Need help with (policy based) routing

Thanks for taking a look.

Updated /etc/config/network:

config wireguard_VPN
        option route_allowed_ips '0'

config wireguard_wgserver
        option description 'Phone'
        option public_key 'vlmM99Hne2AI9sMuq01mH/tP9Glibs+y6mjinruPJg8='
        list allowed_ips '10.6.0.2/32'
        option route_allowed_ips '0'

No change in results whether the policy is enabled or disabled from the original post. That guide is what I primarily used to configure most of the settings, including editing /etc/sysctl.conf.

uci -q delete network.@wireguard_VPN[0]
uci set network.@wireguard_Mullvad[0].route_allowed_ips="0"
uci commit network
/etc/init.d/network restart

And create a policy to route all from LAN to VPN.

After your commands my traffic is now passing through the WAN rather than Mullvad and my phone will still not connect.

I am confused about the policy you are referring to. Create a PBR policy? Or is that for firewall zones? The only interfaces I have to choose from in the PBR policy are WAN and Mullvad.

I am trying to keep all of my traffic going through Mullvad as well as hosting a server: OpenWrt as a Wireguard client (to Mullvad) and Wireguard server (for roaming devices, i.e. my phone).

Just playing around with this more, if

route_allowed_ips="0"

on the Wireguard client (Mullvad) is set, I am able to connect to the wgserver. The final issue, which is really just a zero-sum, none of my traffic goes through Mullvad this way.

I have played around with https://docs.openwrt.melmac.net/vpn-policy-routing/#wireguard-tunnel

Routing Wireguard traffic may require setting net.ipv4.conf.wg0.rp_filter = 2 in /etc/sysctl.conf. Please refer to issue #41 for more details.

and followed the issue to read

net.ipv4.conf.default.rp_filter=2
net.ipv4.conf.all.rp_filter=2

The only observable change is that if I don't pass traffic to Mullvad, both Wireguard interfaces will handshake with their corresponding peer (Mullvad handshakes, still doesn't traverse the interface).

I've also found another post attempting the same thing, although it appears they have given up on this:

Yep, traffic from 192.168.1.0/24 route to Mullvad.

The wireguard client to Mullvad must not install the default route, but allowed IPs should be the whole internet (0.0.0.0/0)
Then with policy routing (either pbr or rules/routes) you will select which devices will go via Mullvad towards the internet.

1 Like

This is just so close to working!! I'm still running into the issue of nothing being passed to Mullvad.

Attached image of my PBR:

Everything looks right and seems to add up with what you guys are saying but my LAN and my phone (connected to the wgserver interface) reveal my IP rather than Mullvad's server.

Clear local and remote ports, specify protocol AUTO and chain PREROUTING.

1 Like

Still moving forward!

My phone connects fine and interacts with the LAN mostly as desired (except traffic passing to Mullvad), but now there seems to be an issue connecting to Mullvad. The interface will handshake but packets in and out are showing traffic being passed. Only 1-2 packets will be received; transmitted packets will continue to go up.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export vpn-policy-routing; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg show; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
1 Like
{
        "kernel": "4.14.131",
        "hostname": "OpenWrt",
        "system": "Westmere E56xx\/L56xx\/X56xx (Nehalem-C)",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.4",
                "revision": "r7808-ef686b7292",
                "target": "x86\/64",
                "description": "OpenWrt 18.06.4 r7808-ef686b7292"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc8:d553:0195::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'Mullvad'
        option proto 'wireguard'
        option private_key 'private key'
        list addresses '10.70.x.x/32'
        option auto '0'

config wireguard_Mullvad
        option public_key 'public key'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'WAN IP'
        option persistent_keepalive '25'
        option endpoint_port '51820'

config wireguard_wgserver
        option description 'Phone'
        option public_key 'public key'
        list allowed_ips '10.6.0.2/32'
        option route_allowed_ips '1'
        option endpoint_port '61820'

config interface 'wgserver'
        option proto 'wireguard'
        option private_key 'private key'
        list addresses '10.6.0.1/24'
        option listen_port '61820'

config route 'vpn'
        option interface 'lan'
        option target '10.6.0.0/24'
        option gateway '192.168.1.1'

config lan 'interface'

config 10.6.0.0/24 'target'

config 192.168.1.1 'gateway'

uci: Entry not found
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        list server 'Mullvad DNS server'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name '1600P'
        option dns '1'
        option mac 'mac address'
        option leasetime 'infinite'
        option ip '192.168.1.2'

config host
        option name 'ubuntu'
        option dns '1'
        option mac 'mac address'
        option ip '192.168.1.3'
        option leasetime 'infinite'

config domain
        option name 'OpenWrt'
        option ip '192.168.1.1'

config domain
        option name '1600P'
        option ip '192.168.1.2'

config domain
        option name 'Ubuntu'
        option ip '192.168.1.3'

config domain

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        option forward 'REJECT'
        option input 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'Mullvad'
        option output 'ACCEPT'
        option network 'Mullvad'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '61820'
        option name 'wgserver'
        option enabled '1'

config forwarding
        option dest 'Mullvad'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'wgserver'
        option masq '1'
        option network 'wgserver'

config forwarding
        option dest 'Mullvad'
        option src 'wgserver'

config forwarding
        option dest 'lan'
        option src 'wgserver'

config forwarding
        option dest 'wan'
        option src 'wgserver'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package vpn-policy-routing

config vpn-policy-routing 'config'
        list supported_interface ''
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_protocol_column '1'
        option webui_enable_column '1'
        option enabled '1'
        option webui_sorting '1'
        option webui_chain_column '1'
        option verbosity '1'
        option src_ipset '0'
        option ipv6_enabled '0'
        option strict_enforcement '0'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option name 'wgserver'
        option interface 'Mullvad'
        option src_addr '192.168.1.1/24'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 'WAN IP' brd 'WAN broadcast' scope global eth1
       valid_lft forever preferred_lft forever
21: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
28: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.6.0.1/24 brd 10.6.0.255 scope global wgserver
       valid_lft forever preferred_lft forever
default via 'WAN IP' dev eth1 table wan
default via 'WAN IP' dev eth1 proto static src 'WAN Gateway?'
10.6.0.0/24 via 192.168.1.1 dev br-lan proto static
10.6.0.0/24 dev wgserver proto kernel scope link src 10.6.0.1
10.6.0.2 dev wgserver proto static scope link
167.88.88.192/26 dev eth1 proto kernel scope link src 167.88.88.223
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.6.0.0 dev wgserver table local proto kernel scope link src 10.6.0.1
local 10.6.0.1 dev wgserver table local proto kernel scope host src 10.6.0.1
broadcast 10.6.0.255 dev wgserver table local proto kernel scope link src 10.6.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 'WAN IP' dev eth1 table local proto kernel scope link src 'WAN Gateway?'
local 'WAN IP' dev eth1 table local proto kernel scope host src 'WAN Gateway?'
broadcast 'WAN broadcast' dev eth1 table local proto kernel scope link src 'WAN IP'
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0:      from all lookup local
32765:  from all fwmark 0x10000/0xff0000 lookup wan
32766:  from all lookup main
32767:  from all lookup default
interface: wgserver
  public key: 'public key'
  private key: (hidden)
  listening port: 61820

peer: 'public key'
  endpoint: 'phone IP':10041
  allowed ips: 10.6.0.2/32
  latest handshake: 1 minute, 18 seconds ago
  transfer: 95.61 KiB received, 141.36 KiB sent
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Jun 27  2019 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Nov 10 14:47 /tmp/resolv.conf
-rw-r--r--    1 root     root           117 Nov 10 14:41 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 'WAN DNS server'
nameserver 'WAN DNS server'
nameserver 'Unfamiliar DNS server'
search hwccustomers.com
head: /tmp/resolv.*/*: No such file or directory

Also noticing inconsistent pings getting through on phone through VPN. Not sure if DNS issue or connectivity issue.

18.06.4 is a bit old, you should upgrade to 18.06.8 or 19.07.4

Don't use port for the phone peer.

Also you don't need to route the phone peer IP.

Remove the route.

I am not sure what this is exactly, but it looks like garbage.

Remove masquerade from wgserver zone.

The source address is wrong:
Either use 192.168.1.0/24 for the whole lan or 192.168.1.X/32 for a specific host.

1 Like
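The two points made above (peer allowed_ips of 0.0.0.0/0 with no default route installed in the main table, then a rule selecting which sources use the tunnel; and a source address that must be a network such as 192.168.1.0/24 rather than 192.168.1.1/24) can be expressed with plain netifd routes and rules instead of the PBR package. The following is an added example written for this thread, not code from the thread or from the vpn-policy-routing project. It assumes (not stated in the thread) that routing table 100 is unused, that the WireGuard client interface is named `Mullvad` with a single peer section, and that the LAN and wgserver subnets are 192.168.1.0/24 and 10.6.0.0/24. `normalize_cidr` reduces a host/prefix to its network address so the src_addr mistake is caught before it reaches uci; `pbr_uci_commands` only prints the uci commands, so they can be reviewed first and piped to `sh` to apply.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the "rules/routes" flavour
# of policy routing on an OpenWrt router whose WireGuard interfaces are
# managed by netifd.
# Assumed names (not from the thread): routing table 100 is unused, the
# WireGuard client interface is "Mullvad", and the LAN is 192.168.1.0/24.

# Reduce "host/prefix" to its network address, e.g. 192.168.1.1/24 -> 192.168.1.0/24.
# A host address with a wider mask (the src_addr mistake above) is rejected by
# some tools and silently widened by others, so canonicalise it first.
normalize_cidr() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" != "$1" ] || return 1            # no "/prefix" present
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Print (do not run) the uci commands for: peer allowed_ips 0.0.0.0/0 but no
# default route in the main table, a default route through the tunnel in a
# separate table, and a rule sending one source subnet to that table. Subnets
# listed after the table number (LAN, wgserver) keep using the main table so
# phone <-> LAN traffic is not pushed into the tunnel.
# Usage: pbr_uci_commands 192.168.1.0/24 Mullvad 100 192.168.1.0/24 10.6.0.0/24 | sh
pbr_uci_commands() {
    src=$(normalize_cidr "$1") || { echo "bad source CIDR: $1" >&2; return 1; }
    wgif=$2
    table=$3
    shift 3
    printf "uci set network.%s.auto='1'\n" "$wgif"
    printf "uci set network.@wireguard_%s[0].route_allowed_ips='0'\n" "$wgif"
    printf "uci add network route\n"
    printf "uci set network.@route[-1].interface='%s'\n" "$wgif"
    printf "uci set network.@route[-1].target='0.0.0.0/0'\n"
    printf "uci set network.@route[-1].table='%s'\n" "$table"
    for keep in "$@"; do
        dst=$(normalize_cidr "$keep") || { echo "bad local CIDR: $keep" >&2; return 1; }
        printf "uci add network rule\n"
        printf "uci set network.@rule[-1].dest='%s'\n" "$dst"
        printf "uci set network.@rule[-1].lookup='main'\n"
        printf "uci set network.@rule[-1].priority='100'\n"
    done
    printf "uci add network rule\n"
    printf "uci set network.@rule[-1].src='%s'\n" "$src"
    printf "uci set network.@rule[-1].lookup='%s'\n" "$table"
    printf "uci set network.@rule[-1].priority='200'\n"
    printf "uci commit network\n"
}

# When run directly with arguments, emit the plan for those arguments.
if [ $# -ge 3 ]; then
    pbr_uci_commands "$@"
fi
```

Run it twice (once with 192.168.1.0/24 and once with 10.6.0.0/24 as the source) to send both the LAN and the phone through the tunnel, then `/etc/init.d/network restart` and check with `ip -4 ru` and `ip route get 1 from 192.168.1.1`. The `auto='1'` line matters because the thread's config has `option auto '0'`, which keeps the Mullvad interface down until `ifup`. Replies from the tunnel arrive on a different interface than the main table would pick for the source, which is why the linked docs recommend `rp_filter = 2`.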

Connecting to Mullvad issues still remain. Entire LAN does not have internet if Mullvad interface is connected.

Phone connects and is passing traffic smoothly but isn't behind Mullvad (I assume it's related to the issue above..)

Mullvad interface shows handshake and TX packet counter is going up, RX packets remain low at 1-2.


I really appreciate all of your help in this!

Run again the same commands to see how it looks. Also run this from the router: ping -c 10 Mullvad_Peer_IP
The 10.X.X.X IPs from Mullvad are private, so you don't need to redact them.

1 Like
{
        "kernel": "4.14.131",
        "hostname": "OpenWrt",
        "system": "Westmere E56xx\/L56xx\/X56xx (Nehalem-C)",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.4",
                "revision": "r7808-ef686b7292",
                "target": "x86\/64",
                "description": "OpenWrt 18.06.4 r7808-ef686b7292"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc8:d553:0195::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'Mullvad'
        option proto 'wireguard'
        option private_key 'private key'
        list addresses '10.70.43.89/32'
        option auto '0'

config wireguard_Mullvad
        option public_key 'public key'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '66.115.180.236'
        option persistent_keepalive '25'
        option endpoint_port '51820'

config wireguard_wgserver
        option description 'Phone'
        option public_key 'public key'
        list allowed_ips '10.6.0.2/32'

config interface 'wgserver'
        option proto 'wireguard'
        option private_key 'private key'
        list addresses '10.6.0.1/24'
        option listen_port '61820'

uci: Entry not found
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        list server '193.138.218.74'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name '1600P'
        option dns '1'
        option mac '26:51:1B:4E:20:FB'
        option leasetime 'infinite'
        option ip '192.168.1.2'

config host
        option name 'ubuntu'
        option dns '1'
        option mac '52:54:00:37:3A:2A'
        option ip '192.168.1.3'
        option leasetime 'infinite'

config domain
        option name 'OpenWrt'
        option ip '192.168.1.1'

config domain
        option name '1600P'
        option ip '192.168.1.2'

config domain
        option name 'Ubuntu'
        option ip '192.168.1.3'

config domain

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        option forward 'REJECT'
        option input 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'Mullvad'
        option output 'ACCEPT'
        option network 'Mullvad'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '61820'
        option name 'wgserver'
        option enabled '1'

config forwarding
        option dest 'Mullvad'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'wgserver'
        option network 'wgserver'

config forwarding
        option dest 'Mullvad'
        option src 'wgserver'

config forwarding
        option dest 'lan'
        option src 'wgserver'

config forwarding
        option dest 'wan'
        option src 'wgserver'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package vpn-policy-routing

config vpn-policy-routing 'config'
        list supported_interface ''
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_protocol_column '1'
        option webui_enable_column '1'
        option enabled '1'
        option webui_sorting '1'
        option webui_chain_column '1'
        option verbosity '1'
        option src_ipset '0'
        option ipv6_enabled '0'
        option strict_enforcement '0'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option name 'wgserver'
        option interface 'Mullvad'
        option src_addr '192.168.1.0/24'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 'WAN IP'/26 brd 'WAN broadcast' scope global eth1
       valid_lft forever preferred_lft forever
30: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
32: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.6.0.1/24 brd 10.6.0.255 scope global wgserver
       valid_lft forever preferred_lft forever
default via 167.88.88.193 dev eth1 table wan
10.6.0.0/24 dev wgserver table wan proto kernel scope link src 10.6.0.1
default via 'WAN Gateway' dev eth1 proto static src 'WAN IP'
10.6.0.0/24 dev wgserver proto kernel scope link src 10.6.0.1
66.115.180.236 via 'WAN Gateway' dev eth1 proto static
'WAN Gateway'/26 dev eth1 proto kernel scope link src 'WAN IP'
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.6.0.0 dev wgserver table local proto kernel scope link src 10.6.0.1
local 10.6.0.1 dev wgserver table local proto kernel scope host src 10.6.0.1
broadcast 10.6.0.255 dev wgserver table local proto kernel scope link src 10.6.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 'WAN Gateway' dev eth1 table local proto kernel scope link src 'WAN IP'
local 'WAN IP' dev eth1 table local proto kernel scope host src 'WAN IP'
broadcast 'WAN broadcast' dev eth1 table local proto kernel scope link src 'WAN IP'
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0:      from all lookup local
32757:  from all fwmark 0x10000/0xff0000 lookup wan
32766:  from all lookup main
32767:  from all lookup default
interface: wgserver
  public key: 'public key'
  private key: (hidden)
  listening port: 61820

peer: 'public key'
  endpoint: 'phone IP':10025
  allowed ips: 10.6.0.2/32
  latest handshake: 6 minutes, 55 seconds ago
  transfer: 183.07 KiB received, 420.27 KiB sent
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Jun 27  2019 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Nov 10 15:32 /tmp/resolv.conf
-rw-r--r--    1 root     root           117 Nov 10 15:32 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 'ISP DNS server'
nameserver 'ISP DNS server'
nameserver 'Unfamiliar DNS server'
search hwccustomers.com
head: /tmp/resolv.*/*: No such file or directory

Ping results:

root@OpenWrt:~# ping -c 10 66.115.180.236
PING 66.115.180.236 (66.115.180.236): 56 data bytes
64 bytes from 66.115.180.236: seq=0 ttl=53 time=33.828 ms
64 bytes from 66.115.180.236: seq=1 ttl=53 time=34.783 ms
64 bytes from 66.115.180.236: seq=2 ttl=53 time=33.756 ms
64 bytes from 66.115.180.236: seq=3 ttl=53 time=33.947 ms
64 bytes from 66.115.180.236: seq=4 ttl=53 time=34.177 ms
64 bytes from 66.115.180.236: seq=5 ttl=53 time=33.768 ms
64 bytes from 66.115.180.236: seq=6 ttl=53 time=33.297 ms
64 bytes from 66.115.180.236: seq=7 ttl=53 time=33.351 ms
64 bytes from 66.115.180.236: seq=8 ttl=53 time=34.284 ms
64 bytes from 66.115.180.236: seq=9 ttl=53 time=33.572 ms

--- 66.115.180.236 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 33.297/33.876/34.783 ms

Left more things in the clear that I feel aren't too personal

Ping the peer IP of Mullvad, not the endpoint IP. It must be 10.something

Sorry!

root@OpenWrt:~# ping -c 10 10.70.43.89
PING 10.70.43.89 (10.70.43.89): 56 data bytes
64 bytes from 10.70.43.89: seq=0 ttl=64 time=0.077 ms
64 bytes from 10.70.43.89: seq=1 ttl=64 time=0.123 ms
64 bytes from 10.70.43.89: seq=2 ttl=64 time=0.122 ms
64 bytes from 10.70.43.89: seq=3 ttl=64 time=0.122 ms
64 bytes from 10.70.43.89: seq=4 ttl=64 time=0.137 ms
64 bytes from 10.70.43.89: seq=5 ttl=64 time=0.138 ms
64 bytes from 10.70.43.89: seq=6 ttl=64 time=0.120 ms
64 bytes from 10.70.43.89: seq=7 ttl=64 time=0.120 ms
64 bytes from 10.70.43.89: seq=8 ttl=64 time=0.120 ms
64 bytes from 10.70.43.89: seq=9 ttl=64 time=0.121 ms

--- 10.70.43.89 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.077/0.120/0.138 ms

This is the tunnel IP from your side. Bring the tunnel up and ping the Mullvad peer IP.

I don't see any other 10.x.x.x IP for the Mullvad interface. Just mine, and the peer endpoint.

ifup Mullvad; sleep 10; wg show Mullvad; ip route get 1 from 192.168.1.1
1 Like