Wifi to VPN (using Wireguard)

Hi All,

I have just wasted most of my Saturday getting nowhere on this, trying three different routers on OpenWrt and I have done at least 10 resets (after destroying the networking).

Task: I would like the wifi to go straight to the VPN (using Wireguard).

On the router itself, the Wireguard-VPN connection is fine (confirmed by pinging and curl -4 ifconfig.co)

Though, through the router's wifi I still get the ISP ip address and not the VPN (Wireguard) ip-address I would need.

I have read and followed this (no success):

In principle, it should be quite easy. I have tried the config zones in the /etc/config/firewall:

config forwarding
option src 'lan'
option dest 'wg0_zone'

I even put the src 'wan' to the wg0_zone as well. No luck.

I did have this working with another setup (using a guest network, with the guest virtual ap) but that setup blew the 128mb RAM router to bits a few times (reset was needed each time).

And one last point -- these routers are just access points on the home network, they all use lan-dhcp since I have an old PC doing the internet connection.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf1:6824:8994::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'wg0_int'
    option proto 'wireguard'
    option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    list addresses '10.5.1.4/32'

config wireguard_wg0_int
    option description 'XX'
    option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'
    option endpoint_port 'xxxxxx'
    option persistent_keepalive '15'
    option endpoint_host 'xxxxxxxxxx'

cat /etc/config/wireless

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxxxxxxxxx'
	option encryption 'psk2'
	option key 'xxxxxxxxx'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wg0_zone'

config forwarding
	option src 'wan'
	option dest 'wg0_zone'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wg0_zone'
	option input 'ACCEPT'
	option forward 'ACCEPT'
        list network 'wg0_int'
	option masq '1'
	option output 'ACCEPT'

You only have a single network (lan), so it is currently all or nothing (wired + wireless) in terms of your connection through the VPN. If you want wireless only, you need to create a new network specifically for this purpose.

Your lan zone should not have masquerading enabled. Remove the masq line.

Meanwhile, with your firewall:
Remove this:

Input and forward should be set to reject if this is a commercial VPN or really anything other than a site-to-site or road-warrior type setup.

The wan zone should always have input and forward set to reject or drop (unless the immediate upstream network is fully trusted, such as the lan behind a primary router).

Thanks for the advice but I still have the same problem. The wlan1 is not directing to the wg0_int (the Wireguard vpn interface) but rather I'm still getting my isp's ip address.

what is the output of the following (run from the router itself):

wg show
traceroute google.com

Then run the same traceroute from your computer connected to the wifi.

The wg0_int connection on the OpenWrt router:

pgrep -f -a wg; wg show; wg showconf wg0_int
3 kworker/0:0-wg-
104 kworker/0:1-wg-
2554 wg-crypt-wg0_in
interface: wg0_int
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 55961

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: xx.xx.xx.xx:xxxxx
  allowed ips: 0.0.0.0/0
  latest handshake: 39 seconds ago
  transfer: 15.35 KiB received, 22.91 KiB sent
  persistent keepalive: every 15 seconds
[Interface]
ListenPort = 55961
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xx.xx.xx:xxxxx
PersistentKeepalive = 15

wg show
interface: wg0_int
  public key: xxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 55961

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: xx.xx.xx.xx:xxxx
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 39 seconds ago
  transfer: 16.35 KiB received, 24.28 KiB sent
  persistent keepalive: every 15 seconds

As you can see here, the wg0_int connection on the OpenWrt is working just fine.

There are two devices connected to this OpenWrt access point: both connected just fine, however, they are not using the wg0_int (Wireguard VPN) ip address, rather they are both still using the ISP ip-address.

What is the traceroute result from the router and then your computer?

I just noticed this issue:

The proto should be static if you are creating a lan via this router. If this is connected to an upstream network via the lan interface, your current config will not work the way you expect.

How is this device connected to the upstream network? Lan or wan?

1 Like

The OpenWrt device is just an access point and it is not router of the home network.

The traceroute from the old laptop goes straight to the ISP, as if the config forward command in the /etc/config/firewall is totally ignored.

However, if I create a 'guess network' with its own virtual access point -- then that config forward command for that zone (guest zone) in the /etc/config/firewall is not ignored.

It would be great to see the results... but... this is expected because...

You need to setup another network which is what you have discovered. Or, you can manually set the gateway/router for the client devices to the address of this Openwrt device, but that means not using DHCP on those systems.

EDIT: to elaborate a bit more... since the OpenWrt device is setup as a dumb AP and is simply bridging your wired and wifi networks, the DHCP server on your main router is advertising the main router as the gateway for the network. Therefore, the devices don't even know that the OpenWrt device exists as a gateway. As a result, you need to either setup a different network entirely (and then DHCP can advertise the OpenWrt gateway), or you need to set your client devices with static IPs and the router/gateway setting pointing to the OpenWrt device.

You got this totally wrong. No, I am not using OpenVPN.

If I set up a guest-network, with its own ip-range and its very own dhcp server -- then that will work.

That seems the only way it can work in OpenWrt. However, for this to work you need a fairly recent router with enough RAM. My old router with just 128 mb RAM does not seem to be enough.

That was a typo. I know you're using Wireguard. [EDIT: typo now corrected]

I know. That's what I was saying.

128MB of RAM is plenty for this purpose.

No, 128 mb is not enough. If that was the case, then the guest-network setup would not be crashing my router (I've had to do a reset already a few times now).

That is why I was looking for an alternative, but from what I have seen it does not exist with OpenWrt.

I've done it with 64MB RAM.

You're probably doing something else that is causing the issue.

No, I am not doing anything else which is causing the issue. Prove it or do not speculate.

If it is crashing the router, then you cannot claim it works.

If you'd like my help, don't patronize me. I've helped a lot of people with this exact type of setup, so I do know what I'm doing.

Maybe show some examples of your router crashing -- logs or something that shows the problem in detail? It might be something else that is going wrong (including potentially a failing or underpowered power supply).

This post was flagged by the community and is temporarily hidden.

Fine. I will now bow out of this conversation. When you do find the solution, you will see that everything I have said is correct. Or you may flail around for a while until you stumble upon it.

FWIW, I have been on this forum for a long time and I've earned the rank of "regular" (which is 2 trust levels above your current rank) -- approaching 300 solved threads. In the past, I also used to spend time on another networking forum where I had over 600 solutions (enterprise grade gear). This isn't my first rodeo, and I do this entirely as a volunteer. However, I don't do it when people are disrespectful to me.

3 Likes