Setting up Wireguard tunnels as individual gateways

Hello there!

I just made a post about this a few days ago and realized I may have overcomplicated things a little by posting about too many things at once, so let me start over one step at a time.

As per this thread, I have set up a road warrior configuration for several devices in my router, which has been working rather nicely for quite a while so far. However, I just changed VPN providers from an OpenVPN-only based one to a Wireguard based one, and I was wondering what would be the correct approach to enabling a permanent connection to the VPN without having to use it as the primary gateway.

What I had previously done was to add pull-filter ignore "redirect-gateway" to the configuration of the OpenVPN tunnel, but I'm not sure if there's an equivalent function in Wireguard given the concept of client and server isn't really a thing over there, being replaced with the whole peer stuff.

What I've done so far is follow this tutorial up to the Firewall Zone creation and assignment, but I'm currently unable to see a successful connection using that particular interface's handle.

Are there any tools or guides I should be using in its place?

Use VPN Policy Based Routing to specify what you do and don't want to go through the tunnel.

Might I suggest PBR instead. VPN Policy Based Routing package has been obsoleted by pbr.

Sure! That's the plan eventually.

The thing is right now if I try to ping any address through that interface, I get an empty response:

[root@dca632 ../mullvad/wireguard 53°]# ping -I wg_usa -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No error information

There's also no activity being detected at all on the interface itself, so given that Mullvad's tutorial expects me to direct all my traffic through them, I was wondering if there's any tool or guide aside from ping I could use to troubleshoot not getting any traffic.

After enabling the interface the whole network loses internet access even, and the only way I've gotten it to work again has been to issue a service network restart command, but even after it I'm still unable to ping through it.
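WireGuard reports nothing when a peer is mis-keyed or unreachable: the interface comes up regardless, and the only visible symptoms are a missing "latest handshake" line for that peer in `wg show` and a transfer counter that shows bytes sent but 0 B received. The script below is an added example (it is not from anyone in this thread) that turns `wg show` output into one status line per peer, so a tunnel that never handshakes stands out. The sample `wg show` text embedded in it is constructed; its keys, endpoints and ports are placeholders.

```shell
#!/bin/sh
# Added example, not from this thread: a small diagnostic around `wg show`.
# A peer that never completes a handshake has no "latest handshake:" line;
# if packets are leaving but nothing returns, the transfer line shows a
# non-zero "sent" count next to "0 B received".

# Constructed sample in the shape of `wg show` output. The keys, endpoints
# and ports are placeholders, not values from any real router.
SAMPLE_WG_SHOW='interface: wg0
  public key: PLACEHOLDER_PUBKEY_WG0
  private key: (hidden)
  listening port: 51820

peer: PLACEHOLDER_PEER_A
  preshared key: (hidden)
  endpoint: 203.0.113.10:51820
  allowed ips: 10.0.5.2/32
  latest handshake: 1 minute, 12 seconds ago
  transfer: 1.20 MiB received, 3.41 MiB sent
  persistent keepalive: every 25 seconds

peer: PLACEHOLDER_PEER_B
  preshared key: (hidden)
  allowed ips: 10.0.5.3/32
  persistent keepalive: every 25 seconds

interface: wg_usa
  public key: PLACEHOLDER_PUBKEY_USA
  private key: (hidden)
  listening port: 43210

peer: PLACEHOLDER_PEER_VPN
  endpoint: 198.51.100.7:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds'

# wg_check_peers: read `wg show` text on stdin and print one line per peer:
#   <interface> <peer-key> OK|NO_HANDSHAKE rx=<bytes> tx=<bytes>
# OK means a handshake has completed at some point. NO_HANDSHAKE means the
# remote side never answered (wrong endpoint, key or PSK, or UDP blocked on
# the path); a non-zero tx next to rx=0B confirms packets left the box.
wg_check_peers() {
    awk '
    function flush() {
        if (peer != "") printf "%s %s %s rx=%s tx=%s\n", iface, peer, (handshake ? "OK" : "NO_HANDSHAKE"), rx, tx
        peer = ""; handshake = 0; rx = "none"; tx = "none"
    }
    /^interface: /          { flush(); iface = $2 }
    /^peer: /               { flush(); peer = $2 }
    /^  latest handshake: / { handshake = 1 }
    /^  transfer: /         { rx = $2 $3; tx = $5 $6 }
    END                     { flush() }
    '
}

# wg_failing_peers: same input, but only the peers that need attention.
wg_failing_peers() {
    wg_check_peers | awk '$3 != "OK"'
}

# On the router itself:  wg show | wg_failing_peers
# Against the constructed sample:
printf '%s\n' "$SAMPLE_WG_SHOW" | wg_failing_peers
```

Run on the router as `wg show | wg_failing_peers` after the interface has been up for longer than the 25 second keepalive; a peer still listed as NO_HANDSHAKE with tx above zero is sending keepalives that get no reply, which points at the endpoint, the keys, or a firewall in the path rather than at routing.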

Sure, though that's in the backlog for the moment, given my image still doesn't include the package (I believe it still uses fw3 instead of fw4, so that may be why) at the moment, though I'll certainly keep an eye on it for the future. Thanks!

So the thing to do would be to get the WG tunnel working and all traffic flowing through it... then you can do the PBR thing.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Also please provide the output from

wg show

Fair enough, let me get started then:

/etc/config/network

[root@dca632 ../mullvad/wireguard 56°]# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd04:52a5:a38a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 'auto'
        option hostname 'router'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list addresses '10.0.5.1/24'
        list addresses 'fd2d:a278:3852::1/64'

config wireguard_wg0
        option public_key 'REDACTED'
        option description 'ToastyPen10+'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.0.5.2/32'
        list allowed_ips 'fd2d:a278:3852::2/64'
        option preshared_key 'REDACTED'

config wireguard_wg0
        option description 'ToastyUFO'
        option preshared_key 'REDACTED'
        list allowed_ips '10.0.5.3/32'
        list allowed_ips 'fd2d:a278:3852::3/64'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'REDACTED'

config wireguard_wg0
        option description 'Moto One Action de Liz'
        option preshared_key 'REDACTED'
        list allowed_ips '10.0.5.4/32'
        list allowed_ips 'fd2d:a278:3852::4/64'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'REDACTED'

config wireguard_wg0
        option description 'Liz-PC'
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        list allowed_ips '10.0.5.5/32'
        list allowed_ips 'fd2d:a278:3852::5/64'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'Moto One Action de Celia'
        option preshared_key 'REDACTED'
        list allowed_ips '10.0.5.6/32'
        list allowed_ips 'fd2d:a278:3852::6/64'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'REDACTED'

config interface 'Zerotier'
        option proto 'none'
        option device 'ztrta4adry'

config interface 'wg_usa'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses 'REDACTED'
        list addresses 'REDACTED'
        option peerdns '0'
        list dns '10.64.0.1'

config wireguard_wg_usa
        option description 'us240-wireguard'
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option route_allowed_ips '1'
        option endpoint_host '96.44.189.98'
        option endpoint_port '51820'
        option persistent_keepalive '25'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option noresolv '1'
        option port '53'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option logdhcp '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option dnsforwardmax '2300'
        option min_cache_ttl '270'
        option cachesize '5000'
        list address '/router/192.168.1.1'
        option sequential_ip '1'
        option dnssec '1'
        option allservers '1'
        option confdir '/tmp/dnsmasq.d'
        option enable_tftp '1'
        option tftp_root '/usbstick/tftp'
        list doh_backup_server '127.0.0.1#1053'
        list doh_backup_server '::1#1053'
        list ipset '/zoom.us/streaming,streaming6'
        list ipset '/googlevideo.com/*.googlevideo.com/streaming,streaming6'
        list ipset '/vevo.com/streaming,streaming6'
        list ipset '/nflxvideo.net/streaming,streaming6'
        list ipset '/netflix.com/streaming,streaming6'
        list ipset '/nflxso.net/streaming,streaming6'
        list ipset '/nflximg.com/streaming,streaming6'
        list ipset '/s3.ll.dash.row.aiv-cdn.net/d25xi40x97liuc.cloudfront.net/aiv-delivery.net/streaming,streaming6'
        list ipset '/fbcdn.net/streaming,streaming6'
        list ipset '/ttvnw.net/streaming,streaming6'
        list ipset '/audio-fa.scdn.cot/streaming,streaming6'
        list ipset '/deezer.com/streaming,streaming6'
        list ipset '/sndcdn.com/streaming,streaming6'
        list ipset '/last.fm/streaming,streaming6'
        list ipset '/v.redd.it/streaming,streaming6'
        list ipset '/iview.abc.net.au/streaming,streaming6'
        list ipset '/play.stan.com.au/streaming,streaming6'
        list ipset '/disneyplus.com/streaming,streaming6'
        list ipset '/cloudfront.net/streaming,streaming6'
        list ipset '/aiv-cdn.net/r.cloudfront.net/aiv-delivery.net/streaming,streaming6'
        list ipset '/vs-dash-uk-live.akamaized.net/streaming,streaming6'
        list ipset '/cdn.bllon.isp.sky.com/live.bidi.net.uk/streaming,streaming6'
        list ipset '/ssl-bbcdotcom.2cnt.net/streaming,streaming6'
        list ipset '/millicast.com/streaming,streaming6'
        list ipset '/xirsys.com/streaming,streaming6'
        list ipset '/googletagmanager.com/googleusercontent.com/*.googleusercontent.com/google.com/fbcdn.net/*.fbcdn.net/akamaihd.net/*.akamaihd.net/whatsapp.net/*.whatsapp.net/whatsapp.com/*.whatsapp.com/www-cdn.whatsapp.net/googleapis.com/*.googleapis.com/ucy.ac.cy/1e100.net/hwcdn.net/usrcdn,usrcdn6'
        list ipset '/akamai.net/usrcdn,usrcdn6'
        list ipset '/download.qq.com/bulk,bulk6'
        list ipset '/steamcontent.com/bulk,bulk6'
        list ipset '/gs2.ww.prod.dl.playstation.net/bulk,bulk6'
        list ipset '/dropbox.com/dropboxstatic.com/dropbox-dns.com/log.getdropbox.com/bulk,bulk6'
        list ipset '/drive.google.com/drive-thirdparty.googleusercontent.com/bulk,bulk6'
        list ipset '/1drv.ms/bulk,bulk6'
        list ipset '/1drv.com/bulk,bulk6'
        list ipset '/docs.google.com/docs.googleusercontent.com/bulk,bulk6'
        list ipset '/gvt1.com/bulk,bulk6'
        list ipset '/mmg-fna.whatsapp.net/bulk,bulk6'
        list ipset '/upload.youtube.com/upload.video.google.com/bulk,bulk6'
        list ipset '/windowsupdate.com/update.microsoft.com/bulk,bulk6'
        list ipset '/ms-acdc.office.com/bulk,bulk6'
        list ipset '/graph.microsoft.com/bulk,bulk6'
        list ipset '/web.whatsapp.com/bulk,bulk6'
        list ipset '/*.fastly.net/bulk,bulk6'
        list ipset '/downloads.openwrt.org/bulk,bulk6'
        list ipset '/*.cdn.openwrt.org/bulk,bulk6'
        list ipset '/gvt1.com/gvt2.com/android.clients.google.com/clients1.google.com/clients2.google.com/clients3.google.com/clients4.google.com/clients5.google.com/clients6.google.com/play.googleapis.com/bulk,bulk6'
        list ipset '/assetcdn.101.arenanetworks.com/gamecache4,gamecache6'
        list ipset '/assetcdn.102.arenanetworks.com/gamecache4,gamecache6'
        list ipset '/assetcdn.103.arenanetworks.com/gamecache4,gamecache6'
        list ipset '/live.patcher.bladeandsoul.com/gamecache4,gamecache6'
        list ipset '/dist.blizzard.com/gamecache4,gamecache6'
        list ipset '/dist.blizzard.com.edgesuite.net/gamecache4,gamecache6'
        list ipset '/llnw.blizzard.com/gamecache4,gamecache6'
        list ipset '/edgecast.blizzard.com/gamecache4,gamecache6'
        list ipset '/blizzard.vo.llnwd.net/gamecache4,gamecache6'
        list ipset '/blzddist1-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/blzddist2-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/blzddist3-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/blzddist4-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/level3.blizzard.com/gamecache4,gamecache6'
        list ipset '/nydus.battle.net/gamecache4,gamecache6'
        list ipset '/edge.blizzard.top.comcast.net/gamecache4,gamecache6'
        list ipset '/cdn.blizzard.com/gamecache4,gamecache6'
        list ipset '/cdn-11.eft-store.com/gamecache4,gamecache6'
        list ipset '/cl-453343cd.gcdn.co/gamecache4,gamecache6'
        list ipset '/cdn.homecomingservers.com/gamecache4,gamecache6'
        list ipset '/nsa.tools/gamecache4,gamecache6'
        list ipset '/pls.patch.daybreakgames.com/gamecache4,gamecache6'
        list ipset '/cdn1.epicgames.com/gamecache4,gamecache6'
        list ipset '/cdn.unrealengine.com/gamecache4,gamecache6'
        list ipset '/cdn1.unrealengine.com/gamecache4,gamecache6'
        list ipset '/cdn2.unrealengine.com/gamecache4,gamecache6'
        list ipset '/cdn3.unrealengine.com/gamecache4,gamecache6'
        list ipset '/download.epicgames.com/gamecache4,gamecache6'
        list ipset '/download2.epicgames.com/gamecache4,gamecache6'
        list ipset '/download3.epicgames.com/gamecache4,gamecache6'
        list ipset '/download4.epicgames.com/gamecache4,gamecache6'
        list ipset '/epicgames-download1.akamaized.net/gamecache4,gamecache6'
        list ipset '/cdn.zaonce.net/gamecache4,gamecache6'
        list ipset '/hirez.http.internapcdn.net/gamecache4,gamecache6'
        list ipset '/level3.nwhttppatch.crypticstudios.com/gamecache4,gamecache6'
        list ipset '/filedelivery.nexusmods.com/gamecache4,gamecache6'
        list ipset '/ccs.cdn.wup.shop.nintendo.com/gamecache4,gamecache6'
        list ipset '/ccs.cdn.wup.shop.nintendo.net/gamecache4,gamecache6'
        list ipset '/ccs.cdn.wup.shop.nintendo.net.edgesuite.net/gamecache4,gamecache6'
        list ipset '/geisha-wup.cdn.nintendo.net/gamecache4,gamecache6'
        list ipset '/geisha-wup.cdn.nintendo.net.edgekey.net/gamecache4,gamecache6'
        list ipset '/idbe-wup.cdn.nintendo.net/gamecache4,gamecache6'
        list ipset '/idbe-wup.cdn.nintendo.net.edgekey.net/gamecache4,gamecache6'
        list ipset '/ecs-lp1.hac.shop.nintendo.net/gamecache4,gamecache6'
        list ipset '/receive-lp1.dg.srv.nintendo.net/gamecache4,gamecache6'
        list ipset '/*.wup.eshop.nintendo.net/gamecache4,gamecache6'
        list ipset '/*.hac.lp1.d4c.nintendo.net/gamecache4,gamecache6'
        list ipset '/*.hac.lp1.eshop.nintendo.net/gamecache4,gamecache6'
        list ipset '/origin-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/lvlt.cdn.ea.com/gamecache4,gamecache6'
        list ipset '/rxp-lv.cncirc.net/gamecache4,gamecache6'
        list ipset '/cronub.fairplayinc.uk/gamecache4,gamecache6'
        list ipset '/amirror.tyrant.gg/gamecache4,gamecache6'
        list ipset '/mirror.usa.tyrant.gg/gamecache4,gamecache6'
        list ipset '/renx.b-cdn.net/gamecache4,gamecache6'
        list ipset '/l3cdn.riotgames.com/gamecache4,gamecache6'
        list ipset '/worldwide.l3cdn.riotgames.com/gamecache4,gamecache6'
        list ipset '/riotgamespatcher-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/riotgamespatcher-a.akamaihd.net.edgesuite.net/gamecache4,gamecache6'
        list ipset '/*.dyn.riotcdn.net/gamecache4,gamecache6'
        list ipset '/patches.rockstargames.com/gamecache4,gamecache6'
        list ipset '/gs2.ww.prod.dl.playstation.net/gamecache4,gamecache6'
        list ipset '/gs2.sonycoment.loris-e.llnwd.net/gamecache4,gamecache6'
        list ipset '/patch-dl.ffxiv.com/gamecache4,gamecache6'
        list ipset '/lancache.steamcontent.com/gamecache4,gamecache6'
        list ipset '/*.content.steampowered.com/gamecache4,gamecache6'
        list ipset '/content1.steampowered.com/gamecache4,gamecache6'
        list ipset '/content2.steampowered.com/gamecache4,gamecache6'
        list ipset '/content3.steampowered.com/gamecache4,gamecache6'
        list ipset '/content4.steampowered.com/gamecache4,gamecache6'
        list ipset '/content5.steampowered.com/gamecache4,gamecache6'
        list ipset '/content6.steampowered.com/gamecache4,gamecache6'
        list ipset '/content7.steampowered.com/gamecache4,gamecache6'
        list ipset '/content8.steampowered.com/gamecache4,gamecache6'
        list ipset '/cs.steampowered.com/gamecache4,gamecache6'
        list ipset '/steamcontent.com/gamecache4,gamecache6'
        list ipset '/client-download.steampowered.com/gamecache4,gamecache6'
        list ipset '/*.hsar.steampowered.com.edgesuite.net/gamecache4,gamecache6'
        list ipset '/*.akamai.steamstatic.com/gamecache4,gamecache6'
        list ipset '/content-origin.steampowered.com/gamecache4,gamecache6'
        list ipset '/clientconfig.akamai.steamtransparent.com/gamecache4,gamecache6'
        list ipset '/steampipe.akamaized.net/gamecache4,gamecache6'
        list ipset '/edgecast.steamstatic.com/gamecache4,gamecache6'
        list ipset '/steam.apac.qtlglb.com.mwcloudcdn.com/gamecache4,gamecache6'
        list ipset '/*.cm.steampowered.com/gamecache4,gamecache6'
        list ipset '/cdn1-sea1.valve.net/gamecache4,gamecache6'
        list ipset '/cdn2-sea1.valve.net/gamecache4,gamecache6'
        list ipset '/*.steam-content-dnld-1.apac-1-cdn.cqloud.com/gamecache4,gamecache6'
        list ipset '/*.steam-content-dnld-1.eu-c1-cdn.cqloud.com/gamecache4,gamecache6'
        list ipset '/steam.apac.qtlglb.com/gamecache4,gamecache6'
        list ipset '/edge.steam-dns.top.comcast.net/gamecache4,gamecache6'
        list ipset '/edge.steam-dns-2.top.comcast.net/gamecache4,gamecache6'
        list ipset '/steam.naeu.qtlglb.com/gamecache4,gamecache6'
        list ipset '/steampipe-kr.akamaized.net/gamecache4,gamecache6'
        list ipset '/steam.ix.asn.au/gamecache4,gamecache6'
        list ipset '/steam.eca.qtlglb.com/gamecache4,gamecache6'
        list ipset '/steam.cdn.on.net/gamecache4,gamecache6'
        list ipset '/update5.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update2.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update6.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update3.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update1.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update4.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update5.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update2.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update4.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update3.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update6.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update1.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/st.dl.bscstorage.net/gamecache4,gamecache6'
        list ipset '/cdn.mileweb.cs.steampowered.com.8686c.com/gamecache4,gamecache6'
        list ipset '/live.patcher.elderscrollsonline.com/gamecache4,gamecache6'
        list ipset '/d3rmjivj4k4f0t.cloudfront.net/gamecache4,gamecache6'
        list ipset '/addons.forgesvc.net/gamecache4,gamecache6'
        list ipset '/media.forgecdn.net/gamecache4,gamecache6'
        list ipset '/files.forgecdn.net/gamecache4,gamecache6'
        list ipset '/*.cdn.ubi.com/gamecache4,gamecache6'
        list ipset '/content.warframe.com/gamecache4,gamecache6'
        list ipset '/dl1.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl2.wargaming.net/gamecache4,gamecache6'
        list ipset '/wg.gcdn.co/gamecache4,gamecache6'
        list ipset '/wgusst-na.wargaming.net/gamecache4,gamecache6'
        list ipset '/wgusst-eu.wargaming.net/gamecache4,gamecache6'
        list ipset '/update-v4r4h10x.worldofwarships.com/gamecache4,gamecache6'
        list ipset '/wgus-wotasia.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wot-ak.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wot-gc.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wot-se.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wot-cdx.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wows-ak.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wows-gc.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wows-se.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wows-cdx.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wowp-ak.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wowp-gc.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wowp-se.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wowp-cdx.wargaming.net/gamecache4,gamecache6'
        list ipset '/*.windowsupdate.com/gamecache4,gamecache6'
        list ipset '/windowsupdate.com/gamecache4,gamecache6'
        list ipset '/*.dl.delivery.mp.microsoft.com/gamecache4,gamecache6'
        list ipset '/dl.delivery.mp.microsoft.com/gamecache4,gamecache6'
        list ipset '/*.update.microsoft.com/gamecache4,gamecache6'
        list ipset '/*.do.dsp.mp.microsoft.com/gamecache4,gamecache6'
        list ipset '/*.microsoft.com.edgesuite.net/gamecache4,gamecache6'
        list ipset '/amupdatedl.microsoft.com/gamecache4,gamecache6'
        list ipset '/amupdatedl2.microsoft.com/gamecache4,gamecache6'
        list ipset '/amupdatedl3.microsoft.com/gamecache4,gamecache6'
        list ipset '/amupdatedl4.microsoft.com/gamecache4,gamecache6'
        list ipset '/amupdatedl5.microsoft.com/gamecache4,gamecache6'
        list ipset '/assets1.xboxlive.com/gamecache4,gamecache6'
        list ipset '/assets2.xboxlive.com/gamecache4,gamecache6'
        list ipset '/dlassets.xboxlive.com/gamecache4,gamecache6'
        list ipset '/xboxone.loris.llnwd.net/gamecache4,gamecache6'
        list ipset '/xboxone.vo.llnwd.net/gamecache4,gamecache6'
        list ipset '/xbox-mbr.xboxlive.com/gamecache4,gamecache6'
        list ipset '/assets1.xboxlive.com.nsatc.net/gamecache4,gamecache6'
        list ipset '/xvcf1.xboxlive.com/gamecache4,gamecache6'
        list server '127.0.0.1#1054'
        list server '::1#1054'

config boot 'linux'
        option filename 'pxelinux.0'
        option serveraddress '192.168.1.1'
        option servername 'router'
        list dhcp_option '209,pxelinux.cfg/default'
        option force '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan_6'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpnzone'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'VPN_USA'
        list network 'wg_usa'

config forwarding
        option src 'lan'
        option dest 'vpnzone'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'
        option reload '1'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config rule
        option name 'AllowNGINXPMAdmin'
        option src_port '81'
        option dest 'lan'
        option dest_port '81'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy-Admin'
        option src 'lan'
        option src_dport '81'
        option dest 'lan'
        option dest_port '81'
        option dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_port '80'
        option dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy-SSL'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_port '443'
        option dest_ip '172.18.0.2'

config redirect 'adblock_wan853'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'
        option name 'AGH DNS over TLS'
        option dest 'lan'
        option dest_ip '192.168.1.1'

config redirect
        option target 'DNAT'
        option name 'AGH DNS over QUIC'
        option src 'wan'
        option src_dport '784'
        option dest 'lan'
        option dest_ip '192.168.1.1'
        option dest_port '784'

config rule
        option name 'RClone-GUI'
        option src 'lan'
        option src_port '5572'
        option dest 'lan'
        option dest_port '5572'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'HomeAssistant'
        option src 'lan'
        option src_port '8123'
        option dest 'lan'
        option dest_port '8123'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'Allow-NFS-RPC'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS-Lock'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '32777:32780'
        option target 'ACCEPT'

config rule
        option name 'Tautulli'
        option src 'lan'
        option src_port '8181'
        option dest 'lan'
        list dest_ip '172.18.0.5'
        option dest_port '8181'
        option target 'ACCEPT'

config rule
        option name 'PiHole-Admin'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config nat
        option name 'PiHole-DNAT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option src 'lan'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option target 'SNAT'
        option snat_ip '192.168.1.1'
        option snat_port '82'

config rule
        option name 'Transmission-GUI'
        option src 'lan'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'
        option src_port '9091'
        option dest_port '9091'

config rule
        option name 'NGINXPM-DB'
        option src 'lan'
        list src_ip '172.18.0.2'
        option src_port '3306'
        option dest 'lan'
        list dest_ip '172.18.0.3'
        option dest_port '3306'
        option target 'ACCEPT'

config rule
        option name 'Adguard-Admin'
        option src 'wan'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        list dest_ip '172.18.0.6'
        list dest_ip '2001:3984:3989::6'

config rule 'wg'
        option dest_port '51820'
        option target 'ACCEPT'
        option name 'Allow-WireGuard-lan'
        list proto 'tcp'
        list proto 'udp'
        option src 'wan'

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'

config rule
        option name 'Allow-ZeroTier-Inbound'
        list proto 'udp'
        option src 'wan'
        option dest_port '9993'
        option target 'ACCEPT'

config zone
        option name 'mesh'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'Zerotier'

config forwarding
        option src 'mesh'
        option dest 'lan'

config forwarding
        option src 'mesh'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'mesh'

config forwarding
        option src 'wan'
        option dest 'mesh'

config redirect 'adblock_docker53'
        option name 'Adblock DNS (docker, 53)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_docker853'
        option name 'Adblock DNS (docker, 853)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_docker5353'
        option name 'Adblock DNS (docker, 5353)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_vpnzone53'
        option name 'Adblock DNS (vpnzone, 53)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_vpnzone853'
        option name 'Adblock DNS (vpnzone, 853)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_vpnzone5353'
        option name 'Adblock DNS (vpnzone, 5353)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_wan53'
        option name 'Adblock DNS (wan, 53)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_wan5353'
        option name 'Adblock DNS (wan, 5353)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

wg show

interface: wg0
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  preshared key: (hidden)
  allowed ips: 10.0.5.2/32
  persistent keepalive: every 25 seconds

peer: REDACTED
  preshared key: (hidden)
  allowed ips: 10.0.5.3/32
  persistent keepalive: every 25 seconds

peer: REDACTED
  preshared key: (hidden)
  allowed ips: 10.0.5.4/32
  persistent keepalive: every 25 seconds

peer: REDACTED
  preshared key: (hidden)
  allowed ips: 10.0.5.5/32
  persistent keepalive: every 25 seconds

peer: REDACTED
  preshared key: (hidden)
  allowed ips: 10.0.5.6/32, fd2d:a278:3852::/64
  persistent keepalive: every 25 seconds

interface: wg_usa
  public key: REDACTED
  private key: (hidden)
  listening port: 59327
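Two offline checks over the kind of dumps posted above, added here as an example and not part of the thread or of any OpenWrt tool. The first lists everything the posted firewall config accepts from the wan zone: as written it includes the rule named Allow-WireGuard-lan (which accepts both tcp and udp on 51820 from wan, although WireGuard speaks UDP only, so the tcp entry opens nothing useful), the Adguard-Admin rule that forwards wan port 82 to 172.18.0.6, and the adblock_wan53/5353 redirects that hand DNS arriving from wan to the router itself; whether each is intended is for the owner to decide, but it is the first thing to enumerate before debugging anything else. The second parses `wg show`: in the posted output wg_usa has no peer section at all, and none of the wg0 peers shows a `latest handshake` line, which wg prints only after a handshake has completed (for a road-warrior server that merely means that client is not connected right now; for a provider tunnel it means nothing can flow). The sample texts below are constructed to mirror the posted dumps; keys and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread: two offline checks over the kind of dumps
# posted above. Samples are constructed to mirror them; keys/addresses are placeholders.

# list_wan_accepts: reads /etc/config/firewall on stdin, prints each rule or redirect
# that lets the wan zone in as  <name> <target> <proto> <port> -> <dest|router>[ <dest_ip>]
# and exits 1 if any was found (so a deploy script can gate on it).
list_wan_accepts() {
    awk -v q="'" '
        function val(   v) { v = $0; sub(/^[ \t]*(option|list) [A-Za-z_]+[ \t]*/, "", v); gsub(q, "", v); return v }
        function flush(   port) {
            if ((sect == "rule" || sect == "redirect") && src == "wan" && (target == "ACCEPT" || target == "DNAT")) {
                port = (sect == "redirect" ? sdport : dport)   # redirects match on src_dport
                printf "%s %s %s %s -> %s%s\n", name, target, (proto == "" ? "any" : proto), (port == "" ? "any" : port), (dest == "" ? "router" : dest), (dip == "" ? "" : " " dip)
                found = 1
            }
            name = src = dest = target = proto = dport = sdport = dip = ""
        }
        /^config[ \t]/                { flush(); sect = $2 }
        /^[ \t]*option name /         { name = val() }
        /^[ \t]*option src /          { src = val() }      # trailing space excludes src_port/src_dport
        /^[ \t]*option dest /         { dest = val() }
        /^[ \t]*option dest_port /    { dport = val() }
        /^[ \t]*option src_dport /    { sdport = val() }
        /^[ \t]*option target /       { target = val() }
        /^[ \t]*(option|list) proto / { proto = (proto == "" ? val() : proto "," val()) }
        /^[ \t]*list dest_ip /        { dip = (dip == "" ? val() : dip "," val()) }
        END { flush(); exit (found ? 1 : 0) }'
}

# check_wg_show: reads `wg show` on stdin. NOPEER <iface> = no peer configured at all;
# NOHANDSHAKE <iface> <peer> = peer present but no handshake since the interface came up
# (wg prints "latest handshake" only after one completed). Exits 1 if anything was printed.
check_wg_show() {
    awk '
        function flush() { if (peer != "" && !hs) { print "NOHANDSHAKE " piface " " peer; bad = 1 } }
        /^interface:/              { flush(); peer = ""; iface = $2; peers[iface] = 0 }
        /^peer:/                   { flush(); peer = $2; piface = iface; peers[iface]++; hs = 0 }
        /^[ \t]*latest handshake:/ { hs = 1 }
        END {
            flush()
            for (i in peers) if (peers[i] == 0) { print "NOPEER " i; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: a trimmed /etc/config/firewall shaped like the posted one.
SAMPLE_FIREWALL="config rule
        option name 'Adguard-Admin'
        option src 'wan'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        list dest_ip '172.18.0.6'
        list dest_ip '2001:3984:3989::6'

config rule 'wg'
        option dest_port '51820'
        option target 'ACCEPT'
        option name 'Allow-WireGuard-lan'
        list proto 'tcp'
        list proto 'udp'
        option src 'wan'

config redirect 'adblock_wan53'
        option name 'Adblock DNS (wan, 53)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'"

# Constructed sample: `wg show` with one connected peer, one never-connected peer,
# and a provider-style interface that has no peer at all (placeholder keys).
SAMPLE_WG_SHOW='interface: wg0
  public key: SERVER_PUB
  listening port: 51820

peer: PEER_A_PUB
  endpoint: 203.0.113.10:41820
  allowed ips: 10.0.5.2/32
  latest handshake: 12 seconds ago

peer: PEER_B_PUB
  allowed ips: 10.0.5.3/32

interface: wg_usa
  public key: CLIENT_PUB
  listening port: 59327'

# Stand-alone run over the samples; exit status 1 means "findings present".
printf '%s\n' "$SAMPLE_FIREWALL" | list_wan_accepts || true
printf '%s\n' "$SAMPLE_WG_SHOW" | check_wg_show || true
```

On the router the same functions run over the live data with `list_wan_accepts < /etc/config/firewall` and `wg show | check_wg_show`; for a provider tunnel, a NOPEER or NOHANDSHAKE line for that interface is the thing to fix before looking at routes or firewall zones at all.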

Wow... you've got a lot of stuff happening there...

You have what appears to be a server-type configuration for WG, a zerotier VPN, and your mullvad WG 'client' configuration. Then you have DoH and a whole bunch of ipset rules and port forwarding that goes to some network that is not defined in the config (172.18.0.0/24 -- maybe this is the docker container??).

There's really so much going on that it is going to be hard to figure out what is causing your problem. I don't think I'm going to be able to help on this one.

I'd recommend simplifying and then building back up. Make a backup, then reset everything to defaults... get the Mullvad VPN running and then put the other things back one by one until the VPN breaks. Or, do this with a second OpenWrt box.
... unless of course someone can help with the config files as they are.

Hey there, took me a while to figure it out, but it seems I've got a grasp of things now.

Turns out the settings I was missing to get a link going were the following:

First, I had to set up as a custom DNS server the DNS provided for the DHCP configuration, inside the WireGuard interface's advanced settings.

Then I had to check the "Force Link" box as well, and as the last and most crucial step, I had to reboot the interface (it seems that without this step the peer would not have been generated).

After I did so, all my v4 traffic started going through Mullvad and it seems the tunnel has v6 connectivity, but even after following this guide, only the router seems to have v6 connectivity.

Now the question would be on how to use the link only as a gateway and how to make sure the connection stays dual-stack for both the WAN and the tunnel.

Given I'm at least now able to navigate through the VPN, does this change my situation somewhat?

Finally found the final step!

Just had to uncheck the "Force Link" flag, restart the interface and then assign priorities (gateway metrics starting from 1) to both the WAN interface and the WireGuard tunnels, with WAN being metric 1 and each subsequent tunnel being metric 2, 3 and so on.

As such, I am now able to preserve my default connection on WAN and just tunnel stuff to the Wireguard peers when necessary.
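The metric scheme from the post above, as an added example that is not part of the thread: the uci commands that set it (interface names wan, wg_usa and wg_eu are assumptions, as is the existence of a second tunnel), plus an offline check over `ip -4 route show default` output that catches the two ways this scheme silently fails. A default route with no explicit metric is metric 0 and beats every route that has one, so a tunnel brought up without a metric takes all traffic regardless of what WAN is set to; and two defaults sharing a metric leave the choice to the kernel rather than to you. The route lines below are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the thread: apply WAN=1, tunnels=2,3 with uci and
# verify the resulting default routes offline. Interface names are assumptions.

# A WireGuard interface in OpenWrt only installs a default route when its peer has
# 0.0.0.0/0 in allowed_ips and route_allowed_ips is on; that route gets the metric
# set here, so WAN (metric 1) stays the default and the tunnels only win under PBR.
set_gateway_metrics() {
    uci set network.wan.metric='1'
    uci set network.wg_usa.metric='2'
    uci set network.wg_eu.metric='3'
    uci commit network
    /etc/init.d/network reload
}

# check_default_routes: reads `ip -4 route show default` on stdin and prints the device
# the kernel will pick (lowest metric). Exits 1 and prints a reason instead when a
# default has no metric (NOMETRIC <dev>: metric 0 beats everything), two share one
# (DUPMETRIC <m> <dev> <otherdev>), or there is no default route at all (NODEFAULT).
check_default_routes() {
    awk '
        /^default/ {
            dev = ""; metric = -1
            for (i = 1; i <= NF; i++) { if ($i == "dev") dev = $(i+1); if ($i == "metric") metric = $(i+1) + 0 }
            if (metric < 0) { print "NOMETRIC " dev; bad = 1; next }
            if (metric in seen) { print "DUPMETRIC " metric " " dev " " seen[metric]; bad = 1 }
            seen[metric] = dev
            if (best == "" || metric < bestm) { best = dev; bestm = metric }
        }
        END {
            if (bad) exit 1
            if (best == "") { print "NODEFAULT"; exit 1 }
            print best
        }'
}

# Constructed samples of `ip -4 route show default`: the intended end state, and the
# state where a tunnel came up without a metric and therefore owns all traffic.
SAMPLE_ROUTES_GOOD='default via 192.0.2.1 dev eth0.2 proto static src 192.0.2.50 metric 1
default dev wg_usa proto static scope link metric 2
default dev wg_eu proto static scope link metric 3'

SAMPLE_ROUTES_BAD='default via 192.0.2.1 dev eth0.2 proto static src 192.0.2.50 metric 1
default dev wg_usa proto static scope link'

# Stand-alone run over the samples; the second is expected to report NOMETRIC.
printf '%s\n' "$SAMPLE_ROUTES_GOOD" | check_default_routes || true
printf '%s\n' "$SAMPLE_ROUTES_BAD" | check_default_routes || true
```

On the router, `ip -4 route show default | check_default_routes` after `network reload` should print the WAN device. Two further checks worth doing by hand: `ip route get <address of the DNS server you set on the tunnel interface>` must answer with `dev wg_usa`, otherwise those queries leave over WAN in the clear now that the tunnel is no longer the default; and with the tunnel demoted, nothing at all uses it until PBR, as suggested upthread, selects the hosts or destinations that should.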
