OpenWrt Wireguard Client

Hi All,

I'm having problems with Wireguard Client and wanted to ask for help. I have spent about 3 days working on this, so here I go:

Followed the instructions from the Openwrt site, OpenWrt Wiki - WireGuard client. From there, I changed the VPN interface information based on the Wireguard client configuration for my Wireguard server. I need to let you know that my Wireguard server is a Raspberry PI4 sitting in the USA. I'm able to get a connection established with my Raspberry PI Wireguard server. The problem is when I check my IP address with what's my IP, it is the address of my ISP in my country and not the IP address of my US based VPN server. I have changed the "Use gateway metric" on both the WAN and the VPN to WAN 20 and the VPN 10. I also configured Port Forward on the ISP Modem/Router to point to the OpenWrt router with the configured port number.

Here is what my network looks like:

Any help would be appreciated.

Thanks.

You probably want to post /etc/config/network but make sure you sanitize the keys for your wireguard to protect them. Just replace them with xxx or something like that.

I recommend splitting this into two steps:

(1) Check that your wireguard link is active. Try pinging the other devices on the wireguard interface/network.

If this fails then you need to fix your wireguard or addresses configs. If this works then step (2) is your problem.

(2) Check your routing rules. If you want normal internet traffic to go out over the wireguard link then you need to make sure routing rules to this effect are in place. There are lots of ways to view routing rules (both in the commandline and in luci) as well as creating rules (within the configs, luci, post-up scripts, wireguard config, etc); pick your poison and have a look.


Wireguard should configure the client's routes for you if you set allowed_ips to 0.0.0.0/0 and enable route_allowed_ips. This will add 3 rules to the route table: a punch out to the peer via the old ISP, and the split /1 routes that send the whole Internet into the wireguard tunnel without removing the original default route. The original default route is inactivated though since the more specific routes have priority.
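To make the "more specific routes have priority" point concrete, here is an added example (not code from the thread or from OpenWrt) that runs longest-prefix route selection over a constructed routing table of the shape route_allowed_ips produces. The ISP gateway 192.0.2.1, the peer endpoint 203.0.113.10 and the lookup addresses are placeholders from documentation ranges; the interface names mirror the poster's config.

```shell
#!/bin/sh
# Added example: pick the winning route for a destination the way the kernel does
# (longest matching prefix, then lowest metric) over a constructed `ip route` table.

# Constructed routing table, not captured from a real router. 192.0.2.1 stands for the
# ISP gateway and 203.0.113.10 for the WireGuard peer endpoint (both placeholders).
ROUTE_TABLE='default via 192.0.2.1 dev eth0.2 metric 20
0.0.0.0/1 dev wg0 metric 10
128.0.0.0/1 dev wg0 metric 10
203.0.113.10 via 192.0.2.1 dev eth0.2
192.168.1.0/24 dev br-lan
10.6.0.0/24 dev wg0'

# lookup <ipv4>: prints "<prefix> dev <iface>" of the most specific matching route,
# ties broken by lower metric, or "no route" if nothing matches.
lookup() {
    printf '%s\n' "$ROUTE_TABLE" | awk -v dst="$1" '
    # dotted quad -> 32-bit integer
    function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    BEGIN { best = -1; out = "no route" }
    {
        # "default" is shorthand for 0.0.0.0/0; a bare host address is a /32
        pfx = ($1 == "default") ? "0.0.0.0/0" : $1
        if (index(pfx, "/") == 0) pfx = pfx "/32"
        split(pfx, p, "/"); net = ip2int(p[1]); len = p[2] + 0
        metric = 0; iface = "?"
        for (i = 2; i <= NF; i++) {
            if ($i == "dev") iface = $(i+1)
            if ($i == "metric") metric = $(i+1) + 0
        }
        # does the destination fall inside this prefix? compare the top len bits
        d = ip2int(dst)
        if (len == 0) hit = 1
        else hit = (int(d / (2^(32 - len))) == int(net / (2^(32 - len))))
        if (hit && (len > best || (len == best && metric < bestmetric))) {
            best = len; bestmetric = metric; out = pfx " dev " iface
        }
    }
    END { print out }'
}

# Stand-alone demo: a public address in each half of the Internet, the peer endpoint
# itself, and a LAN host.
for dst in 8.8.8.8 198.51.100.7 203.0.113.10 192.168.1.50; do
    printf '%-15s -> %s\n' "$dst" "$(lookup "$dst")"
done
```

The two /1 routes each cover half of the address space, so any public destination matches one of them with prefix length 1 and beats the /0 default regardless of metric; only the /32 to the peer endpoint is more specific still, which is what keeps the encrypted packets themselves going out via the ISP instead of looping back into the tunnel.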

Here are the contents of the files:

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd34:cbae:5e3b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'd8:47:32:d8:3c:69'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '9.9.9.9'
	option metric '20'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key XXXXXXXXX
	list addresses '10.6.0.3/24'
	option dns_metric '10'

config wireguard_wg0 'wgclient'
	option description 'OpenWrt'
	option public_key XXXXXXXXX
	option preshared_key 'XXXXXXXXX'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host XXXXXXXXX
	option endpoint_port '51820'
	option persistent_keepalive '25'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'
	option masq '1'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
...
I hope this will help.  Thanks.

Just noticed that if I have the VPN running, I have no internet connectivity. Just don't understand why this is so hard to do. I thought Wireguard was easy to set up.

It's fiddly but once set up it's done and you can leave it be for ages.

I think I had to add the IPv6 address in allowed IPs here:

Also you may want to consider the simple nftables-based pbr that is configurable through LuCI:

This allows you to configure which addresses go where (either directly out through WAN or through VPN). And all through the LuCI GUI. Fantastic.

The VPN usually is placed in the wan firewall zone, or a separate zone with masquerade enabled. If you don't NAT into the VPN tunnel (which will be the case placing it in lan), the server needs to have a route back to your LAN. I don't think that lan-lan masq works, it has to be inter-zone.

listen_port is usually not combined with endpoint_host. Use listen_port when this peer is waiting for connections (it is a "server"). Use endpoint_host on the peer that will initiate the connection (a "client").

If the connection shows up (handshakes active) and the routes are installed, (run route to view the table), but the Internet is not reachable by VPN, then you also need to consider the server configuration.
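The two-step check from the earlier reply (link active first, routes second) and the "handshakes active and routes installed" advice in this post can be scripted. The following is an added example, not code from the thread or from OpenWrt: it runs the checks over constructed copies of `wg show wg0 latest-handshakes` and `ip -4 route show` output so it can be tried off the router; the peer key, the timestamps and the gateway 192.0.2.1 are placeholders, and the 180-second freshness limit is an assumption based on WireGuard rekeying roughly every two minutes.

```shell
#!/bin/sh
# Added example: two-step WireGuard client diagnosis over constructed command output.
# On the router the same functions would be fed by:
#   wg show wg0 latest-handshakes   (one line per peer: "<public key> <unix time>")
#   ip -4 route show

# Constructed `wg show wg0 latest-handshakes` output. The key is a placeholder; real
# output separates the two fields with a tab, which awk treats like the space used here.
WG_HANDSHAKES_OK='PEER_PUBLIC_KEY_PLACEHOLDER= 1700000100'
WG_HANDSHAKES_STALE='PEER_PUBLIC_KEY_PLACEHOLDER= 1699990000'
WG_HANDSHAKES_NONE='PEER_PUBLIC_KEY_PLACEHOLDER= 0'

# Constructed `ip -4 route show` output, with and without the two /1 routes that
# route_allowed_ips installs for allowed_ips 0.0.0.0/0. 192.0.2.1 is a placeholder gateway.
ROUTES_OK='default via 192.0.2.1 dev eth0.2 metric 20
0.0.0.0/1 dev wg0 metric 10
128.0.0.0/1 dev wg0 metric 10
10.6.0.0/24 dev wg0'
ROUTES_MISSING='default via 192.0.2.1 dev eth0.2 metric 20
10.6.0.0/24 dev wg0'

# Step 1: did any peer complete a handshake within MAX_AGE seconds of "now"?
# A keepalive'd tunnel renegotiates about every two minutes, so an older handshake,
# or none at all (timestamp 0), means the link is not really up. (180 s is an assumption.)
MAX_AGE=180
handshake_fresh() {   # $1 = wg output, $2 = current unix time
    printf '%s\n' "$1" | awk -v now="$2" -v max="$MAX_AGE" '
        $2 > 0 && now - $2 <= max { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Step 2: are both half-Internet routes present and pointing at the tunnel interface?
tunnel_routes_present() {   # $1 = ip route output, $2 = wg interface name
    printf '%s\n' "$1" | awk -v wg="$2" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
            for (i = 2; i <= NF; i++) if ($i == "dev" && $(i+1) == wg) n++
        }
        END { exit n == 2 ? 0 : 1 }'
}

# Run the checks in the order the thread suggests and report the first failure.
diagnose() {   # $1 = wg output, $2 = now, $3 = route output
    if ! handshake_fresh "$1" "$2"; then
        echo "step1-fail: no recent handshake, check keys, endpoint and the port forward"
    elif ! tunnel_routes_present "$3" wg0; then
        echo "step2-fail: tunnel routes missing, check allowed_ips and route_allowed_ips"
    else
        echo "ok: link up and default traffic routed into wg0"
    fi
}

# Stand-alone demo against the three constructed situations.
NOW=1700000150
diagnose "$WG_HANDSHAKES_OK" "$NOW" "$ROUTES_OK"
diagnose "$WG_HANDSHAKES_STALE" "$NOW" "$ROUTES_OK"
diagnose "$WG_HANDSHAKES_OK" "$NOW" "$ROUTES_MISSING"
```

If step 1 passes and step 2 passes but traffic still leaves via the ISP, the remaining suspects are the ones this post names: the firewall zone the tunnel sits in (no masquerade into the tunnel means the server must route back to 192.168.1.0/24) and the server's own forwarding and NAT configuration.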

Hi All,

Lynx, your suggestion about adding IPv6 worked. Now the only issue is that the speed is so slow. Any ideas?

Sweet - glad it helped!

Yes - your router doesn't pack all that much more punch than a tired old fly hitting into a window with the help of a gentle breeze. There may be some optimizations that might help (irqbalance?) or others, but if you want a significantly higher throughput with shaping using CAKE too then you probably need to purchase something that packs a lot more punch like a cricket ball smashing through a window and onto the floor or a tank through the wall: e.g. RT3200 for say 400Mbit/s or even x86 for 1Gbit/s if that is needed.