Solved: nordvpn OpenWrt wireguard client

Dear OpenWrt Community,
First - I have a few bars to indulge myself and those in the know of the Old School :
Once again, back is the incredible rhyme animal
The uncannable D, Public Enemy Number One / Full Lyrics here for those who may wish to sing along : https://genius.com/Public-enemy-bring-the-noise-lyrics and Video here : https://www.youtube.com/watch?v=bsq91cqFhWI and
Yes, the rhythm, the rebel
D the enemy, telling you to hear it
Hard—my calling card
Recorded and ordered—supporter of Chesimard
https://genius.com/Public-enemy-rebel-without-a-pause-lyrics
https://www.youtube.com/watch?v=UDOKiA-XFvk

Now after that intro - let's get down to business. There has been a lot of interest and buzz around WIREGUARD - the new VPN protocol which is now available across many platforms. I have written this tutorial with the goal of showing you how to set up NORDVPN WIREGUARD Client ( NORDVPN now supports BETA WIREGUARD Servers ). The reason for my putting this guide together is that I was unable to find a definitive tutorial in one place which simply explained how to set up WIREGUARD on OpenWrt. This setup is guaranteed to work if you follow the steps as detailed in this tutorial. The references I used are listed below in order of most to least useful and informative:
1 - https://doc.turris.cz/doc/en/public/wireguard
2 - https://steemit.com/cn/@curl/openwrt-lede-wireguard-vpn
3 - https://blog.birkhoff.me/Setting-up-a-WireGuard-server-on-OpenWRT/ ( Note : IGNORE THE FIREWALL INSTRUCTIONS ON THIS PAGE - I WILL DETAIL CORRECT SETUP LATER IN THIS TUTORIAL ).

1 - First you need to get your NORDVPN WIREGUARD configuration files. Contact them via their e-mail support and they will send you your credentials. NORDVPN currently offers only two WIREGUARD Servers - one in New York and one in the UK. The configuration file is similar to this below:

[Interface]
Address = 10.x.x.xxx/32
DNS = 1xx.1xx.xxx.x
PrivateKey = 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

[Peer]
PublicKey = cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
AllowedIPs = 0.0.0.0/0
Endpoint = 1xx.1xx.xxx.x:51820
PersistentKeepalive = 25

WARNING:
These credentials above are for demonstration purposes only - the keys are actually from DNS Privacy Test Servers and will not work if you attempt to set up NORDVPN WIREGUARD using these credentials. Now on to the actual setup which is in reality quite easy to do.

2 - There are two ways to set up NORDVPN WIREGUARD on OpenWrt - via uci and / or by the proper OpenWRT configuration files. Primarily, I relied on this aforementioned guide : https://doc.turris.cz/doc/en/public/wireguard and it illustrates using both methods.

A - Set up Via Uci - command line
The only drawback to this method is there is no uci command to set the endpoint host and port - you will need to set these manually via Luci.
No matter if you choose to configure via Uci commands or OpenWRT configuration files you first need to install the necessary packages:

opkg update && opkg install kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools

A - Via uci commands


1) Set the server's network configuration:

# wg0 is the name of the wireguard interface, 
# replace it if you wish.

uci set network.wg0="interface"
uci set network.wg0.proto="wireguard"
uci set network.wg0.private_key="62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4="  ## ( From the dummy file I listed above )

# You may change this port to your liking, ports of popular 
# services get through more firewalls. Just remember it
# for when you have to configure the firewall later.
## uci set network.wg0.listen_port="xxxxx"  ## ( Do not set this as NORDVPN WIREGUARD Servers use *random* Listen Port )
uci add_list network.wg0.addresses='10.x.x.xxx/32'   ## ( Use your real address from downloaded NORDVPN WIREGUARD Config File )

2) Configure client list:
# Change all occurrences of "wireguard_wg0" to something else 
# (like wireguard_wg1, wireguard_wg2 and so on) for 
# subsequent clients after the 1st

uci add network wireguard_wg0  ## ( I suggest you leave this as is )
uci set network.@wireguard_wg0[-1].public_key="cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA="  ## ( From the dummy file I listed above )
 
# Allow the client to forward traffic to any IP through the tunnel

uci set network.@wireguard_wg0[-1].route_allowed_ips="1"
uci add_list network.@wireguard_wg0[-1].allowed_ips="0.0.0.0/0"
 
# Enable sending of keepalive packets so NAT routers 
# don't terminate the connection. WG recommends a value of 25.

uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
 
# What you want your client to show up as in the UI

uci set network.@wireguard_wg0[-1].description='WG'

3) Save the changes:

uci commit network
/etc/init.d/network reload
 
ifdown wg0
ifup wg0

Now - as I stated above this method does not add the endpoint host and port. To do this - in Luci go to Network > Interfaces > Then EDIT Interface WG0 > Under Peers > in the Endpoint Host enter 1xx.1xx.xxx.x ( the endpoint NORDVPN WIREGUARD Server address ) and beneath enter 51820 ( the endpoint NORDVPN WIREGUARD Server Port ). Then click on Save & Apply. Also, I have found that using the DNS Server included in the downloaded Config file is very important ( in the case of NORDVPN, the WIREGUARD DNS Server is different from their main DNS Servers ) - see how to configure the proper DNS Server on the NORDVPN WIREGUARD Interface below in section B : the Via configuration files section of this tutorial.

Thanks to the very useful and insightful assistance from my knowledgeable, kind and patient colleagues lleachii and trendy along with the heads up from vgaetera ( all from the OpenWRT Forum ) I was able to finally get the WIREGUARD FireWall rules properly configured. I have removed the UCI command line section ( A ) for setting up the WIREGUARD Firewall rules entirely. If anyone can send to me the proper uci commands to set up the firewall which directly correspond to the rules in section B - Via configuration files ( aka the /etc/config/firewall file ) listed below; I will post them in this tutorial at that time. However, please know that your NORDVPN WIREGUARD will be most secure and function as it is designed if you follow the instructions in section B - Via configuration files - then Step 3) Configure the OpenWRT firewall: - that is all you need to do.

B - Via configuration files

Now, I saved the best for last. Quite frankly NORDVPN WIREGUARD is very very easily set up Via configuration files. Here is how to do this in two simple steps:

1) Set the server's network configuration by editing /etc/config/network to include following parts, omitting the preshared_key option if you've opted not to use a PSK:

From the dummy files above: Go to the very bottom of this file and add the following:

Open the file: nano /etc/config/network

config interface 'wg0'
        option proto 'wireguard'
        option private_key '62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4='
        list addresses '1x.x.x.xxx/32'
        option dns '1xx.1xx.xxx.x'

config wireguard_wg0
        option public_key 'cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA='
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option description 'WG'
        option endpoint_host '1xx.xxx.xxx.x'
        option endpoint_port '51820'

Save and Exit 

Then issue from command line Step 2 below:

2) Apply changes

/etc/init.d/network reload
ifdown wg0
ifup wg0

3) Configure the OpenWRT firewall for your NORDVPN WIREGUARD Client:

Special Thanks to trendy ( from the OpenWRT Forum ) for helping me with this elegant solution

The most simple, effective and efficient method to set up your firewall
for NORDVPN WIREGUARD is to add the 'wg0' network
to the wan zone in the /etc/config/firewall configuration file.

Edit /etc/config/firewall file and add the 'wg0' network as follows:

Open the file: nano /etc/config/firewall 


config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wg0'  ## This is the line you need to add - and you are done
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

Save and Exit 

Then issue from command line Step 4 below:

4) Apply changes

/etc/init.d/firewall restart

reboot & exit

All you need to do is reboot the router. The correct DNS Server along with the endpoint host and port are already added using this method.
By the way, NORDVPN is now offering WIREGUARD in Beta testing. Contact them via their e-mail support and they will send you your credentials. The most important piece of this set up are the firewall rules. Just configure your /etc/config/network file with your NORDVPN WIREGUARD Config Options and this will work just as well.

Testing your configuration
From your client, attempt a connection to your router. On the server side, run the following to inspect the current state of WireGuard: from the command line run entry : wg show
You should see the configured interface and peers in your console. If not, try restarting your router and thoroughly checking your client and server configuration to ensure the right keys are in the correct location. Note that peers that have not connected yet will not be shown in output. Output will vary according to your keys.

interface: wg0
public key: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
private key: (hidden)
listening port: 1234

peer: 3K9BeVLsj3eXYPbTp53tQ4jypJKUukAjZqSCQykhDTb=
endpoint: 190.180.170.160:45345
allowed ips: 10.0.10.0/24
latest handshake: 1 hour, 19 minutes, 23 seconds ago
transfer: 43.96 MiB received, 51.89 MiB sent
persistent keepalive: every 25 seconds

If you installed luci-app-wireguard, you can also visit your router's LuCI interface and click on Status, then click on WireGuard Status to see essentially the same information but without needing to SSH in. You can also run ifconfig to check the status of your WireGuard interface. If you've opted for another interface name aside from wg0, replace it in the subsequent command: ifconfig wg0

wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.10.1 P-t-P:10.0.10.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:55483 errors:30 dropped:0 overruns:0 frame:30
TX packets:68168 errors:4 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:46099332 (43.9 MiB) TX bytes:54420468 (51.8 MiB)

Peace and God's Grace To All

FYI : I set this up along with DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY see here : ( From The DNS Privacy Project ) DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY
and DNS LEAK TESTS returns the DNS Privacy Test Servers which I chose in my Stubby DNS Privacy Daemon Config file. However, I continued to use the NORDVPN WIREGUARD DNS Server for the WIREGUARD Interface ( WG0 ). Everything works well. If anyone can impart to me exactly how DNS functions within the WIREGUARD Tunnel ; I will be most appreciative.

5 Likes
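Section B of the tutorial above, as an added example that is not part of the original post: a POSIX shell function that turns a WireGuard client config in the format shown in step 1 into the two /etc/config/network stanzas. The function name, the sample addresses (documentation ranges) and the key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Reads a WireGuard client config
# on stdin and prints the /etc/config/network stanzas used in section B.

wgconf_to_uci() {
    # $1 = interface name (assumed default: wg0)
    awk -v ifname="${1:-wg0}" -v q="'" '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function opt(k, val) { printf "        option %s %s%s%s\n", k, q, val, q }
    function lst(k, csv,   i, n, a) {
        n = split(csv, a, ",")
        for (i = 1; i <= n; i++) printf "        list %s %s%s%s\n", k, q, trim(a[i]), q
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    /^[ \t]*\[/ { s = trim($0); sec = tolower(substr(s, 2, length(s) - 2)); next }
    {
        eq = index($0, "=")                  # split on the first "=" only: base64 keys end in "="
        if (eq == 0) next
        v[sec "." tolower(trim(substr($0, 1, eq - 1)))] = trim(substr($0, eq + 1))
    }
    END {
        ep = v["peer.endpoint"]
        if (v["interface.privatekey"] == "" || v["peer.publickey"] == "" || !match(ep, /:[0-9]+$/)) {
            print "missing PrivateKey, PublicKey or Endpoint host:port" > "/dev/stderr"
            exit 1
        }
        host = substr(ep, 1, RSTART - 1); port = substr(ep, RSTART + 1)
        gsub(/^\[|\]$/, "", host)            # IPv6 endpoints are written [addr]:port

        printf "config interface %s%s%s\n", q, ifname, q
        opt("proto", "wireguard")
        opt("private_key", v["interface.privatekey"])
        lst("addresses", v["interface.address"])
        if (v["interface.dns"] != "") {
            d = v["interface.dns"]; gsub(/[ \t]*,[ \t]*/, " ", d); opt("dns", d)
        }
        printf "\nconfig wireguard_%s\n", ifname
        opt("public_key", v["peer.publickey"])
        opt("route_allowed_ips", "1")        # as in section B: create routes for allowed_ips
        lst("allowed_ips", v["peer.allowedips"])
        if (v["peer.persistentkeepalive"] != "")
            opt("persistent_keepalive", v["peer.persistentkeepalive"])
        opt("endpoint_host", host)
        opt("endpoint_port", port)
    }'
}

# Constructed sample input: placeholder keys, documentation-range addresses.
sample_conf() { cat <<'EOF'
[Interface]
Address = 10.5.0.2/32
DNS = 192.0.2.53
PrivateKey = CONSTRUCTED+PRIVATE/KEY+PLACEHOLDER+NOT+A+REAL+KEY=

[Peer]
PublicKey = CONSTRUCTED+PUBLIC/KEY+PLACEHOLDER+NOT+A+REAL+KEY0=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
PersistentKeepalive = 25
EOF
}

sample_conf | wgconf_to_uci wg0
```

The output contains the tunnel's private key, so handle it with the same care as the config file it came from.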

:+1:

Thanks for the tutorial. You Strolled thru nicely!

Since Layer 3 routing is no different in the Wireguard tunnel (including to DNS servers), I guess you mean to ensure it uses DNS over tunnel?

If so:

  • Choose 2-3 DNS servers and setup a /32 static route to them
  • Assign those DNS servers directly to client, statically, or via DHCP Option 6, etc.
  • Why does everyone need the forwarding from wan to wg zone?
  • Why do you think that ACCEPT is a proper input and forward policy for a public service?
4 Likes

Dear lleachii,
Hello and I hope that you are well. Yes - I am an Olde School Kappa - if that is what you are asking. Re: your advice ( which I am most grateful for ): If so:

Choose 2-3 DNS servers and setup a /32 static route to them
Assign those DNS servers directly to client, statically, or via DHCP Option 6, etc.
I wish to use the localhost ( 127.0.0.1 ) for the DNS on the WireGuard Tunnel as I run DNS Privacy ( aka DNS OVER TLS using DNS Privacy Daemon - Stubby ) - which runs on 127.0.0.1 port 5453 by default on OpenWrt . In other words I want to force WireGuard to use the DNS Servers I have chosen in my /etc/stubby/stubby.yml configuration file.
If you can show me or point me in the right direction to set this up - I would be greatly appreciative. Thanks in advance for your response and for your appreciation of my efforts and knowing that yes - before The Shimmy there was The Kappa Stroll

May God Always Smile Upon You and Yours -

In Peace and Grace,

directnupe

1 Like

Dear vgaetera,
Hello - and I hope that you are doing well and not too upset with the instructions in this effort of mine. I am far from an expert at this - so, I for one am always willing and eager to learn as to how to do things in the best way possible. With that said - regarding this setup - if you can provide me with the rationale and reasoning behind your comments; I am all ears.
Moreover, I certainly do not want to be in the position of imparting bad information to those who may read this tutorial.
So, if you would be kind enough to elaborate on your comments and please offer an alternative set up for the firewall rules on WIREGUARD ; I would certainly be grateful for that information. Thanks in advance for your feedback, and I certainly neither take nor intended any offense in putting this tutorial together.
I cited the references I used in composing this guide and as a hobbyist - frankly, in most instances ; I am simply gratified that I got the damn thing to work. Obviously, this may not always be the best attitude to have - in short - my knowledge and expertise is somewhat limited - and I will be the first to admit that fact.
So, I await your reply regarding the firewall rules for WIREGUARD - as I am very interested in the best security always when using the world wide web ( aka Internet ).

Peace and God Bless,

directnupe

Hello directnupe,
first, as per guidelines, please refrain from signing your posts, we know who wrote each post.

Regarding @vgaetera's questions:
You have allowed forwarding in the firewall from wan to wireguard zone. What traffic do you expect to follow this flow and why allow everything and not drop everything and allow the specific flow?

Wireguard firewall zone is open to the internet. What is the logic of using the ACCEPT policy for the INPUT and FORWARD rules instead of the default REJECT or DROP?

3 Likes

Dear trendy,
Hello and I do appreciate you availing me of the rules - I do realize that " ignorance of the law is no excuse " ( at least not for us peons ). I will not sign my posts in the future. Speaking of rules - I am still cloudy as to how to set up the FireWall Rules for WIREGUARD Client. Would you be kind enough to look over my amended configuration below and tell me if it is correct or not? Any advice that you are kind enough to offer me will be very appreciated.

Here is a setup I managed to find ::


config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option network 'wg0'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option name 'Wireguard'
        option proto 'udp'
        option src '*'
        option dest_port '51820'
        option dest '*'

I am a retired English Teacher so I am somewhat proficient at research - but as I said I was unable to find a definitive guide as to how to do this - i.e. set up WireGuard on OpenWRT.
So - if you would be kind enough to take the time to grade my work with corrections; I will be forever grateful. Thank you in advance for your comments and advice.

Peace and God Bless

Personally, I haven't used Stubby - I'd have to point you to:

https://forum.openwrt.org/search?q=stubby

  • The first and last rules accepting WG input are redundant

Personally I would assign the wg0 interface in the wan firewall zone. Simpler and achieves the desired result.

This rule is not correct, as it allows forwarding of destination port 51820 from any zone to any zone.

config rule
        option enabled '1'
        option target 'ACCEPT'
        option name 'Wireguard'
        option proto 'udp'
        option src '*'
        option dest_port '51820'
        option dest '*'

The first rule is enough, however you can select source zone wan rather than * which is any.

1 Like

Dear lleachii,
Hello and thanks for your feedback and continued assistance as I go through this process. I appreciate your comment about the redundancy of the first and last rule in my setup of the firewall configuration.
I have corrected that error and once again - I appreciate you taking the time to set me straight. As for Stubby configuration for DNS on WireGuard - I will continue to search. However, would you be kind enough to explain to me and send an example of the scenario that you first described -
Choose 2-3 DNS servers and setup a /32 static route to them
Assign those DNS servers directly to client, statically, or via DHCP Option 6, etc.
Maybe that will work for me. In any event, thanks for all you have done for me thus far.

Peace and God Bless

Dear trendy,
Hello and I have amended my firewall setup for WireGuard as per your suggestions. I truly wish to thank you for your taking the time to point out the errors that I was making with my set up. Further, I have amended this tutorial to reflect the changes which you were kind enough to suggest to me. Just to be sure - here is my amended setup :

config rule
        option src 'wan'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option network 'wg0'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

The WireGuard connection is much better and responsive - so as I said; thanks a ton. I want to thank you for taking the time to look over my efforts and taking the time to get back to me.
Also, for those who may wish to do so ( and my own personal learning ) - do you know how to translate these rules into the correct corresponding uci commands? If you can point me in the right direction to achieve this end ; I would certainly appreciate it.
Also - can you provide an example of the setup you referred to in your earlier reply? Specifically " Personally I would assign the wg0 interface in the wan firewall zone. Simpler and achieves the desired result. " if it is not too much trouble or an imposition.

Peace

If you select to create a new firewall zone for wireguard, make sure there is some valid reason ( I can't think of any) to allow forwarding between wg and wan.

Sure, in wan zone edit the line
option network 'wan wan6'
and add wg0 interface.

2 Likes

Dear trendy,
Man at the risk of using a somewhat hackneyed phrase which truly expresses my gratitude to you for helping me with this setup " I can never begin to thank you enough " - I did as you instructed and added the 'wg0' interface in the wan firewall zone. It is as you said much simpler and does achieve the desired result. I will edit this tutorial to reflect this method.

Peace and God Bless You

PS - I honestly appreciate your kindness and assistance.

1 Like

I hope it works fine now for you and you are very welcome.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


Perhaps I'm a dummy, but I followed this instruction for part B precisely on a GL-AR750S and I'm not getting anything. It's still routing the traffic through my router to my ISP. But it's strange because on the main login page it shows I'm connected to a VPN.

What does ip route say?

1 Like

Dear Jeff,
Hello and I hope that you are well. I wrote this guide for a standard Router running OpenWRT. What you have is the GL.iNet Slate - known as a travel router. It more or less comes pre-installed with multiple VPN protocols support i.e. ( WireGuard and OpenVPN ) - this means that this router you are referring to https://www.gl-inet.com/products/gl-ar750s/ - comes with all the software pre-installed. I have a router similar to this one somewhere around here. I have no idea how the routing works on these devices. Think of it this way - these routers run normally " customized OpenWRT Firmware " . In any event your solution may be here : https://torguard.net/article/250/how-to-setup-wireguard-on-the-gli-gl-ar750s-openwrt-router.html I wrote this tutorial because WIREGUARD does not come pre-installed on regular standard OpenWRT router installation. I would suggest that you reset your router to its defaults and follow the TorGuard Guide that I linked above, because WIREGUARD is designed to work out of the box once configured on this particular router. Just substitute your NORDVPN settings in the appropriate places.
THE FULL CORRECT ANSWER:
First - your router comes with OpenWrt based custom firmware. See release notes here: https://docs.gl-inet.com/en/3/release_notes/gl-ar750s-ext/ There is an online guide for this router on the manufacturer website see here: https://docs.gl-inet.com/en/3/setup/slate/first-time_setup/ . It details exactly how to set up WIREGUARD. As I thought WireGuard Server/Client pre-installed, supports Azirevpn and Mullvad service providers ( adapt it as per your needs for NORDVPN ) . You may have to upgrade your router's firmware to their Firmware 3.0 as WIREGUARD only works with this version according to their website. Look here for how to upgrade your GL-AR750S-Ext firmware to the most current available release: https://docs.gl-inet.com/en/3/setup/slate/upgrade/ If you prefer a manual upgrade - this is the firmware from the official GL.iNet download site : https://dl.gl-inet.com/firmware/ar750s/ - ( BTW their downloads are labeled as OpenWRT ) Make sure that the manual update for your GL-AR750S-Ext Slate is done through the Web Gui ( aka the Admin Panel ). Select, download and upload the .tar file DO NOT SELECT THE .IMG File UNLESS YOU are ready to flash via Uboot. Uboot Flash process involves serial cables, taking your router apart and much more - so most folks do not even begin to take on this task. Uboot is for the technically advanced ONLY ! You have been advised and warned. Uboot process from OpenWRT Wiki : https://openwrt.org/docs/guide-user/installation/generic.flashing.serial
Directly From GL.iNet WebSite Web Gui ( aka the Admin Panel ) Manual Update Instructions : Note: You have to upload the .tar file. The .img file can only be flashed to the router through Uboot. Here is WireGuard setup from their guide: https://docs.gl-inet.com/en/3/app/wireguard/
I hope this helps - Peace and Grace -

Dear Jeff,
Hello - I really have not seen you post any replies to my answers concerning your inquiries about WireGuard on your GL-AR750S. However, I was so intrigued while writing up and researching the information for your GL-AR750S that I actually went out ( read - ordered on line ) one for myself. I have been playing with it for two days - and it performs well. If you get back to me, I will write up my experiences with the GL-AR750S. So, thanks for your questions - and I look forward to our communicating as soon as you are available to do so. However, I can share with you that my instructions were correct about how to run WireGuard on this router. The only way the advice which I offered in my original answer to you does not apply is if you flashed your GL-AR750S with OpenWRT Firmware instead of the GL.iNet OEM FirmWare
From their website:
OpenWRT provides many functionalities but it may be a little too complicated for everyone. GL.iNet provides on Slate a simplified GUI with essential functionalities available. OpenWRT Luci and ( UCI command line ) are also available at the same time for advanced users. So there are two Gui's; GL.iNet Admin Gui and Luci. Do not use uci command line either. For successful WireGuard connection on the GL-AR750S - you need to configure WireGuard through the GL.iNet Admin Gui. If you set up WireGuard through the GL.iNet Admin Gui ( not Luci ) - you can SSH into your router and you can run wg show and get the same read out if you were to do a standard WireGuard install on a standard OpenWRT router. I even installed luci-app-wireguard and it shows up under Status Drop Down Menu - and it will also show you that you are connected. See here: https://danrl.com/blog/2017/luci-proto-wireguard/ When I followed this guide above that I wrote for standard WireGuard ( on my WRT32x ) ( on my GL-AR750S ) - I got the same results as you did. I got the same outcome - that being - It's still routing the traffic through my router to my ISP. But it's strange because on the main login page it shows I'm connected to a VPN. So, I wish you well.
Peace and God Bless

Yes that was what confused me so much. It's as if I'm missing a particular setting that instructs the router to send the traffic through the WireGuard network connection we created.