Solved: nordvpn OpenWrt wireguard client

  • Why does everyone need the forwarding from wan to wg zone?
  • Why do you think that ACCEPT is a proper input and forward policy for a public service?
4 Likes

Dear lleachii,
Hello and I hope that you are well. Yes - I am an Olde School Kappa - if that is what you are asking. Re: your advice ( which I am most grateful for ): If so:

Choose 2-3 DNS servers and setup a /32 static route to them
Assign those DNS servers directly to client, statically, or via DHCP Option 6, etc.
I wish to use the localhost ( 127.0.0.1 ) for the DNS on the WireGuard Tunnel as I run DNS Privacy ( aka DNS OVER TLS using DNS Privacy Daemon - Stubby ) - which runs on 127.0.0.1 port 5453 by default on OpenWrt . In other words I want to force WireGuard to use the DNS Servers I have chosen in my /etc/stubby/stubby.yml configuration file.
If you can show me or point me in the right direction to set this up - I would be greatly appreciative. Thanks in advance for your response and for your appreciation of my efforts and knowing that yes - before The Shimmy there was The Kappa Stroll

May God Always Smile Upon You and Yours -

In Peace and Grace,

directnupe

1 Like

Dear vgaetera,
Hello - and I hope that you are doing well and not too upset with the instructions in this effort of mine. I am far from an expert at this - so, I for one am always willing and eager to learn as to how to do things in the best way possible. With that said - regarding this setup - if you can provide me with the rationale and reasoning behind your comments; I am all ears.
Moreover, I certainly do not want to be in the position of imparting bad information to those who may read this tutorial.
So, if you would be kind enough to elaborate on your comments and please offer an alternative set up for the firewall rules on WIREGUARD ; I would certainly be grateful for that
information. Thanks in advance for your feedback, and I certainly neither take nor intended any offense in putting this tutorial together.
I cited the references I used in composing this guide and as a hobbyist - frankly, in most instances ; I am simply gratified that I got the damn thing to work. Obviously, this may not always be the best attitude to have - in short - my knowledge and expertise is somewhat limited - and I will be the first to admit that fact.
So, I await your reply regarding the firewall rules for WIREGUARD - as I am very interested in the best security always when using the world wide web ( aka Internet ).

Peace and God Bless,

directnupe

Hello directnupe,
First, as per guidelines, please refrain from signing your posts, we know who wrote each post.

Regarding @vgaetera's questions:
You have allowed forwarding in the firewall from wan to wireguard zone. What traffic do you expect to follow this flow and why allow everything and not drop everything and allow the specific flow?

Wireguard firewall zone is open to the internet. What is the logic of using the ACCEPT policy for the INPUT and FORWARD rules instead of the default REJECT or DROP?

3 Likes

Dear trendy,
Hello and I do appreciate you availing me of the rules - I do realize that " ignorance of the law is no excuse " ( at least not for us peons ). I will not sign my posts in the future. Speaking of rules - I am still cloudy as to how to set up the FireWall Rules for WIREGUARD Client. Would you be kind enough to look over my amended configuration below and tell me if it is correct or not. Any advice that you are kind enough to offer me will be very appreciated.

Here is a setup I managed to find :


config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option network 'wg0'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option name 'Wireguard'
        option proto 'udp'
        option src '*'
        option dest_port '51820'
        option dest '*'

I am a retired English Teacher so I am somewhat proficient at research - but as I said I was unable to find a definitive guide as to how to do this - i.e. set up WireGuard on OpenWRT.
So - if you would be kind enough to take the time to grade my work with corrections; I will be forever grateful. Thank you in advance for your comments and advice.

Peace and God Bless

Personally, I haven't used Stubby - I'd have to point you to:

https://forum.openwrt.org/search?q=stubby

  • The first and last rules accepting WG input are redundant

Personally I would assign the wg0 interface in the wan firewall zone. Simpler and achieves the desired result.

This rule is not correct, as it allows forwarding of destination port 51820 from any zone to any zone.

config rule
        option enabled '1'
        option target 'ACCEPT'
        option name 'Wireguard'
        option proto 'udp'
        option src '*'
        option dest_port '51820'
        option dest '*'

The first rule is enough, however you can select source zone wan rather than * which is any.

1 Like

Dear lleachii,
Hello and thanks for your feedback and continued assistance as I go through this process. I appreciate your comment about the redundancy of the first and last rule in my setup of the firewall configuration.
I have corrected that error and once again - I appreciate you taking the time to set me straight. As for Stubby configuration for DNS on WireGuard - I will continue to search. However, would you be kind enough to explain to me and send an example of the scenario that you first described -
Choose 2-3 DNS servers and setup a /32 static route to them
Assign those DNS servers directly to client, statically, or via DHCP Option 6, etc.
Maybe that will work for me. In any event, thanks for all you have done for me thus far.

Peace and God Bless

Dear trendy,
Hello and I have amended my firewall setup for WireGuard as per your suggestions. I truly wish to thank you for your taking the time to point out the errors that I was making with my set up. Further, I have amended this tutorial to reflect the changes which you were kind enough to suggest to me. Just to be sure - here is my amended setup :

config rule
        option src 'wan'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option network 'wg0'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

The WireGuard connection is much better and responsive - so as I said; thanks a ton. I want to thank you for taking the time to look over my efforts and taking the time to get back to me.
Also, for those who may wish to do so ( and my own personal learning ) - do you know how to translate these rules into the correct corresponding uci commands. If you can point me in the right direction to achieve this end ; I would certainly appreciate it.
Also - can you provide an example of the setup you referred to in your earlier reply. Specifically " Personally I would assign the wg0 interface in the wan firewall zone. Simpler and achieves the desired result. " - if it is not too much trouble or an imposition.

Peace

If you select to create a new firewall zone for wireguard, make sure there is some valid reason ( I can't think of any) to allow forwarding between wg and wan.

Sure, in wan zone edit the line
option network 'wan wan6'
and add wg0 interface.

2 Likes
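Putting trendy's suggestion and directnupe's uci question together, here is an added shell example (not posted by anyone in the thread). It prints the uci batch commands that correspond to "put wg0 in the wan zone" plus the single inbound rule kept in the amended setup, and it runs a small audit over a firewall config that flags the two things vgaetera and trendy objected to: a zone with an ACCEPT input or forward policy, and a forwarding whose source is wan. The zone index `@zone[1]` for wan is an assumption (the default OpenWrt layout); the two sample configurations are constructed to mirror the thread's before and after.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: default OpenWrt zone order
# (lan is @zone[0], wan is @zone[1]); confirm with:  uci show firewall | grep '\.name='

# Emit the uci batch commands instead of applying them, so they can be reviewed
# first. The network list is written as a space-separated string, matching the
# thread's "option network 'wan wan6'" line.
wg_in_wan_zone_uci() {
    cat <<'EOF'
set firewall.@zone[1].network='wan wan6 wg0'
add firewall rule
set firewall.@rule[-1].name='Allow-Wireguard-Inbound'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='51820'
set firewall.@rule[-1].target='ACCEPT'
commit firewall
EOF
}

# Apply on the router. Guarded so the script still runs where uci is absent.
apply_wg_in_wan_zone() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the router" >&2; return 1; }
    wg_in_wan_zone_uci | uci batch && /etc/init.d/firewall reload
}

# Read a UCI firewall config on stdin and print one finding per line:
#   - a zone whose input or forward policy is ACCEPT
#   - a forwarding whose source is wan (connections initiated from the internet)
# Only single-token option values are parsed, which is all these options carry.
audit_firewall_config() {
    awk -v q="'" '
    function flush() {
        if (sec == "zone") {
            if (inp == "ACCEPT") print "zone " name ": input policy ACCEPT; use REJECT/DROP plus explicit rules"
            if (fwd == "ACCEPT") print "zone " name ": forward policy ACCEPT; use REJECT/DROP plus explicit forwardings"
        } else if (sec == "forwarding" && src == "wan") {
            print "forwarding wan -> " dest ": allows connections initiated from the internet"
        }
        sec = ""; name = ""; inp = ""; fwd = ""; src = ""; dest = ""
    }
    /^config / { flush(); sec = $2; next }
    $1 == "option" {
        v = $3; gsub(q, "", v)          # strip the surrounding single quotes
        if ($2 == "name") name = v
        else if ($2 == "input") inp = v
        else if ($2 == "forward") fwd = v
        else if ($2 == "src") src = v
        else if ($2 == "dest") dest = v
    }
    END { flush() }'
}

# Constructed sample: the shape of the setup that drew the objections.
sample_open_config() {
    cat <<'EOF'
config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option network 'wg0'

config forwarding
        option src 'wan'
        option dest 'wg'

config forwarding
        option src 'wg'
        option dest 'wan'
EOF
}

# Constructed sample: REJECT policies and only the lan -> wg forwarding.
sample_amended_config() {
    cat <<'EOF'
config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wg'
EOF
}

echo "== findings for the open config =="
sample_open_config | audit_firewall_config
echo "== findings for the amended config (expect none) =="
sample_amended_config | audit_firewall_config
```

On the router, `wg_in_wan_zone_uci | uci batch` followed by `/etc/init.d/firewall reload` applies the change; because wg0 then inherits the wan zone's REJECT input and forward policies and its masquerading, no separate zone or wg/wan forwardings are needed. The audit can be pointed at the live file with `audit_firewall_config < /etc/config/firewall`.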

Dear trendy,
Man at the risk of using a somewhat hackneyed phrase which truly expresses my gratitude to you for helping me with this setup " I can never begin to thank you enough " - I did as you instructed and added the 'wg0' interface in the wan firewall zone. It is as you said much simpler and does achieve the desired result. I will edit this tutorial to reflect this method.

Peace and God Bless You

PS - I honestly appreciate your kindness and assistance.

1 Like

I hope it works fine now for you and you are very welcome.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


Perhaps I'm a dummy, but I followed this instruction for part B precisely on a GL-AR750S and I'm not getting anything. It's still routing the traffic through my router to my ISP. But it's strange because on the main login page it shows I'm connected to a VPN.

What does ip route say?

1 Like

Dear Jeff,
Hello and I hope that you are well. I wrote this guide for a standard Router running OpenWRT. What you have is the GL.iNet Slate - known as a travel router. It more or less comes pre-installed with multiple VPN protocols support i.e. ( WireGuard and OpenVPN ) - this means that this router you are referring to https://www.gl-inet.com/products/gl-ar750s/ - comes with all the software pre-installed. I have a router similar to this one somewhere around here. I have no idea how the routing works on these devices. Think of it this way - these routers run normally " customized OpenWRT Firmware " . In any event your solution may be here : https://torguard.net/article/250/how-to-setup-wireguard-on-the-gli-gl-ar750s-openwrt-router.html I wrote this tutorial because WIREGUARD does not come pre-installed on regular standard OpenWRT router installation. I would suggest that you reset your router to its defaults and follow the TorGuard Guide that I linked above, because WIREGUARD is designed to work out of the box once configured on this particular router. Just substitute your NORDVPN settings in the appropriate places.
THE FULL CORRECT ANSWER:
First - your router comes with OpenWrt based custom firmware. See release notes here: https://docs.gl-inet.com/en/3/release_notes/gl-ar750s-ext/ There is an online guide for this router on the manufacturer website see here: https://docs.gl-inet.com/en/3/setup/slate/first-time_setup/ . It details exactly how to set up WIREGUARD. As I thought WireGuard Server/Client pre-installed, supports Azirevpn and Mullvad service providers ( adapt it as per your needs for NORDVPN ). You may have to upgrade your router's firmware to their Firmware 3.0 as WIREGUARD only works with this version according to their website. Look here for how to upgrade your GL-AR750S-Ext firmware to the most current available release: https://docs.gl-inet.com/en/3/setup/slate/upgrade/ If you prefer a manual upgrade - this is the firmware from the official GL.iNet download site : https://dl.gl-inet.com/firmware/ar750s/ - ( BTW their downloads are labeled as OpenWRT ) Make sure that the manual update for your GL-AR750S-Ext Slate is done through the Web Gui ( aka the Admin Panel ). Select, download and upload the .tar file DO NOT SELECT THE .IMG File UNLESS YOU are ready to flash via Uboot. Uboot Flash process involves serial cables, taking your router apart and much more - so most folks do not even begin to take on this task. Uboot is for the technically advanced ONLY ! You have been advised and warned. Uboot process from OpenWRT Wiki : https://openwrt.org/docs/guide-user/installation/generic.flashing.serial
Directly From GL.iNet WebSite Web Gui ( aka the Admin Panel ) Manual Update Instructions : Note: You have to upload the .tar file. The .img file can only be flashed to the router through Uboot. Here is WireGuard setup from their guide: https://docs.gl-inet.com/en/3/app/wireguard/
I hope this helps - Peace and Grace -

Dear Jeff,
Hello - I really have not seen you post any replies to my answers concerning your inquiries about WireGuard on your GL-AR750S. However, I was so intrigued while writing up and researching the information for your GL-AR750S that I actually went out ( read - ordered online ) and got one for myself. I have been playing with it for two days - and it performs well. If you get back to me, I will write up my experiences with the GL-AR750S. So, thanks for your questions - and I look forward to our communicating as soon as you are available to do so. However, I can share with you that my instructions were correct about how to run WireGuard on this router. The only way the advice which I offered in my original answer to you does not apply is if you flashed your GL-AR750S with OpenWRT Firmware instead of the GL.iNet OEM FirmWare.
From their website:
OpenWRT provides many functionalities but it may be a little too complicated for everyone. GL.iNet provides on Slate a simplified GUI with essential functionalities available. OpenWRT Luci and ( UCI command line ) are also available at the same time for advanced users. So there are two Gui's; GL.iNet Admin Gui and Luci. Do not use uci command line either. For successful WireGuard connection on the GL-AR750S - you need to configure WireGuard through the GL.iNet Admin Gui. If you set up WireGuard through the GL.iNet Admin Gui ( not Luci ) - you can SSH into your router and you can run wg show and get the same read out as if you were to do a standard WireGuard install on a standard OpenWRT router. I even installed luci-app-wireguard and it shows up under Status Drop Down Menu - and it will also show you that you are connected. See here: https://danrl.com/blog/2017/luci-proto-wireguard/ When I followed this guide above that I wrote for standard WireGuard ( on my WRT32x ) ( on my GL-AR750S ) - I got the same results as you did. I got the same outcome - that being - It's still routing the traffic through my router to my ISP. But it's strange because on the main login page it shows I'm connected to a VPN. So, I wish you well.
Peace and God Bless

Yes that was what confused me so much. It's as if I'm missing a particular setting that instructs the router to send the traffic through the WireGuard network connection we created.

Dear AgentJeffy,
The truth is that the GL-AR750S comes with the WireGuard interface already set up along with kmod - wireguard tools and all of that good stuff ( under the hood somewhere ). GL-AR750S will also handle the firewall rules and routes once you create, configure and add your Wireguard Profile. I have Torguard and NordVpn running Wireguard on this router. You can switch to and fro between services with just a few clicks. You can enter your profile manually or copy and paste the configuration you have into the first box that pops up after you enter your profile name. Use the tab for WireGuard Client - if you are using a commercial VPN provider for WireGuard. The best guide is this one - https://torguard.net/article/250/how-to-setup-wireguard-on-the-gli-gl-ar750s-openwrt-router.html - Once again I cannot overemphasize that the tutorial above will screw up your router.
Reset and reflash your GL-AR750S - Here is listed the firmware - and links to download the firmware: https://docs.gl-inet.com/en/3/release_notes/. Just use the Built In WireGuard Section through the default GL.iNet Web Gui ( aka the Admin Panel ) and please forget the tutorial I wrote for NORDVPN in my OP - this advice is designed for you and your situation. By the way, WIREGUARD runs great on this little router. Remember to use the tar file and flash through the default GL.iNet Web Gui ( aka the Admin Panel )
The main guide and information which I wrote above does not work on the GL-AR750S ; at least not if you are using the GL.iNet OEM FirmWare - which I am currently running - so I just used the pre-installed WIREGUARD app ( for lack of a better term ) that comes bundled with GL.iNet OEM FirmWare. This is how I achieved SUCCESS!
Peace

2 Likes
