Wireguard (client and server) and PBR

Hello,
I am trying to get two WireGuard interfaces working: one as a client (Surfshark VPN) and the second as a server so that I can reach my local network devices from outside my home.
When I turn on the wg-server interface, I lose Internet access.
Could you please help?

{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "23.05.5 241021"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd09:eea6:500e::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '10:7c:61:d9:d4:3a'

config device
        option name 'lan2'
        option macaddr '10:7c:61:d9:d4:3a'

config device
        option name 'lan3'
        option macaddr '10:7c:61:d9:d4:3a'

config device
        option name 'lan4'
        option macaddr '10:7c:61:d9:d4:3a'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr '10:7c:61:d9:d4:3a'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'XXXXXX'
        option password 'XXXXXX'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wg_wawa'
        option proto 'wireguard'
        option private_key 'XXXXXX'
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'
        option mtu '1412'
        option disabled '1'

config wireguard_wg_wawa
        option description 'Imported peer configuration'
        option public_key 'XXXXXX'
        option endpoint_host 'pl-waw.prod.surfshark.com'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'

config interface 'wg_server'
        option proto 'wireguard'
        option private_key 'XXXXXX'
        option listen_port '55443'
        list addresses '172.22.22.1/24'
        option disabled '1'

config wireguard_wg_server
        option public_key 'XXXXXX'
        option private_key 'XXXXXX'
        list allowed_ips '172.22.22.2/32'
        option route_allowed_ips '1'
        option endpoint_port '55443'
        option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option disabled '0'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Family'
        option encryption 'psk2'
        option key 'XXXXXX'
        option dtim_period '3'
        option ieee80211r '1'
        option mobility_domain '111A'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '140'
        option band '5g'
        option htmode 'HE80'
        option disabled '0'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Family'
        option encryption 'psk2'
        option key 'XXXXXX'
        option dtim_period '3'
        option ieee80211r '1'
        option mobility_domain '111A'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wg_wawa'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'allowed-55443'
        list proto 'udp'
        option src 'wan'
        option dest_port '55443'
        option target 'ACCEPT'

config zone
        option name 'wg_server'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_server'

config forwarding
        option src 'wg_server'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wg_server'

config nat
        option name 'SNAT-WGserver'
        list proto 'all'
        option src 'lan'
        option src_ip '172.22.22.0/24'
        option target 'MASQUERADE'
        option enabled '1'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config forwarding
        option src 'wg_server'
        option dest 'lan'

Your default route is via the WireGuard client, which is fine, but traffic for the WireGuard server enters via the WAN and thus should also go out via the WAN instead of via the WireGuard client.

For that you need Policy Based Routing.
You can install the full PBR app; if you upgrade to version 1.1.8-r12, it will handle this routing automatically, or you can do it manually.

Yesterday I spent a few hours looking for an answer, but it just didn't work. Today I turned on the WireGuard VPN and the server, using your wireguard-companion.sh, and it's almost working as it should.
I'm using PBR 1.1.8-r12.

I can't get the allegro.pl website working.

If you disable PBR and the WireGuard client and then reboot, can you then ping allegro.pl?

Yes, without Wireguard, it's working fine.

After rebooting router I get:

errors, and it takes a few minutes before the Internet starts working;
now allegro.pl is working properly, but the Amazon Prime list is not.

Before setting my router two days ago, I did factory reset, then PPPoE, Wifi, PBR, Wireguard client and then Wireguard server.

That is probably related to the pbr.user.aws script; do not use that, but just try with the domain names, as you are doing with allegro.pl.

I turned off pbr.user.aws; instead I use another custom script found in the PBR thread on the forum (it's yours, if I remember correctly), so Prime is working great.

But I've got problem with allegro.pl again.
I updated PBR to:


but it doesn't help.

And I have another, bigger problem. Sometimes the router loses its Internet connection and I need to restart the router a few times before it starts working again. Sometimes I even need 3 or 4 reboots; what could the problem be?

You need more than that to get to the root cause.

Is it a DNS problem, or is it a network problem? If the latter, is it related to the WAN or to the WireGuard interface, etc.?
Start by reviewing your log, then do basic network troubleshooting: ping, tracert, nslookup, etc.

You might want to investigate this:

https://kaanlabs.com/fix-broken-wireguard-connection-after-openwrt-reboot/

Yesterday I disabled the IPv6 protocol using this guide:

It's been working smoothly since yesterday.
I don't know why wan6 is transferring data, even though it's "stopped" and "disabled".

It's showing statistics for eth1 (i.e., your IPv4 connection too).