Setting up selective WireGuard in OpenWrt

Good afternoon, I'm asking for help. There is a config file for WireGuard. I add it to the WireGuard application on the PC and just turn it on. No problem. But how do I add it to the router? Moreover, how do I make it proxy not absolutely everything, but only specific addresses? Specifically google.com and youtube.com.

The config content is something like this

[Interface]
PrivateKey = ██████████████████████████████████████h3G3I=
# PublicKey = ██████████████████████████████████████OA2zg=
Address = 172.16.0.2
Address = 2606:4700:110:8322:1254:4535:9298:6886
DNS = 1.1.1.1

[Peer]
PublicKey = ██████████████████████████████████████Pfgyo=
Endpoint = engage.cloudflareclient.com:2408
# Endpoint = 162.159.192.9:0
# Endpoint = [2606:4700:d0::a29f:c009]:0
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0

In the router, I create a new interface "WG0" with the WireGuard VPN protocol. Then the "Import configuration" button appears below. I used it to import the config. But the config contains two IPs, as I understand it, v4 and v6. But only the second one was displayed in the browser. That's why I manually added the first one.

image

Further, as far as I understand from the instructions on the Internet, you need to go to the firewall settings and do some magic. Then register the DNS from WireGuard in WAN and WAN6. And after all this, the work is finished. But this will enable WireGuard for all connections that go through the router. Right? How do I add selective proxying for the sites specified above?

I seem to have found instructions on how to do it correctly. But they are all done through the console, which is confusing. And instead of manually entering specific addresses, they use some kind of scripts to import a list of blocked sites from somewhere else. I don’t need this, only two specific sites...

1 Like

The problem here is that Google and Youtube use many many different IP addresses, using their DNS servers to send clients to them in round-robin fashion. Filtering traffic ultimately requires knowing the IP number, not just a name. So the concept of ipsets exists to try to look up all the possible numbers in advance.

2 Likes

This is where pbr excels.

3 Likes
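For the ipset approach the two replies above are pointing at, here is an added example (my own, not pbr's code nor anything from the OpenWrt project) that generates the UCI changes as a `uci batch` script: dnsmasq populates a firewall set from the DNS answers for the named domains, a firewall4 rule marks packets whose destination is in that set, and a policy-routing rule sends marked packets to a table whose only default route is the tunnel. It assumes OpenWrt 22.03 with firewall4 and `dnsmasq-full` (the stock dnsmasq lacks the nftset feature), an interface named WARP with its peer in a `config wireguard_WARP` section, and a firewall zone for WARP with masquerading and forwarding from lan, all matching the configuration posted later in this thread. The option names are what I know of the 22.03 UCI schema and should be checked against the wiki for your release; `googlevideo.com` is added alongside `youtube.com` because the video streams themselves are served from that domain.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: generate a
# `uci batch` script that sends only the listed domains through the tunnel.
# Assumptions: OpenWrt 22.03 (firewall4/nftables), dnsmasq-full installed,
# a WireGuard interface named WARP whose peer section is `config wireguard_WARP`,
# and a firewall zone covering WARP with masquerading + forwarding from lan.

# pbr_uci_batch <wg-interface> <set-name> <domain>...
pbr_uci_batch() {
    wgif=$1; setname=$2; shift 2
    [ $# -gt 0 ] || { echo "usage: pbr_uci_batch IFACE SET DOMAIN..." >&2; return 1; }

    # Keep 0.0.0.0/0 in the peer's AllowedIPs (the cryptokey routing table
    # must still accept any destination) but stop netifd from installing it
    # as the system default route.
    echo "set network.@wireguard_${wgif}[0].route_allowed_ips='0'"

    # A firewall4 set, matched on destination address, that dnsmasq fills.
    echo "add firewall ipset"
    echo "set firewall.@ipset[-1].name='${setname}'"
    echo "set firewall.@ipset[-1].family='ipv4'"
    echo "add_list firewall.@ipset[-1].match='dest_ip'"

    # dnsmasq: every A record it answers for these domains (and their
    # subdomains) is added to the set, so the set follows round-robin DNS
    # instead of being a frozen snapshot of addresses.
    echo "add dhcp ipset"
    echo "add_list dhcp.@ipset[-1].name='${setname}'"
    for d in "$@"; do
        echo "add_list dhcp.@ipset[-1].domain='${d}'"
    done

    # Mark LAN-originated packets whose destination is in the set...
    echo "add firewall rule"
    echo "set firewall.@rule[-1].name='mark-${setname}'"
    echo "set firewall.@rule[-1].src='lan'"
    echo "set firewall.@rule[-1].family='ipv4'"
    echo "set firewall.@rule[-1].ipset='${setname}'"
    echo "set firewall.@rule[-1].target='MARK'"
    echo "set firewall.@rule[-1].set_mark='0x10'"

    # ...and route marked packets via table 100, whose default is the tunnel.
    echo "add network rule"
    echo "set network.@rule[-1].mark='0x10'"
    echo "set network.@rule[-1].lookup='100'"
    echo "add network route"
    echo "set network.@route[-1].interface='${wgif}'"
    echo "set network.@route[-1].target='0.0.0.0/0'"
    echo "set network.@route[-1].table='100'"

    echo "commit network"
    echo "commit firewall"
    echo "commit dhcp"
}

# On the router (not executed here):
#   pbr_uci_batch WARP vpn_domains youtube.com googlevideo.com | uci batch
#   /etc/init.d/network restart; /etc/init.d/firewall restart; /etc/init.d/dnsmasq restart
pbr_uci_batch WARP vpn_domains youtube.com googlevideo.com
```

Two caveats worth knowing before applying it: the set only fills when LAN clients resolve names through the router's dnsmasq (a client with its own DoH or a hard-coded resolver bypasses it and its traffic takes the normal WAN path), and the example is IPv4-only; the poster's clients also have IPv6, so either add a second set with `family 'ipv6'` plus a `::/0` route in table 100 via WARP, or IPv6 traffic to those sites will keep leaving via WAN6.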

Interesting, and how is it that my provider tracked all YouTube addresses in order to block it for me?

Well if you REALLY want the IP Addresses you can try here.

2 Likes

AND...

What should I do about it? Let's say I downloaded the necessary addresses for YouTube from this page.

What's next? How do I set up a whitelist for WireGuard? Thanks for the list, but it's not enough...

All you need to do to route the traffic is set up the IP ranges in the "AllowedIPs" part of your WireGuard configuration.

If this is your WireGuard conf, you would want it to look something like this:

[Interface]
PrivateKey = gI6EdUSYvn8ugXOt8QQD6Yc+JyiZxIhp3GInSWRfWGE=
ListenPort = 21841

[Peer]
PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
Endpoint = 192.95.5.69:51820
AllowedIPs = 208.117.234.0/24,208.117.254.0/24   (list of ranges you want to forward goes here)

1 Like
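As an added example, not from the reply above or from the WireGuard project, here is a POSIX shell helper for building and sanity-checking that AllowedIPs list before pasting it into the config (or into OpenWrt's `list allowed_ips`). It joins one-prefix-per-line input into the comma-separated form, rejects malformed entries, and warns if any prefix would also capture the tunnel endpoint or the DNS resolver, because routing the peer's own endpoint into the tunnel breaks the tunnel. The two ranges are the ones from the reply; the probe addresses 162.159.192.9 and 1.1.1.1 are the endpoint and DNS from the original config; the containment check is IPv4-only (IPv6 entries are passed through untouched).

```shell
#!/bin/sh
# Added example (not from the thread): build and audit a WireGuard AllowedIPs
# list before pasting it into a config or into OpenWrt's `list allowed_ips`.
# Pure POSIX sh; containment checks are IPv4 only.

# Dotted-quad IPv4 address -> 32-bit integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 if address $1 lies inside the IPv4 prefix $2 (a.b.c.d/n)
cidr_contains() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32                 # a bare address is a /32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Read one prefix per line on stdin (blank lines and '#' comments ignored),
# reject anything that is not shaped like an IPv4/IPv6 prefix, and print the
# entries joined with commas, i.e. the value of an AllowedIPs line
join_allowed_ips() {
    out=""
    while IFS= read -r line; do
        line=${line%%#*}                           # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        case $line in
            *[!0-9a-fA-F:./]*) echo "invalid entry: $line" >&2; return 1 ;;
        esac
        out="${out:+$out,}$line"
    done
    printf '%s\n' "$out"
}

# Audit: warn if any probe address (the tunnel endpoint, the DNS resolver)
# falls inside the list, which would send the tunnel's own packets into the
# tunnel (routing loop) or route DNS unexpectedly. Last line is ok|conflict.
allowed_ips_audit() {
    list=$1; shift
    status=ok
    for probe in "$@"; do
        for cidr in $(printf '%s' "$list" | tr ',' ' '); do
            case $cidr in *:*) continue ;; esac   # IPv6 prefixes not checked
            if cidr_contains "$probe" "$cidr"; then
                echo "warning: $probe is inside $cidr"
                status=conflict
            fi
        done
    done
    echo "$status"
}

# Constructed sample input: the two ranges from the reply plus one IPv6 range
# from the longer list; probes are the endpoint and DNS from the original config
RANGES='208.117.234.0/24
208.117.254.0/24   # ranges from the reply above
2620:11a:a000::/48'
ALLOWED=$(printf '%s\n' "$RANGES" | join_allowed_ips)
echo "AllowedIPs = $ALLOWED"
allowed_ips_audit "$ALLOWED" 162.159.192.9 1.1.1.1
```

With `route_allowed_ips` enabled (the OpenWrt default), every AllowedIPs entry also becomes a kernel route, so this list is both the cryptokey filter and the routing policy; that is why the approach works without any firewall marking, and also why a frozen snapshot of YouTube's ranges goes stale, as the earlier replies point out.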

Is it really that simple? To check, I enter all the addresses I found into the config. It turns out something like this:

[Interface]
PrivateKey = ██████████████████████████████████████h3G3I=
# PublicKey = ██████████████████████████████████████OA2zg=
Address = 172.16.0.2
Address = 2606:4700:110:8322:1254:4535:9298:6886
DNS = 1.1.1.1

[Peer]
PublicKey = ██████████████████████████████████████Pfgyo=
Endpoint = engage.cloudflareclient.com:2408
# Endpoint = 162.159.192.9:0
# Endpoint = [2606:4700:d0::a29f:c009]:0
AllowedIPs = 64.15.112.0/24,64.15.115.0/24,64.15.118.0/23,64.15.123.0/24,64.15.126.0/24,70.32.133.0/24,103.111.147.0/24,104.237.164.0/24,104.237.167.0/24,104.237.168.0/22,104.237.172.0/24,104.237.190.0/24,136.22.130.0/23,136.22.132.0/23,156.38.33.0/24,156.38.34.0/23,156.38.37.0/24,156.38.39.0/24,176.29.0.0/24,176.29.203.0/24,176.29.205.0/24,176.29.209.0/24,176.29.210.0/24,176.29.215.0/24,176.29.216.0/21,176.29.224.0/21,176.29.253.0/24,176.29.255.0/24,176.126.58.0/24,185.192.249.0/24,185.225.248.0/24,197.230.59.0/24,197.230.70.0/24,208.117.234.0/24,208.117.236.0/24,208.117.238.0/24,208.117.240.0/24,208.117.250.0/24,208.117.252.0/24,208.117.254.0/24
AllowedIPs = 2001:fb0:109f:12::/64,2001:fb0:109f:14::/64,2001:fb0:109f:18::/63,2001:fb0:109f:8007::/64,2001:fb0:109f:8009::/64,2001:fb0:109f:8010::/64,2001:fb0:109f:8013::/64,2001:fb0:109f:8014::/64,2001:4430:f:104::/64,2001:4430:f:106::/63,2001:4430:f:108::/63,2001:4430:f:10a::/64,2001:4430:f:112::/64,2001:4430:f:114::/64,2001:4430:f:116::/63,2001:4430:f:118::/64,2400:9800:1b:1b::/64,2407:0:0:3d::/64,2620:11a:a000::/48,2620:11a:a011::/48,2620:11a:a01c::/48,2620:11a:a01f::/48,2620:11a:a024::/47,2620:11a:a029::/48,2620:11a:a02a::/48,2620:11a:a02d::/48,2620:11a:a02e::/48,2620:11a:a031::/48,2620:11a:a033::/48,2620:11a:a034::/48,2620:11a:a036::/47,2620:11a:a038::/46,2620:11a:a03c::/48,2620:11a:a0f1::/48,2a00:1588:d801::/48,2a00:1588:d802::/48,2a0f:f4c1:2::/48

Next, you need to install "wireguard-tools", and "luci-i18n-wireguard-ru" won't hurt either. As I remember, this is done in System → Software with the router connected to the Internet. Before searching, you need to click "Update lists…", otherwise the search will not work.

It would seem that I installed only 2 packages, but the Installed tab shows 5. All the necessary packages are installed together (wireguard-tools, kmod-wireguard, luci-app-wireguard, luci-i18n-wireguard-ru, luci-proto-wireguard).

I reboot the router and make a backup just in case. Now in the Status tab, at the very bottom, a WireGuard item has appeared, which says "No WireGuard interfaces configured".

By analogy with OpenVPN, I do everything in a similar way.

Network → Interfaces → Add new interface…
I write the name WARP
Protocol WireGuard VPN
Create interface

Next, "Import configuration" comes to the rescue with the "Load configuration…" button.

I drag the file there and see that all (?) settings have been successfully applied?

Checking...

The private key was inserted from the line "[Interface] PrivateKey = "
The public key from "[Interface] # PublicKey = "
The port for incoming connections is empty, but it doesn't seem to be in the config either
IP addresses were inserted from "[Interface] Address = 2606:4700:110:8322:1254:4535:9298:6886", that is, only v6? I don't know if this is necessary, but I will manually add v4 as well: "Address = 172.16.0.2"

image

On the Advanced Settings tab
"Use own DNS servers" was inserted from "[Interface] DNS = 1.1.1.1"
And that seems to be everything here

In the Peers tab
A new entry has been added; click "Edit" to see what's inside:
Description: warp.conf, this is the name of the file I uploaded
The public key was inserted from "[Peer] PublicKey ="
Allowed IPs: everything I wrote in "[Peer] AllowedIPs = " was inserted here. But again, only v6
Endpoint host was inserted from "[Peer] Endpoint = engage.cloudflareclient.com:2408", but only up to the colon
Endpoint port was inserted from "[Peer] Endpoint = engage.cloudflareclient.com:2408", but only after the colon

image

And I didn't notice any changes.

A question has come up. Is the program ignoring IPv4 addresses accidentally or intentionally? Should I add them manually or not? And if so, should I paste them into the same file or create a new one?

Perhaps I will add them to the same file.

Apply all settings.

The instructions I found also say to stop the WAN6 interface. This button is disabled for me. Perhaps the instructions are only for a config with IPv4, but I also have v6, which is why it doesn't work. Who knows…

Now Network → Firewall → Add
Name: well, for example, WG0
input reject
output accept
forward reject
Masquerading tick
MSS clamping tick
Covered networks: the same WARP interface that I created in the previous step
Allow forward from source zones: lan

After saving it looks like this

Apply settings again

Back to interfaces
Network → Interfaces → WAN → Edit
In the Advanced Settings tab, I uncheck "Use DNS servers advertised by peer" and enter my own from the config. Geez, why? It seems the same thing is written in the WARP interface; maybe you shouldn't do it again?

image

WAN6 was disabled in the instructions, but it works for me. So maybe I'll post it there...

Apply settings again

Further in the instructions there is an item "Add Kill Switch (Optional)", but since it is not required, I won't do it. Besides, it's not clear what this is and why...

Restarting the router...
~~And I successfully lost the Internet~~
After some time, the Internet appeared. It looks like the settings take a long time to apply.

Now in the Status tab → WireGuard Status
The node is displayed there. But how do I check that everything works? I'm trying to access YouTube without any VPN or proxy...

Nothing works.
One browser says:

image

Another one says something else:

Conclusion: either I've set it up wrong, which is quite possible, or I specified the wrong YouTube IP addresses, or not all of them.

Is there any way to find out why nothing works for me?

Forget about the whitelist for a moment. As I understand it, it's too complicated. How do I set up WireGuard in general?

I did everything according to the instructions I found. Everything is set up like this.

Although I configured everything (almost everything) according to the instructions found on the Internet. I just didn't do the Kill Switch because it says it's not necessary. But at the same time, it seems that WireGuard still does not work. What did I not do, or do wrong?

The same WireGuard config works for me both on a smartphone and on a PC...

Do you have a successful handshake? What is the output of the following:

wg show

What does it mean?

Is this a console command?

login as: root
root@192.168.1.1's password:


BusyBox v1.35.0 (2022-10-14 22:44:41 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -----------------------------------------------------
root@K14M:~# wg show
interface: WireGuard
  public key: 4277jlUOO8NdTMR+LrBQiC5uPEujwNB7tMS5kHOA2zg=
  private key: (hidden)
  listening port: 57818

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: 162.159.192.1:2408
  allowed ips: 0.0.0.0/0, ::/0
root@K14M:~#

You are not getting a handshake (handshake ~= connection). There is an error in your configuration. Likely a problem with the keys.

1 Like
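An added example, not from the thread: a small parser over `wg show` output that turns "no `latest handshake:` line for the peer" into an explicit yes/no per peer, which is the check the reply above is making. The first sample is the poster's own output; the second is a constructed example of what a working tunnel prints (the key material is the public key already shown in the thread).

```shell
#!/bin/sh
# Added example (not from the thread): a health check over `wg show` output.
# A peer that has never completed a handshake has no "latest handshake:" line
# at all, which is exactly what the poster's output shows.

# wg_handshake_status: read `wg show` output on stdin, print one line per
# peer in the form "<public key> handshake=yes|no"
wg_handshake_status() {
    awk '
        function flush() { if (peer != "") print peer, "handshake=" (seen ? "yes" : "no") }
        /^peer:/            { flush(); peer = $2; seen = 0 }
        /latest handshake:/ { seen = 1 }
        END                 { flush() }
    '
}

# wg_all_handshaked: exit 0 only if at least one peer exists and every peer
# has completed a handshake; usable as `wg show | wg_all_handshaked`
wg_all_handshaked() {
    report=$(wg_handshake_status)
    [ -n "$report" ] || return 1
    ! printf '%s\n' "$report" | grep -q 'handshake=no'
}

# Sample 1: the poster's output from the thread (no handshake)
WG_NO_HANDSHAKE='interface: WireGuard
  public key: 4277jlUOO8NdTMR+LrBQiC5uPEujwNB7tMS5kHOA2zg=
  private key: (hidden)
  listening port: 57818

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: 162.159.192.1:2408
  allowed ips: 0.0.0.0/0, ::/0'

# Sample 2: constructed output of a working tunnel (handshake + transfer lines)
WG_OK='interface: WARP
  public key: 4277jlUOO8NdTMR+LrBQiC5uPEujwNB7tMS5kHOA2zg=
  private key: (hidden)
  listening port: 57818

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: 162.159.192.1:2408
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 38 seconds ago
  transfer: 1.21 MiB received, 402.55 KiB sent
  persistent keepalive: every 25 seconds'

printf '%s\n' "$WG_NO_HANDSHAKE" | wg_handshake_status
printf '%s\n' "$WG_OK" | wg_handshake_status
```

On the router, `wg show | wg_handshake_status` is enough. If a peer reports `handshake=no`, check the key pair and the endpoint first, as the reply says, and make sure the same config is not active on the PC at the same time, a point other replies in this thread raise: one key can hold only one live session with the provider.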

Very strange, everything works on PC...

Did you disable the PC's WG connection before trying to establish the one on OpenWrt?

2 Likes

It's worth pointing out that the endpoint IP is not the same on your PC vs OpenWrt... maybe that's related?

1 Like

It doesn't differ; both are specified in the config file.

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
Endpoint = engage.cloudflareclient.com:2408
# endpoint = 162.159.193.5:0
# Endpoint = [2606:4700:d0::a29f:c009]:0
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0

I checked just in case, but nothing has changed...

Let's see the contents of /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7a:812e:8c92::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'c0:25:e9:d3:49:b1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '1.1.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'WARP'
	option proto 'wireguard'
	option private_key '████████████████████████████████████████████'
	list addresses '172.16.0.2/32'
	list addresses 'fd01:5ca1:ab1e:86df:b40f:273d:2974:7bb/128'
	option peerdns '0'
	list dns '1.1.1.1'

config wireguard_WARP
	option description 'warp.conf'
	option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host '162.159.193.5'
	option endpoint_port '2408'
	option persistent_keepalive '25'


Hi, sorry to hijack or if I am off topic. I just use a second OW router with WireGuard to do this for my TV.

That way I can avoid all the complex configuration and just get it up and running then later figure out all the other stuff. The gl-inet routers have a built in wireguard VPN app that makes it easier to switch countries.

Looking at your configs you might want to add your wireguard provider DNS to the WAN interface.

I disable the IPv6 interface as my ISP doesn't use it. WireGuard works and has been solid for me with trusted providers such as mullvad and azire. Some providers like wevpn didn't work on OW with WireGuard when I tested them last year.

Sidenote: As others have pointed out, it's hard to whitelist YouTube because they have 1000s of servers. So I just use a dedicated OW WireGuard router instead. A C7 v2 will get you 75 Mbps on WireGuard. But YouTube only needs 5-10 Mbps.

HTH

Here are some screenshots of a correctly configured firewall for WireGuard on version 19.07. There is no fancy routing; this is a basic configuration to encrypt the entire outgoing connection. You can daisy-chain routers together:

Here are some screenshots of the WireGuard interface on 19.07:

***Also, you can't run the same WireGuard key/server config on a computer and the router at the same time, or the key may get blacklisted by the provider.

2 Likes

The second router still needs to be bought, and when stores and mail are not working, this is difficult to do.

Chromecast is controlled from a smartphone or PC only if they are on the same network. If I buy a second router, I will lose the ability to play movies on it that are locally located on my PC.