Hello,
As the title says, I am trying to get Proton VPN working with the WireGuard protocol. I used it with OpenVPN before, but I experienced network timeouts on my Wi-Fi connection; I was using PBR to route all traffic from my PC directly to my ISP and to send every other device (the ones connected via Wi-Fi) through the VPN.
Now I have switched to the WireGuard protocol, but I have no network access on my Wi-Fi AP. Only my PC has connectivity, because PBR routes it directly to my ISP.
Here is also a github post with more details:
https://github.com/openwrt/openwrt/issues/17293
Best regards,
brada4
December 17, 2024, 7:56pm
Please help with some data about your setup (redact public IPs, MAC addresses, keys and other secrets before posting):
ubus call system board
cat /etc/config/network # clean before post
cat /etc/config/firewall
cat /etc/config/pbr
wg show #clean this
Hello,
sure.
root@Jaeger_ZimaBoard_OpenWrt:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "Jaeger_ZimaBoard_OpenWrt",
"system": "Intel(R) Celeron(R) CPU N3350 @ 1.10GHz",
"model": "Default string Default string",
"board_name": "default-string-default-string",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "x86/64",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
# /etc/config/network (as posted; keys, credentials and addresses redacted by the poster)
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxxxxxxxx'
# LAN bridge. The 1492 here is the LAN-side MTU and simply mirrors the PPPoE
# uplink; it is the tunnel device at the end of this file whose MTU has to
# leave room for WireGuard encapsulation.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
option mtu '1492'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option delegate '0'
# ISP uplink: PPPoE on eth1 (credentials redacted). IPv6 is switched off here
# and wan6 is disabled below, which also closes the usual IPv6 leak path
# around an IPv4-only tunnel. peerdns '0' plus the static Cloudflare servers
# mean the router's own resolver upstream is reached over the ISP link, not
# the VPN (compare the dns entry on the VPN interface further down).
config interface 'wan'
option device 'eth1'
option proto 'pppoe'
option username 'xxxxxxx'
option password 'xxxxxx'
option ipv6 '0'
option peerdns '0'
option delegate '0'
option sourcefilter '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
# IPv6 uplink, present but disabled (auto '0', disabled '1').
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option auto '0'
option disabled '1'
# Second address on eth1 for reaching the upstream FritzBox modem/router; the
# firewall puts this network in the wan zone, so it is treated as untrusted
# and masqueraded like the PPPoE link.
config interface 'FritzBox'
option proto 'static'
option device 'eth1'
option ipaddr '192.168.1.10'
option netmask '255.255.255.0'
# WireGuard tunnel to Proton (private key and tunnel address redacted).
# auto '0' means netifd does not bring the interface up at boot: after a
# reboot the tunnel stays down until started by hand, and VPN-bound clients
# then depend on pbr's strict_enforcement (see the pbr config) to be blocked
# rather than leaked to the ISP. The dns entry is presumably the provider's
# tunnel-side resolver; it is handed to dnsmasq alongside the WAN's 1.1.1.1
# entries, and which upstream actually answers LAN clients is not visible
# here — VPN-routed clients may still resolve over the ISP path (DNS leak).
# Verify with a leak test from a VPN-routed device.
config interface 'ProtonVPNwg0'
option proto 'wireguard'
option private_key 'xxxxxxxxxx'
list addresses 'xxxxxx'
option delegate '0'
list dns '10.2.0.1'
option auto '0'
# Peer: allowed_ips 0.0.0.0/0 lets any destination enter the tunnel, while
# route_allowed_ips '0' keeps WireGuard from installing a default route —
# the correct combination when pbr decides which sources use the tunnel.
config wireguard_ProtonVPNwg0
option description 'Imported peer configuration'
option public_key 'xxxxxxxxxx'
option route_allowed_ips '0'
option persistent_keepalive '25'
option endpoint_host 'xxxxx'
option endpoint_port 'xxxxxxx'
list allowed_ips '0.0.0.0/0'
