Greetings, I’ve been having a bit of a hellish time trying to set up my Raspberry Pi 4 (B) to run WireGuard on it (primarily for travel; it being rather small, etc.), with the idea of connecting my phone, laptop, etc. to the RPi so that it functions as an Access Point (AP) or a secure WiFi hotspot. Here is some of what I’ve been grappling with and where I’m stuck at the moment:
- I followed the OpenWrt webpage to simply install the latest image (OpenWrt 21.02.1) and get it to work (no WireGuard involvement yet); this was a fresh install, BTW
- I connected my WAN ethernet cable to the single port and connected the RPi to a keyboard/screen
- I was NOT able to ping anything internal or external
- I had to modify the static IP (defaults to 192.168.1.1) to dynamic/DHCP, which got my pings to go through
- (humble opinion) I'm not a fan of having a dynamic IP address for my router as that, in my limited experience, tends to complicate things needlessly (/humble opinion)
- I enabled WiFi and was able to connect to the RPi and all was working (though I had no idea what the RPi’s IP address was in order to muck around with LuCI – ‘ifconfig -a’ on the console gave me that info - this will certainly be a headache moving forward)
- So everything was functioning now: the RPi is able to ping things on its own (via console) and is working fine as an AP (i.e. WiFi)
- I then installed WireGuard following the instructions noted for a client (I’ve done this before) and all the appropriate interfaces seem to have come up OK; here’s where it gets interesting
- I can surf the web just fine from both the RPi and my laptop (connected to the RPi’s AP), but my IP isn’t being obfuscated/hidden. It’s as though the VPN is not running, but it is.
- I ran some debugging and I can see, through traceroute, that the WireGuard connection is getting established just fine, yet I’m at a loss as to what to do next and/or why my IP continues to show my local ISP IP address. I’m including some “relevant” info below for comment/guidance. I suspect my routing or firewall is messed up, and going through the documentation has only gotten me more confused - argh!
I’d really appreciate any help...
Feel free to ask if I've missed anything relevant or you'd like to see a dump/log of something in particular.
Detailed info and Various Logs
A. Initially, I wanted to get this accomplished - I wasn't able to and so abandoned the effort.
                    wifi                               wired               wan
mobile-phone <~.~.~.~.~> (wlan0) RPi (eth0) <---------> router <-----> INTERNET
     \                     /           \                   /
   (dhcp)            192.168.10.1   192.168.70.8      192.168.70.1
B. This is the current "working" situation - my issue now is that WireGuard is not working properly.
                                        RPi
                    wifi      ┌────────bridge────────┐      wired               wan
mobile-phone <.~.~.~.~.~>     │ (wlan0)  br0  (eth0) │ <--------> router <-----> INTERNET
     \                                    |                            /
   (dhcp                            (dhcp from router             DHCP server
    from router)                     - 192.168.70.8)              - 192.168.70.1
-- Info - bits from /etc/config/network
config interface 'vpn'
	option proto 'wireguard'
	option private_key '_REMOVED_'
	list addresses '198.19.3.134/16'

config wireguard_vpn 'wgserver'
	option public_key '_REMOVED_'
	option endpoint_host '23.183.129.11'
	option endpoint_port '32381'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
-- root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 vpn
23.183.129.11   192.168.70.1    255.255.255.255 UGH   0      0        0 br-lan
192.168.70.0    *               255.255.255.0   U     0      0        0 br-lan
198.19.0.0      *               255.255.0.0     U     0      0        0 vpn
-- root@OpenWrt:~# ip route
default dev vpn scope link
23.183.129.11 via 192.168.70.1 dev br-lan
192.168.70.0/24 dev br-lan scope link src 192.168.70.8
198.19.0.0/16 dev vpn scope link src 198.19.3.134
-- root@OpenWrt:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether dc:a6:32:f2:fd:18 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether dc:a6:32:f2:fd:19 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::dea6:32ff:fef2:fd19/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether dc:a6:32:f2:fd:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.70.8/24 brd 192.168.70.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd1c:991c:6ab0::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::dea6:32ff:fef2:fd18/64 scope link
       valid_lft forever preferred_lft forever
9: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534]
    inet 198.19.3.134/16 brd 198.19.255.255 scope global vpn
       valid_lft forever preferred_lft forever
-- root@OpenWrt:~# traceroute google.com
traceroute to google.com (142.250.181.110), 30 hops max, 46 byte packets
1 198.19.0.1 (198.19.0.1) 260.039 ms 259.998 ms 260.079 ms
2 v111.ce02.phx-01.us.leaseweb.net (23.183.129.61) 260.962 ms v111.ce01.phx-01.us.leaseweb.net (23.183.129.60) 260.612 ms v111.ce02.phx-01.us.leaseweb.net (23.183.129.61) 261.278 ms
3 ae-1.br01.phx-01.us.leaseweb.net (173.208.127.2) 260.726 ms be-2.br02.phx-01.us.leaseweb.net (173.208.127.8) 260.070 ms ae-1.br01.phx-01.us.leaseweb.net (173.208.127.2) 260.056 ms
4 phx-b1-link.ip.twelve99.net (62.115.165.76) 261.275 ms 261.602 ms 262.867 ms
5 fjr04s08-in-f14.1e100.net (142.250.181.110) 508.296 ms 508.649 ms 507.425 ms
-- root@OpenWrt:~# pgrep -f -a wg; wg show; wg showconf vpn
3332 wg-crypt-vpn
3936 kworker/1:2-wg-
3975 kworker/2:1-wg-

interface: vpn
  public key: _REMOVED_
  private key: (hidden)
  listening port: 42055

peer: _REMOVED_
  endpoint: 23.183.129.11:32381
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 15 seconds ago
  transfer: 10.68 KiB received, 22.25 KiB sent
  persistent keepalive: every 25 seconds

[Interface]
ListenPort = 42055
PrivateKey = _REMOVED_

[Peer]
PublicKey = _REMOVED_
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 23.183.129.11:32381
PersistentKeepalive = 25
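Added diagnostic for this kind of setup (example code written for this page; it is not from the original post, nor from OpenWrt or WireGuard). It takes the text of `ip route` on the router, `uci show firewall`, and `ip route` on a client, and checks offline the conditions a LAN client's packets must satisfy before they can leave through the tunnel: the router's default route is on the tunnel device and the endpoint has a host route via the physical gateway (both hold in the output above), the firewall has a masquerading vpn zone with a lan to vpn forwarding, and the client's default gateway is the RPi rather than the upstream router (in layout B the clients take DHCP from the upstream router, so this is worth verifying). The zone names `lan` and `vpn`, the interface name `vpn`, the `uci show firewall` excerpts and the client route tables are assumptions and constructed samples, since the post shows neither.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the original post): checks the
# conditions a LAN client's traffic must meet to leave through a WireGuard
# tunnel on an OpenWrt router.  It works on captured command output, so it
# can be run off the box.  Assumptions: the WireGuard interface and its
# firewall zone are both named 'vpn' and the LAN zone is 'lan'; the post
# shows no firewall config, so the `uci show firewall` samples are constructed.

# Device carrying the router's default route (should be the tunnel device).
default_dev() {   # $1 = output of `ip route`
    printf '%s\n' "$1" | awk '$1=="default" { for (i=1;i<=NF;i++) if ($i=="dev") print $(i+1); exit }'
}

# The encrypted packets to the peer must not be routed into the tunnel themselves:
# a host route for the endpoint via the physical gateway has to be present.
endpoint_route_ok() {   # $1 = output of `ip route`, $2 = endpoint IP
    printf '%s\n' "$1" | awk -v ip="$2" '$1==ip && $2=="via" { f=1 } END { exit !f }'
}

# Firewall: the VPN zone must masquerade (client 192.168.x addresses are not
# valid inside the tunnel) and a lan -> vpn forwarding must exist.
# Prints "ok" or the first missing piece; exit status follows.
firewall_check() {   # $1 = output of `uci show firewall`, $2 = lan zone, $3 = vpn zone
    printf '%s\n' "$1" | awk -F '=' -v lan="$2" -v vpn="$3" -v q="'" '
    {
        split($1, p, "."); sect = p[2]; opt = p[3]; val = $2; gsub(q, "", val)
        if (sect ~ /^@zone/ && opt == "name") zname[sect] = val
        if (sect ~ /^@zone/ && opt == "masq") zmasq[sect] = val
        if (sect ~ /^@forwarding/ && opt == "src")  fsrc[sect] = val
        if (sect ~ /^@forwarding/ && opt == "dest") fdst[sect] = val
    }
    END {
        vz = ""; for (s in zname) if (zname[s] == vpn) vz = s
        if (vz == "")         { print "no firewall zone named " vpn; exit 1 }
        if (zmasq[vz] != "1") { print "zone " vpn " does not masquerade (set masq=1)"; exit 1 }
        for (s in fsrc) if (fsrc[s] == lan && fdst[s] == vpn) { print "ok"; exit 0 }
        print "no forwarding from " lan " to " vpn; exit 1
    }'
}

# On the client: packets only reach the tunnel if the default gateway is the router.
client_gateway() {   # $1 = output of `ip route` on the client
    printf '%s\n' "$1" | awk '$1=="default" { for (i=1;i<=NF;i++) if ($i=="via") print $(i+1); exit }'
}

diagnose() {   # $1 router routes, $2 endpoint IP, $3 uci firewall, $4 client routes, $5 router LAN IP
    rc=0
    dev=$(default_dev "$1")
    [ "$dev" = "vpn" ] || { echo "router default route uses '$dev', not the tunnel"; rc=1; }
    endpoint_route_ok "$1" "$2" || { echo "no host route for endpoint $2 via the physical gateway"; rc=1; }
    fw=$(firewall_check "$3" lan vpn) || { echo "firewall: $fw"; rc=1; }
    gw=$(client_gateway "$4")
    [ "$gw" = "$5" ] || { echo "client default gateway is '$gw', so it bypasses the router at $5"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Sample input: the router's `ip route` as posted above.
ROUTER_ROUTES="default dev vpn scope link
23.183.129.11 via 192.168.70.1 dev br-lan
192.168.70.0/24 dev br-lan scope link src 192.168.70.8
198.19.0.0/16 dev vpn scope link src 198.19.3.134"

# Constructed `uci show firewall` excerpts: one without, one with a usable vpn zone.
FW_BASE="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].network='vpn'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'"
FW_BROKEN="$FW_BASE
firewall.@zone[2].masq='0'"
FW_FIXED="$FW_BASE
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpn'"

# Constructed client route tables: one pointing at the upstream router (what DHCP
# from it would hand out in layout B), one pointing at the RPi.
CLIENT_BYPASS="default via 192.168.70.1 dev wlan0 proto dhcp
192.168.70.0/24 dev wlan0 proto kernel scope link"
CLIENT_VIA_RPI="default via 192.168.70.8 dev wlan0 proto dhcp
192.168.70.0/24 dev wlan0 proto kernel scope link"

if [ "${1:-}" = "demo" ]; then
    echo "== constructed broken case =="; diagnose "$ROUTER_ROUTES" 23.183.129.11 "$FW_BROKEN" "$CLIENT_BYPASS" 192.168.70.8
    echo "== constructed fixed case ==";  diagnose "$ROUTER_ROUTES" 23.183.129.11 "$FW_FIXED" "$CLIENT_VIA_RPI" 192.168.70.8
fi
```

Run it with `sh diag.sh demo` to see both constructed cases; on a real box, feed `"$(ip route)"` and `"$(uci show firewall)"` from the RPi and the client's own `ip route` output into `diagnose`. Every check reads plain text, so nothing here needs root or touches the live configuration.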