I have an OpenWrt router and an Android smartphone.
I have set up WireGuard on the phone and added a WireGuard interface on the router.
The phone's WireGuard settings are as follows:
name: wg2
public key: phone public key
Addresses: 172.16.0.2/32
Peer:
Public key: router public key
Allowed IPs:
192.168.1.0/24, 172.16.0.0/24
Endpoint: the router's public IP address, assigned by my ISP (it's static), port 51822
The router, which has the local devices on the 192.168.1.0/24 range, has the wg2 interface configured as follows:
IPv4: 172.16.0.0/24
Listen port: 51822
Public key: matches the peer public key configured in the smartphone's wg2 interface
For Peers:
I have added the public key of the smartphone wg2 interface
Allowed IP: 172.16.0.2/32
I also have another WireGuard interface (wg) which connects to a commercial VPN provider; all the local devices behind the router essentially use that tunnel.
My goal is to bypass wg (the commercial VPN) so that wg2's handshake and all of its traffic do not go through wg. I do not want a VPN within a VPN: I know that would not work with my VPN provider, and it would also add a lot of latency.
/etc/config/network:
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXX:XXXX:XXXX::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
option ipv6 '0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.1'
config interface 'wan'
option proto 'dhcp'
option device 'eth4'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth4'
option reqaddress 'try'
option reqprefix 'auto'
option auto '0'
config interface 'wg'
option proto 'wireguard'
option private_key 'wg-privatekey-censored'
list addresses '10.XX.XX.XXX/32'
list dns 'VPN.DNS.IP.ADDR'
config wireguard_wg
option description 'VPN1'
option public_key 'PUBLIC-KEY'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'VPN.PROVIDER.SERVER.IP'
option endpoint_port '51820'
config device
option name 'eth4'
option macaddr 'AA:BB:CC:DD:EE:FF'
config interface 'wg2'
option proto 'wireguard'
option private_key 'PRIVATE-KEY-WG2-CENSORED'
option listen_port '51822'
list addresses '172.16.0.1/24'
config wireguard_wg2
option description 'PHONE'
option public_key 'PHONE-PUBLIC-KEY-CENSORED'
list allowed_ips '172.16.0.2/32'
Firewall settings on the router, with some additional rules:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network '4G'
list network 'wwan'
config rule
list proto 'udp'
option src 'wan'
option dest_port '51822'
option target 'ACCEPT'
option dest '*'
option name 'Allow-WG2-WAN-to-Router'
config rule
option name 'Allow-WG-UDP'
list proto 'udp'
option src 'wan'
option dest_port '51822'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'wg'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg'
config forwarding
option src 'lan'
option dest 'wg'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config zone
option name 'wg2'
option output 'ACCEPT'
list network 'wg2'
option input 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'wg2'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wg2'
config forwarding
option src 'lan'
option dest 'wan'
I have tried setting up routes, but nothing seems to work:
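# Policy-routing attempt: steer the wg2 WireGuard traffic (UDP port 51822)
# out of the ISP uplink (eth4) instead of the main default route, which
# points at the commercial VPN tunnel (wg).
#
# Register the routing table name only once; a bare '>>' appends a duplicate
# line on every run.
grep -qw 'wg_out' /etc/iproute2/rt_tables || echo "200 wg_out" >> /etc/iproute2/rt_tables
# Default route of that table: the ISP gateway on eth4. 'replace' keeps the
# command idempotent where 'add' would fail with "File exists" on a rerun.
ip route replace default via XXX.XXX.XXX.1 dev eth4 table wg_out
# Packets carrying fwmark 0x1 are looked up in the wg_out table.
# NOTE(review): 'ip rule add' does not deduplicate; rerunning this stacks rules.
ip rule add fwmark 0x1 table wg_out
# Mark WireGuard UDP traffic by port. '--dport 51822' matches packets sent to
# the listen port; '--sport 51822' matches packets leaving from it (the
# router's own replies, in OUTPUT). Only locally generated packets (OUTPUT)
# are affected by the routing-table lookup above; marking inbound packets in
# PREROUTING does not change where the router sends its replies.
# NOTE(review): the firewall config carries a 'pbr' include with
# fw4_compatible '1', which suggests an fw4 (nftables) firewall — confirm these
# iptables mangle rules are actually loaded (iptables -t mangle -S / nft list
# ruleset) before assuming the marks are applied.
iptables -t mangle -A PREROUTING -p udp --dport 51822 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p udp --dport 51822 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --sport 51822 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p udp --sport 51822 -j MARK --set-mark 1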
Here are some additional details (where XXX.XXX.XXX is my ISP's network and YYY.YYY.YYY is my VPN provider's network):
root@OpenWrt:~# ip -4 route show
default dev wg proto static scope link
XXX.XXX.XXX.0/24 dev eth4 proto kernel scope link src XXX.XXX.XXX.125
YYY.YYY.YYY.YYY via XXX.XXX.XXX.1 dev eth4 proto static
172.16.0.0/24 dev wg2 proto kernel scope link src 172.16.0.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
root@OpenWrt:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP mode DEFAULT group default qlen 1000
link/ether AA:BB:CC:DD:EE:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN mode DEFAULT group default qlen 1000
link/ether AA:BB:CC:DD:EE:02 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN mode DEFAULT group default qlen 1000
link/ether AA:BB:CC:DD:EE:03 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN mode DEFAULT group default qlen 1000
link/ether AA:BB:CC:DD:EE:04 brd ff:ff:ff:ff:ff:ff
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether FF:FF:FF:FF:FF:FF brd ff:ff:ff:ff:ff:ff permaddr AA:AA:AA:AA:AA:AA
9: wwan0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/none
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether AA:BB:CC:DD:EE:01 brd ff:ff:ff:ff:ff:ff
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
link/ether 11:22:33:44:55:01 brd ff:ff:ff:ff:ff:ff
18: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
link/ether 11:22:33:44:55:02 brd ff:ff:ff:ff:ff:ff
20: wg: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
22: wg2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
What am I doing wrong? I get no handshake, even when the smartphone is connected directly to the router via Wi-Fi and has a local IP from the lan interface (i.e. in the 192.168.1.0/24 range).
Other than that, wg (the commercial VPN) is functioning as intended. I suppose it might be something in the firewall configuration, though I have added the necessary rules for port 51822.
And one more thing: I have added DHCP options in the Advanced Settings of the DHCP server for the LAN interface. I am not sure this is relevant, but it really shouldn't be, as I only use it to advertise the VPN provider's DNS. I have also enabled "Ignore resolv file" in the dnsmasq settings, but again I do not think this is relevant.