Greetings, I’ve been having a bit of a hellish time trying to set up my Raspberry Pi 4 (B) in order to run WireGuard on it (primarily for travel; it being rather small, etc.) with the idea of connecting my phone, laptop, etc. to the RPi in order for it to function as an Access Point (AP) or a secure WiFi hotspot. Here is some of what I’ve been grappling with and where I’m stuck at the moment:
- I followed the OpenWRT webpage to simply install the latest image (OpenWrt 21.02.1) and get it working (no WireGuard involvement yet); this was a fresh install BTW
- I connected my WAN ethernet cable to the single port and connected the RPi to a keyboard/screen
- I was NOT able to ping anything internal or external
- I had to modify the static IP (defaults to 192.168.1.1) to dynamic/dhcp which got my pings to go through
- (humble opinion) I'm not a fan of having a dynamic IP address for my router as that, in my limited experience, tends to complicate things needlessly (/humble opinion)
- I enabled WiFi and was able to connect to the RPi and all was working (though I had no idea what the RPi’s IP address was in order to muck around with LuCI – ‘ifconfig -a’ on the console gave me that info - this will certainly be a headache moving forward)
- So everything was functioning now, the RPi is able to ping things on its own (via console) and is working fine as an AP (i.e. WiFi)
- I then installed WireGuard following the instructions noted for a client (I’ve done this before) and all the appropriate interfaces seem to have come up OK; here’s where it gets interesting
- I can surf the web just fine from both the RPi and my laptop (connected to the RPi’s AP) but my IP isn’t being obfuscated/hidden. It’s as though the VPN is not running, but it is.
- I ran some debug and I can see, through traceroute, that the WireGuard connection is getting established just fine, yet I’m at a loss as to what to do next and/or why my IP continues to show my local ISP IP address. I’m including some “relevant” info below for comment/guidance. I suspect my routing or firewall are messed up and going through the documentation has only gotten me more confused - argh!
I’d really appreciate any help...
Feel free to ask if I've missed anything relevant or you'd like to see a dump/log of something in particular.
A. Initially, I wanted to get this accomplished - I wasn't able to and so abandoned the effort.
```
                 wifi                           wired wan
mobile-phone <~.~.~.~.~> (wlan0)RPi(eth0) <---------> router <-----> INTERNET
     \                     /          \                  /
   (dhcp)           192.168.10.1   192.168.70.8     192.168.70.1
```
B. This is the current "working" situation - my issue now is that WireGuard is not working properly.
```
                                    RPi
                 wifi      ┌─────bridge───────┐     wired wan
mobile-phone <.~.~.~.~>    │(wlan0) br0 (eth0)│ <-------> router <-----> INTERNET
     \                           |                           /
   (dhcp                       (dhcp                   DHCP-server -
 from router)           from router - 192.168.70.8)    192.168.70.1
```
-- Info - bits from /etc/config/network
```
config interface 'vpn'
	option proto 'wireguard'
	option private_key '_REMOVED_'
	list addresses '198.19.3.134/16'

config wireguard_vpn 'wgserver'
	option public_key '_REMOVED_'
	option endpoint_host '220.127.116.11'
	option endpoint_port '32381'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
```
-- root@OpenWrt:~# route
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 vpn
18.104.22.168   192.168.70.1    255.255.255.255 UGH   0      0        0 br-lan
192.168.70.0    *               255.255.255.0   U     0      0        0 br-lan
198.19.0.0      *               255.255.0.0     U     0      0        0 vpn
```
-- root@OpenWrt:~# ip route
```
default dev vpn scope link
22.214.171.124 via 192.168.70.1 dev br-lan
192.168.70.0/24 dev br-lan scope link src 192.168.70.8
198.19.0.0/16 dev vpn scope link src 198.19.3.134
```
-- root@OpenWrt:~# ip addr
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether dc:a6:32:f2:fd:18 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether dc:a6:32:f2:fd:19 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::dea6:32ff:fef2:fd19/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether dc:a6:32:f2:fd:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.70.8/24 brd 192.168.70.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd1c:991c:6ab0::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::dea6:32ff:fef2:fd18/64 scope link
       valid_lft forever preferred_lft forever
9: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/
    inet 198.19.3.134/16 brd 198.19.255.255 scope global vpn
       valid_lft forever preferred_lft forever
```
-- root@OpenWrt:~# traceroute google.com
```
traceroute to google.com (126.96.36.199), 30 hops max, 46 byte packets
 1  198.19.0.1 (198.19.0.1)  260.039 ms  259.998 ms  260.079 ms
 2  v111.ce02.phx-01.us.leaseweb.net (188.8.131.52)  260.962 ms  v111.ce01.phx-01.us.leaseweb.net (184.108.40.206)  260.612 ms  v111.ce02.phx-01.us.leaseweb.net (220.127.116.11)  261.278 ms
 3  ae-1.br01.phx-01.us.leaseweb.net (18.104.22.168)  260.726 ms  be-2.br02.phx-01.us.leaseweb.net (22.214.171.124)  260.070 ms  ae-1.br01.phx-01.us.leaseweb.net (126.96.36.199)  260.056 ms
 4  phx-b1-link.ip.twelve99.net (188.8.131.52)  261.275 ms  261.602 ms  262.867 ms
 5  fjr04s08-in-f14.1e100.net (184.108.40.206)  508.296 ms  508.649 ms  507.425 ms
```
-- root@OpenWrt:~# pgrep -f -a wg; wg show; wg showconf vpn
```
3332 wg-crypt-vpn
3936 kworker/1:2-wg-
3975 kworker/2:1-wg-
interface: vpn
  public key: _REMOVED_
  private key: (hidden)
  listening port: 42055

peer: _REMOVED_
  endpoint: 220.127.116.11:32381
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 15 seconds ago
  transfer: 10.68 KiB received, 22.25 KiB sent
  persistent keepalive: every 25 seconds
[Interface]
ListenPort = 42055
PrivateKey = _REMOVED_

[Peer]
PublicKey = _REMOVED_
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 18.104.22.168:32381
PersistentKeepalive = 25
```
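A check that can be run over the `ip addr` and `ip route` text posted above to separate "the box itself routes through the tunnel" from "the clients behind it do". This is an added example, not the poster's or OpenWrt's code; the interface names (eth0, wlan0, br-lan, vpn) are taken from the post and the sample output is a constructed, trimmed copy of the posted lines.

```python
import re

# Constructed copies of the `ip addr` and `ip route` lines posted above, trimmed
# to the fields the checks need; interface names are the ones in the post.
IP_ADDR_SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.70.8/24 brd 192.168.70.255 scope global br-lan
9: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 198.19.3.134/16 brd 198.19.255.255 scope global vpn
"""
IP_ROUTE_SAMPLE = """\
default dev vpn scope link
192.168.70.0/24 dev br-lan scope link src 192.168.70.8
198.19.0.0/16 dev vpn scope link src 198.19.3.134
"""


def bridge_members(ip_addr_text):
    """Map each enslaved interface to its bridge, e.g. {'eth0': 'br-lan'}."""
    pattern = re.compile(r"^\d+: (\S+): <[^>]*>.*? master (\S+)", re.M)
    return {m.group(1): m.group(2) for m in pattern.finditer(ip_addr_text)}


def default_route_dev(ip_route_text):
    """Return the device the IPv4 default route leaves through, or None."""
    m = re.search(r"^default .*?\bdev (\S+)", ip_route_text, re.M)
    return m.group(1) if m else None


def check_tunnel_path(ip_addr_text, ip_route_text, wan_if="eth0",
                      lan_if="wlan0", tunnel_if="vpn"):
    """Return findings that explain why LAN clients might bypass the tunnel.

    A default route via the tunnel only affects traffic the box itself routes.
    If the WAN port and the Wi-Fi are ports of the same bridge, client frames
    are switched to the upstream router at layer 2 and never hit that route.
    """
    findings = []
    if default_route_dev(ip_route_text) != tunnel_if:
        findings.append(f"default route does not leave via {tunnel_if}")
    members = bridge_members(ip_addr_text)
    if wan_if in members and members.get(lan_if) == members[wan_if]:
        findings.append(f"{wan_if} and {lan_if} are both ports of "
                        f"{members[wan_if]}: client traffic is bridged to the "
                        f"upstream router and is never routed through {tunnel_if}")
    return findings
```

Paste the live output of the two commands into the two sample strings to run it against another box.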