# NOTE(review): the tunnel MTU equals the PPPoE MTU. WireGuard wraps every
# tunnelled packet in its own IPv4 + UDP + WireGuard headers (about 60
# bytes), so full-size tunnel packets cannot be carried over the 1492-byte
# uplink without fragmentation; the usual value is uplink MTU - 60 = 1432.
# The poster later reports that deleting this section alone did not restore
# connectivity, but it is still worth correcting.
config device
option name 'ProtonVPNwg0'
option mtu '1492'
# /etc/config/firewall (as posted)
# Stock OpenWrt defaults: unsolicited input and forwarding are rejected,
# locally generated traffic is allowed, SYN-flood protection is on.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# NOTE(review): masq '1' on the LAN zone makes the router SNAT everything it
# forwards out through br-lan to its own LAN address, so LAN hosts never see
# the real source of a forwarded connection and per-source filtering or
# logging on those hosts becomes useless. A plain LAN does not need it;
# brada4 recommends removing the line.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
option masq '1'
# WAN zone: the PPPoE uplink, the (disabled) wan6 and the FritzBox
# management network all count as untrusted and are masqueraded; mtu_fix
# clamps TCP MSS to the path MTU of this link.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'FritzBox'
# The rules from here down to Allow-ISAKMP look like the stock OpenWrt 23.05
# ruleset (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec pass-through).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): these two stock rules forward unsolicited ESP and UDP/500
# from the Internet into the LAN. They are only useful if a LAN host
# terminates IPsec; on a router whose purpose is to push LAN traffic out
# through WireGuard they can be disabled.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Zone for the WireGuard tunnel: nothing is accepted from the tunnel side
# (input/forward REJECT), traffic leaving through it is masqueraded, and it
# is IPv4-only, matching ipv6_enabled '0' in pbr. mtu_fix clamps TCP MSS for
# tunnelled flows, which is likely the only thing keeping large TCP
# transfers working while the tunnel MTU is set as high as the uplink MTU;
# UDP gets no such help.
config zone
option name 'ProtonVPNFW'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option family 'ipv4'
list network 'ProtonVPNwg0'
option mtu_fix '1'
# pbr's firewall hook (fw4-compatible script include).
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
# Every LAN host may exit directly via the ISP. fw4 evaluates explicit rules
# before zone forwardings, so the 'WAP to WAN' REJECT below still wins for
# the two listed addresses.
config forwarding
option src 'lan'
option dest 'wan'
# 'WAP to VPN': redundant for LAN-sourced traffic, since the
# lan -> ProtonVPNFW forwarding at the end of the file already accepts every
# LAN source.
# NOTE(review): 192.168.2.126/.127 are described as the wireless access
# points. If the APs bridge their clients onto the LAN (normal AP mode),
# client packets carry the clients' own addresses and match neither this
# rule nor the REJECT below, so the intended "Wi-Fi goes via VPN" policy
# then rests on pbr alone. Confirm how the APs are deployed.
config rule
option src '*'
option dest 'ProtonVPNFW'
option target 'ACCEPT'
option name 'WAP to VPN'
list src_ip '192.168.2.127'
list src_ip '192.168.2.126'
# 'WAP to WAN': a kill switch for the two AP addresses only — they can never
# reach the ISP directly even while the tunnel is down. No other LAN host
# gets this protection from the firewall; for them it depends on pbr's
# strict_enforcement.
config rule
option name 'WAP to WAN'
option src '*'
option dest 'wan'
option target 'REJECT'
list src_ip '192.168.2.127'
list src_ip '192.168.2.126'
# Every LAN host may also enter the tunnel; pbr decides which ones do.
config forwarding
option src 'lan'
option dest 'ProtonVPNFW'
# /etc/config/pbr (as posted)
config pbr 'config'
option enabled '1'
option verbosity '2'
# strict_enforcement: per the pbr documentation, traffic matched by a policy
# whose gateway interface is down is dropped instead of falling back to the
# default route. With the tunnel at auto '0' in /etc/config/network this is
# what should stop VPN-bound clients from leaking to the ISP after a reboot
# until the tunnel is started — worth confirming with a test.
option strict_enforcement '1'
# resolver_set 'none': pbr does not force a DNS upstream. LAN clients keep
# resolving through the router's dnsmasq, whose upstreams include the WAN's
# 1.1.1.1 entries, so VPN-routed clients may still leak DNS over the ISP
# link — verify from a VPN-routed device.
option resolver_set 'none'
list resolver_instance '*'
