OpenWRT with Wireguard client and server behind FritzBox

Hello everyone,

I'm currently working on OpenWRT and generally improving my understanding of iptables etc. I have set myself the following task:

The OpenWRT router is behind a FritzBox 5530. In the medium term, this will only manage a few devices. OpenWRT is connected to the FritzBox via the WAN port. My current goal is for all devices that are connected to OpenWRT to access the Internet via a Mullvad VPN (Wireguard Client on OpenWRT). In addition, I would also like to tunnel into the home network via Wireguard while on the go in order to access the devices there and the outgoing Mullvad VPN.

The connection from the Fritzbox to OpenWRT is established. I created a static route here and it works.

The Mullvad Wireguard client is also already working.

What I can't manage: access from my smartphone to the Wireguard server on the OpenWRT. See here, green dashed line:

Strictly speaking, the handshake between Wireguard server and peer does not work. In the FritzBox, port 51820 is released for the WAN port of the OpenWRT.
It will probably be a firewall issue in OpenWRT. Somehow this firewall is still too incomprehensible for me.
Where can I look for the error, does anyone have an idea?

Thank you!

These are the interfaces and the traffic rule that I have currently created:

All of your egress traffic is being routed through the OpenVPN tunnel, so anything coming in from the regular wan kind of gets lost.

You need policy based routing in order to do what you want.

This is, of course, dependent on your wan being a normal public ip address and that you have properly configured wireguard.

We can review your config, if you’d like.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn

Hey,
thank you for your help. The configurations are below. I do not use OpenVPN, I use Wireguard, so there is no output for cat /etc/config/openvpn.

Here are the other data:

"kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "AVM FRITZ!Box 4040",
        "board_name": "avm,fritzbox-4040",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd33:6a03:9f91::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.178.1'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option gateway '192.168.178.1'
        option type 'bridge'
        option peerdns '1'
        list ipaddr '192.168.178.2/24'

config interface 'Mullvad'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXx'
        list addresses '10.67.37.109/32'
        option force_link '1'

config wireguard_Mullvad
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXx'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host '185.159.156.77'
        option endpoint_port '51820'

config route
        option interface 'wan'
        option target '192.168.178.0/24'
        option gateway '0.0.0.0'

config interface 'Wireguard'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXx'
        list dns '192.168.178.1'
        option listen_port '51820'
        list addresses '10.100.0.1/24'
        option force_link '1'
        option mtu '1420'

config wireguard_Wireguard
        option description 'Graphene'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXx'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXx'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXx'
        list allowed_ips '10.100.0.10/32'
        option route_allowed_ips '1'

config device
        option name 'Wireguard'
        option mtu '1420'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'Mullvad'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Mullvad'
        option masq '1'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option family 'ipv4'
        list network 'wan'

(... Default Rules ...)

config forwarding
        option src 'Mullvad'
        option dest 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Von FritzBox'
        option src 'wan'
        option src_dport '80'
        option dest_port '80'
        option dest_ip '192.168.178.2'

config redirect
        option target 'DNAT'
        option name 'DNS-Leaks verhindern'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'

config redirect
        option target 'DNAT'
        option name 'Wireguard'
        option src 'wan'
        option src_dport '1234'
        option dest_port '1234'
        list proto 'udp'
        option dest 'lan'
        option dest_ip '10.0.0.1'
        option enabled '0'

config zone
        option name 'Wireguard'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Wireguard'

config forwarding
        option src 'Wireguard'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'Mullvad'

config rule
        option name 'Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

So a few thoughts here before I get into the technical stuff:

  1. You are going to need policy based routing to achieve the general goal of creating a wireguard 'server' that can accept connections from your phone or other remote peers while also maintaining a general 'client' configuration with Mullvad.

  2. It seems silly, IMO, to have your phone connect back to your home network for the purposes of then egressing via the Mullvad VPN. Unless you are limited on the number of allowed connections, you should make the connection directly from the phone to Mullvad, and only connect back to your own network when you need to access your own home network resources.

  3. You'll need a public IP address on the wan of the FB5530. Please verify that this is the case. In addition, you need to be able to port forward from the FB to the OpenWrt wan address (192.168.178.2) in order to allow inbound connections to work. Ideally, if you can put your FB5530 into a bridge mode such that it passes your public IP directly to the wan of OpenWrt, that makes things easier, but not a big deal if it can't be done.

Now... onto the technical things:

remove the dns line from below... it doesn't do anything, but it does clutter things up and can cause confusion.

on the wan interface, you should explicitly specify the dns server (basically you can move what you had in the lan interface down to here). You can remove the peerdns line because that only applies to DHCP connections.

Remove this:

You can remove the DNS from this wireguard stanza, as it does nothing:

Remove this forwarding, as it doesn't actually produce anything useful:

This is not necessary at all (unless you plan to access the OpenWrt LuCI web interface from the upstream FB lan). And if that is the case, it should be a traffic rule, not a redirect. Delete this (and optionally create a traffic rule, ask if you need help):

Delete this, it doesn't do anything at all:

Delete this:

If your goal is to send the traffic from your phone through your router and then out to Mullvad, delete this:

Next, let's make sure that your WG 'server' configuration is working. Use your phone -- connected to the OpenWrt network by wifi (thus the phone is on the lan) -- try to initiate a WG connection. For this test, the endpoint address should be 10.0.0.1:51820 (on your phone, in the peer config section). Does it handshake properly?

wg show
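To make two of the review points above concrete (whether the zone holding the WireGuard 'server' interface can forward anywhere useful, and why policy-based routing is needed once the Mullvad peer's allowed_ips 0.0.0.0/0 is routed), here is an added example that is not code from the thread or from OpenWrt: a small UCI parser, an audit run against a condensed copy of the posted config (keys redacted, unrelated stanzas dropped), and a helper that emits the source-based policy route for /etc/config/network so that packets sourced from the wan address (192.168.178.2) leave via the wan gateway instead of the tunnel. The stanza names `wan_reply`, the routing table number 100 and the rule priority are assumptions; note that `config rule` here is a netifd routing rule in /etc/config/network, not a firewall traffic rule.

```python
"""Added example, not code from the thread: audit an OpenWrt UCI config where a
WireGuard 'server' sits next to a WireGuard client (Mullvad) that installs the
default route, and emit the policy-routing stanzas that keep replies on wan."""
import ipaddress
import re

# Condensed from the posted config: keys redacted, unrelated stanzas dropped.
NETWORK = """
config interface 'wan'
    option gateway '192.168.178.1'
    list ipaddr '192.168.178.2/24'
config interface 'Mullvad'
config wireguard_Mullvad
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'
config interface 'Wireguard'
    option listen_port '51820'
config wireguard_Wireguard
    list allowed_ips '10.100.0.10/32'
    option route_allowed_ips '1'
"""
FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'Mullvad'
    list network 'Mullvad'
config zone
    option name 'wan'
    list network 'wan'
config zone
    option name 'Wireguard'
    list network 'Wireguard'
config forwarding
    option src 'Wireguard'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'Mullvad'
"""
SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
KEYVAL = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """UCI text -> list of {type, name (None if anonymous), opts, lists}."""
    sections, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION.match(line):
            cur = {"type": m[1], "name": m[2], "opts": {}, "lists": {}}
            sections.append(cur)
        elif (m := KEYVAL.match(line)) and cur is not None:
            kind, key, val = m.groups()
            if kind == "option":
                cur["opts"][key] = val
            else:
                cur["lists"].setdefault(key, []).append(val)
    return sections


def audit(net_text, fw_text):
    """Findings: interface in no zone; listening WireGuard interface whose zone
    cannot forward into the default-route tunnel; policy routing required."""
    net, fw = parse_uci(net_text), parse_uci(fw_text)
    zone_of = {n: z["opts"]["name"] for z in fw if z["type"] == "zone"
               for n in z["lists"].get("network", [])}
    fwd = {}  # zone -> zones it may forward into
    for s in fw:
        if s["type"] == "forwarding":
            fwd.setdefault(s["opts"]["src"], set()).add(s["opts"]["dest"])
    # wireguard_<iface> peer sections that route 0.0.0.0/0 take the default route
    tunnels = [s["type"].split("_", 1)[1] for s in net
               if s["type"].startswith("wireguard_")
               and "0.0.0.0/0" in s["lists"].get("allowed_ips", [])
               and s["opts"].get("route_allowed_ips") == "1"]
    findings = []
    for s in (s for s in net if s["type"] == "interface"):
        name, zone = s["name"], zone_of.get(s["name"])
        if zone is None:
            findings.append(f"{name}: assigned to no firewall zone")
        elif "listen_port" in s["opts"]:
            for t in tunnels:
                if zone_of.get(t) not in fwd.get(zone, set()):
                    findings.append(f"{name}: zone '{zone}' cannot forward into '{zone_of.get(t)}'")
            if tunnels:
                findings.append(f"{name}: default route owned by {tunnels}; PBR via wan needed")
    return findings


def pbr_fix(net_text, table=100):
    """/etc/config/network stanzas (names and table number are assumptions):
    packets sourced from the wan address use the wan gateway, not the tunnel."""
    wan = next(s for s in parse_uci(net_text) if s["name"] == "wan")
    addr = (wan["lists"].get("ipaddr") or [wan["opts"]["ipaddr"]])[0]
    ip, gw = ipaddress.ip_interface(addr).ip, wan["opts"]["gateway"]
    return (f"config route 'wan_reply'\n    option interface 'wan'\n"
            f"    option target '0.0.0.0/0'\n    option gateway '{gw}'\n"
            f"    option table '{table}'\n\nconfig rule 'wan_reply'\n"
            f"    option src '{ip}/32'\n    option lookup '{table}'\n"
            f"    option priority '100'\n")


if __name__ == "__main__":
    print("\n".join(audit(NETWORK, FIREWALL)), pbr_fix(NETWORK), sep="\n\n")
```

Run against the posted config, the audit reports that the 'Wireguard' zone only forwards to wan (so a remote peer can reach neither the home LAN nor Mullvad) and that the Mullvad peer owns the default route. Putting the server interface into the lan zone clears the first finding; the second is what the emitted `config route`/`config rule` pair addresses. After appending those stanzas and running `/etc/init.d/network restart`, `ip rule` should show the new rule and `ip route show table 100` the wan default route.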

Thank you very much!

Unfortunately, I can only use one VPN connection on my smartphone at a time, so I want to use this traffic path.

I have implemented all the changes.

With the phone on the OpenWRT Wi-Fi and endpoint address 10.0.0.1:51820, the handshake works immediately and impeccably.

But I don't have an internet connection or access to my home network yet. Do I need policy based routing for this? I installed the pbr app, but it is a bit too much to configure.

From this initial WG connection, you should actually have internet access. If you don't, something else might be happening.

You'll need at least a ping utility on your phone. Ideally also a traceroute tool.

With the wg interface running on your phone (per the test we did with your phone on the lan), do pings succeed for the following:

We need to establish these things from the basics, then we can move on to the external access.

My mistake, I forgot to put the Wireguard interface in the LAN zone. Now the internet connection with Wireguard enabled works via the phone (with endpoint address 10.0.0.1:51820).

ok... great. So now that this part is working, let's look at the other bits...

On your FB, you need to verify that you have a public IP. I don't know where you'll find that info within the Fritz interface, but please check that now and post the first two octets of the address you find (in bold: aaa.bbb.ccc.ddd).

The public IP is 88.150.X.X

Btw.: is this also possible with a DynDNS and a domain?

perfect.

Yes. ddns scripts and a ddns provider will do the trick. Because your OpenWrt router is behind another one, you need to make sure it properly detects the actual public IP -- this is an option that you can select where it will send a query to a server and the returned value will be your current IP address.

Now that we know you've got a public IP, we need to make sure your fritzbox forwards UDP port 51820 to 192.168.178.2. Set that up in the FB interface.

Then disable your Mullvad WG client connection and test that you can connect to your WG 'server' from outside your network. This time, your endpoint host will be your actual public IP (88.150.X.X), and you should test this from your phone with cellular.


The forwarded UDP port 51820 to 192.168.178.2 is set up. I received data from the wg client but the handshake failed. No data transmitted to the client from the wg server.

But i need to sleep, tomorrow is a new day.