Hi,
I am not a pro, so I am really proud of myself that I managed to set up the bpi-r4, except for a working killswitch for my VPN.
I would like to have all traffic going through my Mullvad VPN.
I added a new interface and imported Mullvad's configuration file into it:
When I add "wan" to the forwarding
"lan" -> "wgclient"
so that it says
"lan" -> "wgclient", "wan"
then I have access to the internet, but without VPN.
As soon as I remove wan from that forwarding, internet access is gone.
That is the only thing you need for a killswitch, as a killswitch means no traffic from lan -> wan.
The fact that it does not work is because your tunnel is not working, so you do not have internet traffic, just as you want.
So check your Mullvad settings for the tunnel, or show us your configs:
Please connect to your OpenWRT device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
Really appreciate your reply! Thanks a lot for taking your time.
I already thought it could be an error in my Mullvad configuration, so I tried the same configuration on my phone and it worked flawlessly; that is why I ended up thinking it has to be a firewall setting.
These are the outputs:
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.71",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 0",
"model": "Bananapi BPI-R4",
"board_name": "bananapi,bpi-r4",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10-SNAPSHOT",
"revision": "r0+28339-68bf4844a1",
"target": "mediatek/filogic",
"description": "OpenWrt 24.10-SNAPSHOT r0+28339-68bf4844a1",
"builddate": "1736845778"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd5b:fa11:d4ec::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'eth1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'eth1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'br-wan'
option type 'bridge'
list ports 'wan'
list ports 'eth2'
list ports 'wan'
list ports 'eth2'
config device
option name 'wan'
option macaddr '[ANONYMIZED_MAC]'
config device
option name 'eth2'
option macaddr '[ANONYMIZED_MAC]'
config device
option name 'wan'
option macaddr '[ANONYMIZED_MAC]'
config device
option name 'eth2'
option macaddr '[ANONYMIZED_MAC]'
config interface 'wan'
option device 'br-wan'
option proto 'static'
option ipaddr '192.168.179.253'
option netmask '255.255.255.0'
option gateway '192.168.179.254'
list dns '192.168.179.254'
config interface 'wan6'
option device 'br-wan'
option proto 'dhcpv6'
config interface 'wgclient'
option proto 'wireguard'
option private_key '[ANONYMIZED]'
list addresses '10.72.242.135/32'
list addresses 'fc00:bbbb:bbbb:bb01::9:f286/128'
list dns '10.64.0.1'
config wireguard_wgclient
option description 'Imported peer configuration'
option public_key 'XgSe9UwEV4JJNPPzFFOVYS6scMTL4DeNlwqBl32lDw0='
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host '[ANONYMIZED_IP]'
option endpoint_port '51820'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
option masq '1'
config zone
option name 'wgclient'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wgclient'
config forwarding
option src 'lan'
option dest 'wgclient'
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wan'
root@OpenWrt:~# wg show
interface: wgclient
public key: 8SmF8Hp/fsGaYNFYMC0A1XOo/Sjq4qZj7EBH9B/s+Ak=
private key: (hidden)
listening port: 46114
peer: XgSe9UwEV4JJNPPzFFOVYS6scMTL4DeNlwqBl32lDw0=
endpoint: [ANONYMIZED_IP]:51820
allowed ips: 0.0.0.0/0, ::/0
There are some settings which need attention, but even with your settings the WireGuard client should make a connection, which it clearly does not, as shown by wg show.
One culprit could be that your phone is still active with the same Mullvad config, so make sure your phone is not using WireGuard with this same config.
But if the keys you showed with wg show are the real ones, you should make another config file altogether, because you do not want those keys in the open.
To be sure that your regular setup is working: if you disable WireGuard and reboot the router, do you have fully functional internet, including DNS resolution?
For the settings I would recommend the following:
Most important: add option route_allowed_ips '1'.
Remove option masq '1'.
Set option input and option forward to 'REJECT'; Mullvad is a commercial provider and you do not want them to be able to peek into your network.
Reboot after changing and test again with wg show; it should show a handshake.
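The advice above (no lan -> wan forwarding, REJECT on the tunnel zone, masq only where traffic leaves, route_allowed_ips on the peer) can be checked mechanically. The script below is an added example, not code from this thread or from OpenWrt: it is POSIX sh plus awk, so it can run off-router against copies of /etc/config/firewall and /etc/config/network, and it ships with two constructed config pairs that mirror the posted firewall (with a lan -> wan forwarding added, as the poster did for testing) and the fixed one. Two things are my own generalisation of the thread: it reads "Remove option masq '1'" as referring to the lan zone (the tunnel zone must keep masq, or LAN sources leave the tunnel un-NATed), and it applies the REJECT/DROP check to every zone other than lan, so the wan zone is held to the same standard as wgclient. The section names, the FAIL/WARN wording and the sample files are assumptions of the example.

```shell
#!/bin/sh
# Killswitch audit for an OpenWrt WireGuard client (added example, not the
# thread's own code). POSIX sh + awk only; write_samples creates constructed
# config pairs that mirror the posted firewall and the fixed one.

# Print one line per UCI section: "<type> <name>  key=value key=value ... "
# (quotes stripped, trailing space kept so " key=value " matches anywhere;
# anonymous sections get a synthetic name "<type>#N").
uci_sections() {
  awk -v q="'" '
    function flush() { if (type != "") print type, name, line " " }
    $1 == "config" {
      flush(); n++
      type = $2; name = (NF >= 3) ? $3 : type "#" n
      gsub(q, "", name); line = ""
    }
    $1 == "option" || $1 == "list" {
      v = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v); gsub(q, "", v)
      line = line " " $2 "=" v
    }
    END { flush() }' "$1"
}

# Does the flattened firewall $1 contain a forwarding with src=$2 and dest=$3?
has_forwarding() { printf '%s\n' "$1" | grep '^forwarding ' | grep " src=$2 " | grep -q " dest=$3 "; }

# One finding per line for a firewall file ($1) and network file ($2).
# No output means LAN traffic can only leave through the tunnel.
audit_killswitch() {
  fw=$(uci_sections "$1"); net=$(uci_sections "$2")
  # The killswitch is exactly this: the only way out of 'lan' is 'wgclient'. A lan -> wan
  # forwarding (even one added "just for testing") lets LAN reach the internet in the clear.
  has_forwarding "$fw" lan wan      && echo "FAIL forwarding lan->wan exists: LAN bypasses the tunnel"
  has_forwarding "$fw" lan wgclient || echo "FAIL forwarding lan->wgclient missing: LAN has no path out"
  # Zone policy: only 'lan' should accept unsolicited input/forward (tunnel zone faces the provider).
  printf '%s\n' "$fw" | grep '^zone ' | grep -v ' name=lan ' | while IFS= read -r z; do
    zn=${z#* name=}; zn=${zn%% *}
    case "$z" in *" input=REJECT "*|*" input=DROP "*) ;; *) echo "WARN zone $zn: input is not REJECT/DROP";; esac
    case "$z" in *" forward=REJECT "*|*" forward=DROP "*) ;; *) echo "WARN zone $zn: forward is not REJECT/DROP";; esac
  done
  # NAT belongs on the egress zone: masq on 'lan' is pointless, masq on the tunnel zone is required.
  case "$(printf '%s\n' "$fw" | grep '^zone ' | grep ' name=lan ')" in *" masq=1 "*) echo "WARN zone lan: masq=1 is not needed on the LAN zone";; esac
  case "$(printf '%s\n' "$fw" | grep '^zone ' | grep ' name=wgclient ')" in *" masq=1 "*) ;; *) echo "FAIL zone wgclient: masq=1 missing";; esac
  # route_allowed_ips=1 on the peer installs the default route via the tunnel; without it the
  # handshake can succeed while no LAN traffic actually uses the tunnel.
  printf '%s\n' "$net" | grep '^wireguard_wgclient ' | grep -q ' route_allowed_ips=1 ' \
    || echo "FAIL wgclient peer: route_allowed_ips is not 1 (no default route via tunnel)"
}

# Number of findings for a config pair; 0 means clean.
finding_count() { audit_killswitch "$1" "$2" | awk 'END { print NR }'; }

# Constructed samples in directory $1: "posted" mirrors the thread's firewall plus the lan -> wan
# forwarding added for testing and a peer without route_allowed_ips; "fixed" applies the advice.
write_samples() {
  cat >"$1/fw.posted" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option masq '1'
config zone
	option name 'wgclient'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
config forwarding
	option src 'lan'
	option dest 'wgclient'
config forwarding
	option src 'lan'
	option dest 'wan'
EOF
  cat >"$1/fw.fixed" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
config zone
	option name 'wgclient'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
config forwarding
	option src 'lan'
	option dest 'wgclient'
EOF
  printf "config wireguard_wgclient\n\toption public_key 'REDACTED'\n\tlist allowed_ips '0.0.0.0/0'\n" >"$1/net.posted"
  { cat "$1/net.posted"; printf "\toption route_allowed_ips '1'\n"; } >"$1/net.fixed"
}

# Usage: sh audit.sh /etc/config/firewall /etc/config/network   (no arguments runs the demo)
if [ $# -eq 2 ]; then audit_killswitch "$1" "$2"
else d=$(mktemp -d); write_samples "$d"
  echo "# posted config:"; audit_killswitch "$d/fw.posted" "$d/net.posted"
  echo "# fixed config: $(finding_count "$d/fw.fixed" "$d/net.fixed") findings"; rm -rf "$d"
fi
```

Run it with no arguments to see the posted sample produce five findings and the fixed sample none; run it with the two config paths to audit a real router (scp the files over first, or run it on the router itself, which has awk and sh). The parser only handles single-line option and list entries, which is all UCI emits, and the masq check deliberately leaves the wan zone alone since that zone needs masquerading for the tunnel's own endpoint traffic.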
Thanks again, really
Did all that you said:
wg show now shows this:
root@OpenWrt:~# wg show
interface: wgclient
public key: 8SmF8Hp/fsGaYNFYMC0A1XOo/Sjq4qZj7EBH9B/s+Ak=
private key: (hidden)
listening port: 37798
peer: XgSe9UwEV4JJNPPzFFOVYS6scMTL4DeNlwqBl32lDw0=
endpoint: *anonymizedIPandPORT*
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 1 minute, 59 seconds ago
transfer: 348 B received, 436 B sent
But internet via VPN still not working.
I added "wan" to the forwarding zone of lan -> wgclient. That is what I used to successfully test the general internet connection. Or do you mean I shall disable WireGuard somewhere else completely?
And I have now removed the WireGuard client from my phone, so that double usage is not the root of the problem.
That looks good you have a handshake and some traffic.
So is everything working as desired?
What I meant, to test the general internet connection, is to disable WireGuard and add forwarding from LAN to WAN:
But as it now seems everything is working, there is no need to test that any more.
Oh, one small thing: you seem to have duplicate port settings. Not sure where those come from, and it probably does not hurt, but I would remove those, see:
Unfortunately not at all.
Internet via VPN still not working.
Edit:
When I type wg show now, it shows the last handshake was 30 minutes ago and no more data has been transferred (still the same amounts of data as 30 minutes ago).
Please connect to your OpenWRT device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
wg show
(...)
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'eth1'
(...)
config device
option name 'br-wan'
option type 'bridge'
list ports 'wan'
list ports 'eth2'
(...)
Next, to make sure there is no DNS problem, add a public DNS server so that we always have functioning DNS; if everything works we can remove it.
Add to the WireGuard interface: list dns '9.9.9.9'
root@OpenWrt:~# wg show
interface: wgclient
public key: XQEaT9YcFtJVOUDvF9+3wKLpaAeWP+kw5bTz510piX4=
private key: (hidden)
listening port: 58635
peer: XgSe9UwEV4JJNPPzFFOVYS6scMTL4DeNlwqBl32lDw0=
endpoint: 185.254.75.5:51820
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 57 seconds ago
transfer: 532 B received, 1.33 KiB sent
persistent keepalive: every 25 seconds
root@OpenWrt:~# ip route show
default dev wgclient proto static scope link
185.254.75.5 via 192.168.179.254 dev br-wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.179.0/24 dev br-wan proto kernel scope link src 192.168.179.253
I had to do the ping and traceroute via the webif because ssh stops working regularly:
Connection to root@192.168.1.1:22 exited: Connect failed: Software caused connection abort
OK, your BananaPi has, I think, two interfaces on the WAN. Not sure how that actually works, but to make sure it is not something wrong in the setup regarding that, change the default OUTPUT to ACCEPT.
Reboot and test again whether you can ping 8.8.8.8.
If that does not help add to the firewall:
config forwarding
option src 'lan'
option dest 'wan'