OpenWRT Wireguard VPN connects home network but I cannot stream TV from EU

My TV provider requires me to be in my home LAN to be able to use their TV app. On top they also require me to be in EU.

I use Wireguard VPN with another open router firmware to create a tunnel to my home network in the EU and this allows me to view TV. Also Wireguard VPN directly on my iPhone allows me to watch TV. So I assume everything is set up correctly on the server side and the client side.

I want to switch to Wireguard on OpenWRT on my Raspberry Pi CM4 HW. I have set up Wireguard on OpenWRT and I can connect, see that everything works, but... I cannot stream TV. The message I get on the TV app is: "This stream can only be watched from countries inside the EU". So it looks like the Wireguard VPN interface does not publish the network as my home LAN.

Anyone have experience with this?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Also show your phone wg config.

For my understanding, you have set up the Pi as a server in your home so that your phone can connect to it in your home network?
If so, is the Pi your main router, directly connected to the internet with a public IP?

Hi, thanks for the reply.

The setup is a bit different.

On one end (let's say site_a in the EU) I have Home Assistant running on a NUC, running Wireguard as an add-on. The NUC sits behind a Netgear router that connects to the internet modem provided by my ISP. On the Netgear firewall I have forwarded the Wireguard port to the Home Assistant NUC, which runs with a fixed IP. This works fine for the iPhone and I can stream TV from anywhere outside the EU.

On the other end (let's say site_b outside the EU) I have dd-wrt running on a Netgear router, and this sits behind a modem/router provided by my ISP. I run Wireguard on this router and it allows any device that connects to the (W)LAN of the router to stream TV. I can ping the NUC on site_a if I connect the laptop to this router. So this looks okay.

I want to replace this with OpenWRT running on the Raspberry CM4 due to stability issues I have with the Netgear router.

I have Wireguard running on OpenWRT and see that the handshaking works, I can connect to websites etc. via the router, but when I want to stream TV it says "This stream can only be watched from countries inside the EU", so it appears that this setup does not communicate via the Wireguard tunnel. This is confirmed because I cannot ping the NUC on site_a.

So the question is: have I overlooked something? I will upload the wg config from the phone and OpenWRT in a minute.

Thanks.

**# ubus call system board**
{
        "kernel": "5.4.215",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi Compute Module 4 Rev 1.1",
        "board_name": "raspberrypi,4-compute-module",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r16681+16-830b07f08e",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 21.02-SNAPSHOT r16681+16-830b07f08e"
        }
}
**# cat /etc/config/network**

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'aaa'
        option packet_steering '1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'

config device
        option type 'bridge'
        option name 'docker0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'holzmoos'
        option proto 'wireguard'
        option private_key 'xxxxx='
        option listen_port '51820'
        list addresses '10.10.10.7/32'

config wireguard_holzmoos
        option description 'boterdijk'
        option public_key 'yyyyy='
        option route_allowed_ips '1'
        option endpoint_host 'host IP address via duckdns'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.1.0/24'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'
**# cat /etc/config/firewall**

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option fullcone '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'zerotier'
        option type 'script'
        option path '/etc/zerotier.start'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'gowebdav'
        option type 'script'
        option path '/var/etc/gowebdav.include'
        option reload '1'

config include 'luci_app_ipsec_server'
        option type 'script'
        option path '/var/etc/ipsecvpn.include'
        option reload '1'

config include 'passwall'
        option type 'script'
        option path '/var/etc/passwall.include'
        option reload '1'

config include 'passwall_server'
        option type 'script'
        option path '/var/etc/passwall_server.include'
        option reload '1'

config include 'luci_app_pptp_server'
        option type 'script'
        option path '/var/etc/pptpd.include'
        option reload '1'

config include 'socat'
        option type 'script'
        option path '/var/etc/socat.include'
        option reload '1'

config include 'ssr_mudb_server'
        option type 'script'
        option path '/var/etc/ssr_mudb_server.include'
        option reload '1'

config rule 'kms'
        option name 'kms'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port 'xxxx'

config include 'openclash'
        option type 'script'
        option path '/var/etc/openclash.include'
        option reload '1'

config include 'shadowsocksr'
        option type 'script'
        option path '/var/etc/shadowsocksr.include'
        option reload '1'

config include 'mia'
        option type 'script'
        option path '/etc/mia.include'
        option reload '1'

config rule 'openvpn'
        option name 'openvpn'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port 'xxxx'

config include 'unblockmusic'
        option type 'script'
        option path '/var/etc/unblockmusic.include'
        option reload '1'

config include 'softethervpn'
        option type 'script'
        option path '/usr/share/softethervpn/firewall.include'
        option reload '1'

config include 'v2ray_server'
        option type 'script'
        option path '/var/etc/v2ray_server.include'
        option reload '1'

config include 'wrtbwmon'
        option type 'script'
        option path '/etc/wrtbwmon.include'
        option reload '1'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'holzmoos'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.7/32'
        option dest_port '51820'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

**# wg show**
interface: holzmoos
  public key: xxxx=
  private key: (hidden)
  listening port: 51820

peer: yyyy=
  endpoint: IP address:51820
  allowed ips: 10.10.10.0/24, 192.168.1.0/24
  latest handshake: 30 seconds ago
  transfer: 2.00 KiB received, 18.50 KiB sent
  persistent keepalive: every 25 seconds

Your Allowed IPs should be:
list allowed_ips '0.0.0.0/0'

Unless you have the WG address and the subnet (192.168.2.1) set on the other side in the peer section as allowed IPs and routing the allowed IPs, you have to enable MASQUERADE (and mtu_fix) on the firewall:

P.S. You are running an old and EOL build.
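A small configuration audit for the two points raised in the reply above (whether the peer's allowed_ips cover all destinations, and whether the zone holding the WireGuard interface masquerades). This is an added example, not code from the thread or from OpenWrt; the names NETWORK, FIREWALL, parse_uci and audit are mine, and the two UCI strings are constructed excerpts of the posted config.

```python
# Constructed excerpts of the posted /etc/config/network and /etc/config/firewall
NETWORK = """config interface 'holzmoos'
        option proto 'wireguard'
        list addresses '10.10.10.7/32'
config wireguard_holzmoos
        option route_allowed_ips '1'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.1.0/24'
"""
FIREWALL = """config zone
        option name 'vpn'
        option forward 'REJECT'
        list network 'holzmoos'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)  # at most 3 fields; a value may contain spaces
        if not parts:
            continue
        if parts[0] == "config" and len(parts) > 1:
            name = parts[2].strip("'\"") if len(parts) > 2 else ""
            sections.append((parts[1], name, {}))
        elif parts[0] in ("option", "list") and len(parts) == 3 and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections

def audit(network_text, firewall_text):
    """Return a list of findings for every WireGuard interface in the config."""
    findings = []
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    wg_ifaces = [n for t, n, o in net if t == "interface" and o.get("proto") == ["wireguard"]]
    for iface in wg_ifaces:
        # Peer sections are named wireguard_<interface>; with route_allowed_ips
        # only the listed prefixes are routed into the tunnel.
        for t, _, o in net:
            if t != "wireguard_" + iface:
                continue
            allowed = o.get("allowed_ips", [])
            if o.get("route_allowed_ips") == ["1"] and "0.0.0.0/0" not in allowed:
                findings.append(f"{iface}: only {allowed} go through the tunnel; add 0.0.0.0/0 for a full tunnel")
        # Without masq on the zone, LAN sources keep their 192.168.2.x address,
        # so the far side must route that subnet back; masq hides it behind 10.10.10.7.
        zones = [o for t, _, o in fw if t == "zone" and iface in o.get("network", [])]
        if not zones:
            findings.append(f"{iface}: not covered by any firewall zone")
        elif any(z.get("masq") != ["1"] for z in zones):
            findings.append(f"{iface}: zone lacks masq; enable masq (and mtu_fix) or have the far side route your LAN")
    return findings
```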

Thanks, done. Did not solve the issue of the streaming unfortunately.

I know about the build. I bought the Raspberry with OpenWRT preinstalled from Seeed. I am not sure what image to upgrade it with, otherwise I would have done it. Could you advise what image to use? E.g. 32 or 64 bit?

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

They have a fork that is not the same as the official OpenWrt firmware. You need to either ask them for help or install OpenWrt from the official project.

Hi, I have solved this issue. I had my Netgear router connecting to the same Wireguard server and apparently that caused the issue. I have now successfully upgraded the Seeed reRouter to the default OpenWRT latest stable release for Raspberry Pi4 CM. Should anyone else like to try this: there are great tutorials for installing OpenWRT on Raspberry Pi on YouTube. These also apply to the Seeed reRouter device. One piece of advice: create a vpn firewall rule prior to making the Wireguard configuration on OpenWRT. Otherwise the router crashes and locks you out. Thanks for the help.