Strange wireguard problem with some websites

Hi folks,

I have a problem with a WireGuard client configuration; I will try to explain it and state some premises:

  1. I need to use a VPN to connect to a website. I tried the Surfshark app and it allows me to connect to that website.
  2. I downloaded the WireGuard configuration file, to be used to configure WireGuard, and I used it on my Android mobile to configure the WireGuard app, and it works completely (I can surf the web connected to the VPN and I can reach the website I need).
  3. I used the same file on my OpenWRT-23.05-5 router (I tried with two different routers: GL.iNet B2200 and Mango V300, both with OpenWrt firmware) and I can surf the web connected to the VPN, but I cannot reach the website I need.

Some important considerations:

  1. I am always testing with my Android mobile connected to the same OpenWrt router. When I am using the WireGuard app on the mobile I just disable the WireGuard connection on the router; vice versa, when I activate the WireGuard connection on the OpenWrt router I disable the WireGuard connection in the Android app.
  2. To avoid DNS leaks I use the DNS servers provided by the VPN service as the default and only DNS. I also tried a DNS leak test and the DNS servers are the expected ones.
  3. MTU is 1350 in both configurations.

I attach hereafter some configuration from my router; wg1 is the WireGuard client connection:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd03:5e64:e0bd::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option force_link '1'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXX'
	option listen_port '51820'
	list addresses '10.0.0.1/32'
	option mtu '1350'

config wireguard_wg0
	option description 'Jolly'
	option public_key 'XXXXXXXXXXXXXXX='
	option private_key 'XXXXXXXXXXXXXXXXXXXXX='
	list allowed_ips '10.0.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXXXXXXXXX='
	option mtu '1350'
	option force_link '1'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	list addresses '10.14.0.2/16'

config interface 'ov0'
	option proto 'none'
	option device 'tun0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config wireguard_wg1
	option description 'NY'
	option public_key 'XXXXXXXXXXXXXXXXXXXXX='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'us-nyc.prod.surfshark.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'

/etc/config/firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	list network 'wg0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'AllowSSH'
	option src '*'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'AllowRA'
	option src '*'
	option dest_port '80'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'VpnClient'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg1'
	list network 'ov0'

config forwarding
	option src 'lan'
	option dest 'VpnClient'

Could you help me to understand what could be wrong?

Are you sure your traffic's actually going through the tunnel?

Quite sure :frowning:
I also tried with whatsmyip.com and similar sites, and I get an American IP.

Do you see anything wrong?

Please post the output of ubus call system board, as your version makes no sense.

Usually VPN exit ranges get blacklisted very fast due to customers doing bad things. You can check if this is the case, at least partially, at https://dnschecker.org/ip-blacklist-checker.php

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.5, r24106-10cc5fcd00
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "GL.iNet GL-B2200",
        "board_name": "glinet,gl-b2200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

The IP is NOT blacklisted... and the strange thing, I want to repeat, is that the same configuration (and also the same IP) works in the WireGuard app downloaded from Google Play. This drives me crazy.


If this is the WireGuard you are using then it is doubtful that traffic goes via this tunnel, as option route_allowed_ips '1' seems to be missing.

What is the output of (redact keys etc.):

wg show
ip route show
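
The check asked for above, as an added example that is not part of the thread: paste the output of `ip route show` and `wg show` from the router into the two strings and it reports whether the main IPv4 table really sends 0.0.0.0/0 into the WireGuard interface (either as one default route or as the 0.0.0.0/1 + 128.0.0.0/1 pair some providers use), which more-specific prefixes still leave through another device, and whether the peer has completed a handshake recently. The sample outputs are constructed to resemble the ones posted later in the thread, with keys redacted and the real endpoint address replaced by the documentation address 192.0.2.10; the "fixed" table is likewise constructed, not captured from a router.

```python
"""Is a WireGuard client interface on OpenWrt really the IPv4 default route, and is the peer alive?
Added example, not code from the thread. Samples are constructed (keys redacted, endpoint replaced)."""
import re
from ipaddress import collapse_addresses, ip_network

# Constructed: the thread's main table, where 0.0.0.0/0 still points at the ISP gateway.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev wan proto static src 192.168.1.249
10.0.0.2 dev wg0 proto static scope link
10.14.0.0/16 dev wg1 proto kernel scope link src 10.14.0.2
192.0.2.10 via 192.168.1.1 dev wan proto static
192.168.1.0/24 dev wan proto kernel scope link src 192.168.1.249
192.168.3.0/24 dev br-lan proto kernel scope link src 192.168.3.1
"""

# Constructed: a table where a default route via wg1 wins over the WAN one (the endpoint
# keeps its host route via wan, otherwise the tunnel would try to route its own packets).
SAMPLE_IP_ROUTE_FIXED = """\
default dev wg1 proto static scope link
default via 192.168.1.1 dev wan proto static src 192.168.1.249 metric 10
10.0.0.2 dev wg0 proto static scope link
192.0.2.10 via 192.168.1.1 dev wan proto static
192.168.1.0/24 dev wan proto kernel scope link src 192.168.1.249
192.168.3.0/24 dev br-lan proto kernel scope link src 192.168.3.1
"""

# Constructed: `wg show` for the client interface, shaped like the thread's output.
SAMPLE_WG_SHOW = """\
interface: wg1
  public key: (redacted)
  private key: (hidden)
  listening port: 46069

peer: (redacted)
  endpoint: 192.0.2.10:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 3 seconds ago
  transfer: 395.41 MiB received, 61.71 MiB sent
  persistent keepalive: every 25 seconds
"""

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_ip_route(text):
    """Turn `ip route show` lines into dicts with dst network, dev, via and metric."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        route = {"dst": ip_network(dst, strict=False), "dev": None, "via": None, "metric": 0}
        for i, tok in enumerate(toks):
            if tok in ("dev", "via"):
                route[tok] = toks[i + 1]
            elif tok == "metric":
                route["metric"] = int(toks[i + 1])
        routes.append(route)
    return routes


def handshake_age_seconds(text):
    """'1 minute, 12 seconds ago' -> 72; None when the text carries no duration."""
    parts = re.findall(r"(\d+) (second|minute|hour|day)s?", text)
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts) if parts else None


def parse_wg_show(text):
    """Map interface name -> list of peers with endpoint, allowed_ips and handshake_age."""
    ifaces, peers = {}, None
    for line in text.splitlines():
        if line.startswith("interface: "):
            peers = ifaces.setdefault(line.split(": ", 1)[1], [])
        elif line.startswith("peer: ") and peers is not None:
            peers.append({"endpoint": None, "allowed_ips": [], "handshake_age": None})
        elif line.startswith("  ") and peers:  # indented lines before any peer are interface attributes
            key, _, value = line.strip().partition(": ")
            if key == "endpoint":
                peers[-1]["endpoint"] = value
            elif key == "allowed ips" and value != "(none)":
                peers[-1]["allowed_ips"] = [ip_network(a.strip()) for a in value.split(",")]
            elif key == "latest handshake":
                peers[-1]["handshake_age"] = handshake_age_seconds(value)
    return ifaces


def tunnel_route_check(ip_route_text, wg_show_text, iface, max_handshake_age=180):
    """Does the main table send all IPv4 into `iface`, and did its peer handshake recently?
    WireGuard re-handshakes about every two minutes while traffic flows, so older is suspect."""
    best = {}
    for r in parse_ip_route(ip_route_text):
        # Same prefix listed twice: lowest metric wins, first listed wins on a tie.
        if r["dst"] not in best or r["metric"] < best[r["dst"]]["metric"]:
            best[r["dst"]] = r
    via_tunnel = [r["dst"] for r in best.values() if r["dev"] == iface]
    covers_default = bool(via_tunnel) and list(collapse_addresses(via_tunnel)) == [ip_network("0.0.0.0/0")]
    # More-specific prefixes under a tunnel route that leave through another device (LAN, endpoint, ...).
    bypass = sorted(str(r["dst"]) for r in best.values()
                    if r["dev"] != iface and any(r["dst"].subnet_of(t) for t in via_tunnel))
    peers = parse_wg_show(wg_show_text).get(iface, [])
    ages = [p["handshake_age"] for p in peers if p["handshake_age"] is not None]
    return {
        "default_via_tunnel": covers_default,
        "bypass_prefixes": bypass,
        "peer_allowed_ips": [str(a) for p in peers for a in p["allowed_ips"]],
        "handshake_age": min(ages) if ages else None,
        "handshake_fresh": bool(ages) and min(ages) <= max_handshake_age,
    }


if __name__ == "__main__":
    for label, table in (("as posted", SAMPLE_IP_ROUTE), ("default via wg1", SAMPLE_IP_ROUTE_FIXED)):
        print(label, tunnel_route_check(table, SAMPLE_WG_SHOW, "wg1"))
```

A fresh handshake and growing transfer counters only prove that some traffic uses the tunnel; the routing-table half of the check is what tells you whether all of it does, which is the distinction the thread turns on.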

This is because I am actually using pbr, but I also tried routing all the traffic, and I had the same result :frowning:

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '192.168.1.5'
	option dest_dns '1.1.1.1'
	option enabled '0'

config policy
	option name 'wg1'
	option interface 'wg1'
	option dest_addr 'wantedDomains.com'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'
root@OpenWrt:~# wg show
interface: wg0
  public key: XXXXXXXXXXXXXXXXXXXXX=
  private key: (hidden)
  listening port: 51820

peer: XXXXXXXXXXXXXXXXXXXXX=
  allowed ips: 10.0.0.2/32
  persistent keepalive: every 25 seconds

interface: wg1
  public key: XXXXXXXXXXXXXXXXXXXXX=
  private key: (hidden)
  listening port: 46069

peer: XXXXXXXXXXXXXXXXXXXXX=
  endpoint: 146.70.186.205:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 3 seconds ago
  transfer: 395.41 MiB received, 61.71 MiB sent
  persistent keepalive: every 25 seconds

root@OpenWrt:~# ip route show
default via 192.168.1.1 dev wan proto static src 192.168.1.249
10.0.0.2 dev wg0 proto static scope link
10.14.0.0/16 dev wg1 proto kernel scope link src 10.14.0.2
146.70.186.205 via 192.168.1.1 dev wan proto static
192.168.1.0/24 dev wan proto kernel scope link src 192.168.1.249
192.168.3.0/24 dev br-lan proto kernel scope link src 192.168.3.1
root@OpenWrt:~#

Since this appears to be an IPv4 only VPN, you need to be sure the endpoints aren't bypassing the VPN by using a local IPv6 connection. Does your ISP have IPv6? The simplest workaround is to disable v6 on the wan by removing wan6.

You have a good connection.

To rule out any PBR or DNS problem I would disable PBR and enable route allowed IPs; if you still have this problem then I would lower the MTU on the WG interface (although it already is somewhat lower).

Other thing to look at, if you have IPv6 on your network then your LAN clients might use IPv6 instead of IPv4 and you only route IPv4 via the WG tunnel.

To close that gap you can add to the Allowed IPs

list allowed_ips '::0/1'
list allowed_ips '8000::/1'

In case you are asking why not ::0/0, that is because IPv6 source routing is enabled by default.

IPv6 addresses are not currently supported by Surfshark. So I shall most probably remove wan6. I will let you know. Thanks

I tried to disable PBR (and enable route allowed IPs) some days back; I will try again later this evening. I will try to reduce the MTU as well, but 1350 is the one I used with the Android app. As for IPv6, addresses are not currently supported by Surfshark, and I will most probably remove wan6 as suggested by mk24.

I know it is not supported, but if you add the allowed IPs you will at least close this gap and then your clients might fall back to IPv4.


It finally was PBR :pleading_face:

I tried to disable it and reboot, and it is working now without pbr.

Probably I am not routing everything that is needed. Thanks

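
An added example, not code from the thread or from pbr, covering both the PBR point the last post lands on and the IPv6 gap egc raised earlier. It models the thread's setup as follows: with resolver_set 'dnsmasq.nftset', pbr policy-routes only destinations whose names fall under a policy's dest_addr domains (dnsmasq nftset matching covers a domain and all of its subdomains); with ipv6_enabled '0', IPv6 destinations stay on the main table; and route_allowed_ips '1' on wg1 installs the peer's allowed_ips as kernel routes. Feed it the dnsmasq query log for one page load (logread -e dnsmasq, with dnsmasq option log-queries) and it says, per lookup, whether the resulting connection leaves through wg1 or through the WAN. The log lines, the CDN and auth hostnames, and the three configuration dicts are constructed; the semantics above are assumptions stated as such, not pbr's own code.

```python
"""Which of a page's DNS lookups would actually leave through the WireGuard tunnel?
Added example, not code from the thread or from pbr; log lines and hostnames are constructed."""
import re
from ipaddress import collapse_addresses, ip_network

# Constructed `logread -e dnsmasq` excerpt (dnsmasq option log-queries) for one page load.
SAMPLE_LOG = """\
Thu Jan  9 20:11:02 2025 daemon.info dnsmasq[2312]: query[A] wanteddomains.com from 192.168.3.100
Thu Jan  9 20:11:02 2025 daemon.info dnsmasq[2312]: query[AAAA] wanteddomains.com from 192.168.3.100
Thu Jan  9 20:11:03 2025 daemon.info dnsmasq[2312]: query[A] www.wanteddomains.com from 192.168.3.100
Thu Jan  9 20:11:03 2025 daemon.info dnsmasq[2312]: query[A] static.wanteddomains-cdn.net from 192.168.3.100
Thu Jan  9 20:11:03 2025 daemon.info dnsmasq[2312]: query[AAAA] static.wanteddomains-cdn.net from 192.168.3.100
Thu Jan  9 20:11:04 2025 daemon.info dnsmasq[2312]: query[A] api.example-auth.com from 192.168.3.100
"""

# The thread's configuration as modeled here: one pbr policy for the main domain, no route_allowed_ips.
THREAD_CFG = {"policy_domains": ["wantedDomains.com"], "pbr_ipv6": False,
              "route_allowed_ips": False, "allowed_ips": ["0.0.0.0/0"]}
# pbr disabled and route_allowed_ips '1': all IPv4 via wg1, IPv6 still follows the main table.
ROUTE_ALL_V4 = {"policy_domains": [], "pbr_ipv6": False,
                "route_allowed_ips": True, "allowed_ips": ["0.0.0.0/0"]}
# Same, plus the two IPv6 halves suggested in the thread, so AAAA answers cannot escape via wan6.
ROUTE_ALL = dict(ROUTE_ALL_V4, allowed_ips=["0.0.0.0/0", "::/1", "8000::/1"])

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(A|AAAA)\] (\S+) from (\S+)")


def matches_policy(name, policy_domains):
    """dnsmasq nftset name matching as modeled: the domain itself and any subdomain, case-insensitive."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in (p.lower().rstrip(".") for p in policy_domains))


def covers_everything(allowed_ips, version):
    """True when the allowed_ips of the given IP version collapse to the whole address space."""
    nets = [ip_network(a) for a in allowed_ips if ip_network(a).version == version]
    whole = ip_network("0.0.0.0/0" if version == 4 else "::/0")
    return bool(nets) and list(collapse_addresses(nets)) == [whole]


def classify(rtype, name, cfg):
    """'tunnel' or 'wan' for a connection to the addresses a query of this type returns."""
    version = 4 if rtype == "A" else 6
    # route_allowed_ips installs the peer's allowed_ips as routes: anything covered enters the tunnel.
    if cfg["route_allowed_ips"] and covers_everything(cfg["allowed_ips"], version):
        return "tunnel"
    # Otherwise only pbr-selected destinations are policy-routed, and only IPv4 unless ipv6_enabled.
    if matches_policy(name, cfg["policy_domains"]) and (version == 4 or cfg["pbr_ipv6"]):
        return "tunnel"
    return "wan"


def audit(log_text, cfg):
    """Map each (name, record type) seen in the dnsmasq query log to its exit path."""
    out = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            rtype, name, _client = m.groups()
            out[(name.lower(), rtype)] = classify(rtype, name, cfg)
    return out


def leaks(log_text, cfg):
    """Lookups whose connections would bypass the tunnel, sorted for stable output."""
    return sorted(k for k, v in audit(log_text, cfg).items() if v == "wan")


if __name__ == "__main__":
    for label, cfg in (("as posted", THREAD_CFG), ("route_allowed_ips", ROUTE_ALL_V4), ("+ IPv6 halves", ROUTE_ALL)):
        print(f"{label}: bypass wg1 -> {leaks(SAMPLE_LOG, cfg)}")
```

Run against the constructed log, the as-posted configuration sends only the two wanteddomains.com A lookups through wg1; the page's third-party hosts and every AAAA lookup go out the WAN, which is the split the thread ended up diagnosing. Enabling route_allowed_ips closes the IPv4 half, and the ::/1 and 8000::/1 allowed IPs close the IPv6 half.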
