[Solved] Wireguard client connected to OpenWrt router with 4G wwan - not working

Hello, I am struggling to understand why I do not have internet connectivity on my Ubuntu laptop using the WireGuard VPN client. I have connected the laptop to an OpenWrt router which gets its internet connection from a 4G modem. If I disable the VPN client on the laptop, I do get internet connectivity; if I use OpenVPN on the laptop, I still get connectivity. Bear in mind I have not set up a VPN on the router at all, I am only using VPN clients on the end device.

I have noticed that using WG I still connect to the selected VPN server, but pinging google.com returns results very slowly, once every 5 seconds (interestingly, ping still shows as 50ish ms, though it is definitely more like 5000ms).

I tried connecting to a VPN server using a Windows PC - I get the same issue - connected to the server, but endless browser loading etc. basically no connection.

I then connected to a VPN server using the Android phone wirelessly connected to the same router with the 4G modem - this time WG worked and I had connection.

I am completely baffled what might be causing this and most of all why would the android device work while the others won't.

Connecting the laptop to the same OpenWrt router with the wan port connected through a cable and running WG works just fine. It is only when I try to enable WG while the router gets its connection through wwan.

Many cellular ISPs do not provide a public IPv4 address. This is a requirement if you are attempting to connect via IPv4...

To find out if you have a public IP, take a look at the "IPv4 upstream" section of the LuCI main status page. Compare that against the result when you google "What's my IP"

If they do not match, you don't have a public IP. If in doubt, please post the first two octets of the IPv4 upstream (in bold: aaa.bbb.ccc.ddd).


I don't think he needs a public IP. All his connections are outbound. The wireguard "server" isn't on his router, it sounds like a public one.

Which server?

Can you share a redacted wireguard configuration for your laptop? Is it routing all traffic through the VPN?


I interpreted the OP as describing the 'server' as a 4G connected OpenWrt router....
@granuloma can you clarify?

If I have misunderstood, then my original comment is not relevant.


I am using a VPN provider (NordVPN), so I try to connect to said provider's servers. Indeed, the IPv4 address I get from the cellular network provider is not public.
Also, NordVPN uses NordLynx, which is WireGuard in essence, but I do not know how to find the configuration on Ubuntu, as it is not in the wg folder.

It should, however, be routing the traffic through the VPN, as I can connect normally to the VPN server when connected to the OpenWrt non-4G network (i.e. when disabling the wwan and plugging the wan cable back in).

But I do not think that the problem is the IPv4 address: I have used the same SIM card in my Android phone, and when switching the hotspot on and connecting to it with the same laptop, I can enable WG and have connection. I believe it must be something I am missing on the router that is interfering somehow, but then again the SIM-less Android phone connected by Wi-Fi to the router has WG connection.

Ok... my apologies for the incorrect interpretation of your situation, a public IP is not required (@VA1DER was correct).

Let's take a look at the router's configuration

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Without that configuration, it's really hard for us to do much to diagnose the issue. I will say it doesn't sound like an OpenWrt issue.

If we could tweak the configuration, we could set it up to exclude certain IP addresses from being routed through the VPN so we could compare pings out through the VPN with pings direct to their destination while the VPN was connected. We can't do that, though. I'm sorry, I really think you'll have to take this to NordVPN for resolution. Or find out if it's possible to tweak their configuration, or use a vanilla Wireguard client.

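The comparison described above (pinging one destination directly while everything else goes through the tunnel) is possible with a vanilla WireGuard client, but only by listing the complement of the excluded address in AllowedIPs, because WireGuard has no exclusion syntax. The following Python is an added example, not code from the thread, from NordVPN or from any WireGuard client: it computes that complement with the standard library's ipaddress module and mirrors WireGuard's "does this destination fall inside an AllowedIPs prefix" decision so the result can be checked before it is pasted into a wg-quick [Peer] section. The addresses 8.8.8.8, 1.1.1.1 and 2001:4860:4860::8888 are arbitrary test destinations chosen for the example.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The two "route everything" prefixes a full-tunnel WireGuard peer normally lists.
FULL_V4 = ipaddress.ip_network("0.0.0.0/0")
FULL_V6 = ipaddress.ip_network("::/0")


def allowed_ips_excluding(excluded: Iterable[str], ipv6: bool = True) -> List[Net]:
    """AllowedIPs that send everything through the tunnel except `excluded`.

    WireGuard has no exclusion syntax: a destination is handed to a peer only if
    it falls inside one of that peer's AllowedIPs, so to keep a destination out
    of the tunnel you list the complement of it.  Anything not covered then
    follows the host's ordinary default route (here: the OpenWrt router and
    its 4G uplink), which is what lets you compare a direct ping with a
    tunnelled one while the VPN is up.
    """
    remaining: List[Net] = [FULL_V4] + ([FULL_V6] if ipv6 else [])
    for item in excluded:
        hole = ipaddress.ip_network(item, strict=False)   # host or prefix to leave out
        carved: List[Net] = []
        for net in remaining:
            if net.version != hole.version:
                carved.append(net)                         # other family, untouched
            elif hole.subnet_of(net):
                carved.extend(net.address_exclude(hole))   # split around the hole (yields nothing if equal)
            elif net.subnet_of(hole):
                continue                                   # prefix lies entirely inside the hole: drop it
            else:
                carved.append(net)                         # disjoint, keep as is
        remaining = carved
    # collapse_addresses merges adjacent prefixes back together; it needs one family at a time
    v4 = sorted(ipaddress.collapse_addresses([n for n in remaining if n.version == 4]))
    v6 = sorted(ipaddress.collapse_addresses([n for n in remaining if n.version == 6]))
    return v4 + v6


def routes_via_tunnel(nets: Iterable[Net], host: str) -> bool:
    """Mirror WireGuard's decision: is `host` inside any AllowedIPs prefix?"""
    addr = ipaddress.ip_address(host)
    return any(addr.version == n.version and addr in n for n in nets)


def format_allowed_ips(nets: Iterable[Net]) -> str:
    """Render the list as the line that goes into a wg-quick [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


if __name__ == "__main__":
    # Keep pings to 8.8.8.8 outside the tunnel so they can be compared with
    # tunnelled pings to any other address while the VPN is connected.
    nets = allowed_ips_excluding(["8.8.8.8"])
    print(format_allowed_ips(nets))
    print("8.8.8.8 via tunnel:", routes_via_tunnel(nets, "8.8.8.8"))   # False
    print("1.1.1.1 via tunnel:", routes_via_tunnel(nets, "1.1.1.1"))   # True
```

Excluding a single IPv4 host from 0.0.0.0/0 produces 32 prefixes (one for each length from /1 to /32), which is why the line gets long; excluding a whole prefix such as 8.8.8.0/24 is shorter and still leaves every other destination tunnelled. With a provider client such as NordLynx that hides its configuration, this is not something you can apply, which is the limitation VA1DER describes.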

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdxx:xxxx:xxxx::/48'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option proto 'dhcp'
	option type 'bridge'
	option device 'eth4'

config interface 'wan6'
	option device 'eth4'
	option proto 'dhcpv6'
	option type 'bridge'

config interface 'mobile_data'
	option proto 'modemmanager'
	option device '/sys/devices/pci0000:00/0000:00:14.0/usb1/1-11/1-11.2/1-11.2.1'
	option apn 'xxxxx'
	option auth 'none'
	option iptype 'ipv4v6'

config device
	option name 'eth0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option bridge_empty '1'

config device
	option name 'wwan0'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'mobile_data'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Remove the option type 'bridge' line from both of these:

Delete this.

Reboot and try again. If it still doesn't work, let's also see the /etc/config/dhcp and /etc/config/wireless files.


I'd agree, but then again, I have just transferred the SIM card back to my Android phone, switched the mobile hotspot on, connected my laptop to the phone, then turned the VPN client with WG on, and there is connectivity. That is why this problem is so bizarre. Maybe the problem lies with the 4G modem?

By the way, before switching to ModemManager, I tried connecting using the QMI protocol. Overall I could get online and WG worked on QMI, but I had some other issues with the modem that I could not resolve (basically, if I had to change a setting I had to completely unplug the entire system from the plug before the changes could be saved); there is a separate topic on that, though I do not think I will be going back to QMI.

@psherman, nope, did not have any effect.

Here are the other two files:

(check my previous response to VA1DER: when I used QMI before switching to ModemManager, I could connect via WG but encountered different issues)

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'mobile_data'
	option interface 'mobile_data'

config host
	option name 'laptop'
	option duid 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:1b.3/0000:04:00.0'
	option band '2g'
	option cell_density '0'
	option htmode 'HE40'
	option channel 'auto'
	option country 'BO'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid '2.4GHz'
	option key 'XXXXXXXX'
	option encryption 'psk2+tkip+ccmp'
	option skip_inactivity_poll '1'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:1b.3/0000:04:00.0+1'
	option band '5g'
	option cell_density '0'
	option htmode 'HE40'
	option txpower '23'
	option channel 'auto'
	option country 'BO'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '5GHz'
	option encryption 'psk2+tkip+ccmp'
	option key 'XXXXXXXXXX'
	option skip_inactivity_poll '1'

Does your mobile ISP provide you with IPv6? If not, that could be part of the issue. In that case, disable all the IPv6 items (last 4 lines).

The router gets assigned both an IPv4 and a IPv6 address, so it is not that either.

You were right all along, though for the wrong reasons - it is the IP address that caused this issue. It turns out NordVPN does not support IPv6, hence by switching the modem to IPv4 only, I managed to stay online while connected via Wireguard.

I feel so stupid, it should be one of the first things I checked. Oh well. I guess troubleshooting is always a pain and I never seem to be able to start with the obvious things, I just like getting deeper down a rabbit hole that does not even exist.

Anyway, thank you very much for your suggestions.
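The mismatch the thread ended on, a LAN that hands out IPv6 because the modem runs with option iptype 'ipv4v6' while the provider's WireGuard tunnel only claims IPv4, can be checked on the client before anything is changed on the router. The following Python is an added example, not code from the thread, from NordVPN or from OpenWrt: it parses the output shapes of `wg show <ifname> allowed-ips` (one peer per line, public key, a tab, then space-separated prefixes) and `ip -o addr show scope global`, works out which address families the tunnel covers completely and which ones the host actually holds global addresses in, and reports the families that will bypass the tunnel. All sample output is constructed: the peer key is a placeholder, the IPv6 address uses the 2001:db8::/32 documentation prefix, and the interface names wlp3s0 and wg0 are assumed. Against a real machine, feed the two commands' output into diagnose().

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed `wg show wg0 allowed-ips` output: "<peer public key><TAB><prefix> <prefix> ...".
# The key is a placeholder.  A lone 0.0.0.0/0 is the IPv4-only full tunnel the thread describes;
# a provider that carries IPv6 would list ::/0 as well.
SAMPLE_WG_V4_ONLY = "<peer-public-key>\t0.0.0.0/0\n"
SAMPLE_WG_DUAL = "<peer-public-key>\t0.0.0.0/0 ::/0\n"

# Constructed `ip -o addr show scope global` output while the router's modem runs in ipv4v6
# mode: the LAN gives the laptop an IPv4 lease *and* a global IPv6 address (documentation prefix).
SAMPLE_ADDR_DUAL_STACK_LAN = """\
3: wlp3s0    inet 192.168.1.123/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp3s0
3: wlp3s0    inet6 2001:db8:4d2:1:abcd:ef01:2345:6789/64 scope global dynamic noprefixroute
7: wg0    inet 10.5.0.2/32 scope global wg0
"""
# The same laptop after the modem is switched to IPv4 only: no global IPv6 on the LAN.
SAMPLE_ADDR_V4_ONLY_LAN = """\
3: wlp3s0    inet 192.168.1.123/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp3s0
7: wg0    inet 10.5.0.2/32 scope global wg0
"""


def parse_allowed_ips(wg_output: str) -> List[Net]:
    """Collect every AllowedIPs prefix across all peers from `wg show ... allowed-ips`."""
    nets: List[Net] = []
    for line in wg_output.splitlines():
        if not line.strip():
            continue
        _peer, _tab, prefixes = line.partition("\t")
        for prefix in prefixes.split():
            if prefix != "(none)":          # wg prints (none) for a peer without AllowedIPs
                nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets


def fully_covered_families(nets: Iterable[Net]) -> Set[int]:
    """Address families (4, 6) whose entire space falls inside the tunnel's AllowedIPs."""
    covered: Set[int] = set()
    for version, bits in ((4, 32), (6, 128)):
        same = [n for n in nets if n.version == version]
        # collapse_addresses merges overlapping/adjacent prefixes, so the address count is exact
        if same and sum(n.num_addresses for n in ipaddress.collapse_addresses(same)) == 2 ** bits:
            covered.add(version)
    return covered


def global_address_families(ip_output: str, tunnel_ifname: str) -> Set[int]:
    """Families in which the host holds a global-scope address, ignoring the tunnel interface."""
    present: Set[int] = set()
    for line in ip_output.splitlines():
        parts = line.split()                     # ["3:", "wlp3s0", "inet6", "addr/len", ...]
        if len(parts) < 4 or parts[1] == tunnel_ifname:
            continue
        if "scope" in parts:
            i = parts.index("scope")
            if i + 1 >= len(parts) or parts[i + 1] != "global":
                continue
        if parts[2] == "inet":
            present.add(4)
        elif parts[2] == "inet6":
            present.add(6)
    return present


def diagnose(wg_output: str, ip_output: str, tunnel_ifname: str = "wg0") -> Dict[str, Set[int]]:
    """Families the host will use that the tunnel does not carry end to end."""
    covered = fully_covered_families(parse_allowed_ips(wg_output))
    present = global_address_families(ip_output, tunnel_ifname)
    return {"covered": covered, "present": present, "bypassing_tunnel": present - covered}


if __name__ == "__main__":
    for label, addrs in (("modem ipv4v6", SAMPLE_ADDR_DUAL_STACK_LAN),
                         ("modem ipv4", SAMPLE_ADDR_V4_ONLY_LAN)):
        r = diagnose(SAMPLE_WG_V4_ONLY, addrs)
        print(f"{label}: tunnel covers {sorted(r['covered'])}, host has {sorted(r['present'])}, "
              f"bypassing tunnel: {sorted(r['bypassing_tunnel'])}")
```

A non-empty bypassing_tunnel set is the condition the poster ended up fixing. On the OpenWrt side it corresponds to the mobile_data interface's iptype going from 'ipv4v6' (as in the posted /etc/config/network) to 'ipv4', so the LAN is no longer offered IPv6; a tunnel that also lists ::/0, where the provider supports it, would make the same check pass without touching the router.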

Glad I was able to help!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

