VPN doesn't work

Hi.
I spent the whole day trying to configure the Surfshark VPN on my router.
I tried OpenVPN, but it was too difficult.
It was all done over SSH in the terminal.
I found the guide for WireGuard, which is a better way to do it.
The guide is very simple: from the website I can download a configuration file and upload it.
That way I can't make mistakes.
This is the guide, and it's very easy to follow.

I did exactly what they explain, but my VPN interface doesn't exchange data.
My IP is the same.
I also did a hard reset and configured only WireGuard, but the problem is the same.
I think there is a small problem in my configuration that keeps it from working, but I don't know where to look.
Can someone help me?
Thank you.

I have some other information that may be useful.
I cannot see the result of this command:
root@OpenWrt:~# /etc/config/firewall
-ash: /etc/config/firewall: Permission denied

root@OpenWrt:~# cat /etc/config/network

  

config interface 'loopback'

option device 'lo'

option proto 'static'

option ipaddr '127.0.0.1'

option netmask '255.0.0.0'

  

config globals 'globals'

option ula_prefix 'fd35:4530:3f29::/48'

  

config device

option name 'br-lan'

option type 'bridge'

list ports 'lan1'

list ports 'lan2'

list ports 'lan3'

list ports 'lan4'

  

config interface 'lan'

option device 'br-lan'

option proto 'static'

option ipaddr '192.168.1.1'

option netmask '255.255.255.0'

option ip6assign '60'

  

config interface 'wan'

option device 'wan'

option proto 'dhcp'

  

config interface 'wan6'

option device 'wan'

option proto 'dhcpv6'

  

config interface 'TV'

option proto 'static'

option ipaddr '192.168.2.1'

option netmask '255.255.255.0'

list dns '8.8.8.8'

list dns '1.1.1.1'

  

config interface 'WG0'

option proto 'wireguard'

option private_key '**************************'

list addresses '10.14.0.2/16'

list dns '162.252.172.57'

list dns '149.154.159.92'

  

config wireguard_WG0

option description 'it-mil.conf'

option public_key '************************'

list allowed_ips '0.0.0.0/0'

option endpoint_host 'it-mil.prod.surfshark.com'

option endpoint_port '51820'
root@OpenWrt:~# ip -4 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000

    inet 192.168.192.173/24 brd 192.168.192.255 scope global wan

       valid_lft forever preferred_lft forever

10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000

    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan

       valid_lft forever preferred_lft forever

11: WG0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000

    inet 10.14.0.2/16 brd 10.14.255.255 scope global WG0

       valid_lft forever preferred_lft forever

12: wl0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000

    inet 192.168.2.1/24 brd 192.168.2.255 scope global wl0-ap0

       valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -4 ro

default via 192.168.192.1 dev wan  src 192.168.192.173 

10.14.0.0/16 dev WG0 scope link  src 10.14.0.2 

95.174.64.235 via 192.168.192.1 dev wan 

192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 

192.168.2.0/24 dev wl0-ap0 scope link  src 192.168.2.1 

192.168.192.0/24 dev wan scope link  src 192.168.192.173
root@OpenWrt:~# ip -4 ru

0: from all lookup local 

32766: from all lookup main 

32767: from all lookup default

That is not a command, but a text file.
Use cat here too.


We do not know the firewall settings yet, but in the meantime make sure "Route Allowed IPs" is enabled in the WG peer section.


Thank you.

root@OpenWrt:~# cat  /etc/config/firewall

config defaults

option input 'REJECT'

option output 'ACCEPT'

option forward 'REJECT'

option synflood_protect '1'

  

config zone

option name 'lan'

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'ACCEPT'

option mtu_fix '1'

list network 'lan'

  

config zone

option name 'wan'

option input 'REJECT'

option output 'ACCEPT'

option forward 'REJECT'

option masq '1'

option mtu_fix '1'

list network 'wan'

list network 'wan6'

  

config forwarding

option src 'lan'

option dest 'wan'

  

config rule

option name 'Allow-DHCP-Renew'

option src 'wan'

option proto 'udp'

option dest_port '68'

option target 'ACCEPT'

option family 'ipv4'

