:4E:20:FB'
option leasetime 'infinite'
option ip '192.168.1.2'
config host
option name 'ubuntu'
option dns '1'
option mac '52:54:00:37:3A:2A'
option ip '192.168.1.3'
option leasetime 'infinite'
config domain
option name 'OpenWrt'
option ip '192.168.1.1'
config domain
option name '1600P'
option ip '192.168.1.2'
config domain
option name 'Ubuntu'
option ip '192.168.1.3'
config domain
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option forward 'REJECT'
option input 'REJECT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'Mullvad'
option output 'ACCEPT'
option network 'Mullvad'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
config rule
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '61820'
option name 'wgserver'
option enabled '1'
config forwarding
option dest 'Mullvad'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config zone
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option name 'wgserver'
option network 'wgserver'
config forwarding
option dest 'Mullvad'
option src 'wgserver'
config forwarding
option dest 'lan'
option src 'wgserver'
config forwarding
option dest 'wan'
option src 'wgserver'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package vpn-policy-routing
config vpn-policy-routing 'config'
list supported_interface ''
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_protocol_column '1'
option webui_enable_column '1'
option enabled '1'
option webui_sorting '1'
option webui_chain_column '1'
option verbosity '1'
option src_ipset '0'
option ipv6_enabled '0'
option strict_enforcement '0'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option name 'wgserver'
option interface 'Mullvad'
option src_addr '192.168.1.0/24'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 'WAN IP'/26 brd 'WAN broadcast' scope global eth1
valid_lft forever preferred_lft forever
30: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
32: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.6.0.1/24 brd 10.6.0.255 scope global wgserver
valid_lft forever preferred_lft forever
default via 167.88.88.193 dev eth1 table wan
10.6.0.0/24 dev wgserver table wan proto kernel scope link src 10.6.0.1
default via 'WAN Gateway' dev eth1 proto static src 'WAN IP'
10.6.0.0/24 dev wgserver proto kernel scope link src 10.6.0.1
66.115.180.236 via 'WAN Gateway' dev eth1 proto static
'WAN Gateway'/26 dev eth1 proto kernel scope link src 'WAN IP'
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.6.0.0 dev wgserver table local proto kernel scope link src 10.6.0.1
local 10.6.0.1 dev wgserver table local proto kernel scope host src 10.6.0.1
broadcast 10.6.0.255 dev wgserver table local proto kernel scope link src 10.6.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 'WAN Gateway' dev eth1 table local proto kernel scope link src 'WAN IP'
local 'WAN IP' dev eth1 table local proto kernel scope host src 'WAN IP'
broadcast 'WAN broadcast' dev eth1 table local proto kernel scope link src 'WAN IP'
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0: from all lookup local
32757: from all fwmark 0x10000/0xff0000 lookup wan
32766: from all lookup main
32767: from all lookup default
interface: wgserver
public key: 'public key'
private key: (hidden)
listening port: 61820
peer: 'public key'
endpoint: 'phone IP':10025
allowed ips: 10.6.0.2/32
latest handshake: 6 minutes, 55 seconds ago
transfer: 183.07 KiB received, 420.27 KiB sent
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx 1 root root 16 Jun 27 2019 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 32 Nov 10 15:32 /tmp/resolv.conf
-rw-r--r-- 1 root root 117 Nov 10 15:32 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 'ISP DNS server'
nameserver 'ISP DNS server'
nameserver 'Unfamiliar DNS server'
search hwccustomers.com
head: /tmp/resolv.*/*: No such file or directory
Ping results:
root@OpenWrt:~# ping -c 10 66.115.180.236
PING 66.115.180.236 (66.115.180.236): 56 data bytes
64 bytes from 66.115.180.236: seq=0 ttl=53 time=33.828 ms
64 bytes from 66.115.180.236: seq=1 ttl=53 time=34.783 ms
64 bytes from 66.115.180.236: seq=2 ttl=53 time=33.756 ms
64 bytes from 66.115.180.236: seq=3 ttl=53 time=33.947 ms
64 bytes from 66.115.180.236: seq=4 ttl=53 time=34.177 ms
64 bytes from 66.115.180.236: seq=5 ttl=53 time=33.768 ms
64 bytes from 66.115.180.236: seq=6 ttl=53 time=33.297 ms
64 bytes from 66.115.180.236: seq=7 ttl=53 time=33.351 ms
64 bytes from 66.115.180.236: seq=8 ttl=53 time=34.284 ms
64 bytes from 66.115.180.236: seq=9 ttl=53 time=33.572 ms
--- 66.115.180.236 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 33.297/33.876/34.783 ms
Left more things in the clear that I feel aren't too personal
root@OpenWrt:~# ping -c 10 10.70.43.89
PING 10.70.43.89 (10.70.43.89): 56 data bytes
64 bytes from 10.70.43.89: seq=0 ttl=64 time=0.077 ms
64 bytes from 10.70.43.89: seq=1 ttl=64 time=0.123 ms
64 bytes from 10.70.43.89: seq=2 ttl=64 time=0.122 ms
64 bytes from 10.70.43.89: seq=3 ttl=64 time=0.122 ms
64 bytes from 10.70.43.89: seq=4 ttl=64 time=0.137 ms
64 bytes from 10.70.43.89: seq=5 ttl=64 time=0.138 ms
64 bytes from 10.70.43.89: seq=6 ttl=64 time=0.120 ms
64 bytes from 10.70.43.89: seq=7 ttl=64 time=0.120 ms
64 bytes from 10.70.43.89: seq=8 ttl=64 time=0.120 ms
64 bytes from 10.70.43.89: seq=9 ttl=64 time=0.121 ms
--- 10.70.43.89 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.077/0.120/0.138 ms