If it matters, I run LAN-to-WAN from the Nighthawk to the OpenWrt router.
I want my OpenWrt router to route ALL traffic from devices connected to it through the WireGuard tunnel. I am using Mullvad as the WireGuard provider, if that matters.
I am getting NO WireGuard handshake, and no internet while it is attempting to connect.
I have looked at a million other threads and have been trying for about a week to figure it out on my own; now it's time to phone a friend.
Here are my network and firewall configs:
# /etc/config/network (first post): base interfaces, as posted.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc8:7143:884f::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
# NOTE(review): a gateway on the lan interface is unusual here. 192.168.3.1 is
# not inside lan's 192.168.2.0/24, and the wan interface below is proto dhcp and
# would normally supply the default route. Confirm this line is intended; it is
# absent from the later, freshly-reset config in this thread.
option gateway '192.168.3.1'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '3 4 0'
# WireGuard client interface (first post).
config interface 'WGINTERFACE'
option proto 'wireguard'
# Redacted in the post; this is the only secret in the file.
option private_key 'REDACTED PRIVATE KEY'
# Local UDP port. A client that dials a fixed endpoint does not need this port
# reachable from the wan side (compare the 'WG' rule in the firewall file).
option listen_port '51820'
list addresses '10.68.128.116/32'
list addresses 'fc00:bbbb:bbbb:bb01::5:8073/128'
option force_link '1'
# Peer: with route_allowed_ips set, 0.0.0.0/0 and ::0/0 are routed into the
# tunnel, i.e. all IPv4 and IPv6 traffic.
config wireguard_WGINTERFACE
option description 'Mullvad Server #redacted'
option public_key 'REDACTED PUBLIC KEY FOR MULLVAD SERVER'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option route_allowed_ips '1'
# Endpoint is a literal IP, so the handshake does not depend on DNS resolution.
option endpoint_host '193.27.13.114'
option endpoint_port '51820'
option persistent_keepalive '25'
# NOTE(review): this static default route duplicates what route_allowed_ips
# above already installs; a later reply in this thread recommends removing it.
config route
option interface 'WGINTERFACE'
option target '0.0.0.0'
option netmask '0.0.0.0'
root@OpenWrt:~# cat /etc/config/firewall
# /etc/config/firewall (first post): defaults and the lan/wan zones.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
# Inter-zone forwarding is denied unless a 'config forwarding' entry allows it.
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# NOTE(review): no 'option masq' on the wan zone (the stock OpenWrt wan zone
# enables it). Without it, lan traffic forwarded to wan leaves with its private
# 192.168.2.x source address; confirm this is intentional.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
# Stock OpenWrt inbound rules for the wan zone (DHCP renew, ping, IGMP, DHCPv6,
# MLD, ICMPv6), unchanged from the defaults.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two IPsec passthrough rules forward ESP and UDP/500 from wan into every
# lan host. WireGuard uses neither, so they are not needed for this tunnel.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Disabled (enabled '0').
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
# Dedicated zone for the tunnel: lan traffic is masqueraded behind the tunnel
# address, nothing may come in from the tunnel to the router itself.
config zone
option name 'WGZONE'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WGINTERFACE'
# lan -> tunnel: required for lan traffic routed into WGINTERFACE to be forwarded.
config forwarding
option src 'lan'
option dest 'WGZONE'
# NOTE(review): accepts UDP 51820 from the wan zone to the router itself. The
# tunnel is client-initiated (fixed endpoint, persistent_keepalive), so the
# handshake needs no inbound rule; this only makes the listen port reachable
# from wan.
config rule
option name 'WG'
list proto 'udp'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'
# NOTE(review): lan -> wan stays open next to lan -> WGZONE, so lan traffic can
# still leave directly via wan whenever it is not routed into the tunnel (no
# kill switch). A later reply in this thread asks for this entry to be removed.
config forwarding
option src 'lan'
option dest 'wan'
I have OpenWrt WireGuard client routers (19.07.07 & 21.02.0) behind an ISP-facing LEDE 17 router, and they work fine provided the VPN provider does not expire the keys I am using! I'm not with Mullvad.
The make and model of my OpenWrt router is a GL-iNet B1300, the Convexa B. I had trouble with the modded OpenWrt they had on the router, so I flashed vanilla OpenWrt, only to have the same issues.
I had heard that time was important, and read that I should be syncing the clock on every fresh boot, but that doesn't help anything connect.
Is it possible to configure the OpenWrt router to connect directly to your ISP router (bridge mode)?
i.e. temporarily bypass the Netgear router?
I presume there are no issues connecting to Mullvad using any other device (e.g. phone, laptop) running a WireGuard client connected to your Netgear router.
Yes, WireGuard successfully connects if I use the PC directly.
I couldn't figure out how to get my device to get any internet at all, even without WireGuard, while connected to the bridge. I did discover the bridge had an IP of 192.168.0.1, which Mullvad frowns upon, so I changed it to a non-conflicting address.
