I have just wasted most of my Saturday getting nowhere on this, trying three different routers on OpenWrt and I have done at least 10 resets (after destroying the networking).
Task: I would like the wifi to go straight to the VPN (using Wireguard).
On the router itself, the Wireguard-VPN connection is fine (confirmed by pinging and curl -4 ifconfig.co)
Though, through the router's wifi I still get the ISP ip address and not the VPN (Wireguard) ip-address I would need.
I have read and followed this (no success):
In principle, it should be quite easy. I have tried the config zones in the /etc/config/firewall:
config forwarding
option src 'lan'
option dest 'wg0_zone'
I even put the src 'wan' to the wg0_zone as well. No luck.
I did have this working with another setup (using a guest network, with the guest virtual ap) but that setup blew the 128mb RAM router to bits a few times (reset was needed each time).
And one last point -- these routers are just access points on the home network, they all use lan-dhcp since I have an old PC doing the internet connection.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
You only have a single network (lan), so it is currently all or nothing (wired + wireless) in terms of your connection through the VPN. If you want wireless only, you need to create a new network specifically for this purpose.
Your lan zone should not have masquerading enabled. Remove the masq line.
Meanwhile, with your firewall:
Remove this:
Input and forward should be set to reject if this is a commercial VPN or really anything other than a site-to-site or road-warrior type setup.
The wan zone should always have input and forward set to reject or drop (unless the immediate upstream network is fully trusted, such as the lan behind a primary router).
Thanks for the advice but I still have the same problem. The wlan1 is not directing to the wg0_int (the Wireguard vpn interface) but rather I'm still getting my isp's ip address.
pgrep -f -a wg; wg show; wg showconf wg0_int
3 kworker/0:0-wg-
104 kworker/0:1-wg-
2554 wg-crypt-wg0_in
interface: wg0_int
public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
private key: (hidden)
listening port: 55961
peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
endpoint: xx.xx.xx.xx:xxxxx
allowed ips: 0.0.0.0/0
latest handshake: 39 seconds ago
transfer: 15.35 KiB received, 22.91 KiB sent
persistent keepalive: every 15 seconds
[Interface]
ListenPort = 55961
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xx.xx.xx:xxxxx
PersistentKeepalive = 15
wg show
interface: wg0_int
public key: xxxxxxxxxxxxxxxxxxxxxxxx
private key: (hidden)
listening port: 55961
peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
endpoint: xx.xx.xx.xx:xxxx
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 39 seconds ago
transfer: 16.35 KiB received, 24.28 KiB sent
persistent keepalive: every 15 seconds
As you can see here, the wg0_int connection on the OpenWrt is working just fine.
There are two devices connected to this OpenWrt access point: both connected just fine, however, they are not using the wg0_int (Wireguard VPN) ip address, rather they are both still using the ISP ip-address.
The proto should be static if you are creating a lan via this router. If this is connected to an upstream network via the lan interface, your current config will not work the way you expect.
How is this device connected to the upstream network? Lan or wan?
The traceroute from the old laptop goes straight to the ISP, as if the config forward command in the /etc/config/firewall is totally ignored.
However, if I create a 'guess network' with its own virtual access point -- then that config forward command for that zone (guest zone) in the /etc/config/firewall is not ignored.
It would be great to see the results... but... this is expected because...
You need to setup another network which is what you have discovered. Or, you can manually set the gateway/router for the client devices to the address of this Openwrt device, but that means not using DHCP on those systems.
EDIT: to elaborate a bit more... since the OpenWrt device is setup as a dumb AP and is simply bridging your wired and wifi networks, the DHCP server on your main router is advertising the main router as the gateway for the network. Therefore, the devices don't even know that the OpenWrt device exists as a gateway. As a result, you need to either setup a different network entirely (and then DHCP can advertise the OpenWrt gateway), or you need to set your client devices with static IPs and the router/gateway setting pointing to the OpenWrt device.
You got this totally wrong. No, I am not using OpenVPN.
If I set up a guest-network, with its own ip-range and its very own dhcp server -- then that will work.
That seems the only way it can work in OpenWrt. However, for this to work you need a fairly recent router with enough RAM. My old router with just 128 mb RAM does not seem to be enough.
No, 128 mb is not enough. If that was the case, then the guest-network setup would not be crashing my router (I've had to do a reset already a few times now).
That is why I was looking for an alternative, but from what I have seen it does not exist with OpenWrt.
If you'd like my help, don't patronize me. I've helped a lot of people with this exact type of setup, so I do know what I'm doing.
Maybe show some examples of your router crashing -- logs or something that shows the problem in detail? It might be something else that is going wrong (including potentially a failing or underpowered power supply).
Fine. I will now bow out of this conversation. When you do find the solution, you will see that everything I have said is correct. Or you may flail around for a while until you stumble upon it.
FWIW, I have been on this forum for a long time and I've earned the rank of "regular" (which is 2 trust levels above your current rank) -- approaching 300 solved threads. In the past, I also used to spend time on another networking forum where I had over 600 solutions (enterprise grade gear). This isn't my first rodeo, and I do this entirely as a volunteer. However, I don't do it when people are disrespectful to me.
