Setup Wireguard VPN for my home network

First time user of OpenWRT here...please be gentle.

What I am trying to do is to have my Pi4 8gb act as my home VPN Server.

I followed the instructions found here https://www.instructables.com/Highspeed-VPN-Router-With-Raspberry-Pi/

and set up Wireguard VPN as per the above instructions and uploaded a config file provided by my VPN provider.

Next, I inserted the Pi4 between my Broadband modem and my Netgear R8000. I plugged the LAN cable from the Broadband modem to the Ethernet Adaptor on the Pi4 and plugged a LAN cable from the fixed port on the Pi to the WAN port on the R8000.

What is happening now is my Pi4 is acting as a router but there is no traffic running through the VPN interface.

When I run IPLeak or WhatIsMyIP the results show an IP address belonging to my ISP, i.e. nothing is leaving via the tunnel.

I have working internet and can access all devices on my home network both wired and wirelessly.

Can anyone spare the time to help me sort this out? I've tried contacting the creator of the instructions but they have not responded to my query or any other query actually.

Cheers
Craig

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses, any public IP addresses you may have, and any keys (the WireGuard `private_key` and `preshared_key` values in particular; the peer's `public_key` identifies your account with the provider and is best redacted too). The RFC 1918 addresses of your LAN (192.168.x.x) do not need to be hidden and are needed to read the config:

cat /etc/config/network
cat /etc/config/firewall

Thanks psherman

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:e181:8843::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.x.x'
        option broadcast '192.168.x.x'

config device
        option name 'eth0'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth1'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list dns '4.2.2.2'
        list dns '9.9.9.9'

config interface 'PureVPN_Melb'
        option proto 'wireguard'
        option private_key '6Ghg2svwyEq/3IWIntptEmnAjCl/6OnVb3uLQbJikk4='
        list addresses '172.17.xx.xx'
        list dns '1.1.1.1'
        list dns '4.2.2.2'
        list dns '8.8.8.8'
        list dns '9.9.9.9'

config wireguard_PureVPN_Melb
        option description 'Australia-wg.conf'
        option public_key 'X0bV6rIiCLrncsjY5yaM80nAxU31z0V5VdZ2pCa3eAo='
        option private_key '6Ghg2svwyEq/3IWIntptEmnAjCl/6OnVb3uLQbJikk4='
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option persistent_keepalive '30'
cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'
        list network 'PureVPN_Melb'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

You do not appear to have an endpoint host and port for the remote peer (the VPN service) in the `config wireguard_PureVPN_Melb` section (`option endpoint_host` / `option endpoint_port`), so no handshake is possible. With `route_allowed_ips '1'` on a `0.0.0.0/0` peer, the tunnel still takes over the default route, which is why the interface can come up yet pass nothing.

You have redacted details that do not need to be hidden (the RFC 1918 addresses of your LAN), but you have left your keys in the post — both `private_key` values and the peer `public_key` — and a WireGuard private key is the one thing that must never be published: anyone who has it can authenticate to the provider as this peer. Treat this key pair as compromised and request or generate a new set of keys; simply editing the post afterwards does not help, since the thread has already been read and indexed.

I also recommend making a separate firewall zone for your WireGuard connection, instead of listing `PureVPN_Melb` inside the `wan` zone. With its own zone you control exactly which traffic may be forwarded into the tunnel, and it lets you build a kill switch (if desired): if the only forwarding from `lan` goes to the VPN zone, a tunnel that drops takes your internet with it rather than silently falling back to the ISP.

Oh..ok I will give this a crack.

Can you explain how I find the endpoint host and port for the remote peer (the vpn service)?

"You should request or generate a new set of keys because these can no longer be considered secure." Does this mean I download a new config from my VPN provider and update the existing keys? Or simply upload over the existing config?

I also recommend making a separate firewall zone for your wireguard connection so that you can use it as a kill switch (if desired) should the vpn stop working. - How is this done?

This should be provided by your VPN provider in their config file (the `Endpoint = host:port` line under `[Peer]`) or in their documentation.

