pgrep -f -a wg; wg show; wg showconf wg0_int
3 kworker/0:0-wg-
104 kworker/0:1-wg-
2554 wg-crypt-wg0_in
interface: wg0_int
public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
private key: (hidden)
listening port: 55961
peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
endpoint: xx.xx.xx.xx:xxxxx
allowed ips: 0.0.0.0/0
latest handshake: 39 seconds ago
transfer: 15.35 KiB received, 22.91 KiB sent
persistent keepalive: every 15 seconds
[Interface]
ListenPort = 55961
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xx.xx.xx:xxxxx
PersistentKeepalive = 15
wg show
interface: wg0_int
public key: xxxxxxxxxxxxxxxxxxxxxxxx
private key: (hidden)
listening port: 55961
peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
endpoint: xx.xx.xx.xx:xxxx
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 39 seconds ago
transfer: 16.35 KiB received, 24.28 KiB sent
persistent keepalive: every 15 seconds
As you can see here, the wg0_int connection on the OpenWrt is working just fine.
There are two devices connected to this OpenWrt access point: both connected just fine; however, they are not using the wg0_int (WireGuard VPN) IP address, rather they are both still using the ISP IP address.
The proto should be static if you are creating a lan via this router. If this is connected to an upstream network via the lan interface, your current config will not work the way you expect.
How is this device connected to the upstream network? LAN or WAN?
The traceroute from the old laptop goes straight to the ISP, as if the config forward command in the /etc/config/firewall is totally ignored.
However, if I create a 'guest network' with its own virtual access point -- then that config forward command for that zone (guest zone) in the /etc/config/firewall is not ignored.
It would be great to see the results... but... this is expected because...
You need to set up another network, which is what you have discovered. Or you can manually set the gateway/router for the client devices to the address of this OpenWrt device, but that means not using DHCP on those systems.
EDIT: to elaborate a bit more... since the OpenWrt device is set up as a dumb AP and is simply bridging your wired and wifi networks, the DHCP server on your main router is advertising the main router as the gateway for the network. Therefore, the devices don't even know that the OpenWrt device exists as a gateway. As a result, you need to either set up a different network entirely (and then DHCP can advertise the OpenWrt gateway), or you need to set your client devices with static IPs and the router/gateway setting pointing to the OpenWrt device.
You got this totally wrong. No, I am not using OpenVPN.
If I set up a guest network, with its own IP range and its very own DHCP server -- then that will work.
That seems the only way it can work in OpenWrt. However, for this to work you need a fairly recent router with enough RAM. My old router with just 128 MB RAM does not seem to be enough.
No, 128 MB is not enough. If that was the case, then the guest-network setup would not be crashing my router (I've had to do a reset already a few times now).
That is why I was looking for an alternative, but from what I have seen it does not exist with OpenWrt.
If you'd like my help, don't patronize me. I've helped a lot of people with this exact type of setup, so I do know what I'm doing.
Maybe show some examples of your router crashing -- logs or something that shows the problem in detail? It might be something else that is going wrong (including potentially a failing or underpowered power supply).
Fine. I will now bow out of this conversation. When you do find the solution, you will see that everything I have said is correct. Or you may flail around for a while until you stumble upon it.
FWIW, I have been on this forum for a long time and I've earned the rank of "regular" (which is 2 trust levels above your current rank) -- approaching 300 solved threads. In the past, I also used to spend time on another networking forum where I had over 600 solutions (enterprise grade gear). This isn't my first rodeo, and I do this entirely as a volunteer. However, I don't do it when people are disrespectful to me.
I had a DNSSEC error filling my log earlier this week that eventually made the router puke. I use a commercial VPN and suspect they are having some growing pains.
Also if: I know it was not mentioned here; have you integrated this on your network?
@psherman alluded that other things could be misconfigured or just broken (bugged); I tend to follow the avatar's suggested yield sign. That's my caveat to your anticipated reply.
Thanks.
Additionally, your firewall may be incorrectly set up. 'list network' should not be double indented. Try also adding in 'list device' with the same name as shown below. You should also place the forwarding below the config of the zone, as this can sometimes cause issues when something is called for before it is even defined.
config zone
	option name 'wg0_zone'
	option input 'REJECT'
	option forward 'ACCEPT'
	list device 'wg0_int'
	list network 'wg0_int'
	option output 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wg0_zone'
You also should not be forwarding your wan to the wg0_zone; remove this completely. With this set up, any traffic that you did not initiate, i.e. a malicious actor trying to break into your network, would be forwarded to your VPN.
config forwarding
	option src 'wan'
	option dest 'wg0_zone'
Lastly, have some respect for the people who come in here trying to help you. This person isn't paid to be here, this is something they do with the time they have outside of all the other obligations life provides to them. They deserve respect for even wanting to share some knowledge with you and everyone else on these forums.
This is a place to bounce around ideas and troubleshoot with peers to figure out your issue; this is not some professional support line or an echo chamber that will give you the same perfect advice each time.
OpenWRT is a tinkerer's paradise, and any person that loves to tinker and tweak devices to do things they aren't designed to do knows that it is possible nobody has your answer. What this place can help provide is a place with more minds than just your own to brainstorm. If you aren't cut out to spend time on things that may never work, to push a device beyond what it is capable of, or to work with others and try ideas that may be wrong, go back to your default OS and expect that anything out of SOP will get you the answer of "I am sorry, we don't support that".
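The two firewall points made above (a forwarding that names a zone before that zone is defined, and a wan -> wg0_zone forwarding that would push unsolicited inbound traffic into the tunnel) can be checked mechanically. The following is an added example, not code from this thread or from OpenWrt: a small POSIX sh + awk linter run over a constructed copy of /etc/config/firewall. The sample file contents and the helper names (write_bad_firewall, write_good_firewall, lint_firewall) are assumptions made for the example; the zone names lan, wan and wg0_zone follow the thread.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenWrt /etc/config/firewall for
# (1) a forwarding whose dest zone is undefined or defined only later in the file,
# (2) a wan -> zone forwarding, which lets unsolicited inbound traffic through.
# Needs only POSIX sh and awk, so it can be run off the router on a copied file.

# Constructed sample of a misconfigured firewall file (not the poster's real config).
write_bad_firewall() {
cat > "$1" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wg0_zone'

config forwarding
    option src 'wan'
    option dest 'wg0_zone'

config zone
    option name 'wg0_zone'
    list network 'wg0_int'
    option input 'REJECT'
    option forward 'ACCEPT'
EOF
}

# Constructed corrected version: wg0_zone defined first, wan forwarding removed.
write_good_firewall() {
cat > "$1" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'wg0_zone'
    list network 'wg0_int'
    option input 'REJECT'
    option forward 'ACCEPT'

config forwarding
    option src 'lan'
    option dest 'wg0_zone'
EOF
}

# Print one WARN line per finding. Exit status 1 if anything was found, 0 if clean.
# The single quote is passed in as -v q because the awk program itself is single-quoted.
lint_firewall() {
    awk -v q="'" '
    $1 == "config" { n++; type[n] = $2; next }
    ($1 == "option" || $1 == "list") && n > 0 {
        key = $2; $1 = ""; $2 = ""; val = $0
        gsub(/^[ \t]+/, "", val); gsub(q, "", val); gsub(/"/, "", val)
        kv[n, key] = val
    }
    END {
        for (i = 1; i <= n; i++)
            if (type[i] == "zone") zone_at[kv[i, "name"]] = i
        for (i = 1; i <= n; i++) {
            if (type[i] != "forwarding") continue
            src = kv[i, "src"]; dst = kv[i, "dest"]
            if (src == "wan") { found++
                print "WARN: forwarding wan -> " dst " lets unsolicited inbound traffic into " dst }
            if (!(dst in zone_at)) { found++
                print "WARN: forwarding " src " -> " dst ": zone " dst " is never defined" }
            else if (zone_at[dst] > i) { found++
                print "WARN: forwarding " src " -> " dst " appears before zone " dst " is defined" }
        }
        exit (found > 0)
    }' "$1"
}

# Demo: lint both sample files and show the findings.
demo() {
    bad=$(mktemp) && good=$(mktemp) || return 1
    write_bad_firewall "$bad"; write_good_firewall "$good"
    echo "== misconfigured =="; lint_firewall "$bad" || echo "(problems found)"
    echo "== corrected ==";     lint_firewall "$good" && echo "(clean)"
    rm -f "$bad" "$good"
}
demo
```

On the constructed misconfigured file the linter reports three warnings: the lan -> wg0_zone forwarding sits above its zone, and the wan -> wg0_zone forwarding is both out of order and a security problem in its own right, since with AllowedIPs = 0.0.0.0/0 the tunnel is the default route and any inbound packet the router accepts for forwarding from wan would be sent down it. The corrected file produces no output and exit status 0, so the function can be used as a pre-reload gate in a script.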
All of what you recommended I tried already, and no, it does not work. Then I started trying anything weird and irrational, and of course that did not work.
You get to a certain point and realize: the OS does not work for this function.
Likewise, the WLAN0 -> tun0 did not work as well.
What I will look into is the 'dumb AP' documentation, as that is exactly what I should have set up from the beginning, since the device is not the main router of the home network, rather it's just a 'dumb AP'.
I reserve the right to hit back at trolls, that is why I did not bother to ask on reddit.com/r/openwrt, since reddit is nothing but trolls. Attacking is the best defence against these trolls, as one should do with any attempt at bullying.
I agree with @psherman here, and by the way, concerning your comment:
he is no troll. If you browse this forum you will see he has spent a lot of time on this forum helping many others, including myself.
As I understand it (and I am by no means a networking expert, but I am pretty confident this applies), you have an AP that is downstream of your main router. You ought to set DHCP on the main router on the network in question, and have the AP set with a static address. Setting DHCP on the downstream AP in this context doesn't make much sense to me.
a main router with both a main network (br-lan - 192.168.1.1) and a guest network (br-guest - 192.168.2.1). I have an AP (well two actually, but let's just consider the first) connected to the main router that extends both these networks (br-lan - 192.168.1.2) and a guest network (br-guest - 192.168.2.2). The latter are set as static - and the main router allocates IP addresses to clients that connect to AP, not the AP. You should read up on the dumb AP stuff and also the Guest WiFi stuff here:
Also I push everything over WireGuard with exceptions for specific devices as required. You can do this by setting appropriate rules - see e.g. here:
Surely I am a troll too and this is also bullying, but it is meant well, like the contributions above.