I'm having problems with Wireguard Client and wanted to ask for help. I have spent about 3 days working on this, so here I go:
Followed the instructions from the Openwrt site, OpenWrt Wiki - WireGuard client. From there, I changed the VPN interface information based on the Wireguard client configuration for my Wireguard server. I need to let you know that my Wireguard server is a Raspberry PI4 sitting in the USA. I'm able to get a connection established with my Raspberry PI Wireguard server. The problem is when I check my IP address with what's my IP, it is the address of my ISP in my country and not the IP address of my US based VPN server. I have changed the "Use gateway metric" on both the WAN and the VPN to WAN 20 and the VPN 10. I also configured Port Forward on the ISP Modem/Router to point to the OpenWrt router with the configured port number.
You probably want to post /etc/config/network but make sure you sanitize the keys for your wireguard to protect them. Just replace them with xxx or something like that.
(1) Check that your wireguard link is active. Try pinging the other devices on the wireguard interface/network
If this fails then you need to fix your wireguard or addresses configs. If this works then step (2) is your problem.
(2) Check your routing rules. If you want normal internet traffic to go out over the wireguard link then you need to make sure routing rules to this effect are in place. There are lots of ways to view routing rules (both in the command line and in luci) as well as creating rules (within the configs, luci, post-up scripts, wireguard config, etc); pick your poison and have a look.
Wireguard should configure the client's routes for you if you set allowed_ips to 0.0.0.0/0 and enable route_allowed_ips. This will add 3 rules to the route table: a punch out to the peer via the old ISP, and the split /1 routes that send the whole Internet into the wireguard tunnel without removing the original default route. The original default route is inactivated though since the more specific routes have priority.
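To make the "more specific routes have priority" point concrete, here is an added example (not from the post above or from OpenWrt) that walks a longest-prefix-match lookup over the three routes described: the /32 "punch out" to the peer via the ISP gateway and the two /1 routes into the tunnel, on top of the untouched original default. The gateway and endpoint addresses are constructed placeholders, and the tunnel interface name wg0 is an assumption.

```python
"""Longest-prefix-match walk through the routes WireGuard installs for a
0.0.0.0/0 peer when route_allowed_ips is enabled.
Added example; all addresses below are constructed, not taken from the thread."""
import ipaddress

ISP_GW = "192.0.2.1"          # constructed: the ISP gateway on wan
WG_ENDPOINT = "203.0.113.10"  # constructed: the remote WireGuard server

# (destination prefix, gateway, device), in the order a table dump would show them.
ROUTES = [
    ("0.0.0.0/0", ISP_GW, "wan"),           # original default route, left in place
    (WG_ENDPOINT + "/32", ISP_GW, "wan"),   # "punch out" to the peer via the ISP
    ("0.0.0.0/1", None, "wg0"),             # lower half of the Internet -> tunnel
    ("128.0.0.0/1", None, "wg0"),           # upper half of the Internet -> tunnel
]


def lookup(dst, routes=ROUTES):
    """Return (prefix, gateway, dev) of the most specific route matching dst.
    The kernel picks the longest matching prefix, which is why the /1 routes
    beat the /0 default and the /32 endpoint route beats the /1 routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def egress_device(dst, routes=ROUTES):
    """Just the interface a packet to dst would leave on."""
    return lookup(dst, routes)[2]


def without_split_routes():
    """The table as it looks when route_allowed_ips is off: no /1 routes,
    so everything still leaves via the ISP and 'what's my IP' shows the ISP."""
    return [r for r in ROUTES if not r[0].endswith("/1")]


if __name__ == "__main__":
    for dst in ("1.1.1.1", "200.0.0.1", WG_ENDPOINT):
        print(dst, "->", lookup(dst))
    print("without split routes:", lookup("1.1.1.1", without_split_routes()))
```

The tunnel's own endpoint must keep going out via the ISP; without that /32 the encrypted packets would be routed into the tunnel they are supposed to carry, which is the loop the "punch out" route prevents.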
Just noticed that if I have the VPN running, I have no internet connectivity. Just don't understand why this is so hard to do. I thought Wireguard was easy to setup.
The VPN usually is placed in the wan firewall zone, or a separate zone with masquerade enabled. If you don't NAT into the VPN tunnel (which will be the case placing it in lan), the server needs to have a route back to your LAN. I don't think that lan-lan masq works, it has to be inter-zone.
listen_port is usually not combined with endpoint_host. Use listen_port when this peer is waiting for connections (it is a "server"). Use endpoint_host on the peer that will initiate the connection (a "client").
If the connection shows up (handshakes active) and the routes are installed (run route to view the table), but the Internet is not reachable by VPN, then you also need to consider the server configuration.
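The three configuration points raised in the replies above (the tunnel interface sitting in a zone that does not masquerade, listen_port combined with endpoint_host on a client peer, and allowed_ips 0.0.0.0/0 without route_allowed_ips) can be checked mechanically against /etc/config/network and /etc/config/firewall before posting them. The following is an added example, not code from the thread or from OpenWrt: a small UCI parser plus a checker run over a constructed pair of config files that reproduce all three mistakes, and over a corrected pair. The interface name wg0, the keys ('xxx', as the sanitising advice suggests) and the addresses are constructed.

```python
"""Static checks for an OpenWrt WireGuard client config (added example).
Parses the UCI text format used by /etc/config/network and /etc/config/firewall
and flags the three problems discussed in the thread. Config text is constructed."""
import shlex

# Constructed /etc/config/network excerpt with a client peer that wrongly sets
# listen_port and forgets route_allowed_ips.
NETWORK = """\
config interface 'wan'
    option proto 'dhcp'

config interface 'wg0'
    option proto 'wireguard'
    option private_key 'xxx'
    list addresses '10.0.0.2/24'

config wireguard_wg0
    option public_key 'xxx'
    option endpoint_host '203.0.113.10'
    option endpoint_port '51820'
    option listen_port '51820'
    list allowed_ips '0.0.0.0/0'
"""

# Constructed /etc/config/firewall excerpt with wg0 placed in the lan zone (no masq).
FIREWALL = """\
config zone
    option name 'lan'
    option masq '0'
    list network 'lan'
    list network 'wg0'

config zone
    option name 'wan'
    option masq '1'
    list network 'wan'
"""

# Corrected variants: drop listen_port in favour of route_allowed_ips, and
# move wg0 from the lan zone into the masquerading wan zone.
NETWORK_FIXED = NETWORK.replace("    option listen_port '51820'\n",
                                "    option route_allowed_ips '1'\n")
FIREWALL_FIXED = FIREWALL.replace("    list network 'wg0'\n", "") + "    list network 'wg0'\n"


def parse_uci(text):
    """Minimal UCI parser: returns a list of sections, each with its type,
    optional name, single-valued options and multi-valued lists."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None,
                             "option": {}, "list": {}})
        elif parts[0] == "option":
            sections[-1]["option"][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1]["list"].setdefault(parts[1], []).append(parts[2])
    return sections


def check_wireguard_client(network_text, firewall_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    net = parse_uci(network_text)
    fw = parse_uci(firewall_text)
    for s in net:
        if not s["type"].startswith("wireguard_"):
            continue
        iface = s["type"][len("wireguard_"):]
        opt, lst = s["option"], s["list"]
        # A peer that initiates (endpoint_host) normally does not also listen.
        if "endpoint_host" in opt and "listen_port" in opt:
            findings.append(f"{iface}: peer sets both endpoint_host and listen_port; "
                            "a client peer normally needs only endpoint_host")
        # 0.0.0.0/0 only routes the Internet into the tunnel if routes are installed.
        if "0.0.0.0/0" in lst.get("allowed_ips", []) and opt.get("route_allowed_ips") != "1":
            findings.append(f"{iface}: allowed_ips covers 0.0.0.0/0 but route_allowed_ips "
                            "is not '1', so the split /1 routes will not be installed")
        # The tunnel interface should sit in wan or another zone with masq enabled.
        zones = [z for z in fw if z["type"] == "zone" and iface in z["list"].get("network", [])]
        if not zones:
            findings.append(f"{iface}: not assigned to any firewall zone")
        for z in zones:
            if z["option"].get("masq") != "1":
                findings.append(f"{iface}: in zone '{z['option'].get('name')}' without masq; "
                                "the server would need a route back to the LAN")
    return findings


if __name__ == "__main__":
    for name, n, f in (("broken", NETWORK, FIREWALL), ("fixed", NETWORK_FIXED, FIREWALL_FIXED)):
        print(name, "->", check_wireguard_client(n, f) or "no findings")
```

On a real router the same function can be fed the contents of /etc/config/network and /etc/config/firewall directly; the parser only understands the plain `config`/`option`/`list` lines, which is all those two files use.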
Yes - your router doesn't pack all that much more punch than a tired old fly hitting into a window with the help of a gentle breeze. There may be some optimizations that might help (irqbalance?) or others, but if you want a significantly higher throughput with shaping using CAKE too then you probably need to purchase something that packs a lot more punch like a cricket ball smashing through a window and onto the floor or a tank through the wall: e.g. RT3200 for say 400Mbit/s or even x86 for 1Gbit/s if that is needed.