[Solved] Configure VPN server on OpenWRT device behind WAN router

My OpenWRT device is behind another router (Fritzbox) which is connected to the internet.

Is it possible to route traffic from the internet to the OpenWRT and set up Wireguard VPN server on the OpenWRT device?

How can it be done?
I was having a look at the docs and a tutorial, but after following the instructions mentioned in the tutorial I was not able to make a connection to my OpenWRT VPN server with my Android client.

I figured that I missed setting up DynDNS on OpenWRT (or on the WAN router?).
Also, how can I set up the forwarding from WAN to the OpenWRT router on the WAN router?

  • You would set up the device as normal (OpenWrt will route upstream with no further configuration by default - as long as there's no IP conflict with the default subnet of 192.168.1.0/24 on the Fritz LAN) - usually just plugging up its WAN port
  • Port forward the UDP listening port you configured for Wireguard - from your upstream router to the WAN port of the OpenWrt

To be clear, you'd set up this port forward on the upstream FritzBox - you should inquire with their support if you need assistance in creating a port forward.

  • Lastly - create a rule on the OpenWrt to allow the UDP port as Input on WAN (i.e. "this device")

Well, you'll need to ensure the hostname properly resolves - but you can test using your Public IP. You do have a Public IP assigned to the Fritz, correct?


Fritz!OS supports Wireguard by default (in the newer releases), is there a specific reason for an additional device?
Or, alternatively, is it an option to install OpenWrt on your Fritz!Box or replace it entirely?


Ok

I set up the port forwarding in the WAN fritzbox. The IP range of the LAN box is 192.168.201.0/24:

I set up the rule:

I still need to make sure of this. I have a public ipv4 address, but it is not static.

I wanted to retain the Fritzbox with the original firmware as I have received it from my internet provider, so they can't blame me for messing with the firmware in case of technical issues with the line, and also to have it as an added layer between WAN and LAN. Also, I like to keep some devices in the LAN of my WAN Fritzbox, so they can't interact with the other devices like my computers and my NAS.

But, for testing, I just tried configuring a Wireguard connection in my WAN Fritzbox, which would be useful for me. The configuration works and I can connect. But I can't access the internet through the connection for some unknown reason.

I'm pretty sure you need to remove the checkbox "Selbstständige Portfreigabe". A quick web search came up with it being associated with UPnP, this is not what you want. And I assume that you picked "UDP" as protocol?

When trying again, make sure to disable the built-in Wireguard server first.

If you use DSL (what I assume) you can use a FRITZ!Box 7520 or 7530 directly with OpenWrt as your main router (DECT and phone features do not work). You can isolate clients by putting them into a different VLAN, so you could assign ports 1-2 to your private LAN and ports 3-4 to your IoT network.


I have tested that the dyndns entry I have configured in the Fritzbox resolves successfully.

Ok, I have disabled "Selbstständige Portfreigabe" and changed protocol to UDP.

Correct, I have DSL. I need the phone. So, I suppose the Fritzbox official firmware has to stay.

...and it does work now or still doesn't?

Yes, unfortunately the telephony features are not supported.


No, unfortunately it still does not work. The config for the OpenWRT peer:


Where 192.168.201.0/24 is the LAN and 192.168.202.0/24 is the VLAN for VPN. I import the config in the Wireguard Android app.

The Wireguard app on Android throws the following exception: "Error bringing up tunnel: At least one address must be specified."

Remove the listen port on the peer. The peer also needs an interface address which is currently missing.

Let's see your OpenWrt config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Just in case this could be an issue: I also configured static routes in the Fritzbox as described here:

root@openwrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'abc'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.201.1'

config interface 'wan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.100.35'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'abc'
	option listen_port '51820'
	list addresses '192.168.202.0/24'

config wireguard_wg0
	option description 'aaaa'
	option public_key 'abc'
	option private_key 'def'
	option preshared_key 'ghi'
	list allowed_ips '192.168.202.10/32'
	option persistent_keepalive '25'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config forwarding
	option src 'Wireguard'
	option dest 'lan'

config forwarding
	option src 'wan'
	option dest 'Wireguard'

config rule
	option name 'wan-local-wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

This is an invalid address.
Change it to 192.168.202.1/24

Make sure your remote peer uses this address for the interface address (this is what I mentioned was missing).

Also, you need to enable route_allowed_ips in the OpenWrt peer config stanza.

Add this to the firewall :

config forwarding
	option src 'Wireguard'
	option dest 'wan'

You also need to add the static route 192.168.202.0/24 via 192.168.100.35 on the Fritzbox.
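A worked check for the points raised in this reply, added here as an example and not code from the thread or the OpenWrt project: a small Python linter that parses UCI text and flags a network address on wg0, a peer stanza without route_allowed_ips, a missing WireGuard-to-wan forwarding, and a missing WAN input rule for the listen port. The embedded NETWORK and FIREWALL strings are a constructed, abbreviated copy of the config posted above, not the full files.

```python
import ipaddress
import re

# Constructed, abbreviated copy of the network and firewall config posted in the thread (not the full files).
NETWORK = """config interface 'wg0'
	option listen_port '51820'
	list addresses '192.168.202.0/24'
config wireguard_wg0
	list allowed_ips '192.168.202.10/32'
"""
FIREWALL = """config zone
	option name 'Wireguard'
	list network 'wg0'
config rule
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into [(type, name, {key: [values]})]; 'option' and 'list' both become lists."""
    sections = []
    for line in text.splitlines():
        parts = [p.strip("'\"") for p in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)] or [""]
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] in ("option", "list"):
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def check_wireguard(network_text, firewall_text, ifname="wg0"):
    """Return the problems pointed out in the thread as strings; an empty list means the config passes."""
    net, fw, findings = parse_uci(network_text), parse_uci(firewall_text), []
    wg = next((o for t, n, o in net if t == "interface" and n == ifname), {})
    for i in map(ipaddress.ip_interface, wg.get("addresses", [])):  # the interface needs a host address
        if i.network.prefixlen < i.max_prefixlen and i.ip == i.network.network_address:
            findings.append(f"{i} is the network address; use a host address such as {i.network[1]}/{i.network.prefixlen}")
    for t, n, o in net:  # without route_allowed_ips no route to the peer's allowed_ips is installed
        if t == "wireguard_" + ifname and o.get("route_allowed_ips") != ["1"]:
            findings.append(f"peer {o.get('description', [n or '?'])[0]}: route_allowed_ips is not enabled")
    zone = next((o["name"][0] for t, n, o in fw if t == "zone" and ifname in o.get("network", [])), None)
    fwds = {(o.get("src", [None])[0], o.get("dest", [None])[0]) for t, n, o in fw if t == "forwarding"}
    if zone is None or (zone, "wan") not in fwds:  # LAN reachable but no internet: the symptom reported above
        findings.append("no forwarding from the WireGuard zone to wan")
    if not any(t == "rule" and o.get("src") == ["wan"] and o.get("target") == ["ACCEPT"] and "udp" in o.get("proto", [])
               and o.get("dest_port") == wg.get("listen_port") for t, n, o in fw):
        findings.append(f"no WAN input rule accepting UDP port {wg.get('listen_port', ['?'])[0]}")
    return findings
```

Run it against the real files with `check_wireguard(open('/etc/config/network').read(), open('/etc/config/firewall').read())` on the OpenWrt device.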


Ok, I think I set up everything accordingly, except for the following.

How can I do that?

Edit the peer's interface config to add the address 192.168.202.10/32.


Ok, the peer can connect to the VPN. I can reach devices within the LAN. Internet access is not possible yet.


Add a DNS server to the peer's interface config (maybe 192.168.100.1) and then change the allowed IPs in the peer's peer config section to 0.0.0.0/0. To be clear, both of these changes will happen on the configuration for the peer that is not the OpenWrt device.


Ok, all is working now. Thank you! @psherman @andyboeh, @lleachii


Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
