I want to run a WireGuard server on my home network so I can connect from outside, and route the home network's outbound traffic through Mullvad VPN.
Therefore, I followed the two guides below.
mullvad vpn client
wireguard server scenario2 (I was told Scenario 1 does not work properly, so I followed Scenario 2.)
However, the WireGuard server is not working properly. When a mobile phone connects, OpenWrt shows a handshake being transmitted and received, but on the mobile phone no reply (RX) arrives.
According to the OpenWrt forum, Scenario 2 works if 'Route Allowed IPs' on the Mullvad client is disabled (set to 0) while its allowed IPs are kept at '0.0.0.0/0'; but when I actually disable this option, the Mullvad client stops working (even when the allowed IPs are not kept at '0.0.0.0/0').
When the 'Route Allowed IPs' option on the Mullvad client is disabled (set to 0) and the client consequently stops working, the VPN server connects normally.
Mullvad's guide also seems to emphasize keeping the 'Route Allowed IPs' option set to 1.
I would like to know whether there is a way to keep the Mullvad client working with this option disabled (set to 0), or whether there is another solution.
Here is my configuration.
In the firewall, VPNC is the VPN client zone and VPNS is the VPN server zone.
/etc/config/vpn-policy-routing
# Policy intended to keep the WireGuard server's own traffic (UDP source port 61820) on the WAN
# instead of the Mullvad tunnel that holds the default route.
config policy
option interface 'wan'
option name 'Wireguard Server'
option src_port '61820'
option proto 'udp'
# NOTE(review): the server's handshake replies to the phone are generated by the router itself,
# so they traverse the OUTPUT chain, not FORWARD (compare the 'OUTPUT' chain of the next policy).
# With 'FORWARD' here this policy presumably never matches them, which would fit the symptom of
# the phone seeing no RX while the tunnel's 0.0.0.0/0 route is active — TODO confirm with 'OUTPUT'.
option chain 'FORWARD'
# Keep traffic for the WireGuard server subnet local (not sent into the tunnel).
config policy
option name 'IGNORE Local Trrafic'
option interface 'ignore'
# Two spellings of the same destination option are present; 'dest_addr' is the one the package
# reads, 'dest_address' looks like a leftover duplicate — TODO confirm and drop the unused one.
option dest_address '192.168.99.0/24'
option dest_addr '192.168.99.0/24'
option chain 'OUTPUT'
config vpn-policy-routing 'config'
option verbosity '2'
# With strict enforcement, traffic matching a policy whose interface is down is dropped
# rather than leaked via another route.
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
# IPv6 is not policy-routed at all; see the '::0/0' allowed_ips on the VPNC peer in /etc/config/network.
option ipv6_enabled '0'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_enable_column '1'
option webui_protocol_column '1'
option webui_chain_column '1'
option webui_show_ignore_target '1'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
option resolver_ipset 'none'
# The WireGuard server interface is excluded from policy routing.
list ignored_interface 'vpn'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
(Even if I delete the 'Wireguard Server' policy from PBR, it still does not work.)
/etc/config/firewall
# Default policy: forwarding between zones is rejected unless an explicit forwarding section allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# WAN zone: unsolicited input and forwarding from the internet are rejected; the rules below
# open only specific protocols/ports.
config zone 'wan'
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
# Inbound WireGuard server port. src '*' accepts UDP 61820 from every zone (wan, lan, VPNC, VPNS);
# if peers only ever arrive from the internet, src 'wan' would narrow the exposed surface.
config rule 'wg'
option name 'Allow-WireGuard'
option src '*'
option dest_port '61820'
option proto 'udp'
option target 'ACCEPT'
# Mullvad client zone: nothing from the tunnel may reach the router, and the router itself
# may not originate traffic into it (output 'REJECT'); only forwarded LAN/VPNS traffic passes.
# NOTE(review): output 'REJECT' also covers router-originated DNS toward the 'list dns' server
# configured on the VPNC interface, if the router's resolver uses it — confirm that is intended.
config zone
option name 'VPNC'
option input 'REJECT'
option output 'REJECT'
option forward 'ACCEPT'
list network 'VPNC'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'VPNC'
# WireGuard server zone. With masq '1', remote peers appear on the LAN with the router's address
# rather than their 192.168.99.x tunnel address.
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'vpn'
option name 'VPNS'
config forwarding
option dest 'VPNC'
option src 'VPNS'
config forwarding
option dest 'lan'
option src 'VPNS'
# Forwarding VPNS -> wan is only used if a route sends peer traffic to the WAN; while the tunnel
# holds the default route, remote peers' internet traffic presumably goes via VPNC instead.
config forwarding
option dest 'wan'
option src 'VPNS'
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '<HIDE>'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr '<HIDE>'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
# WireGuard server interface (firewall zone VPNS), listening on UDP 61820 with 192.168.99.1 as its address.
config interface 'vpn'
option proto 'wireguard'
option private_key '<HIDE>'
option listen_port '61820'
list addresses '192.168.99.1'
# Mobile phone peer; a /32 allowed_ips plus a preshared key limits this peer to its single tunnel address.
config wireguard_vpn
option persistent_keepalive '25'
option preshared_key '<HIDE>'
option public_key '<HIDE>'
list allowed_ips '192.168.99.3/32'
option route_allowed_ips '1'
# Mullvad client interface (firewall zone VPNC). peerdns '0' keeps the provider's DNS from
# overriding the system resolver; the 'list dns' entry is used explicitly instead.
config interface 'VPNC'
option proto 'wireguard'
option private_key '<HIDE>'
list addresses '<HIDE>'
list addresses '<HIDE>'
option mtu '1420'
option force_link '1'
option peerdns '0'
list dns '<HIDE>'
config wireguard_VPNC
option public_key '<HIDE>'
option persistent_keepalive '25'
option endpoint_host '<HIDE>'
option endpoint_port '51820'
# 0.0.0.0/0 and ::0/0 with route_allowed_ips '1' install default routes into the tunnel.
# That is what keeps Mullvad working, but it also carries the WireGuard server's replies to the
# phone into the tunnel unless a policy route pins UDP source port 61820 to the WAN (see the
# OUTPUT-chain note in /etc/config/vpn-policy-routing). IPv6 is routed into the tunnel too,
# and vpn-policy-routing has ipv6_enabled '0', so an IPv6 peer connection would not be pinned.
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option route_allowed_ips '1'
Current version: OpenWrt 21.02.0
Many thanks in advance for the assistance.