This depends on your provider's process. WireGuard authenticates both ends by public key: your router's `private_key` must correspond to the public key the provider has registered for you, and the `public_key` in your peer section must be the server's. If the provider lets you download a fresh config that issues a new key pair, uploading it over the old one is the simplest route; changing only one side leaves the handshake failing.

This is how you create a firewall zone for the VPN. Be sure to remove `list network 'PureVPN_Melb'` from the `wan` zone. Note that on its own this is not yet a kill switch: your existing `config forwarding` from `lan` to `wan` stays in place, so if the tunnel goes down traffic is still forwarded out the ISP link. For kill-switch behaviour, delete (or disable) that `lan` → `wan` forwarding so the only path out of `lan` is the `vpn` zone below; keep `input 'REJECT'` on the zone so nothing from the tunnel side can reach the router itself.

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'PureVPN_Melb'

config forwarding
        option src 'lan'
        option dest 'vpn'

Now I am in trouble...
I tried updating the wire guard details and now I do not have internet! I do have access to OpenWrt
How can I get internet back?

I'm using my mobile to reply.

Stop the WireGuard interface (`ifdown PureVPN_Melb`). You may also need to restart the WAN interface (`ifup WAN`) to get the default route back: with `route_allowed_ips '1'` on a `0.0.0.0/0` peer the tunnel replaces your default route, so a tunnel that never completes its handshake most likely blackholes all traffic.


Thanks psherman....I have internet again!

Ok...here's the rub.

I couldn't get internet activity with VPN enabled so I stopped it as previously advised, restarted WAN.

As I am having issues with the VPN, would it be prudent to delete this interface and start with a fresh config?

Likely, yes.

Ok...added new WireguardVPN but it is not working.

Internet works as normal.

Post your latest config.


cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:e181:8843::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        option broadcast '192.168.2.255'

config device
        option name 'eth0'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth1'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list dns '4.2.2.2'
        list dns '9.9.9.9'
        list dns '27.50.74.3'
        list dns '27.50.74.5'

config interface 'PureVPN_Melb'
        option proto 'wireguard'
        option private_key 
        list addresses '172.18.18.187'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list dns '27.50.74.3'
        list dns '27.50.74.5'
        list dns '9.9.9.9'

config wireguard_PureVPN_Melb
        option description 'Australia-wg (2).conf'
        option public_key '
        option private_key '
        option endpoint_host 'sx150724-wg.pointtoserver.com'
        option endpoint_port '51820'

config device
        option name 'PureVPN_Melb'
        option mtu '1500'
        option ipv6 '0'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'
        list network 'PureVPN_Melb'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Your peer section is now missing the allowed IPs and the routing flag: you need `list allowed_ips '0.0.0.0/0'` (if you want all internet traffic to use the tunnel) and `option route_allowed_ips '1'` so the route is actually installed. Without `allowed_ips`, WireGuard will drop any packet from the peer even if the handshake succeeds.

Remove the stanza below.

Changed as suggested

config wireguard_PureVPN_Melb
        option description 'Australia-wg (2).conf'
        option public_key '
        option private_key 
        option endpoint_host 'sx150724-wg.pointtoserver.com'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option persistent_keepalive '30'

Is this correct?

config device
        option name 'PureVPN_Melb'
        option ipv6 '0'

Had to stop VPN interface to get internet back

This looks fine. One thing to tidy: `option private_key` does not belong in the `config wireguard_PureVPN_Melb` peer section — a peer takes `public_key` and optionally `preshared_key`; your own private key goes only in the `config interface` section. netifd should ignore it there, but it is one more copy of a secret to accidentally paste. What is the output of:

wireguard show

output is...
-ash: wireguard: not found

(The WireGuard tool's binary is `wg`, not `wireguard` — run `wg show`. If that is also "not found", install the `wireguard-tools` package. In the output, check for a `latest handshake` line under the peer: if it never appears, the keys or endpoint are wrong, or UDP 51820 to the endpoint is being blocked.)