Wifi to VPN (using Wireguard)

The wg0_int connection on the OpenWrt router:

pgrep -f -a wg; wg show; wg showconf wg0_int
3 kworker/0:0-wg-
104 kworker/0:1-wg-
2554 wg-crypt-wg0_in
interface: wg0_int
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 55961

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: xx.xx.xx.xx:xxxxx
  allowed ips: 0.0.0.0/0
  latest handshake: 39 seconds ago
  transfer: 15.35 KiB received, 22.91 KiB sent
  persistent keepalive: every 15 seconds
[Interface]
ListenPort = 55961
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xx.xx.xx:xxxxx
PersistentKeepalive = 15

wg show
interface: wg0_int
  public key: xxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 55961

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: xx.xx.xx.xx:xxxx
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 39 seconds ago
  transfer: 16.35 KiB received, 24.28 KiB sent
  persistent keepalive: every 15 seconds

As you can see here, the wg0_int connection on the OpenWrt is working just fine.

There are two devices connected to this OpenWrt access point: both connected just fine, however, they are not using the wg0_int (Wireguard VPN) IP address, rather they are both still using the ISP IP address.

What is the traceroute result from the router and then your computer?

I just noticed this issue:

The proto should be static if you are creating a lan via this router. If this is connected to an upstream network via the lan interface, your current config will not work the way you expect.

How is this device connected to the upstream network? Lan or wan?


The OpenWrt device is just an access point and it is not the router of the home network.

The traceroute from the old laptop goes straight to the ISP, as if the config forward command in the /etc/config/firewall is totally ignored.

However, if I create a 'guest network' with its own virtual access point -- then that config forward command for that zone (guest zone) in the /etc/config/firewall is not ignored.

It would be great to see the results... but... this is expected because...

You need to set up another network which is what you have discovered. Or, you can manually set the gateway/router for the client devices to the address of this OpenWrt device, but that means not using DHCP on those systems.

EDIT: to elaborate a bit more... since the OpenWrt device is set up as a dumb AP and is simply bridging your wired and wifi networks, the DHCP server on your main router is advertising the main router as the gateway for the network. Therefore, the devices don't even know that the OpenWrt device exists as a gateway. As a result, you need to either set up a different network entirely (and then DHCP can advertise the OpenWrt gateway), or you need to set your client devices with static IPs and the router/gateway setting pointing to the OpenWrt device.

You got this totally wrong. No, I am not using OpenVPN.

If I set up a guest network, with its own IP range and its very own DHCP server -- then that will work.

That seems the only way it can work in OpenWrt. However, for this to work you need a fairly recent router with enough RAM. My old router with just 128 MB of RAM does not seem to be enough.

That was a typo. I know you're using Wireguard. [EDIT: typo now corrected]

I know. That's what I was saying.

128MB of RAM is plenty for this purpose.

No, 128 MB is not enough. If that was the case, then the guest network setup would not be crashing my router (I've had to do a reset already a few times now).

That is why I was looking for an alternative, but from what I have seen it does not exist with OpenWrt.

I've done it with 64MB RAM.

You're probably doing something else that is causing the issue.

No, I am not doing anything else which is causing the issue. Prove it or do not speculate.

If it is crashing the router, then you cannot claim it works.

If you'd like my help, don't patronize me. I've helped a lot of people with this exact type of setup, so I do know what I'm doing.

Maybe show some examples of your router crashing -- logs or something that shows the problem in detail? It might be something else that is going wrong (including potentially a failing or underpowered power supply).

Fine. I will now bow out of this conversation. When you do find the solution, you will see that everything I have said is correct. Or you may flail around for a while until you stumble upon it.

FWIW, I have been on this forum for a long time and I've earned the rank of "regular" (which is 2 trust levels above your current rank) -- approaching 300 solved threads. In the past, I also used to spend time on another networking forum where I had over 600 solutions (enterprise grade gear). This isn't my first rodeo, and I do this entirely as a volunteer. However, I don't do it when people are disrespectful to me.


This time you got it very, very wrong. You should have left it much earlier.

Greetings
A diagram might be helpful to know who's who.

I had a DNSSEC error filling my log earlier this week that eventually made the router puke. I use a commercial VPN and suspect they are having some growing pains.

Something Else Going On ~ Puked
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.820394] wpa_supplicant invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.831162] CPU: 0 PID: 1293 Comm: wpa_supplicant Not tainted 5.10.127 #0
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.951846] Mem-Info:
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.954294] active_anon:91 inactive_anon:790 isolated_anon:0
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.954294]  active_file:0 inactive_file:171 isolated_file:0
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.954294]  unevictable:0 dirty:0 writeback:0
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.954294]  slab_reclaimable:244 slab_unreclaimable:7990
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.954294]  mapped:2 shmem:78 pagetables:109 bounce:0
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.954294]  free:1811 free_pcp:8 free_cma:0
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103306.986335] Node 0 active_anon:364kB inactive_anon:3160kB active_file:0kB inactive_file:684kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:8kB dirty:0kB writeback:0kB shmem:312kB writeback_tmp:0kB kernel_stack:448kB all_unreclaimable? yes
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.009684] Normal free:7244kB min:8192kB low:10240kB high:12288kB reserved_highatomic:0KB active_anon:364kB inactive_anon:3160kB active_file:0kB inactive_file:684kB unevictable:0kB writepending:0kB present:65536kB managed:56780kB mlocked:0kB pagetables:436kB bounce:0kB free_pcp:32kB local_pcp:32kB free_cma:0kB
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.038214] lowmem_reserve[]: 0 0
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.041735] Normal: 179*4kB (UM) 154*8kB (UM) 75*16kB (UM) 38*32kB (UM) 9*64kB (UM) 10*128kB (UM) 2*256kB (UM) 1*512kB (U) 0*1024kB 0*2048kB 0*4096kB = 7244kB
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.056541] 249 total pagecache pages
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.060408] 0 pages in swap cache
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.063921] Swap cache stats: add 0, delete 0, find 0/0
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.069413] Free swap  = 0kB
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.072474] Total swap = 0kB
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.075530] 16384 pages RAM
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.078506] 0 pages HighMem/MovableOnly
Wed Jul 13 11:35:53 2022 kern.warn kernel: [103307.082555] 2189 pages reserved
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.085890] Tasks state (memory values in pages):
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.090835] [  pid  ]   uid  tgid total_vm      rss pgtables_bytes swapents oom_score_adj name
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.099842] [    518]    81   518      339       25    20480        0             0 ubusd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.108389] [    519]     0   519      249       10    20480        0             0 askfirst
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.117204] [    554]     0   554      277       14    16384        0             0 urngd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.125753] [    915]   514   915      335       37    20480        0             0 logd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.134199] [    969]     0   969      600       86    24576        0             0 rpcd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.142659] [   1289]     0  1289      664       26    20480        0             0 hostapd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.151392] [   1290]     0  1290      664       26    20480        0             0 wpa_supplicant
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.160751] [   1293]   101  1293     1097       29    24576        0             0 wpa_supplicant
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.170105] [   1294]   101  1294     1097       28    24576        0             0 hostapd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.178832] [   1419]     0  1419      328       12    20480        0             0 crond
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.187379] [   1491]     0  1491     1036       63    24576        0             0 uhttpd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.196018] [   1692]     0  1692      302       13    16384        0             0 dropbear
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.204822] [   2382]     0  2382      664       26    16384        0             0 ntpd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.213282] [   2431]   123  2431      327       11    20480        0             0 ntpd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.221742] [   8380]     0  8380      307       16    20480        0             0 dropbear
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.230558] [   8381]     0  8381      327       11    20480        0             0 ash
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.238927] [   8686]     0  8686      449       38    20480        0             0 netifd
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.247564] [   9011]     0  9011      327       11    16384        0             0 udhcpc
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.256203] [   9204]     0  9204      664       26    20480        0             0 dnsmasq
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.264917] [   9207]   453  9207      757       42    20480        0             0 dnsmasq
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.273649] [   9547]     0  9547      777      229    20480        0             0 luci
Wed Jul 13 11:35:53 2022 kern.info kernel: [103307.282101] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),global_oom,task_memcg=/,task=luci,pid=9547,uid=0
Wed Jul 13 11:35:53 2022 kern.err kernel: [103307.292747] Out of memory: Killed process 9547 (luci) total-vm:3108kB, anon-rss:912kB, file-rss:4kB, shmem-rss:0kB, UID:0 pgtables:20kB oom_score_adj:0
Wed Jul 13 11:39:15 2022 daemon.notice netifd: Interface 'wg0' has lost the connection

Also if: I know it was not mentioned here; have you integrated this on your network?

@psherman alluded to the possibility that other things could be misconfigured or just broken (bugged); I tend to follow the avatar's suggested yield sign. That's my caveat to your anticipated reply.
Thanks.


What I am somewhat disappointed about here is that too many comments have focused on the software and not on the hardware.

I am using a TP-Link AC1700 (ver 2) which I think is an excellent router -- it was designed for what it does very well. But it is not a PC.

By pushing these boundaries on the TP-Link router I hit the brick wall. To do what I need, I do need hardware which is designed for more flexibility.

And of course, OpenWrt is full of bugs -- as any OS is. Is this a bug? Who knows, but I concentrate on a solution for me.

I am not sure this will make a difference but try changing the persistent_keepalive to 25 in your /etc/config/network:

config wireguard_wg0_int
    option description 'XX'
    option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'
    option endpoint_port 'xxxxxx'
    option persistent_keepalive '25'
    option endpoint_host 'xxxxxxxxxx'

Additionally your firewall may be incorrectly set up. 'list network' should not be double indented. Try also adding in 'list device' with the same name as shown below. You should also place the forwarding below the config of the zone as this can sometimes cause issues when something is called for before it is even defined.

config zone
	option name 'wg0_zone'
	option input 'REJECT'
	option forward 'ACCEPT'
	list device 'wg0_int'
	list network 'wg0_int'
	option output 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wg0_zone'

You also should not be forwarding your wan to the wg0_zone, remove this completely. When you have this set up, any traffic that you did not initiate, i.e. a malicious actor trying to break into your network, would be forwarded to your VPN.

config forwarding
	option src 'wan'
	option dest 'wg0_zone'

Lastly, have some respect for the people who come in here trying to help you. This person isn't paid to be here, this is something they do with the time they have outside of all the other obligations life provides to them. They deserve respect for even wanting to share some knowledge with you and everyone else on these forums.

This is a place to bounce around ideas and troubleshoot with peers to figure out your issue and this is not some professional support line or an echo chamber that will give you the same perfect advice each time.

OpenWrt is a tinkerer's paradise and any person that loves to tinker and tweak devices to do things they aren't designed to do knows that it is possible nobody has your answer. What this place can help provide is a place with more minds than just your own to brainstorm. If you aren't cut out to spend time on things that may never work to push a device beyond what it is capable of or to work with others and try ideas that may be wrong, go back to your default OS and expect that anything out of SOP will get you the answer of "I am sorry we don't support that".
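Two points made above (the dumb AP needs its own network so DHCP advertises the AP as gateway, and the firewall should forward into the WireGuard zone only from that network, never from wan) as one added example; this is my script, not code from the thread or from OpenWrt. It generates a uci batch for a separate 'vpnlan' network on the AP and includes a check that flags any forwarding with src wan; the names vpnlan, br-vpnlan, radio0, the SSID/key and 192.168.3.0/24 are assumptions, and the WireGuard zone's UCI section is assumed to be named wg0_zone like the zone in the thread.

```shell
# Added example (not from the thread): build a uci batch for a separate
# "vpnlan" network on the dumb AP. Its own DHCP hands out 192.168.3.1 as
# gateway, so client traffic enters the AP's firewall and is forwarded
# into the WireGuard zone. Assumed: vpnlan, br-vpnlan, radio0, SSID/key.
vpnlan_uci_batch() {
    cat <<'EOF'
set network.br_vpnlan=device
set network.br_vpnlan.type='bridge'
set network.br_vpnlan.name='br-vpnlan'
set network.vpnlan=interface
set network.vpnlan.proto='static'
set network.vpnlan.device='br-vpnlan'
set network.vpnlan.ipaddr='192.168.3.1'
set network.vpnlan.netmask='255.255.255.0'
set dhcp.vpnlan=dhcp
set dhcp.vpnlan.interface='vpnlan'
set wireless.vpn_ap=wifi-iface
set wireless.vpn_ap.device='radio0'
set wireless.vpn_ap.mode='ap'
set wireless.vpn_ap.network='vpnlan'
set wireless.vpn_ap.ssid='VPN-WiFi'
set wireless.vpn_ap.encryption='sae-mixed'
set wireless.vpn_ap.key='CHANGE-ME-BEFORE-APPLYING'
set firewall.vpnlan_zone=zone
set firewall.vpnlan_zone.name='vpnlan'
set firewall.vpnlan_zone.input='ACCEPT'
set firewall.vpnlan_zone.output='ACCEPT'
set firewall.vpnlan_zone.forward='REJECT'
add_list firewall.vpnlan_zone.network='vpnlan'
set firewall.vpnlan_fwd=forwarding
set firewall.vpnlan_fwd.src='vpnlan'
set firewall.vpnlan_fwd.dest='wg0_zone'
set firewall.wg0_zone.masq='1'
EOF
}

# On the router: review the batch, then apply it (assumes zone section wg0_zone).
apply_vpnlan() {
    vpnlan_uci_batch | uci batch && uci commit \
        && /etc/init.d/network restart && /etc/init.d/firewall reload
}

# Reads `uci show firewall` on stdin and prints every forwarding whose src
# is wan: unsolicited traffic from wan must never be forwarded into the tunnel.
wan_forwardings() {
    awk -F'[.=]' -v wan="'wan'" '
        NF == 3                  { type[$2] = $3 }
        $3 == "src" && $4 == wan { fromwan[$2] = 1 }
        $3 == "dest"             { dest[$2] = $4 }
        END { for (s in fromwan) if (type[s] == "forwarding")
                  print s ": wan -> " dest[s] }'
}

# Constructed sample of `uci show firewall` output: the thread's lan forwarding
# plus the wan -> wg0_zone forwarding the post above says to remove.
SAMPLE_FW="firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wg0_zone'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='wan'
firewall.@forwarding[1].dest='wg0_zone'"
```

Running `uci show firewall | wan_forwardings` on the router lists the forwardings to delete; input on the vpnlan zone is ACCEPT so clients can reach the AP's DHCP and DNS, and can be tightened to REJECT plus explicit DHCP/DNS allow rules.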

All of what you recommended I tried already, and no, it does not work. Then I started trying anything weird and irrational, and of course that did not work.

You get to a certain point and realize: the OS does not work for this function.

Likewise, the WLAN0 -> tun0 did not work as well.

What I will look into is the 'dumb ap' documentation as that is exactly what I should have set up from the beginning since the device is not the main router of the home network, rather it's just a 'dumb ap'.

I reserve the right to hit back at trolls, that is why I did not bother to ask on reddit.com/r/openwrt, since reddit is nothing but trolls. Attacking is the best defence against these trolls, as one should do with any attempt at bullying.

Bullying? Trolls? Seriously? Come on now.

I agree with @psherman here, and by the way, concerning your comment:

he is no troll. If you browse this forum you will see he has spent a lot of time on this forum helping many others including myself.

As I understand it (and I am by no means a networking expert, but I am pretty confident this applies), you have an AP that is downstream of your main router. You ought to set DHCP on the main router on the network in question, and have the AP set with a static address. Setting DHCP on the downstream AP in this context doesn't make much sense to me.

By way of example, I have set this up:

a main router with both a main network (br-lan - 192.168.1.1) and a guest network (br-guest - 192.168.2.1). I have an AP (well two actually, but let's just consider the first) connected to the main router that extends both these networks (br-lan - 192.168.1.2) and a guest network (br-guest - 192.168.2.2). The latter are set as static - and the main router allocates IP addresses to clients that connect to the AP, not the AP. You should read up on the dumb AP stuff and also the Guest WiFi stuff here:

Also I push everything over WireGuard with exceptions for specific devices as required. You can do this by setting appropriate rules - see e.g. here:

Surely I am a troll too and this is also bullying, but it is meant well, like the contributions above.


This issue is easy to address.

  1. Install dnsmasq-full:
     opkg update; cd /tmp/ && opkg download dnsmasq-full && opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/ && rm -f /tmp/dnsmasq-full*.ipk
  2. Install pbr and luci-app-pbr:
     opkg install pbr luci-app-pbr
  3. Reboot. Then check LuCI under Services -> Policy Routing.
     There you decide what goes out via VPN and what goes out via WAN.

Adios