Trouble setting up wireguard client on OpenWrt

Hello

I have an Asus RT-AC51U router which I have flashed with latest OpenWrt for that router. I have installed the wireguard protocol and set up a connection to a VPN server. I get a handshake on WireGuard stats, however traffic from devices is not routed through the interface.

The Asus router is connected to my ISP router (192.168.0.1), I have set lan interface on OpenWrt to be a static address 192.168.1.1 with 192.168.0.1 to be my gateway.

Am I missing something? What is the reason I get a handshake but my devices still show my ISP IP?

Only devices connected to the OpenWrt router (on the 192.168.1.0/24 network) will be sent through the tunnel.

Let's see the configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Yes, but those devices are not sent through the tunnel, this is specifically what the problem is.

cat /etc/config/network

# /etc/config/network as posted. The private key and MAC address were
# redacted by the poster; a WireGuard private key must never be pasted
# into a public thread.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd63:f05d:3284::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

# lan: static 192.168.1.1/24; ip6assign also delegates an IPv6 prefix to
# the lan, so lan clients get IPv6 as well as IPv4.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
# NOTE(review): a default gateway on the lan interface competes with the
# default route wan obtains via dhcp and with the route the tunnel installs;
# the reply "remove the gateway from below" presumably means this line.
	option gateway '192.168.0.1'

# wan/wan6: addresses are obtained from the upstream ISP router
# (192.168.0.1) over eth0.2.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

# switch: VLAN 1 = lan ports 1-4, VLAN 2 = wan port 0, both tagged to the
# CPU port 6 (eth0.1 / eth0.2 above).
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config device
	option name 'wg'
	option ipv6 '1'

# wg: the WireGuard client interface.
# - auto '0' keeps it from starting at boot (the poster later relies on this
#   to test without the tunnel).
# - the 'dns' entries here do not change what lan clients use as resolver;
#   as noted later in the thread, the resolver has to be set in dnsmasq
#   (/etc/config/dhcp), otherwise client DNS still goes to the ISP resolver
#   -- the DNS leak reported below.
config interface 'wg'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	list addresses '10.5.0.2/32'
	list dns '103.86.96.100'
	list dns '103.86.99.100'
	option metric '10'
	option auto '0'

# Peer: allowed_ips 0.0.0.0/0 with route_allowed_ips '1' installs an IPv4
# default route through the tunnel. No '::/0' is listed, so lan IPv6 traffic
# (see ip6assign above) is presumably not tunnelled and still egresses via
# wan6 -- worth re-checking with an IPv6 leak test even after the cabling
# mix-up described at the end of the thread is fixed.
# endpoint_host is a hostname, so the router itself needs a working resolver
# (and correct time for the handshake) before the tunnel can come up; this is
# why a reachable public DNS server is still needed outside the tunnel.
config wireguard_wg
	option description 'uk1905.nordvpn.com'
	option public_key 'K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'uk1905.nordvpn.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	
	
	
	
cat /etc/config/firewall	
	
# /etc/config/firewall as posted.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone: NAT (masq) and MSS clamping (mtu_fix) for the ISP uplink.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# lan -> wan forwarding. Removing this stanza is what the thread uses as a
# "kill switch": without it, lan clients can only reach the tunnel zone.
# The router's own traffic (its DNS, NTP and the WireGuard endpoint) is not
# lan-zone traffic and is unaffected by this forwarding.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below appear to be the stock OpenWrt rules that open wan input
# for a few control-plane protocols (DHCP renew, ping, IGMP, DHCPv6, MLD,
# rate-limited ICMPv6).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Allow-IPSec-ESP / Allow-ISAKMP accept unsolicited ESP and UDP/500 from wan
# into lan. They look like shipped defaults; nothing in this thread uses
# IPsec, so they can be removed if no IPsec responder is expected on the lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# vpnfirewall: no 'list network' binds an interface to this zone, so it
# appears to be an orphan (masq on a zone with no members). The reply
# "Delete this: ... and this:" presumably refers to this zone and the
# lan -> vpnfirewall forwarding at the end of the file.
config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# wgfirewall: the tunnel zone. input REJECT keeps the far end from reaching
# the router's own services; masq is needed because the tunnel has only the
# single address 10.5.0.2/32; mtu_fix clamps MSS for the tunnel MTU.
config zone
	option name 'wgfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg'

# lan -> tunnel forwarding; together with the route installed by
# route_allowed_ips this is what sends lan clients through the VPN.
config forwarding
	option src 'lan'
	option dest 'wgfirewall'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

remove the gateway from below:

Remove this stanza:

Remove the last 2 lines of this stanza (assuming you want to tunnel everything):

Delete this:

and this:

Then restart and try again.

