Wireguard as a client

Hello everyone,
I would like a portable router, where I use an opnsense router as a wireguard server and the openwrt router as a client. The opnsense wireguard server works as my laptop and phone can all connect to the wireguard server. With my openwrt wireguard client it is different, I have a handshake but no data and after one handshake the connection is gone.

my network conf is:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1e:c61:d23a::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

config interface 'trm_wwan'
        option proto 'dhcp'
        option metric '100'

config interface 'trm_wwan6'
        option device '@trm_wwan'
        option proto 'dhcpv6'

config interface 'WG'
        option proto 'wireguard'
        option private_key 'redacted'
        list addresses '10.50.50.3/32'

config wireguard_WG
        option description 'Imported peer configuration'
        option public_key 'redacted'

Could anybody help me or send me in the right direction?

You're missing 4 critical lines:

	option endpoint_host 'your.endpoint.domain.name'
	option endpoint_port 'yourendpointport'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

(I'm assuming you want to push all traffic through the tunnel)


There seem to be some things missing in your WG config.

But have a look at my notes on how to set it up:

Do not forget to Enable Route Allowed IPs


This is now my network config.
The connection is now established and continues to work, but I notice that not all DNS requests go via the wireguard connection. On the test site that tests ad blocking, not 1 advertisement is blocked.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1e:c61:d23a::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

config interface 'trm_wwan'
	option proto 'dhcp'
	option metric '100'

config interface 'trm_wwan6'
	option device '@trm_wwan'
	option proto 'dhcpv6'

config interface 'WG'
	option proto 'wireguard'
	option private_key 'redacted'
	list addresses '10.50.50.3/32'
	list dns '10.50.50.1'

config wireguard_WG
	option description 'Imported peer configuration'
	option public_key 'redacted'
	option endpoint_host 'ip.famsnippe.nl'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
Since you have a dual stack wan you also need a VPN that supports IPv6. If the VPN service is IPv4 only you need to disable local v6 so that all Internet usage goes by v4.


If you do not have a VPN that supports IPv6 and you want to keep your IPv6 on your network, then you can try to just set up the tunnel for IPv6.
That way you will stop the leakage of IPv6 and usually your clients will fall back to IPv4.

Okay update:
I had not yet set up wireguard for IPv6.
This is because dynamic DNS could not determine an IPv6 address. After messing around again it turned out that I had not assigned a prefix id to the wan in opnsense. After doing this, dynamic DNS was able to write an IPv6 address from the WAN to the AAAA DNS address. After this I was able to set up a working connection for Wireguard on both IPv6 and IPv4. My hostname refers to both. Only, once again, when a wireguard tunnel is set up with opnsense as host and openwrt as client, not all traffic is routed through the tunnel, since the ad-blocker tester indicates that almost nothing is blocked in terms of advertising. The ad blocker that runs on opnsense is therefore bypassed.

Not sure how your ad blocker works but often it is done with DNS.

If that is the case your WireGuard client must be set to use your home DNS server as only DNS server!

However that could be complicated if the client is an OpenWRT router because this DNS server is not publicly available so you must first start the tunnel before you have DNS resolution but in order to start the tunnel you need DNS resolution for resolving correct date and endpoint.

There are workarounds for this problem but first we need to know if the DNS is the problem here.

To test, you can use your WG server's IP address instead of the DDNS address (as the router will try to estimate the time, that usually is not a problem if you restart),
and then set your home DNS server as the only DNS server, reboot and see if the tunnel goes up and you have adblocking.

For a phone or laptop this is no problem, as the WG client's DNS server is only used after the tunnel is up.
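The three replies above each point at one missing piece of the OpenWrt WireGuard config (the four peer lines, the `::/0` route on a dual-stack WAN, and a tunnel-side DNS server). As an added example that is not part of this thread, the check below parses UCI text and reports all of those at once; the sample config and the endpoint hostname are constructed, not the poster's real values.

```python
import re

# Constructed sample, modelled on the config first posted in this thread,
# with the four lines the first reply named left out.
SAMPLE_UCI = """\
config interface 'wan6'
\toption proto 'dhcpv6'
config interface 'WG'
\toption proto 'wireguard'
\tlist addresses '10.50.50.3/32'
config wireguard_WG
\toption public_key 'redacted'
"""
# Same config with the missing lines added (endpoint host is a placeholder).
FIXED_UCI = SAMPLE_UCI.replace("list addresses '10.50.50.3/32'",
    "list addresses '10.50.50.3/32'\n\tlist dns '10.50.50.1'") + """\
\toption endpoint_host 'vpn.example.invalid'
\toption endpoint_port '51820'
\tlist allowed_ips '0.0.0.0/0'
\tlist allowed_ips '::/0'
\toption route_allowed_ips '1'
"""

def parse_uci(text):
    sections = []  # (section type, name or None, {key: [values]})
    for line in text.splitlines():
        sec = re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?\s*$", line)
        opt = re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'\s*$", line)
        if sec:
            sections.append((sec.group(1), sec.group(2), {}))
        elif opt and sections:  # 'list' keys may repeat, so every key holds a list
            sections[-1][2].setdefault(opt.group(1), []).append(opt.group(2))
    return sections

def check_wireguard(text):
    secs = parse_uci(text)
    problems = []
    dual_stack = any(t == "interface" and o.get("proto") == ["dhcpv6"] for t, _, o in secs)
    for t, name, opts in secs:
        if t != "interface" or opts.get("proto") != ["wireguard"]:
            continue
        if "dns" not in opts:  # resolver stays on the WAN side, DNS-based ad blocking is bypassed
            problems.append(f"{name}: no 'list dns', queries may bypass the tunnel")
        for peer in [o for pt, _, o in secs if pt == f"wireguard_{name}"]:
            for key in ("endpoint_host", "endpoint_port", "allowed_ips"):
                if key not in peer:
                    problems.append(f"{name}: peer is missing {key}")
            if peer.get("route_allowed_ips") != ["1"]:  # without it no default route via WG
                problems.append(f"{name}: route_allowed_ips is not '1'")
            if dual_stack and "::/0" not in peer.get("allowed_ips", []):
                problems.append(f"{name}: wan6 is up but ::/0 not in allowed_ips, IPv6 leaks")
    return problems
```

Run it against `/etc/config/network` copied off the router: an empty list means the tunnel carries both address families and the resolver, a non-empty list names what to add.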