PBR Wireguard client + server scenario 2

I want to install a WireGuard server on my home network so I can connect from outside, and route outgoing traffic through Mullvad VPN.

Therefore, I followed the two guides below.

Mullvad VPN client

WireGuard server scenario 2 (I was told that scenario 1 does not work properly, so I used scenario 2.)

However, the WireGuard server does not work properly. When connecting from a mobile phone, OpenWrt shows a handshake being transmitted and received, but on the phone no reply (RX) arrives.

From searching the OpenWrt forum, scenario 2 works if 'Route Allowed IPs' on the Mullvad client is set to 0 while the allowed IPs are kept at '0.0.0.0/0', but when I actually set this option to 0, the Mullvad client does not work (even if the allowed IPs are not kept at '0.0.0.0/0').

If 'Route Allowed IPs' on the Mullvad client is set to 0 and the client stops working, the VPN server does connect normally.

It seems that Mullvad's guide also emphasizes keeping the 'Route Allowed IPs' option at 1.

I wonder whether there is a way to keep the Mullvad client working with this option set to 0, or whether there is another solution.

My settings are below.
In the firewall, VPNC is the VPN client and VPNS is the VPN server.

/etc/config/vpn-policy-routing

config policy
        option interface 'wan'
        option name 'Wireguard Server'
        option src_port '61820'
        option proto 'udp'
        option chain 'FORWARD'

config policy
        option name 'IGNORE Local Trrafic'
        option interface 'ignore'
        option dest_address '192.168.99.0/24'
        option dest_addr '192.168.99.0/24'
        option chain 'OUTPUT'

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option ipv6_enabled '0'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option webui_show_ignore_target '1'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option enabled '1'
        option resolver_ipset 'none'
        list ignored_interface 'vpn'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

(Even if the 'Wireguard Server' PBR policy is deleted, it still does not work.)

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src '*'
        option dest_port '61820'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'VPNC'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'ACCEPT'
        list network 'VPNC'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'VPNC'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'vpn'
        option name 'VPNS'

config forwarding
        option dest 'VPNC'
        option src 'VPNS'

config forwarding
        option dest 'lan'
        option src 'VPNS'

config forwarding
        option dest 'wan'
        option src 'VPNS'

/etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<HIDE>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '<HIDE>'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '<HIDE>'
        option listen_port '61820'
        list addresses '192.168.99.1'

config wireguard_vpn
        option persistent_keepalive '25'
        option preshared_key '<HIDE>'
        option public_key '<HIDE>'
        list allowed_ips '192.168.99.3/32'
        option route_allowed_ips '1'

config interface 'VPNC'
        option proto 'wireguard'
        option private_key '<HIDE>'
        list addresses '<HIDE>'
        list addresses '<HIDE>'
        option mtu '1420'
        option force_link '1'
        option peerdns '0'
        list dns '<HIDE>'

config wireguard_VPNC
        option public_key '<HIDE>'
        option persistent_keepalive '25'
        option endpoint_host '<HIDE>'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option route_allowed_ips '1'

Current version: OpenWrt 21.02.0
Many thanks in advance for the assistance.

The chain must be OUTPUT, as the WG server is running on the OpenWrt router itself.
Other than that, you haven't configured any policy to forward traffic to the Mullvad VPN.
The VPNS zone seems redundant and doesn't need masquerading. You can assign the VPN server interface to the lan zone.


Thank you for your answer :grinning:
I added the following policy and modified the chain and masquerading options, but it still did not work.

config policy
        option name 'Fr'
        option interface 'VPNC'
        option chain 'INPUT'
        option src_port '61820'

While the Mullvad client is connected to the Mullvad server and working, the following logs appear when I connect to the WireGuard (VPNS) server from outside, and the OpenWrt admin page and the NAS on the LAN are not reachable.

[NET] Routine: receive incoming v4 - Stopped
[NET] Routine: receive incoming v4 - Stopped
[NET] UDP bind has been updated
[NET] Routine: receive incoming v4 - Started
[NET] Routine: receive incoming v4 - Started
[NET] perr(<hide>) - Sending handshake initation
[APP] Status update notification timeout for tunnel '<hide>', Tunnel status is now 'connected'

This policy is missing the interface and uses the wrong chain; it should be OUTPUT.


Access has become possible from outside. Thank you!

However, there is a DNS leak. Even when I try the DHCP or DNS forwarding settings, it stays the same.

The following is the policy routing I set up.

config policy
       option name 'Ignore Local Traffic'
       option dest_address '192.168.99.0/24'
       option interface 'wan'

config policy
       option dest_addr '0.0.0.0/0'
       option interface 'VPNC'

The first policy should use "ignore" as the interface. Don't you have this option?
Regarding the DNS leak, make sure you are not using DNS over HTTPS or some other method of bypassing the assigned nameservers.


The DNS leak occurs even when the ignore option is applied. However, if a custom DNS server is applied to the WAN, there is no DNS leak.

There seems to be a problem with the WAN, but I don't know what. After applying the DNS server to the WAN and rebooting, traffic is not forwarded to Mullvad.

Better open a new topic for the DNS leak, if PBR with the client and server now works fine.
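The fixes spread across the replies above (server policy in the OUTPUT chain pinned to wan, the peer subnet on the "ignore" interface, a catch-all policy to VPNC, and the 'vpn' interface moved into the lan zone instead of a masquerading VPNS zone) collected into one script. This is an added example, not the thread participants' code or anything shipped by vpn-policy-routing: it writes the corrected UCI fragments to a directory and lints a UCI file for the three mistakes discussed. It assumes the option names the thread already uses (interface, chain, proto, src_port, dest_addr), the thread's port 61820 and peer subnet 192.168.99.0/24, and the package's default 'append' rule mode, in which the first matching policy wins; the "before" config is constructed from the original post.

```shell
#!/bin/sh
# Added example, not from the thread. Corrected PBR + firewall fragments for the
# "WireGuard server on OpenWrt + Mullvad client" setup, plus a lint for the
# mistakes discussed above. Option names and values are assumed from the thread.
set -eu

WG_PORT=61820              # listen_port of the 'vpn' interface in the thread
WG_NET=192.168.99.0/24     # subnet handed to the WireGuard server's peers

# The WireGuard server runs on the router itself, so its handshake replies are
# locally generated packets: they traverse OUTPUT, never FORWARD, and must be
# pinned to wan, otherwise they follow the default route into the Mullvad
# tunnel and the phone never sees them (the "no RX" symptom).
write_pbr_config() {
    dir=$1
    cat >"$dir/vpn-policy-routing" <<EOF
config policy
        option name 'Wireguard Server'
        option interface 'wan'
        option chain 'OUTPUT'
        option proto 'udp'
        option src_port '$WG_PORT'

config policy
        option name 'Ignore Local Traffic'
        option interface 'ignore'
        option dest_addr '$WG_NET'

config policy
        option name 'Everything else via Mullvad'
        option interface 'VPNC'
        option dest_addr '0.0.0.0/0'
EOF
    # Firewall: 'vpn' joins the lan zone (no VPNS zone, no masquerade). The
    # listen port is opened from wan only, tighter than the thread's src '*'.
    cat >"$dir/firewall" <<EOF
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option proto 'udp'
        option dest_port '$WG_PORT'
        option target 'ACCEPT'
EOF
}

# Parse a UCI text file section by section and check the points raised in the
# replies. Exit status 0 = clean, 1 = at least one problem (each one printed).
lint_pbr_config() {
    awk -v q="'" -v port="$WG_PORT" -v net="$WG_NET" '
        function flush(   k) {
            if (type == "policy") {
                if (opt["src_port"] == port && opt["chain"] != "OUTPUT") {
                    print "policy " q opt["name"] q ": server is local, chain must be OUTPUT (got " opt["chain"] ")"; bad++ }
                if (opt["src_port"] == port && opt["interface"] != "wan") {
                    print "policy " q opt["name"] q ": server replies must leave via wan"; bad++ }
                if (opt["dest_addr"] == net && opt["interface"] != "ignore") {
                    print "policy " q opt["name"] q ": traffic to WireGuard peers must use interface ignore"; bad++ }
                if (opt["interface"] == "VPNC") via_vpnc++
            }
            for (k in opt) delete opt[k]
            type = ""
        }
        $1 == "config" { flush(); type = $2; next }
        $1 == "option" || $1 == "list" {
            val = $0
            sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)   # drop keyword + key
            gsub("^" q "|" q "$", "", val)                             # strip quotes
            opt[$2] = val; next
        }
        END { flush(); if (!via_vpnc) { print "no policy sends traffic to VPNC"; bad++ }; exit (bad > 0) }
    ' "$1"
}

# Constructed "before" config, as in the first post: server policy in FORWARD
# and the ignore policy pinned to wan.
before_config() {
    cat <<EOF
config policy
        option name 'Wireguard Server'
        option interface 'wan'
        option src_port '$WG_PORT'
        option proto 'udp'
        option chain 'FORWARD'

config policy
        option name 'Ignore Local Traffic'
        option dest_addr '$WG_NET'
        option interface 'wan'
EOF
}

tmp=$(mktemp -d)
write_pbr_config "$tmp"
before_config >"$tmp/before"
echo "== before =="; lint_pbr_config "$tmp/before" || echo "(problems found, as expected)"
echo "== after  =="; lint_pbr_config "$tmp/vpn-policy-routing" && echo "clean"
```

On the router the two fragments replace the corresponding sections of /etc/config/vpn-policy-routing and /etc/config/firewall (the VPNS zone and its three forwardings are dropped, since 'vpn' is now a lan network and lan already forwards to VPNC and wan), followed by /etc/init.d/firewall restart and /etc/init.d/vpn-policy-routing restart. The ignore policy only exempts traffic whose destination is a WireGuard peer; a peer's own Internet-bound traffic still matches the catch-all and exits through Mullvad, which is the intended behaviour in this thread.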
