[Solved] Windscribe Wireguard VPN

I have successfully installed WireGuard and uploaded the Windscribe config file. I also added firewall rules following a few setup guides from different VPN vendors. But for some reason, it does not connect successfully. I wanted to see what my next steps should be to troubleshoot the issue.

About the firewall, the only thing you have to do is actually add the WG interface to the WAN zone.

But the most common mistake is that you did not enable Route Allowed IPs.

If you have that enabled and it is still not working then please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
wg show

@egc these are my firewall settings, not sure if they are right.

I have added Allowed IPs under Peer tab

Output of the commands:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Team Newifi D2",
        "board_name": "d-team,newifi-d2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '******'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.12.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '******'
        list addresses '100.87.**.**/32'
        list dns '10.255.255.3'
        option mtu '1500'

config wireguard_wg0
        option description 'Windscribe-Dallas-Trinity.conf'
        option public_key '******'
        option preshared_key '******'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'dfw-414-wg.whiskergalaxy.com'
        option endpoint_port '443'
        option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option mtu_fix '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'WireGuard'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'WireGuard'

config forwarding
        option src 'lan'
        option dest 'wan'

root@OpenWrt:~# ip route show
default via 192.168.68.1 dev wan  src 192.168.68.100
149.**.***.** via 192.168.68.1 dev wan
192.168.12.0/24 dev br-lan scope link  src 192.168.12.1
192.168.68.0/24 dev wan scope link  src 192.168.68.100
root@OpenWrt:~# wg show

Your firewall looks OK, but it is often easier to just add the WireGuard interface (wg0) to the WAN zone for a simple client setup. For now just leave it, as it looks OK.

One problem I see is that you do not route the Allowed IPs.
In the WG peers section of the GUI tick/enable: Route Allowed IPs, or add in the peers section of
/etc/config/network:
option route_allowed_ips '1'

Make it so, reboot and test again.

If it still does not work, post again the output of the earlier requested items. It is strange that wg show does not have any output; that points to some underlying problem.
Is WireGuard implemented on the router at all?


You probably want to reduce MTU to 1420 :slight_smile:


It did the trick! A few questions if you don't mind:

  1. By turning on the Route Allowed IPs, traffic through WAN also gets cut off when I disable the VPN connection. Is that expected?
  2. What is the difference between using this feature vs. implementing a kill switch by removing wan from "Allow forward to destination zones" of the lan firewall config?
  3. Ultimately, I want to set up the VPN so that a few devices (TV and some media devices) are routed through the VPN, whereas the majority of the devices should stay on standard WAN traffic. Occasionally, I might want my phone to switch to the VPN from the WAN network. Would using PBR be the best solution for it?

Thanks, adjusted! May I ask how to determine the right number for MTU? I upped the number following one of the guides I found online without knowing the implications of doing so.

When you disable the VPN connection the route is still in place; you need to restart the network (service network restart) to reinstate the default route via the WAN.
This is not a "kill switch"; a kill switch is like you described, i.e. removing FORWARD from lan to wan. But this is not compatible with your next question, for which PBR is the solution: https://docs.openwrt.melmac.net/pbr/

About MTU: your normal WAN MTU is 1500 and WireGuard has 80 bytes of overhead (if IPv6 is used), so 1420 is the max (for PPPoE, where the WAN MTU is 1492, you use 1412).
Sometimes this is even too much, and if you have slow/hanging connections, especially when using streaming media, you have to lower it below 1420 (1412).

Glad it is working.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

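As an added example (not code from this thread, Windscribe or the OpenWrt project), the checks from the two answers above can be run as a small audit over the UCI files: is route_allowed_ips set on the peer, is the tunnel MTU at or below WAN MTU minus 80, is the wg interface in a zone with masquerading, and is lan-to-wan forwarding still open (no kill switch). The sample /etc/config/network and /etc/config/firewall it audits are constructed inline from the posted config with keys and addresses replaced by placeholders; it assumes one peer per WireGuard interface and a WAN MTU of 1500 passed as an argument. It uses only sh and awk, so it runs off the router; on the router itself the same values come from uci show.

```shell
#!/bin/sh
# Added example: audit OpenWrt UCI network/firewall text for the WireGuard
# client pitfalls discussed in the thread. Constructed samples, no real keys.

# uci_lookup FILE TYPE MATCHKEY MATCHVAL WANTKEY
# Print WANTKEY's value(s) from every section of TYPE in which MATCHKEY has
# value MATCHVAL. MATCHKEY "@name" matches the section's own name, and ""
# matches every section of that type. One section is buffered at a time.
uci_lookup() {
    awk -v q="'" -v type="$2" -v mk="$3" -v mv="$4" -v wk="$5" '
        function flush(  i) {
            if (cur == type && matched) for (i = 1; i <= n; i++) print out[i]
            n = 0; matched = 0; cur = ""
        }
        # value between the first quote and the closing quote of an option/list line
        function val(  v) {
            v = $0; sub(/[ \t]+$/, "", v)
            v = substr(v, index(v, q) + 1); return substr(v, 1, length(v) - 1)
        }
        $1 == "config" {
            flush(); cur = $2; nm = $3; gsub(q, "", nm)
            matched = (mk == "" || (mk == "@name" && nm == mv)); next
        }
        cur != "" && ($1 == "option" || $1 == "list") {
            v = val()
            if ($2 == mk && v == mv) matched = 1
            if ($2 == wk) out[++n] = v
        }
        END { flush() }' "$1"
}

# WireGuard adds 80 bytes of overhead on an IPv6 outer packet, so a 1500 WAN
# gives 1420 and a 1492 PPPoE WAN gives 1412, the values quoted in the thread.
wg_max_mtu() { echo $(( $1 - 80 )); }

# audit_wg_client NETWORK_FILE FIREWALL_FILE IFACE WAN_MTU
# Prints one "FAIL:" or "INFO:" line per finding; wg_fail_count gives the number.
audit_wg_client() {
    net=$1; fw=$2; ifc=$3; max=$(wg_max_mtu "$4")
    [ "$(uci_lookup "$net" "wireguard_$ifc" "" "" route_allowed_ips)" = 1 ] ||
        echo "FAIL: $ifc peer lacks route_allowed_ips '1': tunnel comes up but nothing is routed into it"
    mtu=$(uci_lookup "$net" interface @name "$ifc" mtu)
    [ -z "$mtu" ] || [ "$mtu" -le "$max" ] ||
        echo "FAIL: $ifc mtu $mtu exceeds $max (WAN MTU $4 minus 80 bytes WireGuard overhead)"
    zone=$(uci_lookup "$fw" zone network "$ifc" name)
    if [ -z "$zone" ]; then
        echo "FAIL: $ifc belongs to no firewall zone, so lan cannot be forwarded into it"
    elif [ "$(uci_lookup "$fw" zone network "$ifc" masq)" != 1 ]; then
        echo "FAIL: zone $zone carrying $ifc has no masq '1'"
    fi
    # The kill-switch point from the thread: with lan->wan forwarding allowed,
    # LAN clients silently fall back to the plain WAN once the tunnel route is gone.
    if uci_lookup "$fw" forwarding src lan dest | grep -qx wan; then
        echo "INFO: lan->wan forwarding still allowed: no kill switch (needed if other clients bypass the VPN via PBR)"
    fi
    return 0
}
wg_fail_count() { audit_wg_client "$@" | grep -c '^FAIL' || true; }

# Constructed sample condensed from the posted config (placeholders, not real values):
# $1/network is the as-posted config, $1/network.fixed applies both answers.
write_samples() {
    cat > "$1/network" <<'EOF'
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED_PRIVATE_KEY'
        list addresses '100.64.0.2/32'
        option mtu '1500'

config wireguard_wg0
        option public_key 'REDACTED_PUBLIC_KEY'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'vpn.example.invalid'
        option endpoint_port '443'
EOF
    sed -e "s/option mtu '1500'/option mtu '1420'/" "$1/network" > "$1/network.fixed"
    printf "        option route_allowed_ips '1'\n" >> "$1/network.fixed"
    cat > "$1/firewall" <<'EOF'
config zone
        option name 'WireGuard'
        option masq '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'WireGuard'

config forwarding
        option src 'lan'
        option dest 'wan'
EOF
}

# Stand-alone run: audit the posted config, then the corrected one.
tmp=$(mktemp -d); write_samples "$tmp"
echo "--- as posted:";  audit_wg_client "$tmp/network" "$tmp/firewall" wg0 1500
echo "--- corrected:";  audit_wg_client "$tmp/network.fixed" "$tmp/firewall" wg0 1500
rm -rf "$tmp"
```

On a real router you would point audit_wg_client at /etc/config/network and /etc/config/firewall and pass the WAN MTU (1500, or 1492 on PPPoE). The as-posted sample produces two FAIL lines (no route_allowed_ips, MTU 1500) plus the INFO about lan-to-wan forwarding; the corrected sample produces only the INFO line, which is the expected state when some clients are meant to bypass the tunnel via PBR rather than a kill switch.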