  

config rule

option name 'Allow-Ping'

option src 'wan'

option proto 'icmp'

option icmp_type 'echo-request'

option family 'ipv4'

option target 'ACCEPT'

  

config rule

option name 'Allow-IGMP'

option src 'wan'

option proto 'igmp'

option family 'ipv4'

option target 'ACCEPT'

  

config rule

option name 'Allow-DHCPv6'

option src 'wan'

option proto 'udp'

option dest_port '546'

option family 'ipv6'

option target 'ACCEPT'

  

config rule

option name 'Allow-MLD'

option src 'wan'

option proto 'icmp'

option src_ip 'fe80::/10'

list icmp_type '130/0'

list icmp_type '131/0'

list icmp_type '132/0'

list icmp_type '143/0'

option family 'ipv6'

option target 'ACCEPT'

  

config rule

option name 'Allow-ICMPv6-Input'

option src 'wan'

option proto 'icmp'

list icmp_type 'echo-request'

list icmp_type 'echo-reply'

list icmp_type 'destination-unreachable'

list icmp_type 'packet-too-big'

list icmp_type 'time-exceeded'

list icmp_type 'bad-header'

list icmp_type 'unknown-header-type'

list icmp_type 'router-solicitation'

list icmp_type 'neighbour-solicitation'

list icmp_type 'router-advertisement'

list icmp_type 'neighbour-advertisement'

option limit '1000/sec'

option family 'ipv6'

option target 'ACCEPT'

  

config rule

option name 'Allow-ICMPv6-Forward'

option src 'wan'

option dest '*'

option proto 'icmp'

list icmp_type 'echo-request'

list icmp_type 'echo-reply'

list icmp_type 'destination-unreachable'

list icmp_type 'packet-too-big'

list icmp_type 'time-exceeded'

list icmp_type 'bad-header'

list icmp_type 'unknown-header-type'

option limit '1000/sec'

option family 'ipv6'

option target 'ACCEPT'

  

config rule

option name 'Allow-IPSec-ESP'

option src 'wan'

option dest 'lan'

option proto 'esp'

option target 'ACCEPT'

  

config rule

option name 'Allow-ISAKMP'

option src 'wan'

option dest 'lan'

option dest_port '500'

option proto 'udp'

option target 'ACCEPT'

  

config zone

option name 'TV'

option input 'REJECT'

option output 'ACCEPT'

option forward 'REJECT'

list network 'TV'

  

config forwarding

option src 'TV'

option dest 'wan'

  

config rule

option name 'TV'

option src 'TV'

option target 'ACCEPT'

  

config zone

option name 'vpn'

option input 'REJECT'

option output 'ACCEPT'

option forward 'REJECT'

list network 'WG0'

option masq '1'

  

config forwarding

option src 'lan'

option dest 'vpn'

I have activated it now.
It wasn't active, but it still doesn't work.
I think the connection goes through the VPN in this case, but the internet doesn't work.
If I deactivate it, the internet works correctly, but without the VPN.
I don't know whether it's a problem with the VPN or with the configuration.

I have almost solved the problem.
I accidentally installed OpenWrt SNAPSHOT firmware r23741-497012ab4e / LuCI Master git-23.223.85458-f7583b6.
Oddly, it works now.
The LAN network works perfectly, while the internet over Wi-Fi does not work.
Can you suggest a solution?
A thousand thanks.

Wi-Fi is usually not enabled by default, so have you enabled and configured it?

I can see the network and I can connect.
Without the VPN active I could browse.
With the VPN active I can browse only over the LAN.

It helps if you share some more information; it looks like you have set up a guest Wi-Fi on a different subnet?
If that is the one you do not have a VPN connection from, then that is because you did not allow it: you only allow forwarding from TV to wan (see above).
If you also want forwarding from TV to vpn, you have to allow that.


I solved the problem.

It would be nice for us and others to learn how you solved the problem, so please explain 🙂

I deleted all the Wi-Fi networks and the firewall configuration I had created before.
I created a new Wi-Fi network attached to the LAN, and it worked.

