I have at home old week Keenetic as 1st router (MAC authentication, WiFi off). And Openwrt Aruba 303rw access point connected to Keenetic.
Aruba has one "br-lan" interface with set-up Protocol: DHCP client. Wireless network setup mode as Access Point.
I want to install Wireguard vpn on access point to cover all WiFi devices.
I have instructions how to set-up wireguard vpn but in doubt how to set-up Openwrt Interface and Wireless network properly?
You’ll need to route the traffic from the WiFi through the tunnel. This means setting up new network interface in a different subnet relative to your upstream lan.
Let’s see where things currently stand:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ifstatus lan | grep address
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
Note that only clients connected to the Guest wifi on the dumb AP will use the VPN all other traffic will just bypass this AP and go straight to the main router
There is one strange thing. I have used dns leak test. On mobile phone it's succsesfull but on laptop it unsuccesfull (showing some dns leakage).
Surfshark has 2 dns addresses. I have set-up them in WG0, guest, lan interfaces and upstream router as well. But still showing that leakage and only on Laptop.
It could be that your phone is using its private DNS and the laptop is using the router as DNS server.
You probably have set the upstream router as DNS server for your AP.
In that case the AP's DNS requests from DNSMasq do not use the VPN and you have a DNS leak.
I think there are more ways out but what you can try is to set a publicly available DNS server on your AP instead of the upstream router.
Otherwise please show the settings of the AP, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
wg show
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
option mtu_fix '1'
config forwarding
option src 'guest'
option dest 'lan'
config rule
option name 'Guest_DHCP'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'Guest_DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Block_Guest_from_lan'
list proto 'all'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.1.0/24'
option target 'REJECT'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'WG0'
option masq '1'
config forwarding
option src 'guest'
option dest 'vpn'
ip route show
default dev WG0 scope link
10.14.0.0/16 dev WG0 scope link src 10.14.0.2
*.*.*.* via 192.168.1.1 dev br-lan
192.168.1.0/24 dev br-lan scope link src 192.168.1.2
192.168.2.0/24 dev br-guest scope link src 192.168.2.1
wg show
interface: WG0
public key: *****
private key: (hidden)
listening port: 58467
peer: ****
endpoint: ***.***.***.***:51820
allowed ips: 0.0.0.0/0
latest handshake: 12 seconds ago
transfer: 2.79 GiB received, 146.33 MiB sent
All traffic should go via the VPN including traffic from DNSMasq to
No need to set these DNS servers on all interfaces all listed DNS servers are just thrown into one resolv.conf file
Browsers and Oses often use private DNS so you might see another DNS server then the ones you have chosen but the query should go via the VPN so the geographical origin should be fine.
(Unless you are using a VPN on the client itself of course)
Some strange beheviour happens - it working normaly for 3-4 days and after that it stops transfering data. "Latest Handshake - never" , RX: 0 B (0 Pkts.) on wg0 interface.
Other interfaces and networks working good and that AP.
I have checked wireguard config on laptop app and smartphone - all fine.
It's allready happens several times. I have made cleanup with soft reset and settup all again. 3-4 days and problem repeated.