I have OpenWrt 24.10.4 running on a Raspberry Pi 1, which is set up as an always-on VPN router (the wg0 interface connects to a remote WireGuard server).
The remote WireGuard VPN server is reachable only over IPv6.
I also have Tailscale installed on this router; its traffic should not go through the VPN, so that I can still reach the router remotely.
The topology is:
Main gateway router -> Raspberry Pi 1 eth1 (USB-to-Ethernet adapter), which provides the Pi's internet uplink.
Raspberry Pi 1 eth0 -> connected to a dumb AP.
All clients connect to the dumb AP and are supposed to go out via the VPN.
The issue is:
Sometimes these clients reach the internet directly, bypassing the VPN (confirmed by checking the public IP address at https://whatismyipaddress.com/).
But when this happens, running `curl -s https://ipinfo.io` on the OpenWrt VPN router itself clearly shows that the router's own traffic went via the VPN:
root@OpenWrtVPN:~# curl -s https://ipinfo.io
{
"ip": "xx.xxxx.xxx.xx",
"hostname": "xx.206.xxx.44.xxxxxxx",
"city": "xxxx",
"region": "xxxx",
"country": "IN",
"loc": "xx.xxxx,xx.xxxxx",
"org": "xxxxxxx",
"postal": "xxxxx",
"timezone": "Asia/Kolkata",
"readme": "https://ipinfo.io/missingauth"
}
I am posting my configs below; I would appreciate help understanding what might be happening.
root@OpenWrtVPN:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd06:1444:9b29::/48'
option packet_steering '1'
# br-lan bridges only eth0 (the dumb-AP side).
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
# ip6assign hands LAN clients an IPv6 prefix. NOTE(review): presumably this
# includes any prefix wan6 obtains from the upstream gateway; if that prefix is
# globally routable, clients get public IPv6 addresses and IPv6 traffic will
# only stay inside the tunnel if the IPv6 default route really points at wg0.
option ip6assign '60'
# Upstream uplink on eth1; metric 100 so the wg0 default (metric 10) wins
# while wg0 is up (see 'ip route show' output below).
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
option metric '100'
config interface 'wg0'
option proto 'wireguard'
option private_key 'xxx+xx/xx/xx='
option metric '10'
# NOTE(review): '::1' is the router's own loopback. Confirm a resolver actually
# listens there; if not, client DNS may be answered by the upstream (WAN)
# resolver, which is a separate leak path from the traffic itself.
list dns '::1'
# NOTE(review): 'failover' is not an option I recognise for proto wireguard;
# UCI silently ignores unknown options, so verify it against the 24.10 docs.
option failover '1'
list addresses '10.104.203.13/24'
list addresses 'fd11:5ee:bad:c0de::a68:cb0d/64'
config wireguard_wg0
option public_key 'xx/xx/xx+yY='
option preshared_key 'xxx+1c='
option endpoint_host 'vpn.xxx.freeddns.org'
option endpoint_port '51820'
# route_allowed_ips + 0.0.0.0/0 and ::/0 install default routes for both
# families via wg0. The endpoint itself is IPv6-only (stated above), so the
# endpoint host must be reached over wan6 outside the tunnel.
# NOTE(review): the posted 'ip route show' is IPv4 only; check 'ip -6 route'
# as well, both for the host route to the endpoint and for a default via wg0.
# Sites such as whatismyipaddress.com tend to report the IPv6 address when the
# client has one, so an IPv6-only leak would look exactly like the symptom
# described while an IPv4 'curl' from the router still shows the VPN address.
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
# wan6 runs DHCPv6 on the same device as wan ('@wan') and asks for a delegated
# prefix. NOTE(review): if the upstream delegates a global prefix, see the
# ip6assign note on 'lan' above.
config interface 'wan6'
option proto 'dhcpv6'
option reqprefix 'auto'
option device '@wan'