I did more digging and here is some new information that may help:
My Nighthawk gives my OpenWrt an IP, which I have locked to a static 192.168.3.2, AND I have also put that address into the DMZ of my Nighthawk. None of this seems to help my OpenWrt handshake with WireGuard.
As for the Windows PC, I can connect to the same server using the Mullvad app, AND I can even connect using the exact same config that is not handshaking on the router, using the WireGuard app on my PC.
I don't think it makes any difference, but can you remove the above zone forwarding entry for LAN to WAN, so it matches what is displayed on the Mullvad wiki?
There may also be an error on the Mullvad wiki page with regard to the 'wan' interface settings - see above. The error shouldn't affect the WireGuard interface though.
I tested the Mullvad config info you PMed to me and can confirm it works on my IPQ4018-based Linksys EA6350v3 running 21.02.0-rc3, with its WAN port wired to a LAN port of my ISP-facing HH5A modem-router running LEDE 17.01.6. I've PMed the results to you.
How is the OpenWrt router connected to the upstream router? Are you using the WAN port on the OpenWrt router to connect to a LAN port on the Nighthawk?
I got the OpenWrt box connected directly to my ISP's box just to rule out the Netgear Nighthawk causing problems. I then fully reset OpenWrt and started from scratch. Internet functioned before turning on WireGuard; internet stops functioning and there is no handshake while attempting WireGuard. I verified the credentials and tried with two new configs just to be certain. No handshake.
Can you post your latest config files (network and firewall)? Looking at your earlier ones, the network file looks good, but I see that the WGINTERFACE network is actually connected to 2 zones. It should be in only one zone... either WAN or a dedicated zone for WG, and masquerading should be enabled.
EDIT: I just noticed that you have a static route defined. This should be removed.... the best thing, though, is to see the latest version of the files before recommending any changes.
Here are the latest config files, as I did a completely clean wipe of the box and started fresh with instructions from bill888.
I have internet functioning fine until I attempt to connect the WireGuard interface; then I lose internet, and no handshake occurs. If it helps, I also get 100% packet loss when WireGuard is set up.
# /etc/config/network (second post, after a clean reset).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdad:7e63:2e4b::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
# Static resolver for lan; presumably the VPN provider's. NOTE(review): verify
# it is reachable through the tunnel once the tunnel carries the default route,
# otherwise name resolution fails even when the tunnel itself is up.
list dns '193.138.218.74'
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
# '*' is understood as "send the system hostname in DHCP requests" — verify.
option hostname '*'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
# auto '0': wan6 is not brought up automatically.
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '3 4 0'
# WireGuard client interface (second post). There is no static 'config route'
# this time, matching the advice given earlier in the thread.
config interface 'WGINTERFACE'
option proto 'wireguard'
option force_link '1'
option private_key 'redacted'
# Only an IPv4 tunnel address now, while the peer below still routes ::0/0 into
# the tunnel; IPv6 traffic entering the tunnel has no source address to use.
list addresses '10.68.164.94/32'
# NOTE(review): listen_port and endpoint_port both read 51280 here, whereas the
# first post used 51820. The local listen_port is harmless either way, but an
# endpoint_port that does not match the server's port would leave the handshake
# unanswered — confirm both values against the provider-issued config.
option listen_port '51280'
config wireguard_WGINTERFACE
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option route_allowed_ips '1'
option persistent_keepalive '25'
option public_key 'redacted'
# Literal endpoint IP, so no DNS lookup is needed for the handshake.
option endpoint_host '193.27.13.130'
option description '145'
option endpoint_port '51280'
# /etc/config/firewall (second post): defaults and the lan/wan zones.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
# Inter-zone forwarding is denied unless a 'config forwarding' entry allows it.
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# NOTE(review): as in the first post, the wan zone has no 'option masq'; this
# time 'option mtu_fix' is missing too (the first post had it). Confirm both are
# intentional rather than lost in the reset.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# Stock OpenWrt inbound rules for the wan zone (DHCP renew, ping, IGMP, DHCPv6,
# MLD, ICMPv6), unchanged from the defaults.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two IPsec passthrough rules forward ESP and UDP/500 from wan into every
# lan host. WireGuard uses neither, so they are not needed for this tunnel.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Disabled (enabled 'false').
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
# Dedicated tunnel zone, same shape as in the first post.
config zone
option name 'WGZONE'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WGINTERFACE'
# NOTE(review): the only forwarding left is lan -> wan; the lan -> WGZONE entry
# from the first post is gone. With defaults forward 'REJECT', lan traffic that
# the tunnel route sends into WGINTERFACE is rejected at the forward chain,
# which fits the "lose internet once WireGuard is up" symptom. It does not
# explain the missing handshake, which the router itself originates (output
# ACCEPT). Keeping lan -> wan also means lan traffic bypasses the tunnel whenever
# the tunnel route is absent (no kill switch).
config forwarding
option src 'lan'
option dest 'wan'