Router connected to a remote server routing all LAN traffic through the tunnel

Hello

I am having problems with an OpenWrt router connecting to a remote server.
What I'm trying to do is connect the router to a proxy server on Linode and route all the traffic from the LAN to the proxy.
I tried some apps like redsocks, squid and wireguard, among others, and I can't get it to work. The only thing I get is the tunnel opened on the router, and then I make it work either through the proxy setup in Firefox or by setting the proxy globally on a laptop connected to the router.

I'm not a network expert and I'm somehow stuck now after trying many things.
Is it possible to do, by the way? How can I do it? I didn't see anyone in the forum discussing this project.
Thanks for your time, I hope to hear from someone soon.
Cheers

I would recommend WireGuard. In order to help, we will need to see your configs. But before you start, I'd recommend that you reset your OpenWrt device and your remote server to defaults and then configure WireGuard and any other odds and ends. This way we are not dealing with a bunch of stuff happening that could conflict.

Once that is all done, we can review your configs.

After resetting the router and creating a fresh proxy server, the last thing I tried is this:
https://upcloud.com/resources/tutorials/get-started-wireguard-vpn
I get stuck when trying to start the connection with sudo wg-quick up wg0, but OpenWrt doesn't recognise the command, and I installed wireguard-tools on it.

Did you try using the OpenWrt process and documentation?? The tutorial you followed has nothing to do with OpenWrt, so it's not surprising it didn't work.

https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

Ok, I'll try tomorrow, but after having a look at it: are the keys for the server also created on the router (which is the client), and then I need to send them to the server? I used to create the keys for the server on the server and vice versa. And then I need to set up the server, but that's done a different way (like the previous upcloud page explains)?
Thanks for the help and sorry for my ignorance; also, after some days of trying many things my brain is a mess.
Cheers

You can create the keys all on one side or the other, or each side creates its own. It doesn't matter as long as the public keys are exchanged properly.

I followed that process for the client and then did the following for the remote Ubuntu server after installing WireGuard on it:

sudo nano /etc/wireguard/wg0.conf with the following content:

[Interface]
Address = 192.168.9.1/24
ListenPort = 51820
PrivateKey = privateserverkeyblablabla…

[Peer]
PublicKey = publicclientkeyblablalblabla…
AllowedIPs = 192.168.9.2/24

sudo ufw allow 51820/udp
sudo ufw status (it seems good)
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
echo 'net.ipv6.conf.all.forwarding=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
sysctl -p /etc/sysctl.d/10-wireguard.conf
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0

And what I have now is an unstable router with no internet; I can't connect to the router.

That shouldn't have happened unless there are errors in your config.

Since you said you cannot connect to the router, you'll want to use failsafe mode to regain access. You can use this to view/edit the existing config and/or reset to defaults. The directions are here:

https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

Assuming you don't reset to defaults, let's take a look at your configuration as it exists now:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

The problem comes after I try to route the traffic from the LAN through the tunnel. Before I forward the traffic I can ping both sides, I run "sudo wg" and it works. Every "experiment" that I do cuts the connection to anything outside.

I repeated that procedure, from a reset and default router parameters, only bridging the wireless network. I still have a connection to the router but not to the outside, and here is what I get:

ubus call system board

{
	"kernel": "4.4.60",
	"hostname": "GL-AXT1800",
	"system": "ARMv7 Processor rev 4 (v7l)",
	"model": "GL Technologies, Inc. AXT1800",
	"board_name": "glinet,axt1800",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02-SNAPSHOT",
		"revision": "r16399+173-c67509efd7",
		"target": "ipq807x/ipq60xx",
		"description": "OpenWrt 21.02-SNAPSHOT r16399+173-c67509efd7",
		"tip-revision": "OpenWrt 21.02-SNAPSHOT r16399+173-c67509efd7 / TIP-devel-35d2b3aa",
		"tip-version": "devel"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd59:7e64:b3a9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	option macaddr '94:83:c4:37:30:aa'

config device
	option name 'eth1'
	option macaddr '94:83:c4:37:30:aa'

config device
	option name 'eth2'
	option macaddr '94:83:c4:37:30:aa'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'

config device
	option name 'eth0'
	option macaddr '94:83:c4:37:30:a9'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

config switch
	option name 'switch0'
	option reset '0'
	option enable_vlan '0'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '1'

config interface 'modem_1_1_2_6'
	option ifname '@modem_1_1_2'
	option proto 'dhcpv6'
	option disabled '1'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SKbrbRf7fdmFhPling3u5bIv+0owCkKGVhGLueUxQFY='
	list addresses '10.0.0.1/24'

config wireguard_wg0 'wgserver'
	option public_key 'L4H++ISWcJHP3MwAZ4qLJelVTD0s2ngmJwZLHyMfUDs='
	option preshared_key '4dRzTImJgI2XJLDkWtRTXT4/gBpncCs5DcRIGVjwMG0='
	option endpoint_host '172.235.157.221'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option hostname '*'
	option mtu '1500'


cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi'
	option band '5g'
	option htmode 'HE80'
	option country 'DE'
	option random_bssid '1'
	option disabled '0'
	option channel 'auto'
	option channels '36,40,44,48'
	option legacy_rates '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr 'BE:B2:1D:4F:9B:74'
	option ssid 'GL-AXT1800-0a9-5G'
	option encryption 'psk2'
	option key '4QTSWJE923'
	option wds '1'
	option isolate '0'
	option ifname 'wlan1'
	option ieee80211k '1'
	option bss_transition '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi+1'
	option band '2g'
	option country 'DE'
	option random_bssid '1'
	option disabled '0'
	option channel 'auto'
	option htmode 'HE40'
	option legacy_rates '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr '82:7F:25:12:EB:41'
	option ssid 'GL-AXT1800-0a9'
	option encryption 'psk2'
	option key '4QTSWJE923'
	option wds '1'
	option isolate '0'
	option ifname 'wlan0'
	option ieee80211k '1'
	option bss_transition '1'

config wifi-iface 'guest5g'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ifname 'wlan1-1'
	option encryption 'psk2'
	option key 'goodlife'
	option ssid 'GL-AXT1800-0a9-5G-Guest'
	option macaddr '0E:12:CD:9B:D2:7D'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'

config wifi-iface 'guest2g'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ifname 'wlan0-1'
	option encryption 'psk2'
	option key 'goodlife'
	option ssid 'GL-AXT1800-0a9-Guest'
	option macaddr 'DA:10:84:34:F4:55'
	option guest '1'
	option disabled '1'
	option wds '1'
	option isolate '1'

config wifi-iface 'sta'
	option mode 'sta'
	option ifname 'sta0'
	option device 'radio0'
	option network 'wwan'
	option ssid 'MIWIFI_qckp'
	option bssid 'a0:18:42:2d:a6:ce'
	option macaddr 'DA:EE:70:2A:BE:34'
	option key 'password1265433'
	option encryption 'psk2'


cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra_slaac '1'
	option force '1'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'disabled'
	option ra 'disabled'


cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'wg0'
	option output 'ACCEPT'
	option forward 'REJECT'

Another thing that I question is: I tried configurations on the server setting the public IP of the router, and other configurations without it. Is it necessary to set up that static IP? Because the plan is to travel with the router, so the IP would be dynamic in every place I go.
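The two configs posted above (the server's /etc/wireguard/wg0.conf and the router's wg0 section) disagree in ways that explain "tunnel up, nothing routed": the server sits in 192.168.9.0/24 while the router addresses itself 10.0.0.1/24, the server's AllowedIPs is a /24 written with host bits set, and the firewall zone that holds wg0 does not masquerade, so LAN sources (192.168.8.x) arrive at the server outside the peer's AllowedIPs and are dropped by WireGuard's cryptokey routing. The script below is an added example, not code from the thread or from OpenWrt; it parses both formats, runs those checks against a copy of the posted configs (keys and the endpoint replaced by placeholders, 198.51.100.10 is a documentation address) and then against a corrected pair. The corrected server config assumes the uplink interface is named eth0 and uses iptables for the NAT rules; on the router side the OpenWrt way to route everything is allowed_ips 0.0.0.0/0 with route_allowed_ips 1 (netifd installs the route; there is no wg-quick on OpenWrt, wireguard-tools only provides wg for inspection).

```python
# Added example, not code from the thread: cross-check the server's wg0.conf against
# the OpenWrt client's UCI (network + firewall) for mismatches that break route-all-LAN.
import ipaddress
import re

# Constructed from the two configs posted above; keys and endpoint are placeholders.
SERVER_CONF = """
[Interface]
Address = 192.168.9.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
[Peer]
PublicKey = <router-public-key>
AllowedIPs = 192.168.9.2/24
"""
CLIENT_UCI = """
config interface 'wg0'
    option private_key '<router-private-key>'
    list addresses '10.0.0.1/24'
config wireguard_wg0 'wgserver'
    option public_key '<server-public-key>'
    option endpoint_host '198.51.100.10'
    option persistent_keepalive '25'
    option route_allowed_ips '1'
    list allowed_ips '0.0.0.0/0'
config zone 'wan'
    option name 'wan'
    list network 'wg0'
"""
# Corrected pair: one tunnel subnet, a /32 for the client, NAT on both ends (uplink name eth0 assumed).
SERVER_FIXED = """
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <router-public-key>
AllowedIPs = 10.0.0.2/32
"""
CLIENT_FIXED = CLIENT_UCI.replace("10.0.0.1/24", "10.0.0.2/24").replace(
    "list network 'wg0'", "list network 'wg0'\n    option masq '1'\n    option mtu_fix '1'")

def parse_wg_conf(text):
    """wg-quick INI -> {'Interface': {key: [values]}, 'Peer': [{key: [values]}, ...]}"""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            cur.setdefault(key, []).extend(v.strip() for v in value.split(","))
    return {"Interface": iface, "Peer": peers}

def parse_uci(text):
    """UCI text -> [(section_type, section_name, {option: [values]}), ...]"""
    sections = []
    for raw in text.splitlines():
        tok = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", raw)]
        if tok and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok and tok[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(tok[1], []).append(tok[2])
    return sections

def check_pair(server_conf, client_uci, ifname="wg0"):
    """Return a list of findings; an empty list means the two sides agree."""
    server, sections = parse_wg_conf(server_conf), parse_uci(client_uci)
    iface = next(o for t, n, o in sections if t == "interface" and n == ifname)
    peers = [o for t, _, o in sections if t == "wireguard_" + ifname]
    zones = [o for t, _, o in sections if t == "zone" and ifname in o.get("network", [])]
    nets = [ipaddress.ip_interface(a).network for a in server["Interface"].get("Address", [])]
    ips = [ipaddress.ip_interface(a).ip for a in iface.get("addresses", [])]
    # 1. Both ends must share the tunnel subnet, or replies have no route back.
    found = [f"client {ip} is outside the server tunnel subnet(s) {[str(n) for n in nets]}"
             for ip in ips if not any(ip in n for n in nets)]
    # 2. Cryptokey routing: the server drops packets whose source is outside the peer's
    #    AllowedIPs; a prefix written with host bits set was almost surely meant as a /32.
    raw = [a for p in server["Peer"] for a in p.get("AllowedIPs", [])]
    found += [f"server AllowedIPs {a} has host bits set; use a /32 for one client" for a in raw
              if ipaddress.ip_interface(a).ip != ipaddress.ip_interface(a).network.network_address]
    allowed = [ipaddress.ip_network(a, strict=False) for a in raw]
    found += [f"server AllowedIPs {[str(n) for n in allowed]} exclude client {ip}: packets dropped"
              for ip in ips if not any(ip in n for n in allowed)]
    # 3. Route-all needs the default route installed on the router and a keepalive so a
    #    roaming router behind NAT keeps its mapping open (the server needs no Endpoint).
    for p in peers:
        if "0.0.0.0/0" in p.get("allowed_ips", []) and p.get("route_allowed_ips", ["0"])[0] != "1":
            found.append("client lists 0.0.0.0/0 but route_allowed_ips is off: no default route")
        if "persistent_keepalive" not in p:
            found.append("client peer has no persistent_keepalive; a router behind NAT goes silent")
    # 4. LAN sources (192.168.8.x) are not in the server's AllowedIPs for this peer, so the
    #    zone holding wg0 must masquerade them behind the router's tunnel address.
    found += [f"zone {z['name'][0]} holds {ifname} without masq: LAN sources are dropped by the server"
              for z in zones if z.get("masq", ["0"])[0] != "1"]
    return found

if __name__ == "__main__":
    print(*check_pair(SERVER_CONF, CLIENT_UCI), sep="\n")
```

Run as-is it reports four findings for the posted pair and none for the corrected one. Two points the check encodes that answer the dynamic-IP question: the server's [Peer] deliberately has no Endpoint, because WireGuard learns a peer's current address from each authenticated handshake, so a travelling router never needs a fixed public IP, and persistent_keepalive on the router is what keeps the NAT mapping alive in the other direction. The private key and preshared key in the router config above were posted in clear text, so they should be regenerated (wg genkey, wg genpsk) before the setup is used.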

You appear to be running the vendor firmware (from GL.iNet). You need to ask them for help if you are running their firmware, since they have made major modifications to how OpenWrt functions; it is no longer the same as official OpenWrt.

Your device is not supported by the official project, otherwise I would suggest that you install firmware from here and then we could help you on these forums.