# IPv4 only, consistent with the IPv4-only tunnel zone and IPv6 being off on
# the uplink.
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_boot_delay '0'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
# Example includes and example policies shipped with pbr; all disabled and
# not involved in the problem.
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.wg_server_and_client'
option enabled '0'
config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '192.168.1.5'
option dest_dns '1.1.1.1'
option enabled '0'
config policy
option name 'Ignore Local Requests'
option interface 'ignore'
option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
option enabled '0'
config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'
config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'
# The poster's own policies. The PC is pinned to the ISP by source address;
# this is the part reported as working.
config policy
option name 'Sir_Newis_PC'
option src_addr '192.168.2.100'
option interface 'wan'
# Catch-all meant to push everything else into the tunnel.
# NOTE(review): as far as its README goes, pbr requires at least one of
# src_addr/src_port/dest_addr/dest_port on a policy and skips one that has
# none. If that applies here this policy is never installed and nothing
# actually steers the Wi-Fi clients into the tunnel — check
# `service pbr status` / logread for a "no source/destination" message, and
# consider `option src_addr '192.168.2.0/24'` with the PC policy kept above it.
config policy
option name 'All_IPs'
option interface 'ProtonVPNwg0'
interface: ProtonVPNwg0
public key: xxxxxxxxxxxxxxxxxxxx
private key: (hidden)
listening port: xxxxx
peer: xxxxxxxxxxxx
endpoint: xxxxxxx
allowed ips: 0.0.0.0/0
latest handshake: 4 hours, 51 minutes, 59 seconds ago
transfer: 276 B received, 892 B sent
persistent keepalive: every 25 seconds
brada4
December 17, 2024, 8:38pm
Sir_Newis:
option mtu '1492'
This is too big. Just delete that section and restart the wg connection.
Also remove the masq line from the LAN zone.
It is not too big; it is the same MTU my ISP link uses, and it works there. I also tried without setting an MTU, but it still doesn't work — no network on the VPN interface.
brada4
December 17, 2024, 9:33pm
Well, the arithmetic will never work out: WireGuard wraps every tunnelled packet in its own IPv4 + UDP + WireGuard headers (roughly 60 bytes), so a tunnel MTU equal to the PPPoE MTU of 1492 cannot fit inside the 1492-byte link — the 8 bytes PPPoE already takes from 1500 are not spare room. The tunnel MTU needs to be about 60 bytes lower than the WAN MTU.
mk24
December 17, 2024, 9:49pm
I think you said wired users (lan) should go via the VPN and wireless users should go directly to the WAN. That means you need to set up a separate network (including its own IP subnet and DHCP server) and firewall zone for the wireless users. This is in addition to a zone for the VPN tunnel, though you could instead place the VPN tunnel in the wan zone.
@brada4 I deleted the MTU and saved, but there is still no connection through the interface.
@mk24 The other way around. I want my PC to go through the ISP (that part is working) and all other devices to go through the VPN (all other devices are connected via a wireless access point).
I configured my PBR policies so that my PC goes through the ISP and the other devices go through the VPN, but for some reason it isn't working. I also watched Dev Odyssey's video on WireGuard VPN and did it exactly the same way, but it isn't working.
I do not need a separate network, as this was working fine with OpenVPN. I want to switch to WireGuard because I had network timeouts on the OpenVPN interface after 24–48 h, and to get Wi-Fi connectivity back I had to reboot the router.
At the moment I am simply out of options as to why it isn't working, although the configuration looks fine.
brada4
December 17, 2024, 10:45pm
Sort of read through answers.
Well, I just made it work. It is unbelievable what was causing the issue.
I logged in to the router with WinSCP and found an openvpn config file in /etc/config; although I had removed the OpenVPN protocol from the router, this file had somehow been left behind in the config folder. That exact file was causing the issue.
I hope this helps if someone has the same issue.