[Solved] Wireguard VPN - About To Call It Quits

OK to start off, first time here, and hello everyone!

I'm trying to add a router (Netgear R6250) specifically to use for Wireguard VPN (Surfshark). So, any device that connects to this router, will be going through the VPN.

My current home setup is ISP Router => 3 other APs. So the OpenWRT will be the 4th.

I have gotten the setup to work (though not sure if it is proper) this way:

  • OpenWRT as AP, with static IP and DHCP off.
  • Installing Wireguard with Surfshark VPN according to Surfshark's guide.
  • Setup the Firewall according to the Surfshark guide.
  • Setup Manual IP settings for each connecting device.

And at first, everything works great. Every device I've tried to connect goes through the VPN via the OpenWRT router. And if I connect to my other regular APs, internet does not go through the VPN.

This worked for several hours, and I thought I finally got it to work. HOWEVER, after going to sleep, the next day there's no Internet connection anymore through the OpenWRT router. Inspecting the Wireguard Interface, it seems the Surfshark VPN is not "Receiving" packets? If I delete the Wireguard interface and firewall rule, then I get Internet access again via the OpenWRT router (no VPN). Reinstalling/resetting/restarting the Wireguard interface doesn't solve this.

I'm not very Network savvy, and have been meddling with this setup for 4 days now: connecting via WAN port, staying with 192.168.1.1 settings, not turning DHCP off, screwing up all kinds of settings. And finally gotten to where I am now. I'm really getting frustrated now, and I think I'm at the end of my knowledge/capabilities here.

So could anyone be kind enough to help me with this issue? Thanks.

Here are screenshots of my setup.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
wg show
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear R6250 V1 (BCM4708)",
        "board_name": "netgear,r6250-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "bcm53xx/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf2:f5b7:4f65::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.88'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'

config device
        option name 'wan'
        option macaddr '6C:B0:CE:BD:E1:54'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'
        option listen_port '51820'

config wireguard_wg0
        option description '1'
        option public_key 'xxx'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host '93.152.212.137'
        option endpoint_port '51820'
        option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0/bcma1:1'
        option channel 'auto'
        option band '2g'
        option cell_density '0'
        option country 'CN'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt260'
        option encryption 'psk2'
        option key 'xxx'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

root@OpenWrt:~# wg show
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: 93.152.212.137:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 17.34 KiB sent
  persistent keepalive: every 25 seconds

OK, I hope this is correct.

So the fundamental issue is that you've got a dumb AP configuration where the DHCP server from your main router tells clients to use the main router (192.168.1.1) as the gateway. This means that the clients aren't even aware of the fact that they could use this router as a gateway.

What you can do is quite simple -- connect this device to the upstream using the wan port of the R6250. To make this work, you also need to change the subnet of the lan on this device... maybe use the address 192.168.5.1 (remove the gateway from the lan interface), and re-enable the DHCP server.

You'll also want to make sure that the SSID is not the same as your other APs so that you must specifically choose to connect to this one for the VPN to be in use (if it is the same, client devices may roam on and off of this AP and it will cause inconsistent behaviors).


OK I'll give that a shot. Thank you.

But just to be sure I'm understanding you:

I need to change the IPv4 address to 192.168.5.1. Should I leave IPv4 gateway blank? Or 192.168.1.1?

Again, I'm not very Network savvy, so I just want to be sure. I just don't want to be locked out of the router and have to Reset again.

Yes, for the lan address.

blank.

Once you change the address (and re-enable the DHCP server), you'll need to make sure the upstream device is not connected to the lan port anymore (now that connection will be via the wan port). You'll also need to renew your computer's DHCP lease -- you can do this by bouncing the connection, restarting your computer, or using the "renew" button if your OS gives you an option to do that.

Great thank you! I'll try this now and get back with the results!

OK so from the looks of it, it seems to be working! Send/Receive packets are being populated now in the Wireguard Interface. Thank you so much for your help!

You’re welcome.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

OK done! Thank you so much again! :smiley:

Uhh....sorry to open this up again. But there seems to be a slight issue "somewhere".

Internet's definitely working through the OpenWRT router, and Wireguard also seems to be working since it's both Transmitting and Receiving packets. However, it doesn't seem the internet traffic is really going "through" the VPN, if that makes sense at all?

To make things a bit more clear, I'm currently in a country that has internet restrictions. So what's happening is, regular sites can be accessed. But if I try to open a restricted site, it won't open. In Firefox, I'm getting a "pr_end_of_file_error". And when I try those "what's my IP" sites, some say I'm in the current country, while some say I'm in the VPN country. :crazy_face:

Are there any possible solutions to this?

Go to ipleak.net and see if your IP address and DNS address is in the country you are connecting to with WireGuard.

If so, WG works.

OK, that site showed my IP was the VPN country, and 6 DNS servers, where only 1 was the VPN country and the other 5 the real country. :crazy_face:

So is this what is known as a DNS leak issue?

EDIT:

OK I think I got it now. I manually changed the DNS input for each device to the VPN's own DNS, and now everything works! :smile:
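As an added example (not code from the thread or from OpenWrt), the script below audits a dumped network/dhcp config for the two dumb-AP symptoms the reply above describes (a gateway set on lan, and the lan DHCP pool ignored) and prints the uci commands that apply the recommended fix; it also hands the VPN's DNS servers to clients through DHCP option 6, a router-side alternative to the per-device DNS change in the final post. The config excerpts are constructed to mirror the poster's dump, and the value parser is plain awk so it runs anywhere, not only on the router.

```shell
#!/bin/sh
# Added example, not from the thread: audit a UCI text dump for the dumb-AP
# symptoms (lan carries a gateway, lan DHCP pool disabled) and print the uci
# commands for the recommended fix. Config texts are constructed excerpts.
NETWORK_CFG="$(cat <<'EOF'
config interface 'lan'
        option ipaddr '192.168.1.88'
        option gateway '192.168.1.1'

config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.14.0.2/16'
EOF
)"
DHCP_CFG="$(cat <<'EOF'
config dhcp 'lan'
        option ignore '1'
EOF
)"
# uci_get CFGTEXT SECTION OPTION: print the option's value from the named
# section of a UCI dump (empty when absent). Pure awk; no uci binary needed.
uci_get() {
    printf '%s\n' "$1" | awk -v sec="$2" -v opt="$3" -v q="'" '
        /^config / { insec = ($3 == (q sec q)) }
        insec && $1 == "option" && $2 == opt {
            v = $0; sub("^[^" q "]*" q, "", v); sub(q ".*$", "", v); print v
        }'
}
# Symptom 1: a gateway on lan means this box is a dumb AP, not a router.
lan_has_gateway() { [ -n "$(uci_get "$NETWORK_CFG" lan gateway)" ]; }
# Symptom 2: with the lan pool ignored, clients get gateway and DNS upstream.
lan_dhcp_disabled() { [ "$(uci_get "$DHCP_CFG" lan ignore)" = "1" ]; }
# The uci equivalent of the reply's fix (new subnet, no gateway, DHCP on),
# plus pushing the VPN DNS (the wg0 dns entries from the dump) to clients via
# DHCP option 6, so each device does not need manual DNS settings.
fix_commands() {
    cat <<'EOF'
uci set network.lan.ipaddr='192.168.5.1'
uci delete network.lan.gateway
uci delete dhcp.lan.ignore
uci add_list dhcp.lan.dhcp_option='6,162.252.172.57,149.154.159.92'
uci commit network && uci commit dhcp
/etc/init.d/network restart && /etc/init.d/dnsmasq restart
EOF
}
if lan_has_gateway || lan_dhcp_disabled; then
    echo "dumb-AP configuration detected; apply on the router over ssh:"
    fix_commands
fi
```

Run it against a real `cat /etc/config/network` / `cat /etc/config/dhcp` dump by replacing the two constructed heredocs; the commands are printed, not executed, so they can be reviewed before applying.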
