[Solved] Wireguard AirVPN + pbr, Firewall settings issue

Hi, I have been using openwrtx86 for 2 weeks (on and off), so I am a total newbie here. I have only really ever used Windows and web UI interfaces and come from an Asus Merlin router, but I am trying to move over to openwrtx86, so my networking skills are not quite expert level. I have watched many Van Tech videos to learn, though; that guy is great.

Very simple home setup: ISP router (in modem mode) connected to an openwrtx86 old PC with a 4-port Intel NIC card, and 2 devices (1 computer and a Unifi access point) connected via the LAN ports.

I got the basics set up (LAN/WAN, 2 spare LAN ports bridged), and the internet is working fine on all devices on the home network.

AirVPN has been set up as a WG VPN client and is working successfully. I used the Mullvad WireGuard setup guide but used AirVPN settings instead (i.e. DNS, private/public keys etc.). This works beautifully and maxes out my broadband speeds, and I also got pbr running, with my devices using AirVPN or WAN (clear ISP net).

However, my firewall settings are blocking pbr from working successfully, so I think I have something wrong with my firewall configuration.

These are the settings I currently use:

Add new firewall zone
From the Network drop-down menu, click on Firewall.

Under Zones, create a new zone and set it up as shown below. We named ours "WGZONE" (my AirVPN WG).

Input: reject
Output: accept
Forward: reject
Masquerading: checked
MSS clamping: checked
Covered networks: WGINTERFACE (my AirVPN WG)

Click Save

Click on Edit for the lan zone and set "Allow forward to destination zones" to "WGZONE:WGINTERFACE" as the only option under allowed destinations.

I currently have no firewall settings in place (from the Mullvad guide above); I have to do this so it allows me to use AirVPN WG and keeps pbr working on my devices until I fix it, so I figured I'd ask here.

Would the Mullvad VPN guide firewall settings work with pbr?
(The settings appear similar to the ones given as examples under the pbr notes here, I think.)

What does this firewall VPN type zone do exactly?

And does anyone have a better way to do the firewall settings correctly so they actually work with AirVPN or any VPN provider and with policy based routing?

I appreciate any advice or tips here, since it's almost the final bit to get me up and running and fully converted to openwrtx86.

Can you be specific about what is not working?

Your firewall looks fine (from what we can see in the screenshot) except for the fact that you have removed lan > wan forwarding. This is fine if you want all of your traffic to go through the tunnel and you don't want any to egress via the regular wan. However, this would likely prevent PBR from successfully routing stuff through the wan that should bypass the VPN.


Thanks psherman.

Well, with those current Mullvad firewall settings and with lan > WGZONE forwarding,
it was stopping any pbr WAN/ISP clearnet devices in my policies from working, so they had no internet.

So I have now added "Allow forward to destination zones: WGZONE/WG0/WAN/WG0" in there and saved it.

This is how it currently looks:


Does that look correct?

So now lan > wan + WGZone forwarding is making everything work fine under pbr,
and all devices can now use AirVPN or WAN (clear ISP net).

No... the WG0 network appears to be a member of the wan zone... only the wan network should be a member of the wan zone, and the WG0 network should only be a member of the wgzone zone.


I must have something wrong in my configuration then; when I try to just add wan under the drop-down list, it is always joined with WG0. I believe it auto sets like this when I add my WG0 or WGAir interface and add WAN in the firewall settings.

I think merging Van Tech's WireGuard tutorial and the Mullvad guide may be confusing my configuration a little here. I will re-check this.

If you go into the Wireguard network interface definition in LuCI and then select which firewall zone it belongs to, hopefully you can solve that issue. If not, you can go into the wan zone firewall config and remove the wireguard network as a covered network... or, failing that, we can fix it in the text config...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
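As an added check (not from this thread, and not OpenWrt's own code), a small Python script that reads the output of `cat /etc/config/firewall` and reports the two problems discussed above: a network such as WG0 covered by both the wan zone and the WG zone, and a masquerading zone that lan has no forwarding to, which is what left the clearnet pbr devices without internet. The zone and interface names in the embedded sample are assumptions taken from the thread, and the sample deliberately contains both mistakes.

```python
# Constructed sample in UCI syntax; names (wan, WG0, WGZONE) are assumptions from the thread.
# It reproduces both mistakes: WG0 sits in wan and WGZONE, and lan cannot forward to wan.
SAMPLE_FIREWALL = """
config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'wan'
	list network 'wan'
	list network 'WG0'
	option masq '1'
	option mtu_fix '1'
config zone
	option name 'WGZONE'
	list network 'WG0'
	option masq '1'
	option mtu_fix '1'
config forwarding
	option src 'lan'
	option dest 'WGZONE'
"""

def parse_uci(text):
    """Minimal UCI reader: returns [(section type, {key: [values]})], handling option and list."""
    sections = []
    for line in text.splitlines():
        tok = line.strip().split(None, 2)
        if tok and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2].strip("'\""))
    return sections

def check_firewall(text):
    """Return a list of findings; an empty list means the zones match the thread's final layout."""
    secs = parse_uci(text)
    zones = {s["name"][0]: s for t, s in secs if t == "zone"}
    fwd = {(s["src"][0], s["dest"][0]) for t, s in secs if t == "forwarding"}
    findings, owners = [], {}
    for zname, z in zones.items():
        for net in z.get("network", []):
            owners.setdefault(net, []).append(zname)
    for net, zs in owners.items():
        if len(zs) > 1:  # a network may belong to exactly one zone
            findings.append(f"network {net} is covered by several zones: {', '.join(zs)}")
    for zname, z in zones.items():  # every masquerading (egress) zone must be reachable from lan
        if z.get("masq") == ["1"] and ("lan", zname) not in fwd:
            findings.append(f"lan zone has no forwarding to {zname}; pbr cannot route via it")
    return findings
```

Run it against the real file with `check_firewall(open("/etc/config/firewall").read())` on the router; for a correct layout the list comes back empty.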

I think I figured out where I was going wrong: I was adding a wan firewall rule under the WG interface while following Van Tech's guide to get the internet working, but I needed to ignore this and stick to the Mullvad firewall settings guide, so I think it's a bit better now.

I tried to clean up the naming of zones and interfaces, so WGZone is just the WGZone
and WGInterface is my AirVPN.

I might still have it wrong, but I'm getting there; how does this appear to you?



Just to add, policy routing appears fine: I can flick any static device to WAN clear net or VPN and it works.

I hope the above firewall rules are OK; thanks again psherman for all the advice.

Looks good!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

