I'm confused and having problems setting up the LAN and WAN interfaces. I'm not sure which I should set as static IP and which I should set as DHCP server, and which to put as br-lan, eth0 and eth1.
When I connect a laptop to the RPi through Ethernet, there is no internet connection. Using PuTTY, I'm able to ping google.com and update the package list through LuCI.
I'm unable to enable the onboard wifi. When I click enable, it goes back to disabled within a few seconds. I've tried to update and sync the time through LuCI, but to no avail.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd93:bd8a:6876::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'eth1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.254'
list dns '1.1.1.1'
config interface 'wan'
option proto 'dhcp'
option device 'eth0'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option channel 'auto'
option band '2g'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
You have a few minor issues. Before getting into the fixes, it is worth noting:
As @brada4 pointed out, you need a bridge if you want to use wifi + ethernet on your lan. We'll get to that.
As @fakemanhk said, the Pi's wifi is truly miserable. It's fine as an AP for 1 or 2 devices at close range and where bandwidth is not really important, but don't expect this to be performant in any sense of the word.
You appear to have eth1 (usb-ethernet adapter) for the lan and eth0 (built-in) for the wan. There is nothing wrong with this arrangement, but often eth0 is used for the lan. We'll continue with what you have currently, though.
Edit br-lan so that it looks like this (specifically changing the port from eth0 to eth1):
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
Edit your lan interface. Multiple changes here -- change the subnet since the upstream network appears to be 192.168.1.0/24, change the device to br-lan, and remove the gateway and dns. It will look like this:
I've followed your suggestion; however, unfortunately I lost access to LuCI. Following that, I reflashed the SD card, and surprisingly the onboard wifi worked and could be accessed from another PC.
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wg0'
config forwarding
option src 'lan'
option dest 'vpn'
root@OpenWrt:~#
So, my new problems are:
The VPN does not work: wg0 shows zero TX and RX.
Another question: I'm using a 64 GB SD card; however, in the Overview section in LuCI the storage only shows 98 MiB, almost 52% full. Why is that?
I also have problems updating the software/packages, as it frequently fails with error 6.
I also installed AdGuard Home. The installation was successful, but it was not blocking any ads. I tried to add a blocklist; however, a long list of errors occurred, as below. What should I do?
49.112.112.10:53: connect: network is unreachable dialing [2620:fe::fe:10]:53 over udp: dial udp [2620:fe::fe:10]:53: connect: network is unreachable dialing [2620:fe::fe:10]:53 over udp: dial udp [2620:fe::fe:10]:53: connect: network is unreachable dialing ....
As I had mentioned previously, you need to use a different subnet on the lan of your OpenWrt router (Pi). This is a requirement because you cannot have the same/overlapping subnet on the interfaces of a router.
Change the IP to something else -- for example 192.168.5.1.
If you're going to set peerdns to 0, you must provide upstream DNS servers for the system to work properly.
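The three faults psherman raises in the two replies above (the WAN port also sitting in br-lan, the lan interface bound to a bare port instead of the bridge, and a LAN subnet that overlaps the upstream 192.168.1.0/24 seen in the OP's gateway 192.168.1.254) can all be checked against a copy of /etc/config/network before committing anything. The script below is an added example, not from the thread or the OpenWrt project; ip2int, subnets_overlap, uci_get, check_network and sample_network are names chosen here, and the sample file reproduces the relevant lines of the OP's first network config.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks of an OpenWrt
# /etc/config/network for the faults psherman points out above.

ip2int() {                     # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# Two IPv4 networks overlap if they agree under the shorter of their masks;
# a router cannot carry overlapping subnets on two of its interfaces.
subnets_overlap() {            # ip1 mask1 ip2 mask2 -> exit 0 if they overlap
    m1=$(ip2int "$2"); m2=$(ip2int "$4")
    if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# uci_get FILE SECTION.OPTION: one value (lists joined by spaces), like `uci get`
# on the router; the unnamed 'config device' section is addressed by its name.
uci_get() {
    awk -v want="$2" -v q="'" '
        /^[[:space:]]*config / { sec = ($3 != "") ? $3 : $2; gsub(q, "", sec) }
        /^[[:space:]]*(option|list) / {
            gsub(q, ""); val = $3
            if (sec == "device" && $2 == "name") { sec = val; next }
            if (sec "." $2 == want) out = out (out == "" ? "" : " ") val
        }
        END { print out }' "$1"
}
# check_network FILE UPSTREAM_IP UPSTREAM_MASK: a FAIL line per fault; returns the count.
check_network() {
    n=0; wan_dev=$(uci_get "$1" wan.device); lan_dev=$(uci_get "$1" lan.device)
    case " $(uci_get "$1" br-lan.ports) " in *" $wan_dev "*)
        echo "FAIL: wan device $wan_dev is also a br-lan port"; n=$((n + 1)) ;; esac
    [ "$lan_dev" = br-lan ] ||
        { echo "FAIL: lan is on $lan_dev, not br-lan, so wifi on 'lan' cannot bridge"; n=$((n + 1)); }
    if subnets_overlap "$(uci_get "$1" lan.ipaddr)" "$(uci_get "$1" lan.netmask)" "$2" "$3"; then
        echo "FAIL: lan subnet overlaps the upstream network $2/$3"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: the relevant lines of the OP's first /etc/config/network.
sample_network() {
    printf '%s\n' "config device" "option name 'br-lan'" "list ports 'eth0'" \
        "config interface 'lan'" "option device 'eth1'" "option ipaddr '192.168.1.1'" \
        "option netmask '255.255.255.0'" "config interface 'wan'" "option device 'eth0'" > "$1"
}
```

Run against the OP's first config with the upstream given as 192.168.1.254 255.255.255.0, all three FAIL lines appear; after psherman's changes (ports eth1, device br-lan, a 192.168.5.0/24 address) it returns 0. Checking a copy this way before `uci commit` is the cheap way to avoid the lock-outs that happened twice in this thread.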
Changing the IP to 192.168.5.1 did make me lose access to LuCI and SSH on the OpenWrt. This is because my PC was still using a 192.168.1.X IP address. This was solved by manually setting my PC's IP address to 192.168.5.X.
After regaining access to OpenWrt, I changed the lan interface > Settings > DHCP Server > Advanced Settings > DHCP options to:
3,192.168.5.1
6,192.168.5.1
6,1.1.1.1,8.8.8.8
I have now successfully set up the Pi to connect to the WAN via eth1, and there is an internet connection via both eth0 and wlan0.
Now, my problem is that the wg0 interface for the VPN is still showing zero TX and RX.
Below are my configs:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda9:344a:d1ba::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'wlan0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
option peerdns '0'
list dns '1.1.1.1'
list dns '8.8.8.8'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth1'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
config interface 'wg0'
option proto 'wireguard'
option private_key 'XXXXX'
list addresses '10.14.0.2/16'
list dns '162.252.172.57'
list dns '149.154.159.92'
config wireguard_wg0
option description 'tr-ist.conf'
option public_key 'XXXXX'
list allowed_ips '0.0.0.0/0'
option endpoint_host 'tr-ist.prod.surfshark.com'
option endpoint_port '51820'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option channel '36'
option band '5g'
option htmode 'VHT80'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '0'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
option noresolv '1'
list server '1.1.1.1'
list server '8.8.8.8'
list server '192.168.1.1'
option port '54'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dns 'fda9:344a:d1ba:1::1'
list dns 'fda9:344a:d1ba::1'
list dhcp_option '3,192.168.5.1'
list dhcp_option '6,192.168.5.1'
list dhcp_option '6,1.1.1.1,8.8.8.8'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall^C
These should not be necessary normally, but it looks like you're using AGH. I cannot say the root cause, but when using AGH, you do need to set option 6. Option 3 should not be necessary, though.
The fact that this is not showing any output suggests that there may be a key issue.
Have you attempted to use this configuration on a phone or computer directly (you can only run one at a time, of course) to verify that the general config and keys are correct?
I have tested the same config file using the WireGuard app on Android. The configuration worked, and the IP is in the correct region that I wanted, which is Turkey.
We're still seeing a complete lack of output; something is clearly not right. This could be as simple as a typo or similar in the keys.
I would recommend removing the interface and recreating it, double checking that the keys that are known to work are in the correct places and that they are complete and correct.
This is expected behavior because the routing table is being directed to the tunnel, but the tunnel isn't working. Once the tunnel itself is working, it'll be fine.
Following this, I successfully configured the WireGuard settings using a different VPN provider. All other config was as before, except the config file from the new VPN.
Thank you especially @psherman who helped tremendously.
Just one last question: I tried to swap both wan and wan6 to br-lan and lan to use eth1, and I lost access to the Raspberry Pi. How do I correctly swap the WAN and LAN settings? This is because I planned to use the RPi OpenWrt as a travel router too.
br-lan will by default have eth0, and wan/wan6 will use eth1. If you want to change them, make sure that eth1 goes into br-lan and that eth0 goes in both wan interfaces.
I would suggest leaving it as is, though -- there's no real benefit/drawback to using the internal port for lan and the external one for wan.