Openwrt AP Setup for wireguard vpn

Hi!

I have at home an old, weak Keenetic as the 1st router (MAC authentication, WiFi off), and an OpenWrt Aruba 303rw access point connected to the Keenetic.
The Aruba has one "br-lan" interface with Protocol set to DHCP client. The wireless network is set up in Access Point mode.
I want to install WireGuard VPN on the access point to cover all WiFi devices.
I have instructions on how to set up WireGuard VPN, but I am unsure how to set up the OpenWrt interface and wireless network properly.

You'll need to route the traffic from the WiFi through the tunnel. This means setting up a new network interface in a different subnet from your upstream LAN, so that its traffic gets its own firewall zone and is forwarded only into the tunnel instead of being bridged straight to the upstream router.

Let’s see where things currently stand:

Please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, WireGuard private keys, MAC addresses and any public IP addresses you may have:

# Board model and firmware release (confirms target/version before advising).
ubus call system board
# Interfaces, bridges and addressing.
cat /etc/config/network
# Radios and SSIDs, and which network each SSID is attached to.
cat /etc/config/wireless
# dnsmasq / DHCP / router-advertisement settings per interface.
cat /etc/config/dhcp
# Zones, forwardings and rules.
cat /etc/config/firewall
# Addresses currently assigned to the lan interface.
ifstatus lan | grep address
ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Aruba AP-303",
        "board_name": "aruba,ap-303",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0f:2851:39f4::/48'

# Single bridge holding the wired port. Both SSIDs in /etc/config/wireless are
# attached to it, so WiFi clients sit on the same L2 segment as the upstream
# router and nothing here is routed (or tunnelled) by the AP.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

# The AP takes its own address from the upstream router (dumb-AP style).
# No 'wan' interface is defined in this file, so the firewall's wan zone
# (which lists 'wan'/'wan6') has no members on this device.
# A VPN-routed WiFi needs its own interface in a subnet other than the
# upstream 192.168.1.0/24, with its own firewall zone.
config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
cat /etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '3'
        option band '2g'
        option htmode 'HT40'
        # 30 dBm is requested but no 'country' option is set; the driver clamps
        # to the regulatory limit of whatever domain is active -- verify that
        # domain matches your location.
        option txpower '30'
        option cell_density '0'

# Main SSID, WPA2-PSK, bridged into br-lan (not routed, so not tunnelled).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Mainone'
        option encryption 'psk2'
        option key '******'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

# Default OPEN SSID bridged into the LAN. It is inert only because radio1 is
# disabled above; enabling the 5 GHz radio as-is would expose an unencrypted
# AP on the upstream LAN. Delete this section, or set 'encryption'/'key'
# before enabling radio1.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

cat /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Upstream answers pointing at private ranges are dropped (rebind guard).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers come from this file; every 'list dns' entry on any
        # interface in /etc/config/network ends up pooled here.
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer DNS queries from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# lan is a DHCP *client* (see /etc/config/network), yet dnsmasq/odhcpd are set
# to serve DHCPv4, DHCPv6 and router advertisements on it. On a dumb AP that
# puts a second DHCP server and a second IPv6 router on the upstream segment
# and can hand out conflicting leases/gateways to the Keenetic's clients.
# Set 'option ignore 1' here (and drop dhcpv6/ra) unless this device is meant
# to be the router for that segment.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# References an interface that does not exist in /etc/config/network; inert.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall
# Stock OpenWrt firewall. /etc/config/network on this device defines no
# 'wan'/'wan6' interface, so the wan zone below is EMPTY and every wan-sourced
# rule (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec) currently matches
# nothing. All traffic the AP sees arrives through the lan zone.
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

# Fully open zone: ssh/LuCI on the AP are reachable from every lan client.
config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# IPsec pass-through (ESP + IKE on udp/500) from wan into lan. These look like
# leftovers from an older default config; nothing in this thread uses IPsec and
# the wan zone is empty anyway, so they can be removed. They are unrelated to
# WireGuard, which needs no inbound rule for an outgoing client tunnel.
config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT
ifstatus lan | grep address
               "addresses",
        "ipv4-address": [
                        "address": "192.168.1.1",
        "ipv6-address": [
                "ipv4-address": [
                "ipv6-address": [


(I have set up the upstream router to assign the static address 192.168.1.1 to the OpenWrt access point.)

Obviously nothing will work if the WAN-side address overlaps with the default LAN subnet.


The upstream router (Keenetic) has a different static address, 192.168.1.50.
It assigned 192.168.1.1 to the downstream OpenWrt AP.

You have 192.168.1.0/24 on both sides of the router, so it cannot route at all.

Start by making a guest WiFi on a dumb AP.

Next, set up a WireGuard client the normal way.

Note that only clients connected to the guest WiFi on the dumb AP will use the VPN; all other traffic (including the existing SSID, which is bridged into br-lan) bypasses this AP's routing and goes straight to the main router.


Thank you! That was very useful for me.
It's working well now (with one small remark).

  1. I did a "soft reset" to get a clean AP and followed the dumb AP guide in LuCI. Deleted the "wan" configs.
  2. Set up the guest WiFi on the dumb AP.
  3. Set up WireGuard as per the Surfshark guide. I was a little confused by the firewall settings and configured them like this:

There is one strange thing. I ran a DNS leak test. On the mobile phone it passes, but on the laptop it fails (showing some DNS leakage).
Surfshark has two DNS addresses. I have set them on the WG0, guest and lan interfaces, and on the upstream router as well, but it still shows leakage, and only on the laptop.

This?


It could be that your phone is using its own private DNS (e.g. DNS over TLS/HTTPS configured in the OS), while the laptop is using the router as its DNS server.

You have probably set the upstream router as the DNS server for your AP.
In that case dnsmasq on the AP forwards its queries to the upstream router over the plain LAN rather than through the VPN, and you have a DNS leak.

I think there are other ways out, but what you can try is to set a publicly available DNS server on your AP instead of the upstream router; as long as the AP's default route goes through the tunnel, those forwarded queries will then leave via the VPN.

Otherwise please show the settings of the AP: connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys (WireGuard private and pre-shared keys), passwords, MAC addresses and any public IP addresses you may have:

# Interfaces, the WireGuard interface and its peer.
cat /etc/config/network
# dnsmasq / DHCP settings; shows which interfaces the AP serves.
cat /etc/config/dhcp
# Zones, forwardings and rules (what may reach the tunnel and the LAN).
cat /etc/config/firewall
# Confirms the default route really points into the tunnel.
ip route show
# Peer status: handshake age and transfer counters (private key is hidden).
wg show

Looks like it. I have re-checked on the laptop with Chrome, IE and Firefox — only Firefox is leaking now.

Surfshark DNS almost everywhere :)

cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '*****::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

# Static address on the upstream LAN with the Keenetic as gateway.
# The 'list dns' entries on lan, guest and WG0 are all pooled into one
# resolv.conf for dnsmasq; listing them once is enough.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '162.252.172.57'
        list dns '149.154.159.92'

# Empty bridge that only the guest SSID will join (bridge_empty keeps it up
# with no wired ports).
config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

# Routed (not bridged) guest network in its own subnet, so the firewall can
# put it in its own zone and forward it only into the tunnel.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns '162.252.172.57'
        list dns '149.154.159.92'

# WireGuard client. private_key must never be posted; the redaction is right.
config interface 'WG0'
        option proto 'wireguard'
        option private_key '***'
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'

# allowed_ips 0.0.0.0/0 + route_allowed_ips installs the IPv4 default route
# into the tunnel. No '::/0' is listed, so IPv6 would NOT be tunnelled; guest
# has no IPv6 addressing here, so its clients presumably have none -- re-run a
# leak test if IPv6 is ever enabled on guest. endpoint_host is resolved by the
# AP's resolvers before the tunnel exists; that single lookup necessarily
# happens outside the VPN.
config wireguard_WG0
        option description 'jptok'
        option public_key '*****'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '****'
        option endpoint_port '51820'
        option route_allowed_ips '1'
cat /etc/config/dhcp
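config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Upstream answers pointing at private ranges are dropped (rebind guard).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers: all 'list dns' entries from /etc/config/network
        # end up here, and queries to them follow the routing table (the
        # default route, i.e. the tunnel).
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer DNS queries from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# Dumb-AP setting: the Keenetic serves DHCP on 192.168.1.0/24, so the AP must
# not. 'ignore 1' makes the dhcpv4/start/limit entries inert.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

# References an interface that no longer exists; inert, can be deleted.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# The AP is the DHCP server for the guest subnet (192.168.2.100-249).
# No dhcpv6/ra here, so guest clients get no IPv6 -- which matches the tunnel
# carrying IPv4 only. A stray trailing backtick after the leasetime value
# (paste artifact) was removed; it is not valid UCI syntax.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'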
cat /etc/config/firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Upstream-side zone. ssh/LuCI on the AP are reachable from every lan client.
# masq here NATs anything forwarded INTO lan (i.e. guest traffic allowed by the
# guest->lan forwarding below) behind 192.168.1.2; if that forwarding is
# removed, masq on lan is no longer needed.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

# Guest clients cannot reach the AP itself except through the explicit
# DHCP/DNS rules below; input REJECT keeps ssh/LuCI off the guest SSID.
# mtu_fix clamps TCP MSS for traffic forwarded from guest, which also covers
# the tunnel path (the vpn zone has no mtu_fix of its own).
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'
        option mtu_fix '1'

# No kill switch: this forwarding is the only path by which guest traffic can
# leave through the plain LAN. Block_Guest_from_lan below rejects only
# destinations in 192.168.1.0/24, so if the IPv4 default route ever falls
# back to br-lan (tunnel torn down / WG0 ifdown), guest internet traffic would
# be forwarded unencrypted via lan. guest only needs the guest->vpn forwarding;
# consider deleting this section (and the lan zone's masq) so that guest
# traffic is dropped rather than leaked when the tunnel is down.
config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'Guest_DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

# proto unset, which OpenWrt treats as tcp+udp, so TCP DNS (large answers,
# DNSSEC) works as well.
config rule
        option name 'Guest_DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

# Intended to override the guest->lan forwarding for the LAN itself (fw4
# presumably applies rules before zone forwardings). It covers only
# 192.168.1.0/24, not the rest of the traffic that forwarding permits.
config rule
        option name 'Block_Guest_from_lan'
        list proto 'all'
        option src 'guest'
        option dest 'lan'
        list dest_ip '192.168.1.0/24'
        option target 'REJECT'

# Tunnel zone. masq is required: the peer only accepts 10.14.0.2 as source.
# input REJECT means nothing arriving from the provider side can reach the AP.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WG0'
        option masq '1'

# The one forwarding guest actually needs.
config forwarding
        option src 'guest'
        option dest 'vpn'
ip route show
default dev WG0 scope link
10.14.0.0/16 dev WG0 scope link  src 10.14.0.2
*.*.*.* via 192.168.1.1 dev br-lan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.2
192.168.2.0/24 dev br-guest scope link  src 192.168.2.1
wg show

interface: WG0
  public key: *****
  private key: (hidden)
  listening port: 58467

peer: ****
  endpoint: ***.***.***.***:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 12 seconds ago
  transfer: 2.79 GiB received, 146.33 MiB sent

That actually looks good.

All traffic should go via the VPN, including the DNS traffic from dnsmasq to the configured upstream resolvers, because the AP's default route points into WG0.

No need to set these DNS servers on all interfaces; all listed DNS servers are just thrown into one resolv.conf file, and dnsmasq forwards to any of them.

Browsers and OSes often use their own private DNS (Firefox, for instance, can switch on DNS over HTTPS by itself), so you might see a different DNS server than the ones you have chosen, but the query should still go via the VPN, so the geographical origin should be fine.
(Unless you are using a VPN on the client itself of course)


Some strange behaviour happens: it works normally for 3-4 days and after that it stops transferring data. "Latest Handshake: never", RX: 0 B (0 Pkts.) on the wg0 interface.
The other interfaces and networks on that AP keep working fine.
I have checked the WireGuard config in the laptop app and on the smartphone — all fine.
It has already happened several times. I did a cleanup with a soft reset and set everything up again; after 3-4 days the problem repeated.

Sometimes the VPN provider's servers go down for maintenance or are overcrowded and stop responding.

I am using Mullvad, a very good provider, but even with them it happens occasionally; sometimes reconnecting (= restarting) WG helps, but not always.

You can use watchcat to restart the WG interface. Whichever way you restart it, check that guest traffic cannot fall back to the plain LAN while the tunnel is down: your firewall only blocks guest from 192.168.1.0/24, not from the internet via the lan zone.
I use a watchdog with failover: if one tunnel goes down, the next one is activated.
See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/wireguard-watchdog — but that might be overkill.