Thank you, that worked. However, running a dns leak test, it exposes my ISP. I have set DNS server IPs for the wg interface. What could be causing this?

NVM, I unchecked wan and wan6 to use DNS advertised by peer, that fixed the issue.

I noticed. I didn't say anything about it because it doesn't cause problems (i.e. making things fail to work), but it actually doesn't do anything either.

You need to set the desired DNS server in dnsmasq.

By the way, due to the nature of setting up this client, if I add more peers to the wg interface, how would it use them? I am going to add a kill switch, but I also want to add different peers as a failsafe — if, for example, the connection to one of the servers drops, would something like that even be possible? Or should I create a separate interface for each server?

There are posts about using commercial VPNs with multiple interfaces/peers... search the forum and you should be able to find those -- complete with explanations about how to achieve that goal.


So I removed the lan-to-wan firewall zone forwarding to act as a kill switch, but after re-enabling it, internet connectivity is not restored. It is not restored when I stop the wg interface, and it is not even restored after a reboot. Does the order in /etc/config/firewall matter? Obviously, when I re-enabled the zone forwarding from lan to wan, it went to the bottom of the config. Literally nothing else changed, yet after a reboot there is no connectivity, either through wg or with the wg interface disabled...

This has to do with the way the routing tables are updated.

Once you disable Wireguard, you need to restart the wan interface.

I have configured wg interface NOT to start on reboot, rebooted and still the same. no network at all.
I feel more and more like LuCI is kind of useless when it comes to a bit more complex tasks. Guess I will have to stick to changing configurations through the CLI.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Did you re-enable the lan > wan forwarding?
Did you change your DNS settings?

aah I forgot to reenable the ISP DNS. Thank you, that explains it.

you're welcome.


But that makes me think:
If I restart my router with the wg interface set to start at boot, the ISP DNS has to be enabled at start so the wg interface can establish a connection to the VPN server. That means every time the router starts, I will have to disable peer DNS and then disable the zone forwarding from lan to wan manually in order to activate the kill switch. Even if I were to write a bash script, there is still going to be a moment in time where my DNS is leaking and the kill switch is not enabled. Furthermore, if the connection to the VPN server drops, I will then have to re-enable the lan-to-wan fw zone forwarding and the ISP DNS in order to connect to another server. Okay, so this is a pretty complex task and, given my knowledge, I am sure I will just have to live with doing that manually, so I am not going to attempt to automate it.

However, this still means that my endpoint device is going to be exposed, or leaking DNS. Is there any option to enable the wg interface for a specific mac address connected to the router? That way my end point device (my laptop) wouldn't be exposed at any given moment of time, even if the connection drops, until I connect to another server manually.

Maybe I will have to add specific traffic rules but I am unsure what exactly needs to be done. I only have the concept which I have described but I am very confused how to approach this problem.

Not entirely.

The kill switch can always be active. That affects the lan > wan forwarding. The router's own traffic is not part of the lan zone.

But, you need to use a public DNS server (doesn't need to be your ISPs or the DHCP advertised ones) so that 2 things can happen:

  1. NTP must sync to ensure proper time. Without accurate time, the VPN cannot establish a connection.
  2. You must be able to resolve the domain name for your remote VPN endpoint (unless it has a static IP that therefore doesn't require DNS).

Personally, I use a public DNS (such as 8.8.8.8) for my travel-endpoint (road warrior config that connects to my home) so that my device can reliably resolve the 'home' vpn endpoint. Once the tunnel is up, all the DNS traffic to 8.8.8.8 actually goes through the tunnel and egresses on the far side of my tunnel (home, in my case). So while it is true that this configuration would represent a DNS leak in the strict definition, the local side of your connection would not be able to observe the DNS in any way since it would be encrypted through the tunnel to the far end and then it would egress from that endpoint.


Thank you for the heads-up. I now ran into another problem. It seems wg masks my ISP IPv4 but not my IPv6, which still leaks. I connected a second device to the router while the first one was busy, then disconnected the first one. From what I've read, there is a chance my ISP assigns only IPv6 to my network — might that be what the laptop was using? Or is it because the OpenWrt router is behind my ISP router?

My ISP provided IPv6 is xxxx:xxx:xxx:xxxx::/64, that means I can use the rest. Still wondering how to mask it though, I have gone troubleshooting but really most cases are for setting up a VPN server on OpenWrt and not for using a commercial VPN server.

EDIT: Right, I keep making simple mistakes, it's time to go to bed.
All this time I had been connected to my OpenWrt via cable and to my ISP router wirelessly from the same device.
Then I wonder why I get leaks.
Oh. My. God.
