Openwrt 23.05.5 wireguard vpn interface

I've installed the requisite software and configured a WireGuard interface with my ProtonVPN provider. I see zero bytes moving over the interface. Do I need to disable other interfaces on my router to "force" this to be used or set it as the default interface?

Seeing zero bytes may mean you're not getting a handshake.

Let's see your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr 'redacted'

config device
	option name 'lan2'
	option macaddr 'redacted'

config device
	option name 'lan3'
	option macaddr 'redacted'

config device
	option name 'lan4'
	option macaddr 'redacted'

config device
	option name 'lan5'
	option macaddr 'redacted'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr 'redacted'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '185.228.168.10'
	list dns '185.228.169.11'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'wgga316'
	option proto 'wireguard'
	option private_key 'redacted'
	list addresses '10.2.0.2/32'
	list dns 'redacted'
	list dns 'redacted'

config wireguard_wgga316
	option description 'wgaz149.conf'
	option public_key 'redacted'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'redacted'
	option endpoint_port '51820'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wgga316'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'

root@OpenWrt:~# wg show
interface: wgga316
  public key: redacted
  private key: (hidden)
  listening port: 48223

peer: redacted
  endpoint: redacted:51820
  allowed ips: 0.0.0.0/0

The wireguard network should not be in the lan firewall zone.

Remove it from the above and add it to either the wan firewall zone or create a new one for the WG interface (along with lan > wireguard forwarding).

It is generally recommended to use REJECT for input and forward. This isn't related to your issue, though.

This shows that you do not have a working handshake. Most frequently this is related to:

  • A key issue. Your private key and/or the public key of the peer may be incorrect.
  • Time. If your router doesn't have the correct time, the tunnel cannot start because of the fact that time is used in the encryption and an incorrect clock causes this whole process to fail.
  • Concurrent use on another device. If you have this WG configuration in use on another device (computer/phone/etc), you need to shut down that connection before you initiate the one from the router. Only one connection is allowed per peer config (defined by the keys and the IP address in the configuration).

What am I looking for in the wg show output to indicate a good handshake?

Something like this:

peer: REDACTED
  preshared key: (hidden)
  endpoint: REDACTED
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 27 seconds ago
  transfer: 4.25 GiB received, 4.25 GiB sent
  persistent keepalive: every 25 seconds
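The two replies above say where to look first: whether `wg show` reports a `latest handshake` at all, how old it is, and whether the router clock is sane. The following is an added example (not from the thread, OpenWrt or ProtonVPN) that automates that triage on the router from the machine-readable `wg show <iface> dump` output. The epoch floor for "clock never set" and the sample dumps are assumptions constructed for the example; the 180-second staleness threshold is WireGuard's REJECT_AFTER_TIME.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): triage a WireGuard peer on
# OpenWrt from `wg show <iface> dump` and sanity-check the router clock.

# Assumption: a clock earlier than 2024-01-01T00:00:00Z (epoch 1704067200)
# means NTP never ran. WireGuard handshakes carry a timestamp, so a clock
# far behind the peer's is refused and no handshake ever completes.
CLOCK_FLOOR=1704067200
# WireGuard rejects a session 180 s after its last handshake (REJECT_AFTER_TIME).
# An older "latest handshake" means the peer stopped answering; a fresh one
# (under about two minutes) is a live tunnel.
STALE_AFTER=180

# check_clock NOW -> prints clock-ok or clock-unset
check_clock() {
    if [ "$1" -lt "$CLOCK_FLOOR" ]; then
        echo clock-unset
    else
        echo clock-ok
    fi
}

# classify_peer DUMP NOW -> one line per peer: no-handshake, stale or ok
# DUMP is the text of `wg show <iface> dump`: line 1 is the interface
# (private key, public key, listen port, fwmark); each later line is a peer:
# public key, preshared key, endpoint, allowed ips, latest handshake
# (epoch seconds, 0 if never), rx bytes, tx bytes, persistent keepalive.
classify_peer() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v stale="$STALE_AFTER" '
        NR == 1 { next }
        $5 == 0 { print "no-handshake"; next }
        now - $5 > stale { print "stale"; next }
        { print "ok" }'
}

# triage IFACE -> run on the router against the live interface and clock
triage() {
    now=$(date +%s)
    check_clock "$now"
    classify_peer "$(wg show "$1" dump)" "$now"
}

# Constructed sample dumps (fake keys, documentation address), shaped like the
# `wg show wgga316 dump` output behind the two `wg show` listings in the thread.
SAMPLE_NO_HANDSHAKE=$(printf 'PRIVKEY\tPUBKEY\t48223\toff\nPEERKEY\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t0\t0\t0\toff\n')
SAMPLE_HANDSHAKE=$(printf 'PRIVKEY\tPUBKEY\t44683\toff\nPEERKEY\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1730000000\t127381504\t6585344\t25\n')

# Usage on the router: sh wg-triage.sh wgga316
if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

`no-handshake` with `clock-unset` points at the time cause; `no-handshake` with a correct clock points at the keys or at the same config being active on another device; `stale` means the tunnel did come up once and the endpoint has since stopped answering.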

I failed to apply two settings to the new interface. Pasting here in case it helps someone else:

In the Peers tab, click Edit next to the imported peer configuration, check the Route Allowed IPs option, and set Persistent Keep Alive to 25.

And I adjusted local time of my router, it was set to UTC. All followed by a reboot.

interface: wgga316
  public key: redacted
  private key: (hidden)
  listening port: 44683

peer: redacted
  endpoint: redacted
  allowed ips: 0.0.0.0/0
  latest handshake: 3 minutes, 25 seconds ago
  transfer: 121.48 MiB received, 6.28 MiB sent
  persistent keepalive: every 25 seconds

But I think I still need to work out my Firewall settings.

You're now getting a successful handshake.

Change input and forward on the wan firewall zone to REJECT.

Then post the updated firewall config:

cat /etc/config/firewall

You mentioned in previous reply I needed to have a lan to wireguard forwarding and it shows all interfaces kinda lumped together, is that correct? Or should I create a new wireguard zone?

# cat /etc/config/firewall 

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wgga316'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'

root@OpenWrt:~# 

That should work. Is the wg interface working as you expect?

I reckon everything seems to be showing me that it's working, but I expected my IP/location to be different when going to ip.me. Maybe I need to reboot my laptop.

There is one thing missing:

Add the following:

	option route_allowed_ips '1'

Then reboot the router and test again.

I don't have a wireguard zone, so would I put that option in my "config wan" zone section?

That option belongs in the peer config stanza of your wireguard interface (in the network file)

Gotcha, in /etc/config/network. The option was already in the network config file; it was set through the UI: in the Peers tab, click Edit next to the imported peer configuration, check the Route Allowed IPs option, and set Persistent Keep Alive to 25.

option route_allowed_ips '1'

OK... it wasn't there previously.

But since it's there, you should have a route through the wg interface.

Restart your router and test again.

When I go to https://dnsleaktest.com/ I get an IP from Arizona, which would match the ProtonVPN server WireGuard config I used, so that's good. The ProtonVPN-provided https://ip.me/ test site shows something much closer to home with an IPv6 "Your public IP address..."

You are only sending IPv4 through the tunnel.

If you want to send IPv6 through the tunnel, too, then add this to the peer stanza:

   list allowed_ips '::/0'
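Pulling the thread's fixes together, here is the dedicated-zone variant that an earlier reply offered as the alternative to putting the tunnel in the `wan` zone. This is an added example, not the poster's final config or anything ProtonVPN ships: it keeps the interface name `wgga316` from the thread, and the key and endpoint values are placeholders.

```
# /etc/config/network: the peer stanza with the three options the thread added
config wireguard_wgga316
	option description 'wgaz149.conf'
	option public_key 'PEER_PUBLIC_KEY'
	option endpoint_host 'ENDPOINT_HOST'
	option endpoint_port '51820'
	# install routes for every allowed_ips prefix through wgga316
	option route_allowed_ips '1'
	# keep the NAT/conntrack entry on the WAN side alive; shows as
	# "persistent keepalive: every 25 seconds" in wg show
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	# without this line IPv6 bypasses the tunnel, which is the ip.me result above
	list allowed_ips '::/0'

# /etc/config/firewall: own zone for the tunnel instead of listing it under wan.
# Remove 'wgga316' from the lan and wan zones when adding this.
config zone
	option name 'wg'
	list network 'wgga316'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# source-NAT LAN clients to the tunnel address 10.2.0.2, the only source
	# the VPN side accepts
	option masq '1'
	# clamp TCP MSS to the tunnel MTU so large packets do not stall
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wg'
```

Functionally this matches the `wan`-zone version in the thread; the separate zone only makes the rules easier to read and to restrict later. One design choice to be aware of: the existing `lan -> wan` forwarding stays, so if the tunnel drops, LAN traffic falls back to the plain WAN path. For a kill-switch behaviour, remove that forwarding and keep only `lan -> wg`; the endpoint itself still reaches the Internet because netifd installs a host route to the WireGuard endpoint via the WAN interface, which you can confirm with `ip route get ENDPOINT_IP` showing `dev eth1`.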