TorGuard VPN + Wireguard - route all traffic

So I have been working with TorGuard support for the past day or so, just confirming their config generator, and as of right now I am successfully getting a 3-way handshake connection working on my new VPN interface.

The goal is to route all devices LAN > WAN > LAN via the VPN.

Right now I am looking for more direction on how to apply the VPN to LAN traffic exiting to, and returning from, the WAN.

I am presuming I need to set up some sort of default gateway / IP rules now?

(Attached is the current router config with all public IP addresses redacted; it should be sufficient.)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r19327-5959c46456
 -----------------------------------------------------
~# uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.50.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option listen_port '51820'
        list addresses 'xxxxxxxxxxxxxx'
        option force_link '1'
        option mtu '1292'
        option peerdns '0'
        list dns '8.8.8.8'

config wireguard_wg0
        option description 'Butters'
        option public_key 'P/ww/R0OlFyh1NQudHXDy3nLzrt6tNFjPkusZy9MCDo='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'xxxxxxxxxxxxxxx'
        option endpoint_port '1443'
        option persistent_keepalive '25'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'WgVPN'
        option output 'ACCEPT'
        list network 'wg0'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'WgVPN'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet xxxxxxxxxxxxxxxx brd xxxxxxxxxxxxxxx scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.50.1/24 brd 10.0.50.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1292 qdisc noqueue state UNKNOWN qlen 1000
    inet xxxxxxxxxxxxxxx brd xxxxxxxxxxxxxxx scope global wg0
       valid_lft forever preferred_lft forever
default via xxxxxxxxxxxxx dev wan  src xxxxxxxxxxxxxxxxxxx
10.0.50.0/24 dev br-lan scope link  src 10.0.50.1
xxxxxxxxxxxxxx dev wg0 scope link  src xxxxxxxxxxxx
xxxxxxxxxxxxxxxxx via xxxxxxxxxxxxxxxxxx dev wan
xxxxxxxxxxxxxxxxxx dev wan scope link  src xxxxxxxxxxxxxxxxxx
broadcast 10.0.50.0 dev br-lan table local scope link  src 10.0.50.1
local 10.0.50.1 dev br-lan table local scope host  src 10.0.50.1
broadcast 10.0.50.255 dev br-lan table local scope link  src 10.0.50.1
broadcast xxxxxxxxxxxxxx dev wg0 table local scope link  src xxxxxxxxxxxxxxx
local xxxxxxxxxxxxxxxx dev wg0 table local scope host  src xxxxxxxxxxxxx
broadcast xxxxxxxxxxxxxxxxxxx dev wg0 table local scope link  src xxxxxxxxxxxxxxx
broadcast xxxxxxxxxxxxxxxxxxx dev wan table local scope link  src xxxxxxxxxxxxxxxxxxxx
local xxxxxxxxxxxxxxxxx dev wan table local scope host  src xxxxxxxxxxxxxxxxxxxxxxxxx
broadcast xxxxxxxxxxxxxxxxxxxx dev wan table local scope link  src xxxxxxxxxxxxxxxxxxxxx
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
interface: wg0
  public key: 4smHOrLLU10f6DAvoU5KzKtn0isAIABj1YFx+j8HQS4=
  private key: (hidden)
  listening port: 51820

peer: P/ww/R0OlFyh1NQudHXDy3nLzrt6tNFjPkusZy9MCDo=
  endpoint: xxxxxxxxxxxxxxxx:1443
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 34 seconds ago
  transfer: 92 B received, 276 B sent
  persistent keepalive: every 25 seconds

Have you seen these tools?

Exactly what I am looking for!

The previous info was from 2 years ago; I found it in someone else's thread. :fist_right: :fist_left:

No prob, it took me several weeks to work out the correct search terms to find this information. Glad it perked you up. I'm feeling the fist bump!

Let me shamelessly plug this; it might be handy if you jump ship from TorGuard to SurfShark:

I actually have both services; I just didn't see, at the time, that WireGuard config files could be obtained.

I am still trying to make my way through the user guide docs and Google/YouTube before making a noob post lol.

I am going to check that out; if it's easier than setting up TorGuard I'm all about it.

Will post an update here later..

I appreciate your help Bill and linking me up with both resources.

I started with this guide, and it gave me all the info I needed for setting up WireGuard and routing all the traffic through it, leaving WAN and WAN6 with a higher metric just in case.

That was a cool 15 min video! We're still waiting for SurfShark to provide a conf file like Mullvad does.

Maybe you can use this tool to generate your own config file from your SurfShark private key:

Sad face... That requires Python and a different kernel in my case. Cool development though. Thanks for the linkage!

You can do it on any computer; there is no need to run it on your router. You can even clone the repo and run it as a GitHub Action.

In any case, WireGuard basically only requires the tunnel and peer info, which is basically a pair of keys and a couple of IP addresses. What kind of info does SurfShark provide for WireGuard?

I followed this prior to posting in the forums for TorGuard.
It did not work for me; there are also certain config elements TorGuard has that were not done for Mullvad.

Great video though; also onemarcfifty has a great channel.

TorGuard config format:

# TorGuard WireGuard Config
[Interface]
PrivateKey = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
ListenPort = '12345'
MTU = 1292
DNS = x.x.x.x
Address = 'xxxxxxxxxxxxxxxxxx'

[Peer]
PublicKey ='xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
AllowedIPs = 0.0.0.0/0
Endpoint = 'xxxxxxxxxxxxxxxxxx'
PersistentKeepalive = 25

Thanks. Generate the config at https://torguard.net/tgconf.php?action=vpn-openvpnconfig , then on OpenWrt:

1) Click the System drop-down menu, choose Software and install the package "luci-proto-wireguard".
2) On the main menu select Network > Interfaces. Click "Add new interface". Give it a name like TGInterface, select Protocol "WireGuard VPN" and press Submit.
3) Fill in the fields using the values from the downloaded config.
4) On the Advanced Settings tab, check the box "Force link".
5) Click the Network drop-down menu > Firewall. Add a new zone, name it TGWireguard, set it to go from and to LAN, apply it to TGInterface, set all to Accept, check the Masquerade box and save.
6) Click Network > DHCP and DNS settings and set DNS forwarding to 8.8.8.8.

Apply, reboot the router and check whether your IP changes.

Any computer with Python... yeah, or you could just use the confs from your router's shell.sh download to use the WireGuard desktop app.

EDIT

Nothing yet! Just a wish list
https://surfshark.featureupvote.com/

It is impossible to help you if you do not explain what the new elements are that you don't have. Usually you post the config file here after modifying keys, passwords and IPs, and then we can see how to use that in OpenWrt.
With vague details you will only get vague answers.

With the data you shared in your OP, I see the problem is probably the lack of a metric for each WAN interface. Just assign a metric to each WAN interface; the one with the lower metric will route all the traffic if the interface is up. That way you don't have to worry about the firewall.
By the way, my VPNs, WAN and WAN6 are all in the same wan zone in the firewall. For simple routing like the one you are describing, you don't need to create additional zones.
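Added example, not from the thread and not OpenWrt's, TorGuard's or any poster's code: the uci changes that apply the metric advice above to the config in the first post, plus a small check that reads `ip -4 route` output and reports whether the wg0 default route actually wins. One thing the routing table in the first post shows is that there is no default route over wg0 at all (only wg0's own subnet), because the peer section has no `route_allowed_ips`; a WAN metric alone does not change that. The script assumes the interface names `wan` and `wg0`, the zone name `WgVPN`, and the section order of the posted config (`@zone[2]` is WgVPN, `@forwarding[0]` is lan to wan); the route snapshots inside are constructed, with documentation addresses standing in for the redacted ones.

```shell
#!/bin/sh
# Added example: route all LAN traffic via wg0 on the config posted in this
# thread, and check the result. Assumptions: interfaces wan/wg0, zone WgVPN,
# zone[2] == WgVPN and forwarding[0] == lan->wan as in the posted uci export.

# Emit a `uci batch` script. Read it first, then:  vpn_route_all_uci | uci batch
#  - wan gets a worse metric so wg0's default route (metric 0) wins while up
#  - route_allowed_ips makes allowed_ips 0.0.0.0/0 install that default route
#  - mtu_fix on the VPN zone clamps TCP MSS for the 1292-byte tunnel MTU
#  - dropping the lan->wan forwarding is the kill switch: the wan zone has
#    forward REJECT, so LAN traffic has no path when wg0 is down
vpn_route_all_uci() {
    cat <<'EOF'
set network.wan.metric=10
set network.@wireguard_wg0[0].route_allowed_ips=1
set firewall.@zone[2].mtu_fix=1
delete firewall.@forwarding[0]
commit network
commit firewall
EOF
}

# Read `ip -4 route show` on stdin and classify the default-route situation:
#   NO_VPN_DEFAULT   no default route over wg0 at all (state in the first post)
#   WAN_WINS:<dev>   wg0 has a default route, but <dev> has one with an equal
#                    or better metric, so traffic still leaves via the WAN
#   VPN_DEFAULT      wg0's default route has the best metric
default_route_state() {
    awk '
    $1 == "default" {
        dev = ""; metric = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (dev != "" && (!(dev in best) || metric < best[dev])) best[dev] = metric
    }
    END {
        if (!("wg0" in best)) { print "NO_VPN_DEFAULT"; exit }
        for (d in best)
            if (d != "wg0" && best[d] <= best["wg0"]) { print "WAN_WINS:" d; exit }
        print "VPN_DEFAULT"
    }'
}

# Constructed snapshot of the routing table as posted above (redacted public
# addresses replaced with documentation ranges): no default over wg0.
before='default via 203.0.113.1 dev wan  src 203.0.113.7
10.0.50.0/24 dev br-lan scope link  src 10.0.50.1
10.13.0.0/24 dev wg0 scope link  src 10.13.0.2
198.51.100.5 via 203.0.113.1 dev wan'
printf '%s\n' "$before" | default_route_state
```

Check the section indexes with `uci show firewall | grep -E 'zone|forwarding'` before piping into `uci batch`; they shift if zones were added in a different order. After `ifup wg0`, run `ip -4 route show | default_route_state` and `wg show wg0 latest-handshakes` from the router, then test from a LAN host. Two caveats that follow from the posted config: the peer's allowed_ips has no `::/0`, so if a wan6 interface is ever added, IPv6 from the LAN (which has `ip6assign`) would bypass the tunnel; and the router's own DNS (8.8.8.8 on both wan and wg0) follows the default route, so it moves into the tunnel along with everything else.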

Grab a local installer for your brand of PC and test the conf file from your desktop.

It is a good way to test the data in the config file. But be aware that sometimes the files are not compatible with the app and you have to add the data manually.

@XODIA meaning this, not like the YouTube video.

Exactly. The only problem is that someone outside your WAN could send packets to be routed through your VPN. It is a risk, but very unlikely. To be 100% safe, creating a different zone for each WAN adapter would be the safest, but it is not necessary.

Likely to fail, since TorGuard did not supply him with a second peer.

Example SurfShark

[Interface]
PrivateKey=KLVVJCdgouxxxxxxxx7XFs0AIlnZ0ZlXMxXwThrcH0=
Address=10.14.0.2/8
MTU=1350

[Peer]
PublicKey=o07k/2dsaQkLLSR0dCI/FUd3FLik/F/HBBcOGUkNQGo=
AllowedIPs=172.16.0.36/32
Endpoint=wgs.prod.surfshark.com:51820
PersistentKeepalive=25

[Peer]
PublicKey=PDALU3lNKMUngtLtfCAcfxrHq3C8AFzI/OVwlQd7WBQ=
AllowedIPs=0.0.0.0/0
Endpoint=us-tpa.prod.surfshark.com:51820
PersistentKeepalive=25
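Added example, mine rather than the thread's, TorGuard's, SurfShark's or OpenWrt's code: a POSIX shell/awk converter from the wg-quick style `.conf` shown in the TorGuard and SurfShark posts above into `uci batch` commands, the command-line equivalent of steps 2 to 4 of the LuCI walkthrough earlier in the thread. It tolerates the TorGuard quirks (values wrapped in single quotes, `PublicKey =` without a space, a comment line) and the SurfShark layout (two `[Peer]` sections), splits `Endpoint` into host and port, and turns comma-separated `Address`, `DNS` and `AllowedIPs` into `add_list` entries. Assumptions: the interface is called `wg0`, peers are named `wg0_peerN`, and every peer gets `route_allowed_ips=1` so `AllowedIPs = 0.0.0.0/0` becomes the default route; the keys in the embedded sample are placeholders, not real keys.

```shell
#!/bin/sh
# Added example: wg-quick .conf (TorGuard / SurfShark style) -> uci commands
# for an OpenWrt "wireguard" interface. Assumes the interface name given as $1
# and names peers <ifname>_peerN; the firewall zone is a separate step.

wgconf_to_uci() {
    # $1 = OpenWrt interface name, stdin = .conf text
    tr -d '\r' | sed -e 's/#.*$//' -e "s/['\"]//g" | awk -v ifn="$1" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # comma-separated value -> one add_list line per item
    function listopt(opt, csv,    n, i, p) {
        n = split(csv, p, ",")
        for (i = 1; i <= n; i++) print "add_list network." cur "." opt "=" trim(p[i])
    }
    /^[ \t]*\[/ {
        sec = toupper(trim($0))
        if (sec == "[INTERFACE]") {
            cur = ifn
            print "set network." cur "=interface"
            print "set network." cur ".proto=wireguard"
        } else if (sec == "[PEER]") {
            np++
            cur = ifn "_peer" np
            print "set network." cur "=wireguard_" ifn
            print "set network." cur ".description=peer" np
            print "set network." cur ".route_allowed_ips=1"
        }
        next
    }
    index($0, "=") == 0 { next }          # blank or comment-only line
    {
        key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
        val = trim(substr($0, index($0, "=") + 1))
        if (sec == "[INTERFACE]") {
            if      (key == "privatekey") print "set network." cur ".private_key=" val
            else if (key == "listenport") print "set network." cur ".listen_port=" val
            else if (key == "mtu")        print "set network." cur ".mtu=" val
            else if (key == "address")    listopt("addresses", val)
            else if (key == "dns")      { print "set network." cur ".peerdns=0"; listopt("dns", val) }
            else print "unhandled [Interface] key: " key | "cat 1>&2"
        } else if (sec == "[PEER]") {
            if      (key == "publickey")           print "set network." cur ".public_key=" val
            else if (key == "presharedkey")        print "set network." cur ".preshared_key=" val
            else if (key == "allowedips")          listopt("allowed_ips", val)
            else if (key == "persistentkeepalive") print "set network." cur ".persistent_keepalive=" val
            else if (key == "endpoint") {
                n = split(val, a, ":"); port = a[n]        # split on the last colon
                host = substr(val, 1, length(val) - length(port) - 1)
                gsub(/^\[|\]$/, "", host)                  # strip [ ] from a v6 literal
                print "set network." cur ".endpoint_host=" host
                print "set network." cur ".endpoint_port=" port
            }
            else print "unhandled [Peer] key: " key | "cat 1>&2"
        }
    }'
}

# Constructed sample mixing the TorGuard quoting style with SurfShark's two
# peers. The base64 strings are placeholders, not real WireGuard keys.
demo_conf_to_uci() {
    wgconf_to_uci wg0 <<'EOF'
# TorGuard WireGuard Config
[Interface]
PrivateKey = 'cHJpdmF0ZS1rZXktcGxhY2Vob2xkZXItMDAwMDAwMDA='
ListenPort = '12345'
MTU = 1292
DNS = 8.8.8.8
Address = '10.13.0.2/24'

[Peer]
PublicKey ='cGVlci1rZXktcGxhY2Vob2xkZXItMTExMTExMTExMQ='
AllowedIPs = 172.16.0.36/32
Endpoint = 'wgs.example.net:51820'
PersistentKeepalive = 25

[Peer]
PublicKey ='cGVlci1rZXktcGxhY2Vob2xkZXItMjIyMjIyMjIyMg='
AllowedIPs = 0.0.0.0/0
Endpoint = 'vpn.example.net:1443'
PersistentKeepalive = 25
EOF
}

demo_conf_to_uci
```

Real use is `wgconf_to_uci wg0 < TorGuard.conf | uci batch && uci commit network && ifup wg0`; the firewall zone and the lan-to-zone forwarding (step 5 of the walkthrough) are still needed, and the converter prints any key it does not recognise to stderr rather than silently dropping it. Stripping the quotes is deliberate: wg-quick itself would reject the quoted TorGuard values, which is one reason a desktop app may choke on that file, as noted later in the thread.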

Maybe you can test this solution with Surfshark:

I am going to start from scratch with the steps provided to me by TorGuard support.

In the video, which is configured using Mullvad, he doesn't have to configure any VPN routing policies or download the software in his explanation, and yet he is able to at least show his network tunneled through the VPN.

If there is any more information from the configuration that I can provide unredacted (other than public IPs), let me know.

Otherwise, I'm going to just hit the VPN policy document on routing.
I learn by doing :smiley: