NordLynx wireguard openwrt with dedicated AP

Dears,
In parallel with what I previously did with OpenVPN, I've been trying to set up NordVPN WireGuard on OpenWrt, but I cannot manage to make it work:

config policy
        option name 'ipinfo wg test'
        option src_addr '192.168.7.0/24'
        option interface 'nordvpntun'
        option enabled '0'

config policy
        option name 'wireguard test'
        option src_addr '192.168.7.0/24'
        option interface 'wgvpn'

config interface 'Slan'
        option proto 'static'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'
        option device 'phy0-ap1'
        option type 'bridge'

config device
        option name 'phy1-ap1'

config interface 'wgvpn'
        option proto 'wireguard'
        option private_key '**************************************'
        list dns '103.86.96.100'
        list addresses '192.168.7.0/24'

config wireguard_wgvpn
        option description 'Imported peer configuration'
        option public_key '0sAxvVg+N0it7/I4PzWdJdtKY66diiuTsXEfYGThKjg='
        option persistent_keepalive '25'
        option endpoint_host 'al50.nordvpn.com'
        option endpoint_port '51820'
        list allowed_ips '192.168.7.0/24'

How can I fix It?
Thanks

I would first do some housekeeping :)

Delete the following:

Add:

config device
        option type 'bridge'
        option name 'br-Slan'
        option bridge_empty '1'

Change the Slan interface stanza to:

config interface 'Slan'
        option proto 'static'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'
        option device 'br-Slan'

In the wireless config, add this to the radio you want to use for Slan:

option network 'Slan'

Next on to your WireGuard:
Remove all this:

Disable PBR, then reboot and test your config.

Then simply import the config file from Nord. By default Route Allowed IPs is not enabled, but you can check with wg show whether there is a connection and traffic both ways.

If that is the case you can enable PBR again and make a policy.

If that does not help, then please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show

Dear,
WireGuard VPN is working when allowed IPs is set to 0.0.0.0/24 and the firewall is configured correctly. The problem is when I try to set a specific IP or specific subnets.
ubus call system board

{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:4",
        "model": "TP-Link Archer AX23 v1",
        "board_name": "tplink,archer-ax23-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd19:7224:10a1::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option type 'bridge'

config interface 'nordvpntun'
        option proto 'none'
        option device 'tun0'

config device
        option name 'wan'

config interface 'Slan'
        option proto 'static'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'
        option device 'phy0-ap1'
        option type 'bridge'

config interface 'wgvpn'
        option proto 'wireguard'
        option private_key '...'
        list addresses '10.5.0.2/16'
        list dns '103.86.96.100'

config wireguard_wgvpn
        option description 'Imported peer configuration'
        option public_key '0sAxvVg+N0it7/I4PzWdJdtKY66diiuTsXEfYGThKjg='
        option persistent_keepalive '25'
        option endpoint_host 'al42.nordvpn.com'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '192.168.10.0/24'
        list allowed_ips '0.0.0.0/24'

config interface 'slan2'
        option proto 'static'
        option device 'phy0-ap2'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel 'auto'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key ''

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'IT'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key ''



config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrtVPN2.4'
        option encryption 'psk2'
        option key ''
        option network 'Slan'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt -wg'
        option encryption 'psk2'
        option key ''
        option network 'slan2'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option ip '192.168.1.243'
        option mac '...'

config host
        option name 'DESKTOP-6S2AODT'
        option ip '192.168.1.159'
        option mac '....'

config dhcp 'Slan'
        option interface 'Slan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'slan2'
        option interface 'slan2'
        option start '100'
        option limit '150'
        option leasetime '12h'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'fw1'
        option src 'wan'
        option src_dport '3478-3480'
        option dest_ip '192.168.1.243'

config redirect
        option dest 'lan'
        option target 'DNAT'
        list proto 'udp'
        option src 'wan'
        option src_dport '3074'
        option dest_ip '192.168.1.243'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config zone
        option name 'slan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Slan'

config forwarding
        option src 'slan'
        option dest 'wan'

config forwarding
        option src 'slan'
        option dest 'lan'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

config forwarding
        option src 'vpn'
        option dest 'slan'

config forwarding
        option src 'slan'
        option dest 'vpn'

config zone
        option name 'openlynx'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wgvpn'

config forwarding
        option src 'lan'
        option dest 'openlynx'

config zone
        option name 'slan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'slan2'

config forwarding
        option src 'lan'
        option dest 'slan2'

config forwarding
        option src 'slan2'
        option dest 'lan'

config forwarding
        option src 'slan2'
        option dest 'openlynx'

config forwarding
        option src 'openlynx'
        option dest 'slan2'

ip route show

0.0.0.0/24 dev wgvpn proto static scope link
default via 192.168.178.1 dev wan proto static src 192.168.178.20
10.5.0.0/16 dev wgvpn proto kernel scope link src 10.5.0.2
87.120.102.99 via 192.168.178.1 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.7.0/24 dev phy0-ap1 proto kernel scope link src 192.168.7.1
192.168.10.0/24 dev wgvpn proto static scope link
192.168.178.0/24 dev wan proto kernel scope link src 192.168.178.20

ip route show table all

default via 192.168.178.1 dev wan table pbr_wan
192.168.1.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.1.1
192.168.7.0/24 dev phy0-ap1 table pbr_wan proto kernel scope link src 192.168.7.1
unreachable default table pbr_nordvpntun
192.168.1.0/24 dev br-lan table pbr_nordvpntun proto kernel scope link src 192.168.1.1
192.168.7.0/24 dev phy0-ap1 table pbr_nordvpntun proto kernel scope link src 192.168.7.1
default via 10.5.0.2 dev wgvpn table pbr_wgvpn
192.168.1.0/24 dev br-lan table pbr_wgvpn proto kernel scope link src 192.168.1.1
192.168.7.0/24 dev phy0-ap1 table pbr_wgvpn proto kernel scope link src 192.168.7.1
0.0.0.0/24 dev wgvpn proto static scope link
default via 192.168.178.1 dev wan proto static src 192.168.178.20
10.5.0.0/16 dev wgvpn proto kernel scope link src 10.5.0.2
87.120.102.99 via 192.168.178.1 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.7.0/24 dev phy0-ap1 proto kernel scope link src 192.168.7.1
192.168.10.0/24 dev wgvpn proto static scope link
192.168.178.0/24 dev wan proto kernel scope link src 192.168.178.20
local 10.5.0.2 dev wgvpn table local proto kernel scope host src 10.5.0.2
broadcast 10.5.255.255 dev wgvpn table local proto kernel scope link src 10.5.0.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.7.1 dev phy0-ap1 table local proto kernel scope host src 192.168.7.1
broadcast 192.168.7.255 dev phy0-ap1 table local proto kernel scope link src 192.168.7.1
local 192.168.10.1 dev phy0-ap2 table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev phy0-ap2 table local proto kernel scope link src 192.168.10.1
local 192.168.178.20 dev wan table local proto kernel scope host src 192.168.178.20
broadcast 192.168.178.255 dev wan table local proto kernel scope link src 192.168.178.20
fd19:7224:10a1::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd19:7224:10a1::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap1 proto kernel metric 256 pref medium
fe80::/64 dev phy1-ap0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap2 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev ifb4br-lan proto kernel metric 256 pref medium
fe80::/64 dev ifb4phy0-ap1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd19:7224:10a1:: dev br-lan table local proto kernel metric 0 pref medium
local fd19:7224:10a1::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap1 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy1-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap2 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4phy0-ap1 table local proto kernel metric 0 pref medium
local fe80::4:48ff:fef3:36d3 dev ifb4phy0-ap1 table local proto kernel metric 0 pref medium
local fe80::3852:a1ff:feb3:ac5e dev phy0-ap2 table local proto kernel metric 0 pref medium
local fe80::3c52:a1ff:feb3:ac5e dev phy0-ap1 table local proto kernel metric 0 pref medium
local fe80::3e52:a1ff:feb3:ac5d dev phy1-ap0 table local proto kernel metric 0 pref medium
local fe80::3e52:a1ff:feb3:ac5e dev phy0-ap0 table local proto kernel metric 0 pref medium
local fe80::3e52:a1ff:feb3:ac5e dev br-lan table local proto kernel metric 0 pref medium
local fe80::3e52:a1ff:feb3:ac5e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3e52:a1ff:feb3:ac5f dev wan table local proto kernel metric 0 pref medium
local fe80::b8b6:53ff:fee3:edbf dev ifb4br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy1-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wgvpn table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ifb4br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ifb4phy0-ap1 table local proto kernel metric 256 pref medium

ip rule show

0:      from all lookup local
29996:  from all fwmark 0x30000/0xff0000 lookup pbr_wgvpn
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_nordvpntun
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default

wg show

interface: wgvpn
  public key: WpEiMK8K/cMffpSokfwRRmiSVWi9EA+mdXMiCgaExh8=
  private key: (hidden)
  listening port: 37446

peer: 0sAxvVg+N0it7/I4PzWdJdtKY66diiuTsXEfYGThKjg=
  endpoint: 87.120.102.99:51820
  allowed ips: 192.168.10.0/24, 0.0.0.0/24
  latest handshake: 1 minute, 45 seconds ago
  transfer: 3.00 KiB received, 480.06 KiB sent
  persistent keepalive: every 25 seconds

You should use 0.0.0.0/0 as allowed_ips

And remove this
list allowed_ips '192.168.10.0/24'

Dear,
When I do this, 192.168.1.0/24 works perfectly over the WireGuard tunnel, but that's not the objective. I want to split-tunnel only the 192.168.10.0/24 subnet over WireGuard. When I set it up like that I get "Absent Connection" on the 192.168.10.0/24 subnet.

You should use only 0.0.0.0/0 as allowed ips.

Disable route_allowed_ips so that there is no default route, and then use pbr to set the source IPs or the whole subnet you want to use the WireGuard tunnel; see the readme of pbr.
When you are done setting up, reboot to get everything going.

Dear, thank you, I will try ASAP.
The PBR policy should be something like 192.168.10.0/24 -> WireGuard interface (pre-routing)?

First try with your main LAN, e.g. a pbr rule 192.168.1.0/24 via wgvpn.

I have doubts about your other interfaces, as they contain option device 'phy0-ap2', which does not look good.

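Pulling the advice of this thread together (the housekeeping reply about declaring the bridge as a config device, and the later replies about 0.0.0.0/0, route_allowed_ips and a pbr policy), here is an added example that is not part of any post above: a small POSIX sh + awk lint that reads an OpenWrt /etc/config/network fragment and flags the mistakes the replies point at, followed by the corrected stanzas and the pbr policy for slan2. The two sample configs inside are constructed from the posted ones with keys replaced by placeholders; the policy name 'slan2 via wgvpn' is an assumption. The lint also catches `list allowed_ips '192.168.10.0/24'`: AllowedIPs is WireGuard's cryptokey routing table, the set of destinations handed to that peer, so listing your own slan2 subnet tells the kernel to send slan2-bound traffic into the tunnel, which is the `192.168.10.0/24 dev wgvpn proto static` route visible in the ip route show output above.

```sh
#!/bin/sh
# Added example, not from the thread: lint an OpenWrt /etc/config/network fragment for the
# mistakes the replies above point at, then print the corrected stanzas. POSIX sh + awk only,
# so it also runs on the router; pipe a real file through lint_network_config to check it.
# Both sample configs are constructed from the posted ones, keys replaced by placeholders.
# Constructed copy of the posted config (condensed, redacted).
broken_cfg() {
cat <<'EOF'
config interface 'Slan'
        option proto 'static'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'
        option device 'phy0-ap1'
        option type 'bridge'

config interface 'slan2'
        option device 'phy0-ap2'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config wireguard_wgvpn
        option public_key 'REDACTED'
        option endpoint_host 'al42.nordvpn.com'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '192.168.10.0/24'
        list allowed_ips '0.0.0.0/24'
EOF
}

# Stanzas that change: bridge declared as a device, peer may carry any IPv4 destination
# but installs no route into table main, pbr decides which subnet uses the tunnel.
fixed_cfg() {
cat <<'EOF'
config device
        option type 'bridge'
        option name 'br-Slan'
        option bridge_empty '1'

config interface 'Slan'
        option proto 'static'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'
        option device 'br-Slan'

config wireguard_wgvpn
        option public_key 'REDACTED'
        option endpoint_host 'al42.nordvpn.com'
        option endpoint_port '51820'
        option route_allowed_ips '0'
        list allowed_ips '0.0.0.0/0'
EOF
}

# /etc/config/pbr policy: only slan2 is steered into wgvpn (policy name is an assumption).
pbr_policy() {
cat <<'EOF'
config policy
        option name 'slan2 via wgvpn'
        option src_addr '192.168.10.0/24'
        option interface 'wgvpn'
EOF
}

# Lint: reads a UCI network config on stdin and prints one finding per line.
lint_network_config() {
tr -d "'" | awk '
function ip2n(s,  a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
function netof(n, h) { return n - (n % h) }      # h = number of host addresses in the block
$1 == "config" { n++; type[n] = $2; name[n] = $3; next }
$1 == "option" { opt[n, $2] = $3; next }
$1 == "list" && $2 == "allowed_ips" { allowed[n] = allowed[n] " " $3; next }
END {
  for (i = 1; i <= n; i++)                       # pass 1: local IPv4 subnets of static interfaces
    if (type[i] == "interface" && (i, "ipaddr") in opt && (i, "netmask") in opt) {
      h = 4294967296 - ip2n(opt[i, "netmask"]); k++
      lh[k] = h; lnet[k] = netof(ip2n(opt[i, "ipaddr"]), h); lname[k] = name[i]
    }
  for (i = 1; i <= n; i++) {                     # pass 2: findings
    if (type[i] == "interface" && opt[i, "type"] == "bridge")
      printf "interface %s: option type bridge on an interface is legacy syntax; declare a config device of type bridge (br-%s) and point option device at it\n", name[i], name[i]
    if (type[i] !~ /^wireguard_/) continue
    m = split(allowed[i], al, " ")
    for (j = 1; j <= m; j++) {
      split(al[j], p, "/"); h = 2 ^ (32 - p[2]); net = netof(ip2n(p[1]), h)
      if (al[j] == "0.0.0.0/24")
        printf "%s: allowed_ips 0.0.0.0/24 covers only 0.0.0.0-0.0.0.255; a full tunnel needs 0.0.0.0/0, any other destination matches no peer and is dropped\n", type[i]
      for (q = 1; q <= k; q++) if (net == lnet[q] && h == lh[q])
        printf "%s: allowed_ips %s is the local subnet of interface %s; AllowedIPs selects destinations handed to the peer, not sources, and with route_allowed_ips it steals that route from the LAN device\n", type[i], al[j], lname[q]
      if (al[j] ~ /^0\.0\.0\.0\// && opt[i, "route_allowed_ips"] == "1")
        printf "%s: route_allowed_ips 1 with %s moves the default route of the whole router into the tunnel; set it to 0 and steer subnets with pbr\n", type[i], al[j]
    }
  }
}'
}
count_findings() { "$1" | lint_network_config | awk 'END { print NR }'; }
echo "== findings in the posted config =="; broken_cfg | lint_network_config
echo "== findings after the fix =="; fixed_cfg | lint_network_config
echo "== pbr policy =="; pbr_policy
```

To check a real router, drop the three demo lines at the bottom and run `lint_network_config < /etc/config/network`. One property of the posted firewall worth keeping when PBR is enabled: zone slan2 forwards only to lan and openlynx, not to wan, so if the tunnel is down slan2 clients lose connectivity instead of leaking out of the WAN; adding a forwarding from slan2 to wan would undo that.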

Works like a charm. I think the problem derived from route_allowed_ips. Thank you so much!