root@OpenWrtVPN:~# cat /etc/config/firewall
# Global defaults: unsolicited input and forwarding are rejected unless a zone
# or rule below opens them.
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone also contains tailscale0, so Tailscale peers get the same access as
# wired LAN clients: full input to the router and the lan->vpn / lan->wan
# forwardings below.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tailscale0'
# NOTE(review): input 'ACCEPT' on the wan zone accepts every unsolicited
# connection from both wan and wan6. 'wan' here is the home LAN behind the
# main gateway, but wan6 may carry a globally routable IPv6 address, in which
# case every service on this router (SSH, LuCI, ...) is reachable from the
# IPv6 internet. The stock default is REJECT; with REJECT the Allow-* rules
# and the redirects below are what actually open ports, and they are all
# redundant while input is ACCEPT.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# masq '1' NATs anything forwarded out via eth1, so traffic that does bypass
# wg0 works transparently instead of failing.
option masq '1'
option mtu_fix '1'
# NOTE(review): lan->wan forwarding (duplicated again further down) is the
# direct-exit path that bypasses the tunnel. Whenever a packet is not matched
# by a wg0 route -- tunnel down, endpoint unresolvable, interface restarting,
# or an IPv6 destination when the v6 default via wg0 is missing -- it is
# forwarded to wan and masqueraded. A kill switch is exactly this forwarding
# removed. It does not appear to be needed for Tailscale remote access:
# tailscale0 is in the lan zone and the daemon's own traffic is router
# output, not forwarded traffic.
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock OpenWrt rules: allow IPsec ESP and IKE (udp/500) to be forwarded from
# wan into lan. Harmless unless something on the LAN actually terminates IPsec.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# vpn zone: wg0. NOTE(review): input 'ACCEPT' lets the remote VPN server (and
# whatever it routes towards you) reach all router services; REJECT is the
# safer default unless a service must be reachable from the VPN side. The zone
# masquerades but has no mtu_fix; WireGuard lowers the path MTU, so TCP MSS
# clamping (`option mtu_fix '1'`) is usually wanted here too.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
list network 'wg0'
config forwarding
option src 'lan'
option dest 'vpn'
# Duplicate of the lan->wan forwarding above; see the note there.
config forwarding
option src 'lan'
option dest 'wan'
# NOTE(review): accepts ALL TCP ports from the wan zone, for both IPv4 and
# IPv6, not just from the "main LAN". It is redundant while the zone's input
# is ACCEPT, and if input is changed to REJECT this rule still exposes every
# TCP service. Restrict it to the upstream subnet and the ports needed, e.g.
# `option src_ip '192.168.100.0/24'`, `option family 'ipv4'`,
# `list dest_port '22'`.
config rule
option src 'wan'
option name 'Allow main LAN to router'
list proto 'tcp'
option target 'ACCEPT'
# Redirects expose the router's own LuCI (plain HTTP on 80) and SSH on
# alternate ports to whatever reaches the wan zone. NOTE(review): a changed
# port is not a security control; with input ACCEPT the original ports 80 and
# 22 are reachable anyway. Make sure SSH is key-only and consider HTTPS for
# LuCI, or rely on Tailscale for management and drop these.
config redirect
option name 'AccessRouterFromWAN'
option src 'wan'
option proto 'tcp'
option src_dport '8080'
option dest 'lan'
option dest_ip '192.168.10.1'
option dest_port '80'
config redirect
option name 'SSH_to_Router_from_WAN'
option src 'wan'
option proto 'tcp'
option src_dport '2222'
option dest 'lan'
option dest_ip '192.168.10.1'
option dest_port '22'
root@OpenWrtVPN:~# ip route show
default dev wg0 proto static scope link metric 10
default via 192.168.100.1 dev eth1 proto static src 192.168.100.69 metric 100
10.104.203.0/24 dev wg0 proto static scope link metric 10
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
192.168.100.0/24 dev eth1 proto static scope link metric 100